Editor's note: This is the final edition of a series on credential stuffing, from large-scale breaches through remediation. Be sure to read the first and second installments.
When the pandemic sent workers home en masse, it offered new opportunities for cybercriminals. Many used COVID-19 fears to lure phishing victims. What malicious actors want are credentials, and their efforts are successful — 97% of security executives reported a rise in credential theft, according to research from CyberArk.
Once credentials are stolen, it is like giving a thief the key to the front door. Malicious actors have the ability to enter the organization's network and take a leisurely look around until they find something else of greater value.
Threat actors in possession of legitimate credentials are difficult to defend against, and for more reasons than just because they have the login information.
Defending against credential stuffing is difficult because most companies aren't able to control and monitor every location where credentials are used. That means many organizations can't enforce unique passwords across multiple access points.
Reused passwords are gold to threat actors — one set of stolen credentials will gain entrance into multiple sites.
Passwords get recycled because users want something easy to remember. They don't want complicated authentication methods, either.
More than one-third of respondents said ease of use is very important when using multi-factor authentication, according to a study by Ponemon Institute and Yubico. Businesses are highly incentivized to not put any barriers in front of customers trying to authenticate to their services.
"As a result, anything that could result in blocking a legitimate user often faces significant resistance in implementation," said John Bambenek, threat intelligence advisor at Netenrich.
The best defense
The best defense against credential stuffing is unique passwords, but let's be realistic — unless forced to act differently, users are going to stick with a single password across multiple accounts, both internally and across websites and software for personal use. Companies need to step up to the next level of access authorization.
"The use of multifactor authentication (MFA) and not using email addresses as logins are two very quick ways to prevent the use of credential stuffing," said Bambenek.
More than half of all companies have embraced some level of MFA, according to a LastPass study. The largest enterprises have the greatest acceptance, with 87% using some form of MFA, but only about a quarter of the smallest businesses (with under 25 employees) have adopted more secure authentication methods.
Most often, the method of choice is an SMS message to the phone, with hardware solutions and biometrics very distant second and third options. Passwordless authentication methods are gaining steam.
"Passwordless authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key," according to a OneLogin blog post.
It works like a lock and key. The public key is the lock and is provided by the account to be accessed. The private key, held on the user's local device behind whatever authentication option that device offers, is what unlocks the account.
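As an added illustration of that lock-and-key exchange (not code from the OneLogin post or from any product named in this article): the account stores only the public key, issues a fresh random challenge at login, and accepts the login when the device's private key produces a valid signature over it. It uses Go's standard-library Ed25519; the Account and Device types and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Account is the server-side "lock": it stores only the public key the
// user's device registered. No password exists to be stuffed or phished.
type Account struct {
	User      string
	PublicKey ed25519.PublicKey
}

// Device is the "key": the private key never leaves the local device.
type Device struct{ priv ed25519.PrivateKey }

// Enroll generates the key pair on the device and registers the public key.
func Enroll(user string) (Account, Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Account{}, Device{}, err
	}
	return Account{User: user, PublicKey: pub}, Device{priv: priv}, nil
}

// NewChallenge returns a fresh random nonce; one nonce per login attempt
// means a captured signature cannot be replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the device unlocking the account by signing the server's challenge.
func (d Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Verify checks the signature against the registered public key. Anything
// signed by another device's key, or over a different challenge, is rejected.
func (a Account) Verify(challenge, sig []byte) error {
	if !ed25519.Verify(a.PublicKey, challenge, sig) {
		return errors.New("authentication failed: signature does not match registered key")
	}
	return nil
}
```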
Using technology
The risks of credential stuffing can be reduced by moving passwords into the background. A password manager or privileged access management solution automates passwords for each login.
"Organizations need to look for solutions that are usable, scalable, easily integrate into existing environments, employees want to use and add value to the business, not only reduce the risks from cyberattacks," said Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify.
There are several technology solutions that organizations can turn to for help preventing credential stuffing:
- Identity and access management (IAM)
- Privileged account management (PAM)
- Password managers
- Cloud infrastructure entitlement management (CIEM)
IAM is the go-to solution for protecting identities and access credentials, especially as many companies decide to continue with remote work or a hybrid work option.
It is "the discipline that enables the right individuals to access the right resources at the right times for the right reasons," according to Gartner.
IAM is often paired with a password manager, so users only have to remember one password. Password managers encourage the creation of unique passwords and also allow for secure sharing of a password for collaborative projects.
PAM, on the other hand, manages authentication for the backend systems, such as the passwords needed for servers. It offers a management solution for administrative accounts and non-human accounts that aren't regularly monitored. Credential stuffing attacks using privileged account information often go undetected for longer periods of time because those accounts are rarely supervised. PAM tools provide the supervision those accounts otherwise lack.
CIEM is relatively new among identity management tools. CIEM solutions manage both human and non-human identities in cloud environments and focus on least privilege access. Apps developed in the cloud can have dozens of human identities and hundreds of non-human identities, all of which have differing levels of access.
Many cloud-related data breaches take advantage of orphaned or non-active identities to get into the system. CIEM enforces least privilege authorization so only active and necessary identities have access.
Who is responsible for identity management?
Identity management technology focuses on three tasks: establishing identities, authenticating those identities and then authorizing them for access. It is up to the organization to choose which identity management program is the best fit for its security system — and it might be different platforms for different areas.
The responsibility for identity management procedures is spread across the company. The security team or the IT team might be designated with setting up permissions, but they don't determine which identities — both human and non-human — have authentication and authorization entitlements.
That determination comes from department representatives, and it should be made with a least privilege mindset. User access should be selective and minimal, taking away the insider threat of credential theft or misuse.
It is also the responsibility of the department representatives to ensure orphaned identities — employees who left the company or moved to a new job or project and non-human identities no longer needed in the development process, for example — don't exist in the system.
While identity management technologies must be aligned with authentication tools, it is up to the identity management teams to make sure there are no loopholes that users can use to skip MFA requirements.
These tools aren't perfect solutions. A challenge with IAM, for example, is how verbose the permissions are. It's a positive that users can create very granular access based on the organization's needs, but the resulting frustration in figuring out what exactly those needs are could be a turn-off to end-users.
"This causes said users to start wildcarding permissions — instead of picking out the fine-grained access that they require," said Shawn Smith, director of infrastructure at nVisium.
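To make that wildcarding concrete, an added example (not code from nVisium or from any product on this page): a small Go check that parses a simplified, AWS-style policy document and flags Allow statements whose action or resource is wildcarded, with a constructed wildcarded policy beside its fine-grained counterpart. The policy shape, the Sid value and the bucket path are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy is a simplified, AWS-style policy document constructed for this
// example; Action and Resource are always lists here to keep parsing short.
type Policy struct {
	Statement []struct {
		Sid      string
		Effect   string
		Action   []string
		Resource []string
	}
}

// WildcardFindings lists every Allow statement whose Action or Resource is
// wildcarded, which is what "wildcarding permissions" looks like on disk.
func WildcardFindings(doc string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var findings []string
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue // a Deny with a wildcard narrows access rather than widening it
		}
		for _, a := range st.Action {
			if strings.Contains(a, "*") {
				findings = append(findings, fmt.Sprintf("%s: wildcard action %q", st.Sid, a))
			}
		}
		for _, r := range st.Resource {
			if r == "*" {
				findings = append(findings, fmt.Sprintf("%s: applies to every resource", st.Sid))
			}
		}
	}
	return findings, nil
}

// Constructed samples: the wildcarded policy beside the fine-grained version that names only the actions and bucket path the app needs.
const WildcardedPolicy = `{"Statement":[{"Sid":"AppAccess","Effect":"Allow",
  "Action":["s3:*"],"Resource":["*"]}]}`
const ScopedPolicy = `{"Statement":[{"Sid":"AppAccess","Effect":"Allow",
  "Action":["s3:GetObject","s3:PutObject"],"Resource":["arn:aws:s3:::example-app-bucket/uploads/*"]}]}`
```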
The best prevention for credential stuffing is a mix of access management solutions and smart password and authentication management. The fewer opportunities threat actors have to enter the system in one easy attempt, the better protected the company is against a data breach.