How to tell if your organization’s credentials have been involved in a breach
Stolen credentials are the easiest route into your organization for a hacker. Verizon’s 2023 Data Breach Investigations Report found that threat actors used stolen credentials in 49% of attempts to gain unauthorized access to organizations. The problem IT teams face is knowing when credentials have been stolen or leaked in a breach – otherwise you’re waiting to respond to a security incident rather than handling the risk proactively. We’ll run through three different tools you can use to stay on top of the risk of leaked credentials and respond quickly if your organization becomes involved in a breach.
Scan your Active Directory for compromised passwords
If we consider your organization to be a house, then some cybersecurity tools might be high-end ‘nice-to-have’ alarm systems. Your Active Directory, on the other hand, can be thought of as the front door. Securing the passwords in your Active Directory is fundamental, as these are the credentials end users use several times a day to log into your corporate systems. Having a password policy that allows weak passwords is asking for trouble; organizations should be enforcing the creation of strong passwords – ideally long passphrases.
But even strong passwords can become compromised through phishing, data breaches, or password reuse. An end user might be unwittingly using a ‘strong’ password that’s already been compromised – and in that case, the password might as well be ‘12345’ or ‘password.’ This is where a tool that can scan your Active Directory for known compromised passwords is an invaluable proactive measure. For example, a tool like Specops Password Policy continuously scans your Active Directory against a database of over 4 billion unique compromised passwords. The scan runs daily, so breached passwords are detected continuously, not only when a password is changed or reset.
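To make the screening concrete, here is an added Python example (not Specops’ code) of how a compromised-password check can work: password hashes are compared against a breach corpus by hash prefix, so the full hash never leaves the organization, and a daily sweep flags every account whose current hash matches. The breach set and the directory export are constructed, and SHA-1 is used for simplicity (Active Directory stores NT hashes, which real tools compare instead).

```python
import hashlib

# Constructed sample data: a tiny breached-password set standing in for a
# vendor's multi-billion-entry database. None of these are real breach records.
BREACHED_PLAINTEXTS = {"password": 9_000_000, "Summer2023!": 1_200, "Tr0ub4dor&3": 45}


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex (the usual breach-list form)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(breached: dict) -> dict:
    """Group hashes by their 5-hex-char prefix -> {35-char suffix: seen_count}.
    This mirrors a k-anonymity range lookup: the client sends only the prefix,
    so neither the full hash nor the password is disclosed to the lookup service."""
    ranges: dict = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], {})[h[5:]] = count
    return ranges


RANGES = build_ranges(BREACHED_PLAINTEXTS)


def range_lookup(prefix: str) -> dict:
    """Stand-in for querying a breach database by hash prefix (fully offline here)."""
    return RANGES.get(prefix, {})


def breach_count_for_hash(sha1_hash: str) -> int:
    """How often a password with this SHA-1 appeared in breaches (0 = never seen)."""
    sha1_hash = sha1_hash.upper()
    return range_lookup(sha1_hash[:5]).get(sha1_hash[5:], 0)


def audit_accounts(account_hashes: dict) -> dict:
    """Daily sweep: given {username: sha1_hex_of_current_password}, return the
    accounts whose password is known-compromised and how often it was seen.
    Input is hashes, not plaintexts, as a directory export would provide."""
    return {user: n for user, h in account_hashes.items()
            if (n := breach_count_for_hash(h)) > 0}


if __name__ == "__main__":
    # Constructed directory export: 'bob' chose a complex-looking password that
    # nevertheless appears in breach data, so it is flagged; 'carol' is clean.
    export = {"alice": sha1_hex("password"), "bob": sha1_hex("Tr0ub4dor&3"),
              "carol": sha1_hex("correct horse battery staple unicorn 42")}
    for user, seen in audit_accounts(export).items():
        print(f"{user}: password seen {seen} times in breaches; force a reset")
```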
Health-check your Active Directory today
Interested to know whether your end users are using breached passwords? Specops Software offers a free tool that runs a read-only scan of your Active Directory and gives you a report detailing any password-related vulnerabilities it finds. It checks against 1 billion compromised passwords rather than the full Specops database, but it’s completely free to use. Download Specops Password Auditor here.
Use Threat Intelligence to search the dark web for leaked credentials
It’s common for cybercriminals to sell breached data for a profit. Leaked credentials are in particularly high demand as they can be used for initial access and the opportunity to launch further attacks, such as deploying ransomware. So how can you tell if your organization is having its credentials touted for sale on underground forums?
It’s possible for analysts to search the dark web manually, although this isn’t ideal. It’s a time-consuming process that requires continuous monitoring of various underground forums, markets, and sites, along with staying up to date with new sources. This effort diverts resources away from analysis and threat mitigation. It also exposes analysts to risks such as malware and other malicious attacks, and there is a risk of revealing their identities to threat actors. Manual investigations can require extensive infrastructure support, including virtual machines, proxies, VPNs, and other security tooling, which adds cost and complexity.
A threat intelligence solution can simplify the monitoring of the dark web for mentions of your organization by automating the surveillance process. This ensures comprehensive coverage and real-time detection of potential threats, allowing security teams to respond promptly to risks. It also optimizes resource utilization by freeing analysts from the labor-intensive task of manual monitoring, enabling them to focus on in-depth threat analysis and mitigation strategies. Additionally, the solution provides a secure and anonymous environment for analysts, reducing the risks associated with manual investigations.
Are your users’ credentials up for sale?
Is your organization being discussed on the dark web? You can’t know unless you look. Outpost24’s Threat Compass can assist in identifying any compromised employee credentials following a recent breach you might be concerned about. You can continuously track dark web communication for mentions of your organization, searching underground forums for intelligence, including hacktivist ops, data leaks, malware attack vectors and illegal marketplaces. And vitally, each Threat Compass module is backed up by Outpost24’s world-class in-house analyst team.
Setting up the credentials module only takes a few minutes, and the results are constantly refreshed and kept up to date. As shown in the screenshot below, adding a domain or employee email address to configure the module is simple. You can then narrow the search to matches tied to ongoing attacks. Reach out if you’d like a live demo of Outpost24’s Threat Compass.
Proactively monitor your domains with EASM
External attack surface management (EASM) solutions can map all of your organization’s publicly facing digital assets (both known and unknown) and then analyze them for risk. Some EASM solutions, like Outpost24’s Sweepatic, integrate threat intelligence data into their platforms to help with monitoring for leaked credentials. This can help you find out whether users of any of your domains have had their credentials leaked, telling you if any passwords matching user email addresses or usernames have been found online.
EASM can also help with the proactive discovery of issues that may lead to credentials being leaked in the future. One example is staying on top of expiring domains. Domain names don’t last forever and even the biggest, best-known organizations are essentially renting theirs. Sometimes entirely new domain names are needed, like when an organization changes name after a re-brand or merger, or ceases to exist entirely after a bankruptcy or closure.
The issue is these names don’t cease to exist – they go back on the market, where anyone can buy them. A recent case in Belgium saw an ethical hacker purchase 107 expired domains related to government organizations. From there, he was able to find hundreds of connected email accounts and reset their credentials. This is a good example of a credential leak that would be hard to catch at the time but could have been easily prevented by tracking and remediating expiring domains.
Map your attack surface today
Leaked credentials are just one area EASM can help with. An EASM solution offers continuous discovery, analysis, and monitoring of everything connected to your company’s online exposure, including domains, websites, hosts, services, technologies, SSL certificates, and more. If you’d like to see firsthand what EASM can do, book a free analysis of your attack surface here.
Need help searching for leaked credentials?
All the tools discussed in this article help to make up Outpost24’s Exposure Management Platform, and they can all play a role in keeping you aware of whether your end users’ credentials have been leaked online. If you’d like to know how any of these solutions could fit in with your organization, get in touch to speak to an expert.