10 ways to prepare for credential leak incidents

Rick Holland | 30 June 2016

From LinkedIn to MySpace, threat actors like Peace of Mind and Tessa88 have been selling credentials in various criminal dark web locations.  Most recently we have seen thedarkoverlord offer up five different healthcare databases in the Real Deal marketplace (see figures 1 and 2). The proliferation of these dumps containing personally identifiable information, including credentials, is astounding.

Figure 1

darkoverlord 1 

 

Figure 2

darkoverlord 3 

Organizations must prepare for the eventuality that either your employees’ passwords will be stolen or your customers’ passwords will be stolen. Responding to these scenarios must be built into your threat modeling and tabletop exercises. To help prepare for these types of incidents, we recommend the following ten steps:

  1. Establish a policy for which external services are allowed to be associated to corporate email accounts.
  2. Implement an enterprise password management solution - not only for secure storage and sharing but also strong password creation and diversity.
  3. Understand and monitor approved external services for password policies and formats to understand the risks and lowest common denominators.
  4. Proactively monitor for credential dumps relevant to your organization’s accounts. Consider additional monitoring for your high value target’s (e.g.: executives) non-enterprise accounts. 
  5. Internally (or with the help of an external service) evaluate credential dumps to determine if the dumps are new or have been previously leaked.
  6. Implement multi-factor authentication for external facing corporate services like: Microsoft Outlook Web Access, and Secure Sockets Layer Virtual Private Networks as well as for software as a service offerings like Google Applications, Office365, and Salesforce.
  7. Understand and document any internal services that aren't federated for faster and more complete incident response to any breach that impacts an organizational account.
  8. Ensure that you have an emergency password reset process in place. Make sure that all of the users’ accounts are included, not just Microsoft Active Directory accounts. 
  9. If you have any user behavior analytics capabilities, import compromised identity information and look for any suspicious activity (e.g.: accessing resources that have not been accessed in the past.)
  10. Update security awareness training to include the risks associated with password reuse. Encourage staff to use consumer password management tools like 1Password or LastPass to also manage personal account credentials.