10 ways to prepare for credential leak incidents

Rick Holland
June 30, 2016 | 2 Min Read

From LinkedIn to MySpace, threat actors like Peace of Mind and Tessa88 have been selling credentials in various criminal dark web locations. Most recently we have seen thedarkoverlord offer up five different healthcare databases in the Real Deal marketplace. The proliferation of these dumps containing personally identifiable information, including credentials, is astounding.

Organizations must prepare for the eventuality that their employees’ or their customers’ passwords will be stolen. Responding to these scenarios must be built into your threat modeling and tabletop exercises. To help prepare for these types of incidents, we recommend the following ten steps:

  1. Establish a policy for which external services are allowed to be associated with corporate email accounts.
  2. Implement an enterprise password management solution – not only for secure storage and sharing, but also for strong password creation and diversity.
  3. Understand and monitor the password policies and formats of approved external services, so you know the risks and the lowest common denominator among them.
  4. Proactively monitor for credential dumps relevant to your organization’s accounts. Consider additional monitoring for your high-value targets’ (e.g. executives’) non-enterprise accounts.
  5. Internally (or with the help of an external service) evaluate credential dumps to determine whether the dumps are new or have been previously leaked.
  6. Implement multi-factor authentication for external-facing corporate services such as Microsoft Outlook Web Access and Secure Sockets Layer Virtual Private Networks, as well as for software-as-a-service offerings like Google Applications, Office365, and Salesforce.
  7. Understand and document any internal services that aren’t federated, so that incident response to any breach affecting an organizational account is faster and more complete.
  8. Ensure that you have an emergency password reset process in place. Make sure that all of the users’ accounts are included, not just Microsoft Active Directory accounts.
  9. If you have any user behavior analytics capabilities, import compromised identity information and look for any suspicious activity (e.g. access to resources that the account has not accessed in the past).
  10. Update security awareness training to include the risks associated with password reuse. Encourage staff to use consumer password management tools like 1Password or LastPass to also manage personal account credentials.
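Steps 4 and 5 are where a dump first meets your incident process: filter it down to your own domains, then decide which pairs are genuinely new and which you have already reset. The triage script below is an added example written for this post, not Digital Shadows tooling; the dump lines, the `example.com` domain and the "previously seen" set are constructed sample data, and only hashes of the pairs are retained so the seen-store is not itself a credential dump.

```python
"""Triage a credential dump against an organization's domains and a store
of previously handled leaks.  Example code for this post; all inputs are
constructed sample data, not a real dump."""
import hashlib
from collections import Counter

# Constructed sample in the common "email:password" dump format.
SAMPLE_DUMP = """\
alice@example.com:Summer2016!
bob@example.com:hunter2
carol@partner.example.net:Welcome1
alice@example.com:Summer2016!
dave@example.com:P@ssw0rd
"""

ORG_DOMAINS = {"example.com"}  # assumption: the organization's mail domains

def fingerprint(email: str, password: str) -> str:
    """Hash the pair so the 'already seen' store never holds cleartext."""
    return hashlib.sha256(f"{email.lower()}:{password}".encode()).hexdigest()

# Constructed: pairs already handled (and reset) from an earlier leak.
PREVIOUSLY_SEEN = {fingerprint("bob@example.com", "hunter2")}

def parse_dump(text: str):
    """Yield (email, password) from 'email:password' lines.  Passwords may
    contain ':' themselves, so split only on the first one; skip junk lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email:
            continue
        yield email.strip().lower(), password

def triage(text: str, org_domains=ORG_DOMAINS, seen=PREVIOUSLY_SEEN) -> dict:
    """Split the dump into org accounts that are new, org accounts already
    known (previously leaked and handled), and a count of other domains."""
    new, known, other = set(), set(), Counter()
    for email, password in parse_dump(text):
        domain = email.rsplit("@", 1)[1]
        if domain not in org_domains:
            other[domain] += 1
            continue
        fp = fingerprint(email, password)
        (known if fp in seen else new).add(email)
    return {"new": sorted(new), "known": sorted(known), "other_domains": dict(other)}

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

The `new` accounts are the ones that need the emergency reset from step 8; the `known` ones only need confirmation that the earlier reset actually happened.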
