May 21, 2024
Note: This blog is taken from our recently published Exposed Credentials Solutions Guide, which includes a complete list of our mitigation strategies and free resources to begin monitoring for exposed credentials.
Preventing an account takeover (ATO) or data breach through compromised credentials has never been a small or easy job. Unfortunately for security teams, these sorts of breaches have been on the rise as the number of available exposed credentials and the ease of access to them increase.
Earlier in 2020, the Photon research team at Digital Shadows (now ReliaQuest) uncovered that account takeover has never been easier (or cheaper) for cybercriminals, with brute-force cracking tools and account checkers available on criminal marketplaces for an average of $4. In addition to these cracking and credential stuffing tools, it was found that more than 15 billion credentials are in circulation, up 300 percent since 2018 and coming from 100,000-plus discrete breaches.
In this blog, we’ll jump into the four essential steps to mitigate account takeover through exposed credentials and outline the ways in which threat intelligence can be applied to proactively prevent a breach in your organization.
Get our free research report on ATO prevention best practices, Exposure to Takeover here.
The first step is to identify employee credentials exposed on the open, deep, and dark web (ideally on a continual basis). Newly compromised credentials offer the best chance at access to valid employee accounts, so they fetch the highest prices on cybercriminal forums. Often upon exposure, these credentials are immediately shared or posted for high prices to criminal forums, dark web marketplaces, Telegram channels, or IRC channels. Later on, these credentials are repackaged and shared more widely across more public forums and paste sites.
Organizations that can detect their employees’ credentials within these breaches as early as possible stand the best chance of preventing access to valid employee accounts.
You can subscribe for free to a credential monitoring service, such as HaveIBeenPwned, to monitor for leaked credentials of your employees. It alerts you to breaches that include your organization’s email domain. Although HaveIBeenPwned doesn’t provide you with passwords, it’s a great place to start identifying which accounts are potentially compromised.
You can also sign up for a Test Drive of Search Light (now ReliaQuest GreyMatter Digital Risk Protection) to search for recently exposed credentials across paste sites and criminal forums.
Some organizations make it their policy to automatically reset user accounts, even if no password has been exposed or it’s still unknown whether the credentials provide valid system access. This approach can quickly snowball, creating unnecessary friction for users and ultimately leading to password fatigue.
Instead, work efficiently by prioritizing validation of breached credentials that contain both an email AND a password, which makes it easier to determine if they can provide genuine access.
Credential validation can be a winding, time-consuming process. There is no way to identify the age of credentials from the credential itself, and many “new” data leaks include credentials from previous leaks, sometimes from a long time ago. Oftentimes, data leaks include partial credentials or credentials that do not even match the standard username and password format of your organization. With a focus on validity, you can reduce the time spent investigating invalid credential pairs and focus on the important matters.
You can read more about Digital Shadows’ (now ReliaQuest) own credential validation methods here.
There are three possible pathways after a pair has been validated:
Once a credential pair has been validated to provide system access, the speed of alerting the user to reset their password becomes key. And not all accounts are equal: C-Level and accounting personnel should be addressed with higher priority. A staggering 33,000 of the exposed credentials are for accounting inboxes; these credentials seemingly move faster on the cybercriminal market for the sensitive financial data they provide access to.
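The triage described in the validation step and the priority rule above can be sketched as follows; this is an added example, not code from the original post or from ReliaQuest. The domain, username format, minimum password length, priority account names, and the dump lines are all constructed assumptions.

```python
import hashlib
import re

# Assumptions for this sketch (not from the article): org domain, username
# format, minimum password length, and which accounts are high priority.
ORG_DOMAIN = "example.com"
USERNAME_RE = re.compile(r"^[a-z]+(\.[a-z]+)?$")   # first.last or a shared inbox
MIN_PASSWORD_LEN = 12       # assumes the policy is enforced on every account
PRIORITY_ACCOUNTS = {"accounting", "finance", "ceo", "cfo"}

# Constructed sample dump in email:password form.
SAMPLE_DUMP = [
    "alice.smith@example.com:Winter2020!Blue",
    "accounting@example.com:Q4-ledger-access!",
    "bob.jones@example.com",                     # partial: no password
    "carol.white@example.com:abc123",            # shorter than the policy allows
    "x_gamer99@example.com:LongEnoughPassw0rd",  # not the org username format
    "dave.brown@other.org:SomethingLong123!",    # not our domain
    "alice.smith@example.com:Winter2020!Blue",   # same pair seen again
]

def fingerprint(email, password):
    """Hash the pair so earlier leaks are remembered without storing plaintext."""
    return hashlib.sha256(f"{email}\x00{password}".encode()).hexdigest()

def triage(lines, seen):
    """Return (queue, skipped): emails worth validating, priority first."""
    queue, skipped = [], {}
    for raw in lines:
        email, sep, password = raw.strip().partition(":")
        email = email.lower()
        local, _, domain = email.partition("@")
        if domain != ORG_DOMAIN:
            reason = "other_domain"
        elif not sep or not password:
            reason = "partial"
        elif len(password) < MIN_PASSWORD_LEN:
            reason = "fails_policy"
        elif not USERNAME_RE.match(local):
            reason = "bad_username"
        elif fingerprint(email, password) in seen:
            reason = "repackaged"
        else:
            seen.add(fingerprint(email, password))
            queue.append((0 if local in PRIORITY_ACCOUNTS else 1, email))
            continue
        skipped[reason] = skipped.get(reason, 0) + 1
    return [email for _, email in sorted(queue)], skipped
```

Persisting the `seen` set between runs is what lets a later "new" leak that only repackages old pairs fall straight into the `repackaged` bucket.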
Once the initial fire has been put out and the affected credentials have been reset, there is a chance to step back and apply a second coating of security to the situation.
First, the user may still be at risk if they are reusing passwords across multiple other accounts. According to Google, more than 50% of people are suspected to reuse passwords, meaning the exposed credential could still provide access to other corporate systems, cloud services, or other third parties. Educate the user on responsible password usage and verify that the exposed password was not used for any other purpose.
Second, use data to tailor their training. Some security teams will prevent users from using passwords that are the most commonly used. Check out NordPass’ list of the most common passwords of 2020 for further information.
Lastly, combat password fatigue by applying technical solutions at your organization. The average person uses some 191 services that require them to enter passwords or other credentials. That’s a lot to keep on top of, and it presents a huge problem if compromise occurs, particularly if a person uses the same credentials across multiple services. You can consider technologies such as single sign-on (SSO) and hardware tokens or use multi-factor authentication to strengthen access control for sensitive systems.
For more mitigation strategies, download our Exposed Credentials Solutions Guide.