Credential Crisis: A Growing Concern
Credentials are the backbone of modern cybersecurity, but they are also attackers' primary target. Credential compromise, the theft or exposure of credentials, can lead to a breach: with valid credentials, attackers bypass perimeter controls and evade detection because they authenticate as a legitimate user rather than exploit a vulnerability.
Ran Geva, CEO and co-founder at Webz.io, explains that compromise does not necessarily mean the credentials have already been used, but rather that they are no longer exclusively controlled by the legitimate user.
Types of Credentials
Credentials can be categorized into two major groups: those of human identities and those of non-human identities. Human identity credentials include passwords, passkeys, biometrics, software and hardware tokens, and more. Non-human identity credentials include API keys, SSH keys, X.509 certificates, service accounts, session tokens, and other cryptographic keys.
Session tokens deserve particular attention: a company may have 3,000 employees but 300,000 active tokens, and infostealers scrape those tokens from endpoints alongside passwords.
Consequences of Credential Compromise
According to Erin Meyers, identity expert at Huntress, the defining trait of credential compromise is that the attacker isn't breaking in the traditional way; they're logging in or reusing an already-authenticated session, inheriting the legitimate user's permissions, and making malicious activity blend into normal access patterns.
From the system's perspective, agrees Ariel Parnes, co-founder and COO at Mitiga, the resulting activity appears authorized, making detection uniquely challenging.
Dan Schiappa, president of technology and services at Arctic Wolf, adds that credential compromise is one of, if not the most useful and widespread, tactics of threat actors, since it can be carried out with minimal technical skill to gain easy access to target environments.
Causes of Credential Compromise
The primary cause of credential compromise is the long-standing agility gap: the lag between threat actors adopting new techniques and defenders adapting their controls to the new threat.
Phishing remains the primary attack against individual credentials, and AI now lets attackers produce convincing deepfakes with realistic backstories, which makes such attacks harder to detect and prevent.
Torsten George, CMO at ID Dataweb, comments that social engineering exploits human weaknesses, and attackers don't need to use technology to steal credentials.
Detecting Credential Compromise
Knowing when credentials have been compromised is crucial, but compromise is often hard to detect. Renee Burton, VP of threat intel at Infoblox, suggests using public breach notification services, such as Have I Been Pwned, to check if an email address has appeared in known data breaches.
However, Reinhard Hochrieser, SVP of product and technology at Jumio, warns that finding out if credentials have been stolen is nearly impossible, especially for biometrics.
Ariel Parnes suggests using dedicated breach intelligence databases, including public repositories and Dark Web Monitoring services, to detect compromised credentials.
Prevention and Mitigation
Preventing and detecting credential compromise requires multiple approaches, including breach dataset monitoring, dark web and marketplace monitoring, infostealer log intelligence, closed-forum scraping, and Telegram channel monitoring.
Ran Geva notes that detection requires constant monitoring, which is why he launched lunarcyber.com, a free service that monitors for signs of compromise.
Stuart Sharp, VP of product at One Identity, adds that phishing-resistant MFA methods, like WebAuthn and Passkeys, can greatly reduce the risk of unauthorized access.
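What makes WebAuthn and passkeys phishing-resistant is not the cryptography alone but the binding the browser enforces: it writes the page origin into clientDataJSON and the authenticator hashes the relying party ID into the authenticator data, so an assertion collected on a look-alike domain cannot be replayed against the real site. The example below is added here to show the relying-party checks that enforce that binding; it is not code from SecurityWeek or from One Identity. It assumes the standard layout of clientDataJSON (type, challenge, origin) and of authenticator data (32-byte rpIdHash, 1-byte flags, 4-byte counter), and the make_assertion helper is a constructed stand-in for what a browser and authenticator would produce; the signature itself is deliberately not modelled and is assumed to be verified with the stored public key after these checks pass.

```python
"""Relying-party origin and RP ID checks on a WebAuthn assertion.

A phishing page at https://example.com.evil.test can ask the browser for an
assertion, but the browser will record that page's origin in clientDataJSON and
will only let it use an RP ID matching its own domain, so both checks fail.
"""
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: str, expected_origin: str,
                             rp_id: str) -> tuple[bool, str]:
    """Return (ok, reason). Every check here happens before any signature verification."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is single-use and server-issued: a captured assertion replays with a stale one.
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or cross-session use)"
    # The browser, not the page, fills in the origin: a phishing site cannot forge the real one.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    # The authenticator hashes the RP ID it was given; it must be our domain, not the attacker's.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP: user presence
        return False, "user presence flag not set"
    return True, "ok"


def signed_payload(authenticator_data: bytes, client_data_b64: str) -> bytes:
    """What the authenticator actually signs: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(b64url_decode(client_data_b64)).digest()


def make_assertion(origin: str, rp_id: str, challenge: str,
                   ceremony: str = "webauthn.get") -> tuple[str, bytes]:
    """Constructed stand-in for browser + authenticator output (no signature, counter 0)."""
    client_data = json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    return b64url_encode(client_data), auth_data


if __name__ == "__main__":
    challenge = "c29tZS1zZXJ2ZXItY2hhbGxlbmdl"  # would be random and single-use in practice
    genuine = make_assertion("https://example.com", "example.com", challenge)
    phished = make_assertion("https://example.com.evil.test", "example.com.evil.test", challenge)
    for label, (cd, ad) in (("genuine", genuine), ("phished", phished)):
        print(label, verify_assertion_binding(cd, ad, challenge, "https://example.com", "example.com"))
```

Contrast this with a TOTP code or an SMS one-time code, which carries no notion of where it was typed: a proxy phishing kit can relay it to the real site in real time, whereas the assertion above fails the origin and rpIdHash checks and is useless to the attacker.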
Roy Katmor, CEO at Orchid Security, notes that MFA is highly effective against simple password replay, but it's less effective against session theft, token replay, and MFA fatigue/push bombing.
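The two gaps named above, session or token replay and push bombing, are exactly the cases where, as described earlier in this piece, the attacker logs in rather than breaks in, so they have to be caught in authentication telemetry rather than at the perimeter. The example below is added here to show what that detection logic looks like over a handful of log lines; it is not code from SecurityWeek or from any vendor quoted in the article. The JSON event format, field names, and every log line are constructed for this example (addresses are from the RFC 5737 documentation ranges); the thresholds are assumptions a team would tune to its own environment.

```python
"""Detections for two cases MFA does not cover.

1. Session replay: one session ID used from a different (IP, user agent) pair
   than the one that established it, the signature of a stolen cookie or token.
2. Push bombing: many MFA push prompts to one user in a short window, flagged
   more urgently if an approval follows the burst.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (one JSON event per line). Alice's session S1 is later
# replayed from a scripted client; Bob receives six pushes in four minutes and
# then approves one; Carol is an ordinary single-prompt login.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice","event":"login.success","session":"S1","ip":"203.0.113.10","ua":"Chrome/124 Windows"}
{"ts":"2024-05-01T09:05:00Z","user":"alice","event":"session.use","session":"S1","ip":"203.0.113.10","ua":"Chrome/124 Windows"}
{"ts":"2024-05-01T09:40:00Z","user":"alice","event":"session.use","session":"S1","ip":"198.51.100.7","ua":"python-requests/2.31"}
{"ts":"2024-05-01T10:00:00Z","user":"carol","event":"mfa.push.sent","ip":"203.0.113.20"}
{"ts":"2024-05-01T10:00:20Z","user":"carol","event":"mfa.push.approved","ip":"203.0.113.20"}
{"ts":"2024-05-01T22:01:00Z","user":"bob","event":"mfa.push.sent","ip":"198.51.100.9"}
{"ts":"2024-05-01T22:01:40Z","user":"bob","event":"mfa.push.sent","ip":"198.51.100.9"}
{"ts":"2024-05-01T22:02:20Z","user":"bob","event":"mfa.push.sent","ip":"198.51.100.9"}
{"ts":"2024-05-01T22:03:00Z","user":"bob","event":"mfa.push.sent","ip":"198.51.100.9"}
{"ts":"2024-05-01T22:03:40Z","user":"bob","event":"mfa.push.sent","ip":"198.51.100.9"}
{"ts":"2024-05-01T22:04:20Z","user":"bob","event":"mfa.push.sent","ip":"198.51.100.9"}
{"ts":"2024-05-01T22:04:50Z","user":"bob","event":"mfa.push.approved","ip":"198.51.100.9"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a tz-aware datetime in 'ts', sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events: list) -> list:
    """Flag any session ID that appears from a (ip, ua) pair other than the one that created it."""
    origin_fp = {}  # session id -> (ip, ua) that established it
    alerts = []
    for e in events:
        if e["event"] not in ("login.success", "session.use"):
            continue
        fp = (e["ip"], e["ua"])
        sid = e["session"]
        if sid not in origin_fp:
            origin_fp[sid] = fp
        elif origin_fp[sid] != fp:
            alerts.append({"user": e["user"], "session": sid, "ts": e["ts"],
                           "expected": origin_fp[sid], "observed": fp})
    return alerts


def detect_push_bombing(events: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> list:
    """Flag users with >= threshold push prompts inside any sliding window of the given length."""
    sent = defaultdict(list)
    approved = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push.sent":
            sent[e["user"]].append(e["ts"])
        elif e["event"] == "mfa.push.approved":
            approved[e["user"]].append(e["ts"])
    alerts = []
    for user, times in sent.items():
        best, best_span, start = 0, None, 0
        for end, t in enumerate(times):  # two-pointer sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (times[start], t)
        if best >= threshold:
            first, last = best_span
            # An approval during or shortly after the burst is the fatigue success case.
            approved_after = any(first <= a <= last + window for a in approved[user])
            alerts.append({"user": user, "prompts": best, "first": first, "last": last,
                           "approved_after_burst": approved_after})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_session_replay(evs):
        print("session replay:", a)
    for a in detect_push_bombing(evs):
        print("push bombing:", a)
```

The replay rule is intentionally strict (any fingerprint change); in production you would usually tolerate a user-agent version bump or a roaming IP within the same network and alert on the combination of a new ASN plus a non-browser user agent, as in Alice's third event. The push-bombing rule is the server-side complement to number matching, which removes the one-tap approval the attack relies on.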
Torsten George comments that the human will always be the weakest link in the cyber attack chain, and that's what many attackers exploit.
In conclusion, the credential crisis is a growing concern that requires constant vigilance and multiple approaches to prevent and mitigate. It's essential to monitor for compromised credentials and to use phishing-resistant MFA methods to reduce the risk of unauthorized access.
Source: SecurityWeek