Censys: The World of Attack Surface Management
In 2017, 51 different organisations collectively reported 2.3 billion enterprise credential spills. In order to better understand this criminal enterprise, Shape Security have released a Credential Spill Report detailing the way in which criminals stole, weaponised, and resold credentials.
The state of enterprise credential spills
Today, username-password combinations are incredibly valuable to cybercriminals. In fact, more criminals are now harvesting credentials from data breaches in order to test them on "every website and mobile app imaginable."
A small subset of those credentials then unlock accounts as consumers tend to reuse passwords. However, this subsequently allows criminals to "drain those accounts of value to commit all manner of fraud."
The longer it takes for a company to discover a credential spill, the more time criminals have to carry out attacks. Indeed, it took enterprises an average of 15 months to discover and report a credential spill in 2017.
Why is this criminal enterprise so difficult to conquer?
First of all, the report notes that "there is no owner of the problem" at an organisational level. Despite this, credential stuffing attacks place a burden on IT, security, fraud, and customer service department in different ways.
IT have to support excess traffic, while fraud analysts review hundreds of additional cases of account takeover. As the report notes, however, "when something is everybody’s problem, it’s no one’s problem."
At an industry level, the concept of passwords often distracts companies from tackling the problem. Many people propose augmenting or replacing passwords with a different authentication system in order to overcome credential stuffing.
Nevertheless, companies with high competition are reportedly reluctant to introduce additional friction into their experience. Indeed, multi-factor authentication solutions could risk losing out on potential revenue.
Moreover, attackers are already able bypass 2FA by performing credential stuffing attacks against wireless providers. Cybercriminals are also able to defeat biometrics like fingerprints, as demonstrated when Apple unveiled the iPhone 5s.
What is the solution?
The first obstacle is manageable, according to the report. Indeed, once something becomes an expensive enough problem, a CEO, Board, or customers will demand a solution.
However, augmenting or replacing passwords with another form of authentication will not tackle the second obstacle. This is essentially a distraction because the challenge is not "picking the right piece(s) of information to use to determine that a user is who they say they are."
In fact, the challenge is using hundreds or other signals to ascertain exactly who is using that information. Nonetheless, it "may be impossible for any one company to collect enough information about its users to make the right call every single time."
If every company shared their data on users and attackers, this would create a realistic, composite view of the user. A collective defence is therefore absolutely vital when it comes to addressing enterprise credential spills.
Check out the Top 10 Data Futurists to Discover in 2019