5 steps to mitigate risk of credential exposure

Every year, billions of credentials appear online, be it on the dark web, clear web, paste sites, or in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and data theft. 

While CISOs are aware of growing identity threats and have multiple tools in their arsenal to help reduce the potential risk, the reality is that existing methodologies have proven largely ineffective. According to the 2022 Verizon Data Breach Investigations Report, over 60% of breaches involve compromised credentials. 

Attackers use techniques such as social engineering, brute force, and purchasing leaked credentials on the dark web to compromise legitimate identities and gain unauthorized access to victim organizations’ systems and resources. 

Adversaries also exploit the fact that passwords are often shared among users, which makes it easier to breach multiple accounts in the same organization. Some employees reuse passwords outright; others follow the same pattern in their passwords across different websites. Using cracking techniques and dictionary attacks built around such a pattern, an adversary can recover the permutations of a password even when only its hash has leaked. The core challenge for the organization is that an attacker needs only a single password match to break in.

To effectively mitigate their exposure, given current threat intelligence, organizations need to focus on what is exploitable from the adversary’s perspective. 

Here are five steps organizations should take to mitigate credentials exposure:

Gather Leaked Credentials Data

To start addressing the problem, security teams need to collect data on credentials that have been leaked externally in various places, from the open web to the dark web. This can give them an initial indication of the risk to their organization, as well as the individual credentials that need to be updated.

Analyze the Data

From there, security teams need to identify the credentials that could actually lead to security exposures. An attacker would take the username and password combinations (either cleartext or hashed), then try to use them to access services or systems. Security teams should use similar techniques to assess their risks. This includes:

  • Checking if the credentials allow access to the organization’s externally exposed assets, such as web services and databases
  • Attempting to crack captured password hashes
  • Validating matches between leaked credential data and the organization’s identity management tools, such as Active Directory
  • Manipulating the raw data to increase the number of identities that can be matched. For example, users commonly follow the same password patterns. Even if the leaked credentials do not allow access to external-facing assets or match Active Directory entries, it may be possible to find additional matches by testing variations.

Mitigate Credential Exposures

After validating the leaked credentials to identify actual exposures, organizations can take targeted action to mitigate the risk of an attacker doing the same. For instance, they could erase inactive leaked accounts in Active Directory or initiate password changes for active users. 
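The analysis and mitigation steps described above, as an added example that is not part of the original post or of Pentera's product: a Python audit that parses a constructed leaked-credential dump, scopes it to the organization's own domain, checks each leaked value (and common pattern variants of it) against a constructed directory export, and assigns a remediation action per account. The dump, the directory, the account names, the domain example.com and the salted-SHA-256 stand-in for the directory's password verifier are all assumptions; leaked entries that are themselves hashes are flagged for rotation rather than cracked, and disabled accounts found in the leak are flagged for removal.

```python
import hashlib
import re
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumption: the organization's own e-mail domain

# Constructed sample of a leaked-credential dump. Real dumps vary in format;
# this one is "identifier:secret", where the secret is either cleartext or a
# hex hash (the hash shown is a constructed value, not taken from any breach).
LEAK_DUMP = """\
alice@example.com:Summer2022!
bob@example.com:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
carol@example.com:Welcome1
dave@example.com:P@ssw0rd
legacy.svc@example.com:Password1
erin@partner.net:Summer2022!
"""

def _hash(salt: str, password: str) -> str:
    # Stand-in for whatever verifier your directory export provides; salted
    # SHA-256 keeps the example self-contained and offline.
    return hashlib.sha256((salt + password).encode()).hexdigest()

def _record(salt: str, password: str, enabled: bool = True) -> dict:
    return {"salt": salt, "hash": _hash(salt, password), "enabled": enabled}

# Constructed directory export: account name -> current credential record.
DIRECTORY = {
    "alice": _record("s1", "Summer2023!"),  # leaked value with the year bumped
    "bob": _record("s2", "correct horse battery"),
    "carol": _record("s3", "Welcome1"),  # identical to the leaked value
    "dave": _record("s4", "Tr0ub4dor&3"),
    "frank": _record("s5", "not-in-any-leak"),
    "legacy.svc": _record("s6", "Password1", enabled=False),  # disabled account
}

# MD5/SHA-1/SHA-256-sized hex strings are treated as hashes, not cleartext.
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
TRAILING_NUMBER = re.compile(r"^(.*?)(\d{1,4})(\W*)$")

@dataclass(frozen=True)
class Finding:
    account: str
    kind: str  # exact | variant | hash_only | inactive
    action: str

def parse_leak(dump: str, domain: str = ORG_DOMAIN):
    """Yield (account, secret, is_hash) for dump lines that belong to our domain."""
    for line in dump.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        ident, secret = line.split(":", 1)
        local, _, ident_domain = ident.lower().rpartition("@")
        if ident_domain != domain:
            continue  # out of scope: another organization's user
        yield local, secret, bool(HEX_HASH.match(secret))

def variants(password: str) -> set[str]:
    """Pattern-reuse forms worth testing besides the exact leaked value:
    case changes and a trailing number (often a year) shifted by a small step."""
    forms = {password, password.lower(), password.upper(), password.capitalize()}
    for base in list(forms):
        m = TRAILING_NUMBER.match(base)
        if not m:
            continue
        stem, num, tail = m.groups()
        for delta in (-1, 1, 2):
            n = int(num) + delta
            if n >= 0:
                forms.add(f"{stem}{n:0{len(num)}d}{tail}")
    return forms

def audit(dump: str, directory: dict) -> list[Finding]:
    """Turn leaked entries into concrete findings, each with a remediation action."""
    findings = []
    for account, secret, is_hash in parse_leak(dump):
        rec = directory.get(account)
        if rec is None:
            continue  # identity no longer exists in the directory
        if not rec["enabled"]:
            findings.append(Finding(account, "inactive", "remove stale account"))
        elif is_hash:
            # A leaked hash cannot be compared with our salted record without
            # cracking it; the identity is exposed regardless, so rotate it.
            findings.append(Finding(account, "hash_only", "force password reset"))
        elif _hash(rec["salt"], secret) == rec["hash"]:
            findings.append(Finding(account, "exact", "force password reset"))
        elif any(_hash(rec["salt"], v) == rec["hash"] for v in variants(secret) - {secret}):
            findings.append(Finding(account, "variant", "force password reset"))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per kind; a large exact/variant share argues for a password-policy change."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

if __name__ == "__main__":
    results = audit(LEAK_DUMP, DIRECTORY)
    for f in results:
        print(f"{f.account:12} {f.kind:10} -> {f.action}")
    print(summarize(results))
```

Run as a script, the audit reports four of the six leaked lines as findings: erin is outside the organization's domain and is ignored, dave's current password matches neither the leaked value nor its variants, carol is an exact match, alice is a year-bumped variant, bob's entry is an uncrackable hash and is rotated on principle, and the disabled legacy.svc account is queued for removal. The per-kind summary is the input to the next step: many exact or variant matches point at the password policy rather than at individual users.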

Reevaluate Security Processes

After direct mitigation, security teams should evaluate whether their current processes are safe and make improvements where possible. For instance, if they are dealing with many matched leaked credentials, they may recommend changing the entire password policy across the organization. Similarly, if inactive users are found in Active Directory, it may be beneficial to revisit the employee offboarding process.

Repeat Automatically

Attackers are continuously adopting new techniques. Attack surfaces change, with new identities being added and removed on a routine basis. Similarly, humans will always be prone to accidental mistakes. As a result, a one-time effort to find, validate, and mitigate credential exposures is not enough. To achieve sustainable security in a highly dynamic threat landscape, organizations must continuously repeat this process.  

However, resource-constrained security teams cannot afford to manually perform all these steps on a sufficient cadence. The only way to effectively manage the threat is to automate the validation process.

Pentera offers one way for organizations to automatically emulate attackers’ techniques, attempting to exploit leaked credentials both externally and inside the network. To close the validation loop, Pentera provides insights into full attack paths, along with actionable remediation steps that allow organizations to efficiently maximize their identity strength.

To find out how Pentera can help you reduce your organization’s risk of inadvertent credential exposure, contact us today to request a demo.

Written by: Eli Domoshnitsky