Automatically Triage Compromised Credentials and Protect your Account
Category: Analytics and SIEM, Data Enrichment and Threat Intelligence
Cyware Products Used:
Respond
Orchestrate
Collaborate
Third-Party Integrations:
Recorded Future: To automatically identify and alert security teams about leaked credentials from over 1 million unique sources including paste sites, GitHub, and the dark web.
Active Directory: To retrieve user information and supervisor information using compromised credentials.
Problem Statement
Leaked or stolen credentials are the most common attack vector companies face and they pose a critical risk to organizations. Once an attacker gets access to stolen user credentials, they sell the credentials in the cybercrime underground or use them to compromise an organization’s network. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, domain impersonation, etc.
Solution
It is important to detect, retrieve and respond to alerts on compromised credentials in real-time to prevent unauthorized access to your systems and potential data breach.
The solution is to use the real-time and in-depth intelligence received on compromised credentials to automatically investigate and respond to them by triggering necessary actions.
How do we solve this problem?
Retrieve Stolen Credential Alerts: The playbook starts by retrieving the credential theft alerts from Recorded Future on a regular time interval. You can also use a preferred tool to receive credential theft alerts.
Format Alerts: The playbook identifies important alert details such as the compromised email, password, malicious site address, domain name, domain owner details, source IP address, location, and more.
Verify with CMDB: The compromised credentials are sent to Active Directory to verify if the compromised user's email address is still active. The playbook also verifies if the compromised password matches your organization’s password policy.
If the compromised email address is still active, then the playbook sends a request to Active Directory to reset the credentials. Additionally, the playbook also creates an incident in Respond and initiates response actions.
If the compromised email address is not active, then the playbook creates an incident in Respond and updates the details. After updating the details, the incident is closed with learnings.
Create Respond Incident: The playbook creates an incident in Respond and updates the details of the compromised credential alert. Analysts can take the incident for manual investigation. The playbook also initiates the following actions.
Notify the User: The playbook sends an email to the user about credential compromise and credential reset. The user can set a new password.
Notify the Supervisor: The playbook also notifies the user’s supervisor about the password reset and password policy.
Benefits
Respond Effectively to Account Takeover Attacks
The solution combines advanced threat intelligence automation and enrichment of high-fidelity threat intelligence data to enable analysts to respond effectively to targeted account takeover attacks.
Real-time Intelligence
The solution can proactively detect and respond to credential compromise attacks by automatically collecting, aggregating, and analyzing data from an unrivaled range of sources.
Going Beyond Incident Investigation
The playbook not only just helps the organization respond to specific credential theft threats but also helps capture the learnings from the incidents to put in place long-term strategic controls. This helps organizations to defend against any such future attempts by using the unique capabilities of the fusion center.
Reduced MTTD and MTTR
The solution helps organizations to reduce both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) by validating and remediating credential theft alerts within minutes.