Corporate brands are generally thought of as intangible objects that carry the company’s image and reputation. However, your brand is very tangible in the eyes of attackers and can absolutely be targeted and damaged with cyber threats. To prevent such damage, companies can engage in “brand monitoring”. More specifically, this means searching for typosquatting and compromised credentials. While different in intent and practice, both tactics rely on human behaviors to achieve their goals. Such attacks are difficult to detect because the damage can occur outside of a company’s domain, and difficult to prevent because they involve a change in habit rather than corporate policy. In the second part of this series we’ll explain how adversaries can expose credentials, why it matters, and what courses of action a company can take to effectively protect their brand.
A major concern for companies is exposure of corporate account credentials such as user IDs and passwords. We all know people tend to use the same password across multiple sites, and users often register for non-business sites using corporate email addresses. Adversaries will hack into third-party sites and steal all possible credentials, later posting or selling them on the Dark Web. This means breaches outside of a company’s network are of great concern, and highly relevant to that company’s own network.
Almost daily we read about another major site losing millions of user credentials. While many of these breaches become front-page news, and the target often issues notices to affected users, many more credentials are stolen without anyone’s knowledge. These credentials often get posted and sold on Dark Web sites. Our own research, UK FTSE 100: Targeted Brand Attacks and Mass Credential Exposure, found that each company had an average of 50 user credentials listed on Dark Web sites.
What to do about compromised credentials
There are a few courses of action that organizations can (and should) take to protect against abuse of compromised credentials.
The first step in responding to a leak of credentials is to reset passwords for all affected accounts. Depending on the type of company, it may wish to force a reset not just for employees but for customers, partners and contractors as well. Companies should also require stronger passwords, which in this case doesn’t mean a mildly infuriating number of special characters but rather a separate password for private and corporate accounts.
Next is to require Multi-Factor Authentication (MFA). MFA is highly recommended for email accounts, which are considered to be the “single point of failure”. This is because the password reset for any other account is sent to the individual’s email, which means that a malicious actor with access to that email can access almost any account. It is also highly beneficial for companies to enforce a password audit at set intervals, thus cutting off access to any potentially compromised employee accounts.
Anomali specifically monitors the Dark Web for sharing of user IDs and passwords, and collects credentials through automated processes. These collected credentials are available to customers through a feed within the Anomali Threat Intelligence Platform. Similar to scanning for malicious domains, the platform can also be configured to alert customers when their domain is found within lists of credentials on the Dark Web.
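As an added illustration of the domain-matching step described above (example code written for this page, not Anomali’s platform or feed format), the following script takes a credential list of the kind a monitoring feed surfaces and produces the reset list from the previous section. The dump lines, the accounts and the corporate domain `example.com` are constructed; the matching is label-wise so that lookalike domains such as `notexample.com` or `example.com.evil-site.net` do not trigger a false alert, and leaked secrets are never retained.

```python
import re
from collections import defaultdict

# Constructed sample of the kind of combo-list lines a monitoring feed
# surfaces (fake accounts and passwords; "example.com" is the
# hypothetical corporate domain being monitored).
SAMPLE_DUMP = """\
alice@example.com:Summer2019!
Bob.Smith@EXAMPLE.COM;hunter2
carol@mail.example.com:pa55word
dave@example.com.evil-site.net:notours
erin@notexample.com:lookalike
alice@example.com:Summer2019!
malformed line without an address
frank@example.com
"""

# local part, domain, optional ':' or ';' separated secret
EMAIL_RE = re.compile(
    r"^([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[:;]\s*(.*))?$")

def domain_matches(domain, corporate_domain):
    """True if domain is the corporate domain or one of its subdomains.
    Label-wise comparison: 'mail.example.com' matches, while
    'notexample.com' and 'example.com.evil-site.net' do not."""
    d = domain.lower().rstrip(".")
    c = corporate_domain.lower().rstrip(".")
    return d == c or d.endswith("." + c)

def find_exposed_accounts(dump_text, corporate_domain):
    """Map normalized address -> {"hits": n, "secret_present": bool} for
    every parsable line belonging to the monitored domain. The secret is
    deliberately dropped: the reset list only needs to know an account
    was exposed, not what the leaked password was."""
    exposed = defaultdict(lambda: {"hits": 0, "secret_present": False})
    for raw in dump_text.splitlines():
        m = EMAIL_RE.match(raw.strip())
        if not m:
            continue  # not a parsable credential line
        local, domain, secret = m.groups()
        if not domain_matches(domain, corporate_domain):
            continue
        key = f"{local.lower()}@{domain.lower()}"
        exposed[key]["hits"] += 1
        if secret:
            exposed[key]["secret_present"] = True
    return dict(exposed)

def reset_list(dump_text, corporate_domain):
    """Sorted account list to hand to the identity team for forced resets."""
    return sorted(find_exposed_accounts(dump_text, corporate_domain))
```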
Malicious actors inflict damage to a company’s reputation by exposing credentials and stealing data. This tactic relies on predictable human behaviors, and is best mitigated through education, research, and tighter regulations. A Threat Intelligence Platform can simplify the process, and ultimately protect employees, customers, and brands.