Credential Stuffing: Protection, Detection and Response are all Needed

Credential stuffing is a truly thorny security problem that exploits weaknesses in both human nature and Internet access controls. A credential stuffing attack is using user name/password combinations stolen from one website to try to gain access to other websites. It exploits the tendency of all of us to use the same passwords for multiple websites. Although this is a human weakness, it is also perfectly understandable; it is tedious and difficult to remember many complex passwords. It is also difficult to reliably protect password lists that are in any way accessible over the Internet. I see many articles about password management tools or cryptographic techniques that have been compromised while preparing the MSI Infosec Précis. Even MFA is not invulnerable. Attackers have come up with a number of different MFA bypass attacks lately, and more are certain to follow. Couple all this with the fact that there already are literally billions of user name/password pairs available for sale out there that have already been compromised, and you can see why credential stuffing is such a danger to the security of our private information. It is used constantly by attackers to gain the network foothold they need to launch further attacks such as Ransomware.

How are you supposed to protect yourself and your business from password stuffing attacks? The best solution is for everyone to use strong, unique passwords for each different online account they have. Good luck with that! Even the best of us get lazy or stupid once in a while. Or you can (and probably should) employ strong password managers and MFA. These are good techniques that are largely successful. But as I stated above, even these techniques are not sacrosanct. So, if you can’t stop credential stuffing attacks, you had better be able to detect them quickly and react appropriately.

One way to detect these attacks is through monitoring and analysis. As Scott Matteson, the man who coined the term “credential stuffing,” recommended in a 2019 interview: “Monitor your business metrics for signs that you may already be experiencing credential stuffing or other automation attacks, including poor or declining login success rates, high password reset rates, or low traffic-to-success conversion rates.” Plus: “Analyze the hourly pattern of traffic to your login and other attackable URLs for traffic spikes or volume outside of normal human operating hours for your markets: Real users sleep, automated attacks do not.”

In addition, there are tools and services available that can help you detect password stuffing attacks. As the MSI CEO, Brent Huston, discussed in his blog posted on November 11, MicroSolved’s data leakage detection engine ClawBack™ is one such tool that is useful in detecting stolen credentials that show up on pastebin sites or that have been leaked inadvertently through a variety of ways.

However, detection is not enough. You also need to be able to react quickly and surely when a leak has been detected. This means incorporating credential stuffing into your incident response (IR) plan. The incident response team as a whole should discuss response methods, incorporate them in the written IR plan and include them in their periodic IR training sessions. The combination of awareness of the credential stuffing problem, implementation of rational protection and detection mechanisms and documented response measures are a combination that can help your organization protect itself to best effect.