OK, so you used ClawBack™ or some other tool and found leaked credentials linked to one of your employees on the web. Now, what do you do?
First, don’t panic. Leaked credentials happen all of the time. On average, it was discovered that employee email credentials from 10% of all Fortune 500 companies have been leaked in some form of data breach. (blog.finjan.com) Another report published recently suggests that the web currently hosts leaked credentials of employees for 97% of the top 1,000 global companies – many stemming from third-party data breaches. (blog.finjan.com)
Once you come to terms with your find, it’s time to get down to business researching the issue. The first step is to determine what kind of data you have identified. Usually, leaked credentials come with a user ID like an email, system login name, or the like. Presumably, this is how you found the credentials in the first place. Next, determine if you have a password and/or hash for that user that was contained in the leak. If you found only a list of emails or names, there is not much actionable intelligence there, beyond maybe letting those users know that they are at increased risk for phishing and reminding them to be vigilant.
If, however, you have a password or hash tied to one of your user names in the leak, a few more steps are involved. If you have a password, the first step is to determine if that password meets whatever password policies you have defined across the organization. This is a key leverage point for identifying potential leaks – many, if not most, leaked passwords come from third-party systems and websites that are compromised by attackers but are only used by the firm’s employees. It’s pervasive for industry sites, or shopping sites to be linked to your employee’s identity – it could be as simple as your employee signed up for the site with their work email, and that site got breached. If that is the case, then as long as your employee doesn’t use that password at work (or similar passwords: eg: Summer12 and Summer13, etc.) there is little risk to the firm. If the password would not meet your password policy for your domain, webmail, and other applications, then this is likely the case. If that happens, simply contact the employee, advise them of the leaked credential, and make sure that they understand to change their passwords anywhere they used that password in their online life.
But, what if the password could be one of your domain or webmail accounts? If the password would meet your policies, then immediately force a password change on all systems for that user. If possible, you should also terminate any open sessions and force the user to change their credentials. While a determined attacker may exploit this process to reset the password themselves if they have the ability, it prevents any non-resourced attackers from exploiting the credentials. The worst case is that an employee loses a current session and has to reset their passwords to continue working.
However, don’t stop there – contact the user and advise them of the leaked credential. Ask them if it was used on any work-related systems or applications, and if so, immediately begin an investigation on those systems looking for signs of illicit access. This should be performed using intensive log reviews and should go back to the date of the user’s previous password change whenever possible. Do not depend on the leak date, if shown, as the boundary for the incident. Attackers may have had knowledge and access prior to making the leak public. Often, attackers use compromised accounts for some time, getting what they want from the victim, and then release the stolen credentials to other attackers via a sale, or to the public, in the hopes that the additional attacker traffic will hide the original compromise.
Lastly, if you only have a hash of a potential password, I would still follow the process above. Most hashes can be broken given enough resources. Thus, it is erring on the side of caution to follow the above process, and accept the hash as a credential that could be in use in your environment.
Got other workarounds for leaked credentials? I’d love to hear them. Drop me a line on Twitter, and let me know (@lbhuston). I’ll share any insights in future posts.
If you’d like to learn more about ClawBack – check out our solution for hunting down leaked credentials, source code, and configuration data. Get in touch with us for a discussion, or check out the videos on our website for a walkthrough.