Hard Truths about Account Takeover & Strategies to Defend Your Enterprise
Presented by Chip Witt, Head of Product Strategy, SpyCloud
© Information Security Media Group · www.ismg.io

Posted on 12-Jul-2020

TRANSCRIPT

Page 1:

Hard Truths about Account Takeover & Strategies to Defend Your Enterprise

Presented by Chip Witt
Head of Product Strategy, SpyCloud

Page 2:

About Our Sponsor

SpyCloud is the leader in account takeover (ATO) prevention, protecting billions of consumer and employee accounts either directly or through product integrations. Our award-winning solutions proactively defeat fraud attempts and disrupt the criminals' ability to profit from stolen information.

To learn more or to check your company’s ATO exposure, visit https://spycloud.com/.

Page 3:

About Our Speaker

Chip Witt
Head of Product Strategy, SpyCloud

• Nearly 20 years of diverse technology experience, including product management and operations leadership

• Previous roles at Hewlett Packard Enterprise, Webroot, VMware, Alcatel, and Appthority

• Currently the Head of Product Strategy and manages the Customer Success Program at SpyCloud

• Works closely with field intelligence teams specializing in OSINT and HUMINT tradecraft, threat actor attribution and underground monitoring

Page 4:

Introducing: Joe

• Like many people, Joe has 200+ online accounts

• Joe has multiple personal email addresses

• To keep track of passwords, Joe iterates on a few favorites:
  – Evite password: Cupcake
  – Fantasy football password: Cupcake!5
  – LinkedIn password: Cupcake!
  – Work password: Cupcake!1

Page 5:

Introducing: Joe’s Family

• Like Joe, his wife Jane has 200+ accounts of her own

• Joe’s kids love gaming sites

• Jane and the kids also use variations of Joe’s favorite password (their dog’s name)

Page 6:

Introducing: Joe’s Employer

• Joe works for Acme

• Joe is a senior executive with access to financial accounts

• Joe works on projects associated with Acme’s extensive IP

• Like most users, Joe accesses cloud services like Dropbox in his daily work

• Sometimes those services are associated with his personal accounts

Page 7:

Introducing: Mary

• Mary runs security for Acme

• Mary has implemented a strict password policy:
  – Passwords must be at least 8 characters
  – Passwords must include letters, numbers, and symbols
  – Passwords must be changed every 90 days
  – Employees must use 2FA
  – Employees must use a password manager

Page 8:

Account Takeover (ATO)

Organizations don’t know when their employees or customers have been breached, can’t find their information on the underground, and do not have effective solutions to prevent account takeover.

Page 9:

Stolen Credentials = The Leading Attack Vector

Incident count by top action variety (bar chart; values as read from the slide, highest first):

  Hacking: Use of stolen creds       1,095
  Malware: Export data               1,031
  Malware: C2                          980
  Social: Phishing                     847
  Malware: Spyware/keylogger           841

Sources: Palo Alto’s 2017 report “Credential-Based Attacks”; Verizon 2019 Data Breach Investigations Report

Page 10:

Password Reuse

Account Takeover (ATO) is growing at an alarming rate:

• On average, people over 55 maintain 12 passwords, Millennials have 8, and Gen Z have 5

• 59% of people use the same password everywhere

• Since 2017, over 80% of hacking-related breaches have leveraged stolen and/or weak passwords

Page 11:

The Hidden Attack Surface

Work related accounts are only part of the problem! Personal accounts and family members are even more exposed.

[Infographic: “Employees” and “Family Members”, labelled “= 4” and “= 14+”; the figure itself did not survive extraction]

Page 12:

An Unfortunate Daily Occurrence

A customer calls the bank to complain (their funds have disappeared). The bank must now investigate…

The bank’s findings:

Step 1 – The customer had an account on Fantasy Football (as an example).
Step 2 – Fantasy Football was breached and credentials were stolen.
Step 3 – The customer’s Fantasy Football password was the same as their gmail password!
Step 4 – A criminal logs into the customer’s gmail account and resets the customer’s password at the bank.
Step 5 – The criminal steals the funds.

Page 13:

Fraud is Seemingly Unstoppable!

“ATO fraud occurs when a scammer impersonates a consumer to steal from an account. The tactic is on the rise following widespread data breaches exposing personally identifiable information, combined with weak customer authentication methods, and the rise of mobile devices used for payments and e-commerce.”

• 65% of fraud reported to FBI is BEC (business email compromise) fraud

• $8M in losses per day in USA alone

• $12.5B in losses in the last 5 years & only 3.29% recovered!

Page 14:

[Timeline figure, reconstructed from the slide’s labels. Axis: Day 0 → Day 2 → Day 3 → … → Day 500]

Credentials are High-Value Assets:
  1 Attacker – Criminal discovers vulnerability (Day 0)
  Team of Attackers – Team shares stolen credentials within their trusted network
  Friends of Attackers – Team of sophisticated criminals monetize the stolen info; ATOs begin!

Credentials are Commodities:
  Hundreds of Attackers – Credentials leak to the Deep & Dark Web
  Thousands of Attackers – Stolen credentials used in combo lists

Disrupt the Criminals’ Ability to Profit! Prevent ATO earlier than any other approach
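The timeline ends with stolen credentials replayed from combo lists, which is what the “Hacking: Use of stolen creds” bar on the earlier chart counts. The following is an added example, not part of the deck and not SpyCloud’s product: a small detection pass over a constructed authentication log that flags (1) one source trying many distinct usernames with a high failure rate inside a short window (credential stuffing from a combo list) and (2) a successful login from a source the account has never used (the Joe scenario, where a reused password simply works on the first try). The log lines, IP addresses, usernames, thresholds and the known-source map are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for this example (NOT from the deck):
# ISO timestamp, source IP, username, outcome. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real attackers.
SAMPLE_LOG = """\
2020-07-12T09:00:00Z 203.0.113.7 joe@acme.example FAIL
2020-07-12T09:00:01Z 203.0.113.7 jane@acme.example FAIL
2020-07-12T09:00:01Z 203.0.113.7 bob@acme.example FAIL
2020-07-12T09:00:02Z 203.0.113.7 alice@acme.example FAIL
2020-07-12T09:00:02Z 203.0.113.7 carol@acme.example FAIL
2020-07-12T09:00:03Z 203.0.113.7 dave@acme.example OK
2020-07-12T09:00:03Z 203.0.113.7 erin@acme.example FAIL
2020-07-12T09:00:04Z 203.0.113.7 frank@acme.example FAIL
2020-07-12T09:00:05Z 203.0.113.7 grace@acme.example FAIL
2020-07-12T09:00:05Z 203.0.113.7 heidi@acme.example FAIL
2020-07-12T09:05:00Z 198.51.100.23 joe@acme.example FAIL
2020-07-12T09:05:07Z 198.51.100.23 joe@acme.example FAIL
2020-07-12T09:05:15Z 198.51.100.23 joe@acme.example OK
2020-07-12T09:10:00Z 198.51.100.44 mallory@acme.example OK
"""

# Constructed "where has this user logged in from before" map (assumption).
KNOWN_SOURCES = {
    "joe@acme.example": {"192.0.2.10"},
    "dave@acme.example": {"192.0.2.11"},
    "mallory@acme.example": {"198.51.100.44"},
}

# Thresholds are illustrative; tune them to the real login rate of the service.
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_USERS = 8
MIN_FAIL_RATIO = 0.8


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS, min_fail_ratio=MIN_FAIL_RATIO):
    """Sliding window per source IP: many distinct usernames + mostly failures = combo-list replay.

    Returns one alert per offending IP describing the largest qualifying window,
    including which accounts the attacker got INTO (those are the ATOs to act on).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if best is None or len(win) > best["attempts"]:
                    best = {
                        "ip": ip,
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "compromised": sorted(e[2] for e in win if e[3]),
                    }
        if best:
            alerts.append(best)
    return alerts


def logins_from_unknown_sources(events, known_sources):
    """Successful logins from an IP the account has never used before (single-account ATO signal)."""
    return [(ip, user) for _, ip, user, ok in events if ok and ip not in known_sources.get(user, set())]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_stuffing(evs):
        print("credential stuffing:", alert)
    for ip, user in logins_from_unknown_sources(evs, KNOWN_SOURCES):
        print("login from new source:", user, "from", ip)
```

The first rule catches the combo-list replay (ten accounts tried from one address in five seconds, nine failures, one success); the second catches the quieter case where the attacker already has the right password and only tries one account. Both are cheap enough to run on the login service itself, and the `compromised` list is what the incident responder needs to force a reset on.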

Page 15:

How Long are Credentials High-Value Assets?

Breach          # Affected     Breach Date   Commodity Date   Delta
MyHeritage      90 Million     10/27/17      2/20/19          16 months
MyFitnessPal    150 Million    3/01/18       2/21/19          12 months
Disqus          6 Million      12/01/12      10/2018          71 months
Kickstarter     28 Million     2/15/14       7/2018           53 months
Neteller        3.5 Million    10/1/15       7/2018           33 months
Coachella       1 Million      5/19/17       11/2018          18 months

Average = 34 months!

Page 16:

Mary’s Argument #1: We Require Multi-factor Authentication

Multi-factor Authentication doesn’t stop all ATOs because:

Ⓧ Adoption is usually low

Ⓧ Criminals use phishing tools to steal access codes

Ⓧ Personally identifiable information (PII) is often exposed. Criminals use PII to guess account security questions!

Ⓧ Lock your mobile account!

Page 17:

Mary’s Argument #2: We Use Password Managers!

Password managers don’t stop all ATOs because:

Ⓧ Most employees don’t use password managers at home

Ⓧ Employees often use work applications using personal emails

Page 18:

Mary’s Argument #3: Password Rotation Helps

Password rotation doesn’t stop all ATOs because:

Ⓧ Users most often begin with a weak password

Ⓧ Users often change their passwords in predictable, guessable ways (e.g. mrsnuffles2 to mrsnuffles3)

Ⓧ Password rotation turns out to be a criminal’s best friend
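Joe’s Cupcake / Cupcake!5 / Cupcake!1 family (page 4) and the mrsnuffles2 → mrsnuffles3 rotation on this page are the same weakness: the new password shares a memorable core with an old one, so anyone holding the old one gets the new one in a handful of guesses. As an added example (not from the deck, not SpyCloud’s code), here is the check a password-change handler can run to reject a candidate that is a trivial mutation of a password already seen in a breach. The breached set, the leetspeak map and the edit-distance threshold are assumptions for illustration.

```python
import re
import unicodedata

# Constructed set of passwords already seen in breaches. Hypothetical, mirroring
# the deck's "Joe" (Cupcake) and the mrsnuffles rotation example; NOT real data.
BREACHED_PASSWORDS = {"Cupcake", "Cupcake!5", "mrsnuffles2", "Summer2019"}

# Common leetspeak substitutions attackers undo (and apply) when mutating a base word.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def core(password: str) -> str:
    """Reduce a password to the memorable core an attacker mutates around.

    Cupcake!5 -> cupcake, mrsnuffles3 -> mrsnuffles, P@ssw0rd123 -> password.
    Leading/trailing digits and symbols are stripped BEFORE de-leeting so that a
    counter suffix like '1' is not mistaken for the letter 'i'.
    """
    s = unicodedata.normalize("NFKC", password).casefold()
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)
    return s.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches Cupcake -> Cupcakes style one-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_weak_variant(candidate: str, breached=BREACHED_PASSWORDS, max_distance: int = 1) -> bool:
    """True if `candidate` is a trivial mutation of a known-breached password.

    Flags: identical core (Cupcake!1 vs Cupcake), incremented counters
    (mrsnuffles2 -> mrsnuffles3), one-edit tweaks, a breached core embedded in
    the new password (MyCupcake2020), and candidates with no alphabetic core.
    """
    c = core(candidate)
    if not c:
        return True  # only digits/symbols left: nothing for an attacker to guess
    for old in breached:
        o = core(old)
        if not o:
            continue
        if c == o or levenshtein(c, o) <= max_distance:
            return True
        if len(o) >= 5 and o in c:
            return True
    return False


if __name__ == "__main__":
    for pw in ["Cupcake!1", "mrsnuffles3", "Summer2020", "MyCupcake2020",
               "correct horse battery staple"]:
        print(f"{pw!r:34} weak variant: {is_weak_variant(pw)}")
```

In production the `breached` set would be the user’s own password history plus whatever breach data the organisation has access to, compared on cores rather than raw strings; the point is that a policy of “8 characters, mixed classes, rotate every 90 days” is satisfied by every one of Joe’s variants, and only a comparison against what is already known to be stolen catches them.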

Page 19:

Mary’s Argument #4: Our Corporate Policy Mitigates Risk

Corporate policies don’t stop all ATOs because:

Ⓧ The majority of employees admit to not following corporate policies

Ⓧ Threat actors target corporate accounts using reused personal account passwords

Ⓧ Cyber crime tactics evolve faster than corporate policies can be established

Page 20:

Recommendations

✓ Use Multi-Factor Authentication everywhere!

✓ Use a personal VPN to work over public Wi-Fi.

✓ Use a password manager for ALL your logins (not just for work)!

✓ Stop rotating passwords every 90 days.

✓ Monitor your credentials and PII – both work and personal!

✓ Don’t trust any email, links, text, picture, attachment, etc.
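For “Monitor your credentials” a practitioner will ask how to test a password against a breach corpus without handing the password itself to a third party. Added example (not from the deck and not SpyCloud’s API): hash-prefix k-anonymity, the scheme the public Pwned Passwords range endpoint uses, with both sides shown. The server groups breached SHA-1 hashes by their first five hex characters; the client sends only that prefix (20 bits of a 160-bit hash) and matches the remaining 35 characters locally, so the server learns a bucket of hundreds of hashes, never which one was being checked. The breach corpus and its counts are constructed; the online lookup function is included for reference, but only the offline stand-in runs here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Constructed breach corpus for this example (password -> times seen in breaches).
# It stands in for a real breach dataset and is NOT real data.
CORPUS: Dict[str, int] = {"Cupcake": 3, "Cupcake!5": 1, "mrsnuffles2": 2, "password": 1000}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range protocol exchanges."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Server side: bucket breached hashes by their first 5 hex chars (16**5 buckets).

    Each bucket holds 'SUFFIX:COUNT' lines, i.e. the remaining 35 hex chars and
    how often that password appeared in breaches.
    """
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CORPUS)


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call: the body a range endpoint would return for `prefix`."""
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def online_range_lookup(prefix: str) -> str:
    """Real call against the public Pwned Passwords range endpoint (same response shape).

    Not used by the offline demo; shown so the substitution is obvious.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "ato-exposure-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def query_prefix(password: str) -> str:
    """The only thing that leaves the client."""
    return sha1_hex(password)[:5]


def breach_count(password: str, lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Client side: fetch the bucket for the prefix, match the suffix locally.

    Returns how many times the password appeared in the corpus (0 = not found).
    """
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["Cupcake", "Cupcake!1", "mrsnuffles2", "correct horse battery staple"]:
        print(f"{pw!r:34} prefix sent: {query_prefix(pw)}  seen in breaches: {breach_count(pw)}")
```

Two caveats worth keeping in mind: a zero result only means the password is not in *this* corpus, not that it is safe (Cupcake!1 is not in the constructed corpus, yet it is one guess away from Cupcake), and the same prefix trick does not protect usernames or email addresses, which is why the deck’s “monitor your PII” recommendation needs a different, consented channel to the monitoring provider.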

Page 21:

Check Your Own Corporate Exposure

spycloud.com