Account takeover is a serious threat to us all. Cyber security experts have been raising the issue for years, warning us of the risk of our credentials being leaked, which could result in identity theft. There are now resources available for users to check if their details have been compromised, but we also know that by the time your username and password have been leaked, it’s likely that the cybercriminal community have had access to it for upwards of six months.

A lot of work goes into preventing breaches, but we always have to assume that a breach is possible. The question is, how can companies detect these breaches, identify the data involved and protect it before it gets leaked?

A huge amount of data is mined through dark web monitoring, and a range of free and commercial automated tools now offer this as a useful line of defence. The most common type is the scanner, which searches through lists of stolen data “dumped” online. This stolen data can be anything of value to a person or entity, which means there is potentially a great deal of data to search for.

About the author

Tom Gaffney is a Principal Consultant at F-Secure

Most obviously for consumers, this relates to user credentials from compromised accounts, but it could also include social security or National Insurance numbers, passport details or financial data. Probably the best known of the consumer tools available for people to see their exposure is Have I Been Pwned?, which allows individual users to check for their details. More recently, we have seen interesting developments in tools focusing not just on consumer data, but also on company-specific information ranging from standalone documents to intellectual property. This obviously has value to any organisation or enterprise concerned about its exposure to cyber attacks.

The challenge for all dark web monitoring tools is how to deal with scale, relevancy and speed of information. When it comes to scale, it’s hard to estimate how large the dark web is as a subset of the wider deep web, especially when you consider that the deep web is several hundred times larger than the standard internet we access every day. This means scanning tools need the capability to identify and focus on dark web locations. This is where relevancy and the speed of identifying data apply, because much of it is only dumped into dark web forums after criminals have had their use out of it. Multiple dumps of the same data are also often made across different forums and sources; in our experience, this is the case for 70% of the data we find.
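The scanning and deduplication step described above can be made concrete with a small triage routine. The following is an added example written for this article, not F-Secure’s tooling or any product’s code: it parses constructed `email:secret` dump lines from several constructed sources, normalises them, fingerprints each record with a hash so the secret itself is never stored or logged, collapses re-posts of the same record across sources, and flags the records that belong to domains an organisation monitors. The source names, dump lines and monitored domain are all made up for the illustration.

```python
"""Deduplicate and triage credential dump records across several sources.

Added example for illustration only; the dump lines, source names and
monitored domain below are constructed, not real leaked data.
"""
import hashlib

# Constructed sample: the same records re-posted on different "forums",
# with one case variation, one new record and one malformed line.
DUMP_SOURCES = {
    "forum-a": [
        "Alice@Example.com:Summer2019!",
        "bob@example.com:hunter2",
        "carol@other.org:pass123",
    ],
    "forum-b": [
        "alice@example.com:Summer2019!",   # duplicate of forum-a (case differs)
        "bob@example.com:hunter2",          # duplicate
        "dave@example.com:qwerty",          # genuinely new record
    ],
    "paste-c": [
        "carol@other.org:pass123",          # duplicate
        "garbage line without separator",   # malformed, skipped
    ],
}

# Constructed: the domain(s) the monitoring customer cares about.
MONITORED_DOMAINS = {"example.com"}


def parse_record(line):
    """Split 'email:secret' into a normalised (email, secret) pair, or None."""
    if ":" not in line:
        return None
    email, secret = line.split(":", 1)
    email = email.strip().lower()
    if "@" not in email or not secret:
        return None
    return email, secret


def fingerprint(email, secret):
    """Stable identifier for a record; only this hash is kept, never the secret."""
    return hashlib.sha256(f"{email}\0{secret}".encode()).hexdigest()[:16]


def triage(sources, monitored_domains):
    """Return {fingerprint: info} for unique records, with the sources each
    appeared in and whether the mailbox domain is one we monitor."""
    seen = {}
    for source, lines in sources.items():
        for line in lines:
            parsed = parse_record(line)
            if parsed is None:
                continue  # skip lines that do not look like credentials
            email, secret = parsed
            fp = fingerprint(email, secret)
            entry = seen.setdefault(fp, {
                "email": email,
                "sources": [],
                "relevant": email.rsplit("@", 1)[1] in monitored_domains,
            })
            if source not in entry["sources"]:
                entry["sources"].append(source)
    return seen


def summary(sources, monitored_domains):
    """Counts a practitioner would report: parsed vs unique records, the
    share that were duplicates, and the relevant mailboxes to act on."""
    parsed = sum(1 for lines in sources.values()
                 for line in lines if parse_record(line))
    unique = triage(sources, monitored_domains)
    relevant = sorted(e["email"] for e in unique.values() if e["relevant"])
    return {
        "parsed": parsed,
        "unique": len(unique),
        "duplicate_ratio": 1 - len(unique) / parsed,
        "relevant": relevant,
    }


if __name__ == "__main__":
    report = summary(DUMP_SOURCES, MONITORED_DOMAINS)
    print(f"{report['parsed']} records parsed, {report['unique']} unique "
          f"({report['duplicate_ratio']:.0%} duplicates)")
    for email in report["relevant"]:
        print("action required:", email)
```

Two design points matter in practice. Fingerprinting on a hash of the normalised record lets the pipeline recognise a re-post across forums without retaining the plaintext secret, and recording every source a record appeared in gives the analyst the “first seen” trail that determines how stale a dump is. On this constructed sample three of the seven parsed lines are duplicates, which is the same kind of ratio the article reports at larger scale.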

To address the need for speed, companies use more advanced processes and skilled cyber personnel, as more sophisticated techniques are required to find actionable breach data. One method is to become an active part of the dark web community. This doesn’t mean becoming a criminal or hacker, but in order to identify and stop them, we need to view things from the attacker’s perspective, identifying hacker groups and understanding how the process works. For example, a hacker may have the complex skills needed to expose company systems and access credentials, but then may be faced with an encrypted database of passwords. Unless they can decrypt that data, what they have is useless. So what do they do with that data? Sell it? Mine it? They don’t necessarily have all these skills so will turn to the dark web to find people offering decrypting and monetisation services.

Researchers – real humans – are part of this community through a network of pseudo-identities (sockpuppets), and analysts monitor hacker activity in locations known to specialise in stolen data. For security companies, this means going deep into the community to find the people, places and methods for identifying miscreants, so that we can engage with them before data is made available in an unencrypted form on the dark web. This reduces the detection part of the process to a few weeks instead of six months, which in turn increases the likelihood that data can be identified before it is usable. It means that companies affected by a hacker takeover can proactively manage end-user accounts and limit the risk of fraud or identity theft.

Account takeover continues to be a very real threat, but basic cybersecurity hygiene can help mitigate this in the first instance. The common denominator with any online account is that they all need a password to be accessed. Whilst the majority of people know they should be using strong, unique passwords and phrases for every account, it can be difficult to remember which credentials they need to be using. It’s why we, and all our industry colleagues, recommend using a password manager. Why make life more complicated when you don’t have to?