A credential stuffing attack is a trial-and-error cyberattack in which cybercriminals use credentials gathered from a data breach and attempt to leverage them to log into other services belonging to a different organization. As opposed to credential cracking, attacks involving credential stuffing don’t try to guess usernames or passwords. Instead, they bank on the fact that many users will recycle login details across different services — so that leaked credentials from, for instance, an airline could also allow an attacker to gain access to an ecommerce platform or even a banking service.
Most users are too smart and aware of the risks to reuse credentials quite this liberally. However, like phishing emails, the scale with which these attacks can be carried out is enough to offset the relatively low success rate. Former Google Product Manager for Trust and Safety Shuman Ghosemajumder has estimated the success of credential stuffing attacks as having a 2% login success rate. That means that, with a set of 1 million passwords stolen in a cyberattack, credential stuffing would make it possible to take over 20,000 accounts.
Fortunately, whether it’s Multi-Factor Authentication (MFA) or Zero Trust Network Access (ZTNA), the tools are there to help protect against these attacks.
Attacks Are on the Rise
Credential stuffing attacks are on the rise. One recent report noted a 45% increase in credential stuffing attacks year-on-year. With credentials worth a premium, and more of our lives (and, in particular, spending) carried out online, the potential gain to a cyber attacker from a successful attack has never been higher. There are reportedly in the vicinity of 15 billion user credentials that are currently available for sale in various hacker forums online.
Attacks are also getting smarter. Russian cyber espionage groups like Fancy Bear, a.k.a. APT28, Pawn Storm, Sednit, Sofacy Group, Strontium, Sednit, and Tsar Team, have been waging more sophisticated attacks involving the use of ill-gotten credentials to perform credential stuffing attacks at scale. This makes it considerably easier for them to potentially breach accounts in order to access sensitive data, carry out attacks involving privilege escalation, and more.
The involvement of groups like Fancy Bear, whose capabilities are consistent with those of nation state actors, highlights that credential stuffing attacks are no longer the sole province of small one or two-person teams of hackers looking to create mischief.
Protecting Against Credential Stuffing
There are multiple actions that users and organizations should take to protect against credential stuffing attacks. The first and most obvious is, of course, to avoid recycling passwords and login details. If users were to use fresh login credentials on every website and service they used, the threat of credential stuffing attacks would be nil. Although cyber attackers could still attempt to guess login details, different logins for each different service would protect users.
The problem with this, of course, is that choosing different login details can mean having to memorize dozens of different passwords. If you have to change these passwords on a semi-regular basis to maintain security (as best practices would suggest is a good idea), this number expands even further. Password managers are available, but these are not as widespread in their use as they could be.
A smart option is to use added security measures, such as Multi-Factor Authentication (MFA), which demands multiple forms of authentication, thereby compounding the challenge of breaking into an account. (Think of it like having multiple types of locks on a door that a lockpick would have to break.)
One of the best approaches you can take involves Zero Trust Network Access (ZTNA). Also referred to as software-defined perimeter (SDP), ZTNA protects network security by focusing on denying access to users; not assuming that everyone who manages to access a particular resource has a right to be there. ZTNA focuses on identifying users, protecting systems, detecting anomalies through continuous monitoring, and then responding to threats when they occur through containment and mitigation measures.
It means that it’s not only harder to gain access to a system through an approach like credential stuffing but, once inside, it’s much harder for an attacker to move laterally through a system. (To return to the lockpicking analogy, imagine this like having locks not only on your front door, but every door inside your home as well.)
ZTNA is a core part of SASE (pronounced “sassy”), a next-generation network architecture that stands for Secure Access Service Edge. Combining ZTNA with cloud-native architecture, firewall as a service (FWaaS), global SD-WAN architecture, secure web gateway (SWG), and more, SASE is the modern approach all organizations should adopt in order to protect themselves.
It’s one of the biggest revolutions in network security for many, many years — and one that anyone who cares about cyber security should care deeply about the use of. Unless you’re a credential-stuffing cyber attacker yourself, that is…
Follow Techdee for more!