Outsmarting Account Thieves

I created a PowerPoint graphic recently showing the grim faces of several senior executives whose organizations had just experienced serious breaches. It’s an uncomfortable chart to take in, because these disgraced leaders represent all walks of government and industry. From the retail CFO, to the OPM administrator, to the banking CEO, each of these executives exemplifies the intense personal pain that data and account breaches can cause.

Normally, when I show this chart to audiences, someone will inevitably raise their hand and ask why such cyber breaches happen so often, and why – when they do happen – it takes so darn long for anyone on the security team to notice. Such a seemingly simple question, it turns out, is not so simple to answer, especially in the context of the timeline that occurs when a competent threat actor engages in an activity known as an account takeover or ATO.

Let me explain: One of the most basic data primitives in cyber security is the so-called account. Generally represented in IAM infrastructure as a tuple of information, such as name, email, and password, an account serves as the basis for identification, authentication, authorization, and access management decisions on a given system. Get these decisions right, and you will have a secure environment; but get them wrong, and you will have a total mess.

This past week, I spent some time with the executive team from SpyCloud, an Austin-based start-up formed on the idea that good guys can outsmart the threat actors peddling stolen account information on the dark web. Normally, I might scoff at such an ambitious goal, but I’m glad I took the time to listen, because the SpyCloud team has developed something that is not only creative and useful, but that could evolve into part of the global cyber security fabric.

Here’s the idea: The ATO timeline starts with a vulnerability being discovered that exposes accounts. If the vulnerability is exploited, then a bad actor has access to the precious account information. Whether you call this Day One, Day Two, or something similar, the idea is that this occurs at the earliest front-end in the timeline - and this is long before any real detection occurs, typically multiple hundreds of days later. Think of the break-in and theft collectively as Step 1.

What happens next involves a fork of two parallel paths – neither good: First, the threat actors will begin to carefully and methodically test the stolen account information. This can proceed in a variety of different ways – and the SpyCloud team helped me understand several test case methods. The criminal goal, obviously, is to sanitize the stolen goods to optimize market value. (I hate when bad guys exhibit sensible business behavior. Sigh.)

The account test process can take days, weeks, or even months, but the end-game involves sale of the ATO goods to buyers, usually on the dark web. “ATO detection in our industry comes mostly from observers noticing stolen accounts for sale by criminals,” explained Ted Ross, co-founder of SpyCloud. “Obviously, such detection is important, but by the time victims are notified, too much time has passed and the damage is already done.”

It is within the second fork in the parallel ATO paths where you will find SpyCloud’s innovation. Specifically, while test activity proceeds for the stolen goods, threat actors will begin to share information with other individuals. Such sharing is highly predictable, but is based on trust between threat actors and their ecosystem friends. “Sharing of stolen account information during ATO is a reliable step, and it occurs early in the timeline,” explained Ross.

The experienced SpyCloud team members focus their efforts on infiltrating the complex ecosystem in which account takeovers occur. This activity by SpyCloud experts involves using deceptive practices on the dark web and across other closed communities to create trusted relationships with account thieves. It is essentially undercover work, performed with one goal: To gain early access to stolen accounts.

I asked the SpyCloud executives whether this targeted deception required any special techniques or expertise. “Our team of researchers does have experience with social engineering and interaction in these closed communities,” Ross said. “The common term for this human intelligence work is HUMINT, which we combine with advanced technology to gain access to leaked and stolen account information.”

The result of this early collection is a comprehensive database of stolen accounts. For this database to be usable, the SpyCloud team goes through a sanitization process that includes parsing file formats, normalizing collected fields, de-duplicating records against the billions of previously collected entries, validating authenticity – especially for passwords, and enriching the information collected with useful metadata.

The database can be used in batch or real-time mode to validate on-line activity for SpyCloud customers across an API. One common use-case involves enterprise teams comparing a batch of customer domain-information across the SpyCloud API to receive a list of relevant compromised accounts. The team showed me the dashboard interface for such queries and it was slick. Tools are available for sizable customers to interpret results for large batches.

Ross offered the following: “Our objective is to provide a means for any enterprise dealing with customers through on-line accounts to check whether their accounts have been compromised. Since we obtain the stolen information early in the process, we can often prevent problems before the ATO artifacts have been sold on the dark web. In this way, our solution is not only reactive, but also preventive.”

One aspect of the solution that is especially powerful involves cross-domain validation of credentials. For instance, if an enterprise submits name@domain.org to SpyCloud for analysis in conjunction with some e-commerce application, then information might be returned that name@domain.org was associated with a previous account takeover on a completely different on-line service. If a common password is used, then preventive action can be taken.

The SpyCloud team offers several additional services. One involves an attractive personal watch-list capability for teams that want to ensure that their key personnel are not associated with account takeovers outside the workplace. Another involves forensics-based technology support for customers experiencing an ATO-related threat. SpyCloud also provides solutions that focus on protecting Windows accounts in an enterprise Active Directory.

Some alternate resources do exist in this area, including Troy Hunt’s well-known ‘Have I Been Pwned?” website, which offers comparable, free account validation services to interested companies and individuals. Hunt’s website is awesome, but in the end, most companies will want to deal with a professional vendor offering a robust platform, tailored business services, and a team of support staff to deal with the inevitable emergency.

If you’ve not previously considered the use of an ATO risk reduction solution in your enterprise with your customer accounts, then I strongly recommend that you reach out to Ted Ross and his team at SpyCloud. Request the demo and ask them to check out your own credentials. My prediction is that this type of account validation will become not only routine for on-line services, but will eventually be viewed as an essential component of our global security fabric.

Let us know your thoughts, as well as what you learn after examining the SpyCloud offer.