
Log In Through the Front Door: Automating Defense Against Credential Leaks

BSidesSF · 2025 · 30:55 · 89 views · Published 2025-10
Speaker: Barath Subramaniam
Style: Talk
About this talk
Barath Subramaniam

Imagine a cybercriminal accessing your network with credentials bought on the dark web; they walk in unnoticed. Attackers aren't breaking in, they're logging in. With 80% of attacks involving stolen credentials, discover how Automated Credential Threat Monitoring (ACT) keeps you ahead of threats.

https://bsidessf2025.sched.com/event/d16ef130dc3d49708d2bac2763738c9c
Transcript [en]

It is my pleasure to introduce Barath Subramaniam. Take it away.

Good afternoon everyone. Thanks for joining the session. Today my topic is Log In Through the Front Door: Automating Defense Against Credential Leaks. I am Barath Subramaniam. I work at Adobe as a senior product security engineer. Just a quick disclaimer before the session: most of the topics are for informational purposes only.

Moving on, let's take a moment to reflect on this statement, which says attackers aren't breaking in, they're logging in. This isn't a metaphor, but the actual reality of the modern cyber attacks which are happening. How many of you agree with this statement? Can you please show a raise of hands? Thanks. And how many of you think attackers are still using the old ways of exploiting vulnerabilities and launching zero-day attacks? Can you please show a raise of hands? Yeah. Honestly, both are equally happening. But what's alarming is the steady rise of this very simple, yet sophisticated, method of attackers using valid credentials to get into the system. They are just logging in like your normal employees. No alerts, just access, and the worst part is most of the time it always looks normal. The comic on the right says it all: credentials are the golden key for modern breaches.

So how big is the problem? Let's look at some industry reports. Starting on the left, we have the Google Mandiant M-Trends 2024 report, which talks about initial infection vectors, and stolen credentials seem to be number four on their list. If you look at the recent 2025 Data Breach Investigations Report published by Verizon, it indicates use of stolen credentials to be in the third spot, which is one out of every three breaches. And the latest CrowdStrike 2025 Global Threat Report points out that valid account abuse accounts for 35% of cloud incidents.

Before going further into the talk, I want to really clarify what I mean by credentials here. For this talk I want to focus on email address or username and password combinations. Obviously it's a very common term, and there are other credentials like API keys and application secrets which are equally sensitive, but for this talk I want to focus on just the credentials which we commonly use to log into the system. These pose the highest immediate risk for individuals and organizations even today; nation-state actors and criminal threat actors rely on these leaked credentials to facilitate a lot of modern attacks.

I want to touch briefly on three case studies, starting with the Colonial Pipeline ransomware breach. Let's look at what happened in the breach. Attackers used a single leaked VPN password which did not have MFA. They took the leaked credentials from a previous breach, then gained access and conducted a massive ransomware attack. The impact was fuel shortages and disruption. The lessons: have MFA enabled by default for all accounts, regularly audit and deactivate your old accounts, and implement an active dark web credential monitoring system, because this credential was found in a previous breach.

Let's look at the second case study, which is the Uber breach. The Uber breach is a bit interesting; it has a human behavior aspect to it. There was a contractor involved, the credentials were stolen from the dark web, and the attackers bombarded the contractor with multiple MFA requests, frustrating him and eventually making the contractor approve the MFA request. The impact was that the attacker was able to get into the system, go into their public Slack channels within the organization and brag about the attack. The lesson we learned from this is to regularly train your employees and contractors on social engineering tactics, especially this kind of MFA social engineering trick, and apply uniform security policies irrespective of contractors or third-party vendors. And, equally important, the need for implementing active dark web credential monitoring seems to be vital even for this breach.

The last case study is from 2024, and they did not name the state; it's called the US state government VPN breach. Again there was an inactive former employee account that was not deactivated. It was an admin credential. They logged into the VPN, a similar situation, and the impact was they were able to breach the confidential government systems and gain access to a lot of other SharePoint admin credentials. The lesson from this is to disable inactive accounts from previous employees who have left the company, and obviously enable MFA on every account. And last but not least, we need to implement active dark web credential monitoring.

On top of these case studies, there was an industry survey done by a company called Constella. They interviewed a lot of executives and nearly half of them admitted that they don't actively monitor for leaked credentials, even though a lot of them have been breached because of the same reason. So the one lesson that matters from all of these case studies and the survey is the need for actively monitoring the dark web for leaked credentials, which seems to be missing in a lot of organizations today.

And when we talk about how many credentials we are really talking about here, we are talking about more than 25 billion credentials which are already out there in the dark web for people to consume. Let's see whose credentials those are. Obviously we talked about employees; they can be employee credentials. They can also be your customer credentials, and they can also be your personal credentials which are out on the dark web.

How does this credential leak start to happen? There are a couple of common ways it can happen. One is through third-party data breaches; we often hear that a certain company got breached, like LinkedIn got a data breach. Then there are infected machines: a lot of incidents happen because victims mistakenly install cracked software on their machine, for example a gaming software they found somewhere online as a cracked version, and they get it installed without knowing it has some malware in the software itself. Obviously there are also a lot of malicious ads; you might have gone to a website where you see a lot of pop-ups, and there are ways people get victimized because of those ads. And the last common one is phishing. It's very common: people create fake login pages, for example for Bank of America or a lot of different sites, circulate them and find victims there.

In the threat landscape, these stolen credentials typically fall into two major categories. The first is called combo lists, where the old third-party data breaches which have been there, like the LinkedIn data breach, are all curated and circulated in the dark web, or also available from reputable sources. It obviously has usernames and passwords; there is an example there, something like john.doe@gmail.com with a password. There are other forms like URL combos, which sometimes also tell you where the victim has leaked their credentials: is it a Bank of America site or does it belong to some other site?

The other form of distribution happens through stealer logs, which is a bit more interesting and crucial because it includes a lot of interesting metadata from the machine itself; it's a stealer-infected machine, like we talked about on the previous slide. There is this infected-machine section which really talks about the stealer logs. It includes all the cookies from your machine, and let's say you have a couple of browsers, all the passwords from those browsers and cookies are being circulated through stealer logs. In the threat landscape these stealer logs come from what are commonly called infostealers. It starts from the infostealer: this is a set of malware families which covertly extract sensitive data, the credentials we talked about, browser information, all the cookies from your machine. After infecting a machine they start distributing through malware-as-a-service; there is a lot of malware-as-a-service being sold on the dark web, namely Lumma Stealer, RedLine Stealer, and various other stealers which circulate and monetize these tools, mainly for stealing credentials from infected machines.

The common delivery mechanism and C2 infrastructure they use today is Telegram, or it can be Discord. Somebody starts to type in a banking credential, and the very next minute the credential is being circulated to the dark web through a Telegram channel, through a C2 or to Discord. Sometimes they do have bulletproof hosting where they start to consume these credentials in real time. Earlier it used to be only Microsoft-targeted attacks, but the cross-platform side is also expanding now; there are stealer tools available for different operating systems including macOS and others. This malware-as-a-service also enables low-skilled threat actors; not just advanced ones, even low-skilled threat actors can buy these services and start to victimize people. And obviously it's commercialized: a lot of people sell these credentials for a couple of dollars, ranging from $5 to even $1,000. This is just a simple snapshot, a one-off Telegram channel where they post these credentials for people to download either for free or for sale. In the screenshot, it really talks about paying $250 for a one-month subscription and things like that. It's also subscription based: you can stay on the channel and continue to get these credentials from victims.

Having seen the stealer logs and how threat actors act, I also wanted to talk about the approach: how do you approach such credential monitoring within your organization? I'd like to suggest a few approaches. One is to leverage historical combo lists and breach data to fuel your detection and response. To start with, there has been a lot of major breach data which is already available in the market, such as the 2016 Anti-Public, which is the first large-scale credential dump, and a lot of subsequent data breaches which have been aggregated by security researchers or by bad actors, but are well aggregated and structured, deduplicated sets of credentials, namely Collection #1 to #5, which are out there for people to consume. And in 2021 there was something called the Compilation of Many Breaches, which includes 3.2 billion credentials. Similarly it continues to happen; a lot of people keep releasing this, both for defenders and even for attackers.

So the actionable defense tactics I would like to encourage when we get this combo list (this is step one) are: get this combo list from reputable sources, because it's an already massively available data set which you can start using in your organization to protect your employees or customers who might be part of this combo list; start to find matches for those credentials and enforce a forced password reset; and if they haven't enabled MFA, it's good to enable MFA. And prioritize data transparency. In a lot of cases, we have observed that we are not willing to share a lot of information with the victims. But these are generally available data sets. We should be open to transparently share what we see with our victims so they get fully protected. And the point of this approach, to start with, is to show a proof of value to your leadership and get buy-in before you extend your credential monitoring system to the next level.

When I say next level, moving on from combo lists: we talked about previous third-party breaches, which fall into combo lists. But there are the stealer logs, which we talked about, from infected machines, which are also quite crucial. We did step one of looking at combo lists and showed proof of value to the organization. Now we want to extend our program and really look at stealer logs. What do they capture? They capture full logs of compromised user interaction. We already saw what stealer logs might have: your complete cookies, all the logins which you have done with various sites, including your organization's site or even your personal credentials. And why does this matter? It helps you to proactively defend against daily attacks, not just past breaches. When you start monitoring stealer logs, it really means you are proactively monitoring and trying to protect all your users. And apart from just credentials, you might also see cookies, because it's an infected machine; you see all the active session cookies. It's important to also invalidate those cookies to avoid any session hijacking. When you do a forced password reset, it's important you do a global session logout, apart from just doing a forced password reset for that session.

There are two operational parts I would like to suggest; that's how we approach the problem. One is the combo lists, which are already available out there. There are billions of credentials, more than 15 terabytes of data, available for organizations to consume, and obviously you have to take this data from reputable sources. There are a lot of players who can give this data for cheap. Once you retrieve this combo list yourself, you can have some blob storage; for example, put all that data, which most of the time is in CSV format or a txt file or even JSON, in a blob storage and have some kind of automation. We use Azure Databricks with a technology called Auto Loader, which makes things a little easy for us: we put all that data, which is terabytes in size with billions of credentials, consume it through this Auto Loader change-data-capture technology and put it in a Delta table, which is kind of a SQL table. You put all those billion records into this SQL table and then you iterate through those records, which is very common. You have all the credentials already, which have plaintext passwords and also other metadata. You call your internal admin APIs to validate whether the password is correct and start resetting those credentials.

When you start resetting credentials, obviously you will focus on your employees and start checking whether the credentials which you found in the data set match your Active Directory. If they match, you want to secure the account immediately, based on the same common practice: force a password reset and enable MFA. Similarly, you might tend to give the same kind of protection to your customers as well. If you have a huge customer base, you want to proactively protect your consumers too. It's for the benefit of the customers and also for the benefit of the business. You might have a user table wherein you can iterate through all the records, find matches and successfully protect your customers as well.

Moving on to a different architecture, which I call using a vendor or premium integration. So we looked at an integration previously which is more towards combo lists and third-party data breaches, which obviously you will start with to show proof of value to your leadership, so you get buy-in to move further and have some kind of vendor or premium integration. There are a number of reasons to choose a vendor or premium integration. One is that they have a lot of visibility into the dark web, because there are dedicated vendors or premium, commercial sources. They look into all the Discord channels, they have very good visibility into Telegram channels and all the bad networks they might have access to, which is very difficult for us to build in-house, and there might be many more paste sites and a lot of illegal networks. This architecture you might be very familiar with: there is a consumer side and obviously there is a vendor side who exposes a certain set of APIs. The table which we talked about will reside on the vendor side; they will be pulling from the dark web and populating their data sets, and we just use some cron job or some automation which can pull the data set every 5 minutes or 15 minutes, just to be more cautious. A lot of people do it per day, but it's important to get this data as early as possible, so you could pull it every 5 or 15 minutes to get all the data, and the same approach follows: you call your internal admin endpoints to validate and reset the passwords and follow the same approach to protect your employee accounts and your customer accounts.

I want to really touch on the remediation workflow. I think this part is crucial, based on our internal learnings. So let's say you have valid credentials which you found on the dark web. Then you start checking whether this is a current employee record. You obviously got a username and password. The first thing you want to check is whether this is your current employee or your former employee. Let's say it's your current employee; then you're going to check whether the password is present on the record. Then you're going to check, even though the password is present, whether the password is in clear text or in hashed format. Let's say the password is in clear text; you move to the next step: does the password which we found in clear text for this user match the complexity rules? Once the complexity rule matches, it's a very happy-path scenario, and you go and check whether the password is really valid. If the password is valid, it's again a happy-path scenario: you are now actually preventing a massive data breach for your organization, because you found a match and the credentials are valid, and you do a forced password reset and enable MFA. Obviously at this time everybody might have already enabled MFA, but it's important to check if the user's account is MFA enabled, and you do a forced password reset. It's also important you trigger some email and a report to the employee about this leak, maybe copying their manager so they take it a bit more seriously. You send out a notification that we found this breach and give them some steps for how to proceed; obviously you did a forced password reset, but you have to caution them about this situation and start doing some investigation and root cause analysis. It's important to assume this is a breach. I think a lot of organizations consider this to be a normal process, but once you find a match it's always critical you assume there to be a breach and start doing a close investigation.

And there are other scenarios I'd like to point out. Let's say this is not your current employee; that falls into section A: it's your former employee. Do you still ignore the record? It's important not to ignore those records as well. We already saw case studies which talked about inactive accounts, former employees' accounts. It's important not to ignore those records. You have to really understand and start investigating why the credential is surfacing now. Maybe it's still a duplicate, but you still have to make sure it is really a duplicate instead of just avoiding that record. And in case the password is not present, we have seen a lot of situations through these feeds: let's say there are a couple of vendors; even when the password is not present with one vendor, it does not mean the other vendor might not have the password. Since this data is already available in the dark web, it's important to realize that these credentials are sourced from the dark web, and you treat that like a criminal record, because you have to really make sure you do this investigation and root cause analysis. And if the password is not cracked, you fall into a similar situation; you should still treat it as a record of interest. You assume breach and act accordingly.

And we found another interesting scenario. Let's say the password is not valid; that's off the happy-path scenario which we talked about. If the password complexity rule matched but, surprisingly, the password is invalid when you validated it, it's again important not to ignore the record, because let's assume the previous day the user might have reset the password. So though, surprisingly, you are not able to validate the password, it's still a record of interest; you should take it that much more seriously as well.

When you look at commercial vendors, it's important to know not all vendors are created equal. Choosing the right one might be very crucial. Your vendor should have deep visibility into the dark web and beyond. Speed of data matters, like which vendor gives the data much faster. We have seen a lot of situations where, when there is a two-day delay between records, you obviously will have a window of opportunity for threat actors for two days, which is not great; a commercial vendor who gives data too late might also cause a breach to the organization. And obviously you might check for automation capabilities: do they support a lot of automation features? Make sure they have a lot of transparency on the records they share with you, and demand clarity on the records you want to see. Let's assume they take screenshots; you have to make sure you get the screenshots as well.

There's an interesting observation I want to share, like two faces of the same coin. This is more of a learning we had, where I call it expectation versus reality. We always expect 100-plus daily findings, constant alerts, constant action. Confidence came from volume: more findings meant more protection. But in reality, what we see is just a few findings in January, a few findings in February, or zero findings in March, and then we start to question our automation or our approach and start to ask, is our automation working? But the lesson we learned from the approach is that low volume does not equal low value. It's still actually a sign of strength. You have to consider this to be credential health insurance: keep scanning; no findings today does not mean no threats tomorrow.

I want to share some key takeaways from the session. If your organization does not have a credential threat monitoring program, make sure you have such a program in place, because there are a lot of credentials out there for you to consume and act on. You can start leveraging combo lists to show proof of value and then move on to stealer logs to detect more exposures daily. And the important thing is to monitor broadly: don't just focus on your employees. Employees are vital, so crucial, but give similar importance to your customers as well. It has both direct and indirect benefits for the organization. And start to share detailed findings with your victims. We have seen in a lot of organizations there is a tendency to not share a lot of information with victims. It's important to share what you see from the dark web. If you're part of a threat intelligence team, just sending some email without doing some investigation might not be fully protective. So you have to be more transparent about what you see and what you share with victims. And treat all these leaked accounts as high risk: like we talked about, assume breach and investigate.

Just a quick recap. We looked at credentials, what they are, why they matter. We looked at certain industry-leading reports and we looked at three case studies. We also looked at the threat sources, which are really called combo lists and stealer logs, and how these are harvested and sold on the dark web. And we talked about two implementation approaches, A and B. One is more towards showing proof of value and the other towards having some vendor integration and how you go about integrating stealer logs. We also looked at the importance of selecting vendors, in terms of speed matters and clarity of data matters. And the key takeaway is the need for having such a credential monitoring program within an organization. Thanks. I'm Barath Subramaniam; these are my LinkedIn and Twitter handles, please stay in touch. Thanks.

Thank you Barath for the excellent talk. We have a couple of questions that came in through Slide View. We've got a minute or two, so we won't be able to take all of them. If anyone wants to catch up with Barath after this, the lounge upstairs is the place to do it. First question we have up: how should we think about passkeys to protect ourselves or our companies from password theft?

Yeah, passkeys obviously give a lot of protection, but if you start to see credentials on the dark web, it still protects your account from getting compromised, but it's important you still understand the victim machine is still in a compromised situation. You have to make sure the victim machine is sanitized, either they do a factory image reset; you talk to them, because it might also include their personal credentials; their own machine might be impacted. So passkeys are an important thing to have, but it still does not ensure your victims are fully neutralized.

Fantastic. Our next question: are there any reasons we should not enforce MFA for everyone during onboarding?

No, I think it's mandatory. We should do it mandatorily. Maybe on the customer side there is always this user friction discussion, but on the employee side there is no reason we shouldn't enable MFA. You are at a huge risk if you don't have mandatory MFA enabled.

All right. That is sadly all the time we have for Q&A today. Thank you everyone for attending Barath's talk. Just a quick announcement: we do have prayer rooms and mothers' rooms available upstairs. If you need them, seek out the information desk and they can direct you. And thank you again for the amazing talk. Thank you.
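The combo-list ingestion and the remediation decision tree described in the talk (current vs former employee, password present, hashed vs clear text, complexity check, validity check, then reset, global logout, MFA and a notification copying the manager), as an added editor's example that is not the speaker's code and not Adobe's pipeline. `DIRECTORY` stands in for Active Directory or a user table, `admin_api_validate` stands in for the internal admin endpoint, `meets_complexity` is an assumed policy, and the feed rows are constructed sample data.

```python
"""Credential-leak triage modelled on the remediation workflow in the talk.

Everything here is a constructed stand-in: the directory, the "admin API"
password check, the complexity policy and the sample feed are illustrative.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    status: str          # "active" or "former"
    manager: str         # copied on the notification, as the talk suggests
    mfa_enabled: bool
    salt: bytes
    pw_hash: bytes


def make_account(status, manager, mfa_enabled, password, salt=b"constructed-salt"):
    return Account(status, manager, mfa_enabled, salt, _pbkdf2(password, salt))


# Constructed sample directory (stands in for Active Directory / the user table).
DIRECTORY = {
    "alice@example.com": make_account("active", "dana@example.com", False, "Winter2024!"),
    "bob@example.com":   make_account("active", "dana@example.com", True, "Tr0ub4dor&3"),
    "carol@example.com": make_account("former", "dana@example.com", True, "OldPassw0rd!"),
}


def admin_api_validate(email: str, candidate: str) -> bool:
    """Stand-in for the internal admin endpoint that checks a plaintext password."""
    acct = DIRECTORY[email]
    return hmac.compare_digest(acct.pw_hash, _pbkdf2(candidate, acct.salt))


# Combo-list rows come as "email:password" or "url:email:password". The email is the
# anchor: anything before it is the URL, everything after the next ':' is the password
# (which may itself contain ':').
COMBO_RE = re.compile(r"(?:^|:)([^:\s@]+@[^:\s@]+):(.*)$")
# Hashed values that show up in the password column: hex digests or $-prefixed hashes.
HASH_RE = re.compile(r"^(?:\$[0-9a-z]+\$.*|[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def parse_combo_line(line: str):
    """Return (url_or_None, email, password) for one combo-list row, or None if unparsable."""
    line = line.strip()
    m = COMBO_RE.search(line)
    if not m:
        return None
    url = line[:m.start()].rstrip(":") or None
    return url, m.group(1).lower(), m.group(2)


def meets_complexity(pw: str) -> bool:
    """Assumed org password policy: 10+ chars with an upper, a lower and a digit."""
    return len(pw) >= 10 and all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d"))


def triage(email: str, password=None, cookies=()):
    """The talk's decision tree for one leaked record; returns the ordered list of actions."""
    acct = DIRECTORY.get(email)
    if acct is None:
        return ["not_in_directory"]
    actions = ["assume_breach_investigate"]          # every match is a record of interest
    if cookies:
        actions.append("invalidate_stolen_cookies")  # stealer logs carry live session cookies
    if acct.status == "former":
        actions.append("confirm_account_disabled")   # former employee: do not ignore it
        return actions
    if password is None:
        actions.append("cross_check_other_feeds")    # one vendor lacking it does not mean none has it
        return actions
    if HASH_RE.match(password):
        actions.append("record_of_interest_hashed")  # not cracked, still a record of interest
        return actions
    if not meets_complexity(password):
        actions.append("record_of_interest_fails_policy")  # cannot be the current password
        return actions
    if not admin_api_validate(email, password):
        actions.append("record_of_interest_invalid_now")   # may have been rotated yesterday
        return actions
    # Happy path: the leaked password is live right now.
    actions += ["force_password_reset", "global_session_logout"]
    if not acct.mfa_enabled:
        actions.append("enable_mfa")
    actions.append(f"notify_user_cc_manager:{acct.manager}")
    return actions


# Constructed sample feed; the fifth row carries an uncracked (hashed) password.
SAMPLE_FEED = """\
alice@example.com:Winter2024!
https://bank.example/login:bob@example.com:Tr0ub4dor&3
bob@example.com:Summer2019
carol@example.com:OldPassw0rd!
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
stranger@other.example:hunter2
"""


def run_feed(text: str) -> dict:
    """Triage every parsable row, keyed by (email, password) since a user can appear twice."""
    results = {}
    for row in text.splitlines():
        parsed = parse_combo_line(row)
        if parsed is None:
            continue
        _url, email, pw = parsed
        results[(email, pw)] = triage(email, pw)
    return results


if __name__ == "__main__":
    for key, actions in run_feed(SAMPLE_FEED).items():
        print(key, "->", actions)
```

In a real deployment the rows would come from the Delta table or the vendor API poll rather than a string, `admin_api_validate` would call the internal endpoint, and every branch that returns early still opens an investigation, which is the point the talk makes about not discarding former-employee, hashed, or currently-invalid records.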