How to Use Breach Credentials to Support Intelligence Collection and Attribution
While some organizations may view third party breach usernames and passwords as important indicators to prevent unauthorized access to their own networks, larger organizations are using two factor authentication for securing their perimeters by locking down internet-facing services where the mere availability of these credentials are less actionable.
For security operations and trust and safety teams who are interested in attributing threats to obtain additional context, harvesting unique breach credentials is still of use in conjunction with other data sources that can be used for cross reference purposes.
In the digital underground where cyber crime, fraud, espionage, extortion, and other risks to business are perpetrated, criminals usually cannot keep track of the numerous monikers and fake accounts they use in online forums.
Even the most sophisticated of criminals make mistakes not only in the registration of these accounts, but the re-use of these accounts. Re-using account creation data like username, email address, passwords and forgetting to switch IPs are common mistakes and with the proper tooling, data aggregation, resources, and search capabilities, organizations can typically attribute more than 70% of the individuals targeting their enterprise, giving critical context on the TTPs that are being used.
Password Re-Use Leads to True Identity
In the below example, a cyber actor used a moniker and an email address to register a foreign-based virtual private server to store the data exfiltrated from his illegal cyber activity. Pivoting from this start point, and with the proper collection, it’s not difficult to find the actor’s re-use of the same moniker in other cyber-crime forums, including where it is associated with email addresses the actor uses.
With the proper search functionality, we can search for the email addresses in breach datasets to find passwords the actor has used in the past. We can then cross-reference passwords to find other email addresses the actor uses assuming the password is relatively unique.
We can then perform additional searches on the moniker and different email variations to uncover new unknown associated emails and passwords. These emails may include true name emails the actor uses, leading to a quick attribution win.
PII (Personally Identifiable Information) May Provide Valuable Attribution Data
Additional PII data points beyond usernames and passwords are found in breach datasets and contain a wealth of information that can help attribute an actor using the internet for malicious means. This includes but not limited to the following:
- First Name
- Last Name
- Last Login Dates
- Created Date
With this additional information, accounts can be correlated, allowing for attribution of the bad actor.
Password Resets Provide Additional User Accounts
Another common use of breached credentials is the identification of services to which the credential pair subscribes. For example, when investigating firstname.lastname@example.org, based on his breached credential footprint, it may be determined if data on this user exists within services such as verifications.io, zynga, myspace, exploit.in, Apollo.
With these accounts we can potentially identify information to build a picture of the user. When cross-referenced with IP data and date/time stamps, we often hone in to determine location.
Credential Pair Association with IP Addresses and Location
While rare, using netflow, mobile data, and other external threat hunting sources, correlation using previously identified selectors with IP addresses may be possible. And while IP addresses are generally not helpful without a given date/time stamp since actors can rotate them instantaneously, with proper date/time stamps and when used with other selectors (associated emails, telephone numbers, etc), it is possible to hone in on an originating IP address and a general location.