Security Experts:

Stressing Over Stolen and Abused User Credentials?

We live in a world where security operations professionals often find themselves fighting logs, not threats. They constantly worry that their organization’s defenses will be overrun and valuable data stolen or lost. In honor of Stress Awareness Month, we have an opportunity to reflect on ways to lower your operational burden, the chance of a breach and your stress levels by preventing the theft and abuse of valid user credentials.

Despite the attention attacks like zero-day exploits receive, such techniques are rarely seen in the real world. Why? These tools are expensive and time-consuming to develop and deploy. When used, they are often deployed by highly sophisticated adversaries with ties to nation-states, cyber mercenaries for hire or other well-resourced attackers. These groups tend to reserve their more advanced attack methods for targets with the potential to yield a big payday or achieve a specific geopolitical goal, one large enough to offset the cost of identifying a novel vulnerability exploit and essentially “burning” it by releasing it into the wild. Even for high-value targets, tried-and-true methods like phishing and the use of stolen credentials are more likely to occur because they are simple and effective.

Given this, most security professionals should focus their efforts on identifying and preventing common attack methods, such as credential phishing. Phishing attacks seek to steal valid user credentials (i.e., username and password) from unsuspecting targets by tricking them into thinking they are sending them to a legitimate source, for example by logging into a fake version of a real service. But why would an attack method that has been around since the late 1980s still be a threat today? To put it simply: because it works. Unit 42, the threat intelligence team at Palo Alto Networks, estimates that between 15 and 19 percent of phishing attacks succeed, even after an employee has received training on spotting and avoiding them. Fortunately, a three-pronged approach to cybersecurity – one that accounts for people, processes and technology – is a reliable way to block the majority of phishing attacks.


One of the easiest ways to cut down on credential-based attacks, including phishing, is education. Regular training sessions and real-time testing should be required of all staff. Even at relatively technology-savvy companies, it is important to take the time to explain methods like phishing, why it is important to look out for them, and practical ways to identify and flag potential phishing attempts to IT security staff. Never assume that everyone in your organization has the education to take the right action. This training can’t be a one-time event, and even quarterly is not enough. New employees are constantly joining, and current ones need regular, perhaps even weekly, testing to keep them updated on the latest tricks and techniques they may encounter. Training is also the ideal time to reinforce good credential habits with employees. Be sure to enforce a policy of changing their credentials every three months, as well as using different passwords for all their different apps and services.


Credential-based attacks must be addressed from a process perspective as well. Some process-level questions that organizations should consider include:

• How do employees initiate the workflow to investigate potential phishing attempts?

• If a data breach occurs on services used by employees in their personal time (possibly due to sharing passwords, which should be against policy), should company passwords be reset?

• Can you automatically block phishing websites or email?

• Is automation in place to block indicators of compromise (IoCs) extracted from investigations?

• How are sensitive resources protected if attackers gain access to legitimate credentials?

Remember, the best way to orchestrate the prevention of credential-based attacks is through an informed policy driving the right processes.


Much of the work involved in identifying and mitigating the theft or use of stolen credentials can be automated if you’re using the right technology on the right security platform. There are three essential use cases that automated platforms can solve for:

• Automatically identify and prevent employees from visiting credential phishing sites. This approach must be powered by threat intelligence informed by a global network of sensors with the analytics to identify new malicious sites, blocking them without human intervention.

• Look for the leakage of password-based credentials to unknown sites, which may not be categorized as phishing at the time. When identified, the platform must be able to block the user from transmitting credentials to these non-approved locations.

• Use policy-based multi-factor authentication enforced at the network level to protect critical applications and stop attackers from using stolen credentials to conduct lateral movement within the network.
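As an added illustration of the first two use cases above (example code written for this page, not code from the original article or from Palo Alto Networks), the following Python sketch runs a credential-leakage check over a few constructed web-proxy log lines: a POST carrying a password-like form field to any host outside an approved set is flagged, and a host already categorized as phishing is blocked outright. The log format, the approved-host set and the category feed are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample proxy log (not real traffic). Columns: time, user, method, host, path, form fields.
SAMPLE_LOG = """\
2023-04-03T09:12:01Z alice POST login.microsoftonline.com /common/oauth2 username,password
2023-04-03T09:14:22Z bob POST secure-mail-reset.example /verify email,password
2023-04-03T09:15:40Z carol GET news.example.net /article -
2023-04-03T09:18:05Z dave POST payroll-portal.example /login user,passwd
"""

# Assumed policy inputs: hosts where corporate credentials may legitimately be entered,
# and a constructed category feed standing in for URL-filtering threat intelligence.
APPROVED_CREDENTIAL_HOSTS = {"login.microsoftonline.com", "sso.corp.example"}
URL_CATEGORIES = {"secure-mail-reset.example": "phishing", "news.example.net": "news"}
PASSWORD_FIELD = re.compile(r"^(pass(word|wd)?|pwd)$", re.IGNORECASE)

@dataclass
class Verdict:
    user: str
    host: str
    action: str  # "block-phishing", "block-credential-leak" or "allow"

def classify(line: str) -> Verdict:
    """Decide what the platform should do with one proxy log entry."""
    _ts, user, method, host, _path, fields = line.split()
    field_names = [] if fields == "-" else fields.split(",")
    submits_password = method == "POST" and any(PASSWORD_FIELD.match(f) for f in field_names)
    # Known phishing site: block regardless of what is being sent.
    if URL_CATEGORIES.get(host) == "phishing":
        return Verdict(user, host, "block-phishing")
    # Password posted to a site not on the approved list, even if not yet categorized.
    if submits_password and host not in APPROVED_CREDENTIAL_HOSTS:
        return Verdict(user, host, "block-credential-leak")
    return Verdict(user, host, "allow")

def scan(log_text: str) -> List[Verdict]:
    """Classify every non-empty line of a log excerpt."""
    return [classify(line) for line in log_text.splitlines() if line.strip()]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_LOG):
        print(verdict)
```

In the sample, the post to the uncategorized payroll-portal.example host is caught by the leakage rule alone, which is the case the second bullet describes.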

Training your people to be aware of credential-based attacks and how to avoid them, together with adopting the right prevention-based measures, can have a material impact on stopping one of the most common and effective attack techniques. Even better, it will keep your stress levels down by giving you the peace of mind that comes from knowing you no longer have to find and resolve every attack manually.

Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.