In our previous blog post, we explored the dangers of clear text credential discovery. Today, we’re delving into another cybersecurity concern that has been making waves in recent years – credential stuffing, an attack that succeeds because of what is more accurately called “credential overlap.” At Elliott Davis, our penetration testers have encountered and exploited this issue in numerous tests, and it remains a significant part of today’s threat landscape.
Credential Stuffing vs. Credential Overlap
Before we proceed, it’s essential to clarify the terminology. “Credential stuffing” names the attack: replaying username and password pairs stolen in one breach against other services. What makes that attack work is better understood as “credential overlap,” which occurs when individuals reuse the same password across multiple accounts. When one of those accounts is compromised, malicious actors try the stolen combination against other accounts and, wherever the password overlaps, gain unauthorized access, sometimes to an account with more privilege than the one originally breached.
Elliott Davis Penetration Test Insights
During our penetration tests for our customers, we’ve seen firsthand how dangerous credential overlap can be. Numerous times we have discovered passwords shared between accounts of different privilege levels, including third-party managed accounts with privileged access. Here are some key insights:
The MITRE ATT&CK® framework (Adversarial Tactics, Techniques, and Common Knowledge) classifies this threat under technique T1110, “Brute Force,” and credential stuffing specifically is its sub-technique T1110.004. T1110 encompasses the range of methods adversaries use to obtain valid credentials by trying them: guessing, password spraying, cracking captured hashes, and replaying leaked username and password pairs.
Mitigation Strategies: People, Process, and Technology
To combat the threat of credential overlap effectively, organizations should adopt a multi-faceted approach involving people, processes, and technology:
Credential overlap, or credential stuffing as it’s commonly called, poses a significant threat to organizations because it exploits a widespread habit: password reuse. By educating users, implementing and enforcing password policies, and leveraging technology to detect and block reuse, organizations can significantly reduce the risk of falling victim to this tactic. At Elliott Davis, we’re committed to helping our clients stay ahead of these threats through proactive testing and security guidance. Please reach out if you have questions. Stay vigilant, stay secure!
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.