The Art of Credential Stuffing

Adversaries leverage many different attack methods to infiltrate government networks. From phishing schemes to Distributed Denial of Service (DDoS) attacks to malware infiltrations, the varying tactics used by both nation-state and "lone wolf" actors are extreme and are causing significant challenges for agency security teams.  

Web applications remain one of the more popular areas to attack across industries. In fact, a recent report from The Cyentia Institute and F5 Labs reveals that web application attacks were the leading incident pattern among data breaches for six of the last eight years, and 56% of the largest incidents of the last five years tie back to some form of web application security issue, constituting 42% of all financial losses recorded.

One web application attack strategy that is becoming more prevalent is credential stuffing, the art of obtaining stolen or leaked login credentials such as username and password pairs for one account and using them to exploit other accounts of the same individual. Although not an overly sophisticated attack vector, the damage of this approach can be significant, and it can have significant impact on government agencies.

What is credential stuffing?

"Credential stuffing is an authentication attack that uses passwords that have been stolen from somewhere else and then those passwords are hashed," said Sander Vinberg, Threat Research Evangelist, F5 Labs during a recent episode of WWT's Public Sector Tech Talk series. "Because those passwords were used for a specific account somewhere else, attackers can guess — because users are very prone to re-using passwords — that these have a very high likelihood of succeeding in accessing other accounts."

Credential stuffing is considered one of the most successful methods of attack that targets authentication systems — brute force and dictionary attacks are other examples.

Why is credential stuffing a concern for the government?

From a government perspective, credential stuffing is becoming more popular because it is a technique that is often very hard to detect. It's really kind of a "set it and forget it" type of attack where malicious actors can program bots with these credentials and let them do their thing on a large scale, which is naturally an enticing concept for adversaries.

From an attacker perspective, malicious actors are getting more used to utilizing bots in attacks. Having the ability to now program them in more complex ways — such as inserting logic to cycle through common password variances — is leading to a more streamlined and effective attack profile. These bots are now able to adapt as agency security professionals attempt to detect them, resulting in a real issue for agencies and a real opportunity for attackers.  

Additionally, many defense technologies look for multiple attributes when an individual is logging into an application, such as GPU, audio, canvas, plug-ins, fonts and cookies, but attackers now have access to purpose-built browsers through the dark web where they can easily alter those attributes. So now they have the ability to buy the browser configuration files along with the username and passwords making it easier to circumvent those defense technologies.

How to prevent credential stuffing

The easiest answer to the question — "how do you prevent credential stuffing?" — is to be more cyber vigilant, but that's not feasible given the fact that users continue to leverage passwords across accounts. "We talk a lot about authentication as an inherent vulnerability," noted Vinberg. "We can patch all kinds of vulnerabilities, but we can't patch access control for human users."

Given the human element, what steps can agencies take to detect and protect their systems from credential stuffing? Vinberg provides the following recommendations:

• Look for a dedicated, anti-fraud solution that can collect a large number of signals and fingerprints
• Improve situational awareness by calculating a success ratio for authentications
• Conduct more detailed monitoring and analysis of system logs

The final take

When considering a credential stuffing attack against a government network, it's important to look at the technology, but it's even more important to look at the human element.

How can agencies implement technologies, processes and procedures into their environment to better protect against this evolving attack? And what should agencies do if and when an effective credential stuffing breach does occur? 

For answers to these questions and more, access and stream the on-demand version of WWT's Public Sector Tech Talk Series, Episode 15: Credential Stuffing: A Real Risk to Government Security or connect with me on the WWT Digital Platform.