March 28, 2019
Credential Stuffing: Why Password Reuse is not a Good Idea
Are you truly defending your enterprise or simply distracted?
In today’s cyber threat landscape, an effective e-mail security capability is a big deal. According to Verizon’s 2018 Data Breach Investigations Report (DBIR), 98% of all incidents and 93% of all breaches analyzed during its last reporting period involved phishing and pretexting (i.e. creation of a false narrative to obtain information or influence behavior). If nearly 19 out of every 20 successful data breaches leveraged e-mail as an attack vector, then the bad guys certainly know what works!
Given this reality, enterprise defenders must then focus on building an effective email security architecture and user awareness program. More often than not, security departments get overly tactical when dealing with these two very important areas of enterprise cyber defense. With email security, using Robert Lee’s Sliding Scale of Cyber Security Model is a solid way of limiting the success rate of threat actors.
Going by this model, the first thing to do is plan, design and implement your enterprise email infrastructure with security in mind. Next, identify and correctly deploy a secure email gateway solution that meets your requirement, which in this case is to prevent unsolicited inbound emails from getting to your end users. Then, obey the “prevention is ideal but detection is a must” rule by promptly detecting and containing email-based security events of concern. If you do these first three phases (Architecture, Passive Defense and Active Defense) well, you should be well covered as far as e-mail security goes.
As Robert stated in his paper, understanding each phase helps individuals and organizations see that the categories on the left-hand side of the scale build the foundation that makes the actions further along the scale more obtainable, more useful, and less resource intensive. Security departments that pay more attention to Active Defense and Intelligence are simply distracting themselves and other stakeholders: doing a lot without really getting much done.
As seen in the image above, and within the context of enterprise email security, Intelligence – rated 4th most important activity – relates to collecting data about spam capitals of the world and blocking specific IP addresses and/or countries. This offers very little return on (time) investment.
There are so many reasons why demonizing certain countries is laughable. Here are just four examples:
3. 60% of the Top 10 Worst Spammers, per Spamhaus’ Register of Known Spam Operations (ROKSO), are based in the United States. Here is how Spamhaus described these threat actors:
This TOP 10 chart of ROKSO-listed spammers is based on Spamhaus views of the highest threat, least repentant, most persistent, and generally the worst of the career spammers causing the most damage on the internet currently.
Going by this information, any US-based company that spends useful time blocking inbound emails that originated from some foreign countries whilst neglecting the threat within its own geographical boundary is simply distracted. An African proverb says “one does not ignore leprosy to treat a rash”, meaning: more serious problems deserve more immediate attention.
Conversely, any non-US based company that blocks inbound emails originating from within the United States’ IP space because of its top ROKSO players might as well disconnect itself from the Internet. When your head aches, you don’t simply cut it off, or else you just might struggle to stay alive. In a situation like this, SABSA’s concept of the “duality of risk” comes to mind. Security professionals should always take a balanced approach to risk management – the likelihood of a threat materializing vs. the likelihood of an opportunity materializing.
In today’s threat landscape, if you block emails by country of origin, you’re reducing the likelihood of business opportunity materializing whilst not necessarily reducing the likelihood of threat materializing.
4. In his book Spam Nation, Brian Krebs wrote: “several bad guys in the underground will sell purloined usernames and passwords for working accounts at overstock.com, dell.com, and walmart.com, all for two dollars each, for example. Other sellers peddle accounts at fedex.com and ups.com for five dollars a pop, and Apple iTunes accounts starting at eight dollars. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.” The last sentence in this excerpt is pretty telling. While you’re busy blocking emails by country of origin, the average bad guy, impersonating the victim of the stolen account credentials, sends you a carefully crafted email from within your trusted IP space and you let it through (especially if the motive is fraud and the email carries no malicious file or link).
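To make the trade-off concrete, here is an added example (not from the original post) that scores a country-of-origin block policy and a simple content policy against a small, constructed set of labelled inbound messages; the message records, domains and the blocked-country list are all assumptions chosen to mirror the cases discussed above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    msg_id: str
    origin_country: str        # country of the connecting IP, as a gateway would see it
    sender_domain: str
    has_malicious_payload: bool  # carries a malicious file or link
    is_malicious: bool         # ground-truth label used only for evaluation

# Constructed sample, not real traffic: legitimate overseas partners, a fraud
# message from a purchased/compromised US account with no link or file, and
# phishing/malware from both blocked and trusted IP space.
SAMPLE = [
    Message("m1", "NG", "supplier.example",  False, False),  # legitimate overseas supplier
    Message("m2", "US", "shop-account.example", False, True),  # fraud via compromised account, no payload
    Message("m3", "RU", "bulk-mailer.example", True,  True),  # credential-harvesting link
    Message("m4", "US", "courier-account.example", True, True),  # malware attachment, trusted IP space
    Message("m5", "DE", "customer.example",  False, False),  # legitimate customer
    Message("m6", "US", "colleague.example", False, False),  # legitimate domestic sender
]

BLOCKED_COUNTRIES = {"NG", "RU", "CN"}  # assumed geo-block list

def geo_block_policy(msg: Message) -> bool:
    """Block purely by country of origin (the 'Intelligence' activity the post criticises)."""
    return msg.origin_country in BLOCKED_COUNTRIES

def content_policy(msg: Message) -> bool:
    """Block on what the message carries, regardless of where it came from."""
    return msg.has_malicious_payload

def evaluate(policy, messages):
    """Count the four outcomes: blocked malicious (threat stopped), blocked legitimate
    (opportunity lost), allowed malicious (threat materialised), allowed legitimate."""
    counts = {"blocked_malicious": 0, "blocked_legitimate": 0,
              "allowed_malicious": 0, "allowed_legitimate": 0}
    for m in messages:
        verdict = "blocked" if policy(m) else "allowed"
        label = "malicious" if m.is_malicious else "legitimate"
        counts[f"{verdict}_{label}"] += 1
    return counts

if __name__ == "__main__":
    for name, policy in (("geo-block", geo_block_policy), ("content", content_policy)):
        print(name, evaluate(policy, SAMPLE))
```

On this sample the geo-block policy loses a legitimate supplier and still lets both messages from trusted US IP space through, while the content policy stops the payload-bearing mail but, like the post warns, misses the payload-free fraud message.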
At the risk of oversimplifying the motives of email scammers and spammers, I will say there are three main end games: credential harvesting, malware infection and fraud. Each of these motives has well-documented (protect, detect and respond) mitigations. Rather than chase shadows and get lulled into a false sense of security, do some research, model email-based threats and develop holistic countermeasures.