Anonymity is a coveted commodity among cybercriminals. It goes a long way toward helping them commit their crimes without being caught. But little pieces of forensic evidence can turn the tables. A few clues here and there can help security analysts piece together a profile that ultimately unmasks a previously unknown threat actor.
It turns out that stolen credentials can act as forensic evidence under certain conditions. So even though they represent a potential data breach, the way credentials are stolen and traded leave behind evidence that helps analysts take a proactive stance against any attacks that might result from a data breach.
3 Levels of Sophistication

An analyst finding leaked or stolen credentials on the dark web is immediately faced with a long list of questions. At the top of the list is how the data made it to the dark web. This is important because the nature of a data leak provides important clues about a hacker’s level of sophistication:
- Low-Level – Stolen credentials appearing as part of a massive list represent low-level sophistication. The threat is likely from a script kiddie or bot utilizing automated credential stuffing to break in.
- Mid-Level – Mid-level sophistication is suspected when stolen credentials are fresh, verified, and offered on the dark web with a link to a specific company name. The type of individual selling such credentials is likely an Initial Access Broker.
- High-Level – A high level of sophistication is indicated when credentials belonging to a high-value target are being offered despite never having appeared in any other public breaches. It suggests an Advanced Persistent Threat or possibly a state-sponsored threat actor.
The level of sophistication represented by stolen credentials tells security analysts how to proceed. A high-level attack requires an immediate and equally sophisticated response. Meanwhile, a low-level attack is less urgent. It could probably be cleaned up fairly easily and without terribly aggressive strategies.
Linking Credentials to a Threat Actor

Understanding threat sophistication goes beyond protecting vulnerable networks to help security analysts proactively identify previously unknown threat actors. And, truth be told, threat actor identification is one of the hardest tasks in cybersecurity.
Threat intelligence experts, like DarkOwl, specialize in creating tools and techniques that equip security analysts to link stolen credentials back to individuals or groups. Here are just a few examples:
- Monitoring Tools – Dark web monitoring tools (think things like Telegram monitoring as well) are able to analyze stolen databases to uncover threat actor behavior. By developing and archiving behavioral patterns, they provide analysts with data that can be cross-linked and correlated within current investigations.
- Tracking Tools – Tools capable of tracking passive DNS and IP reputation can reveal the locations where stolen data was uploaded. This provides a form of infrastructure correlation that could reveal a previously unknown group or threat actor as the same entity behind the current incident.
- Canary Tokens – Threat intelligence experts sometimes recommend that their clients embed fake credentials, known as canary tokens, in their databases. Finding such tokens on the dark web points analysts to specific database breaches and the entry points hackers used to get in.
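The canary-credential idea above, as an added example that is not code from the original post or from DarkOwl: each fake account is derived from a secret plus the database and entry point it is planted in, so a hit in a leaked dump maps straight back to one breach source. The secret, the database names and the dump lines are all constructed for this illustration.

```python
import hmac
import hashlib
import re
from dataclasses import dataclass

# Assumption: this secret lives with the analyst, never inside the seeded database.
SECRET = b"constructed-registry-secret"


@dataclass(frozen=True)
class Canary:
    email: str
    database: str
    entry_point: str


def make_canary(database: str, entry_point: str, domain: str = "example.com") -> Canary:
    """Derive a unique, non-guessable fake account bound to one table / ingest path."""
    tag = hmac.new(SECRET, f"{database}|{entry_point}".encode(), hashlib.sha256).hexdigest()[:10]
    return Canary(f"user.{tag}@{domain}", database, entry_point)


def build_registry(sources):
    """sources: iterable of (database, entry_point). Lookup keyed by lowercase email."""
    return {c.email.lower(): c for c in (make_canary(d, e) for d, e in sources)}


# Matches the common "email:password", "email;password" and "email,password" dump layouts.
CRED_RE = re.compile(r"^\s*([^\s:;,]+@[^\s:;,]+)\s*[:;,]\s*(\S+)")


def scan_dump(lines, registry):
    """Return {(database, entry_point): hit_count} for every canary present in a dump."""
    hits = {}
    for line in lines:
        m = CRED_RE.match(line)
        if not m:
            continue  # not a credential line; skip noise
        canary = registry.get(m.group(1).lower())  # dumps often change case
        if canary:
            key = (canary.database, canary.entry_point)
            hits[key] = hits.get(key, 0) + 1
    return hits


# Constructed sample: two seeded sources, a dump that leaks only the CRM canary.
SOURCES = [("crm_customers", "web_signup_api"), ("hr_staff", "ldap_sync")]
REGISTRY = build_registry(SOURCES)
CRM_CANARY = make_canary("crm_customers", "web_signup_api").email
DUMP = [f"{CRM_CANARY}:Winter2024!", "alice@example.org:hunter2",
        f"{CRM_CANARY.upper()};p@ss", "garbage line", "bob@example.net,qwerty"]
```

Running `scan_dump(DUMP, REGISTRY)` attributes both hits to the CRM signup path and nothing to the HR sync, which is the breach-source signal the post describes.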
These things combined create a pool of forensic data that analysts can piece together as they seek to identify threat actors. Ideally, companies don’t want employee usernames and passwords stolen and leaked on the dark web. But when it happens, the silver lining is that skilled analysts can turn stolen data into clues that could eventually help them thwart future attacks.
Cybersecurity is a game of cat-and-mouse. So analysts use every tool at their disposal to identify their adversaries. Analyzing stolen credentials is a big part of it.