What is Credential Stuffing and How Can Cybersecurity Teams Use Existing Tools to Minimize the Threat?

By Lior Tenne – Senior Security Researcher

At Nagomi, we’ve seen that 80% of breaches could have been prevented with the tools customers already have. And the recent Okta warning of unprecedented credential stuffing attacks is a great example: with the right configurations in place, our existing tools can minimize the threat, making us more proactive.

Why is This in the News?

Okta’s Identity Threat Research team identified a worrying trend: a sharp rise in credential stuffing attacks against Okta customers between April 19th and 26th, 2024. The period overlapped with the large-scale brute-force campaign that Cisco Talos had reported against VPN and web application login services, which used the same kind of Tor and proxy infrastructure to hide its origin.

What is Credential Stuffing and How Do Threat Actors Compromise User Accounts?

Imagine a thief attempting to open your door with a million different keys that they stole in advance, hoping that one of them will fit. That’s essentially what credential stuffing attacks do. Attackers automate the testing of vast lists of username and password pairs, usually acquired from previous data breaches or underground markets, in an attempt to gain unauthorized access to user accounts. It works because people reuse passwords: a pair leaked from one site is tried once against many others, and even a success rate well under one percent pays off at scale. What makes credential stuffing particularly tricky is its simplicity; with the aid of tools like the Tor anonymization network and residential proxies, attackers can hide their origin, spread attempts across many source addresses, and run large-scale login attempts against unsuspecting users.
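As an added illustration (not code from the original post), here is what the pattern above looks like from the defender’s side: a small detector run over constructed sign-in events shaped like Okta System Log entries. The field names follow the System Log fields I rely on (eventType, outcome.result, actor.alternateId, client.ipAddress, published); the ThreatInsight event name, the thresholds and the sample data are assumptions to check and tune for your own tenant. The separator from a user mistyping their own password is the number of distinct accounts one source address touches, not the raw failure count.

```python
"""Flag credential-stuffing patterns in Okta-style sign-in events.

Added example, not from the original post. Event shape mirrors Okta System
Log fields; the sample events are constructed and the thresholds are
assumptions to tune per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGN_IN = "user.session.start"
# ThreatInsight blocks as I understand them are logged under this event type,
# not as a failed sign-in for the named user; confirm against your own log.
THREATINSIGHT_BLOCK = "security.threat.detected"


def _ev(ts, etype, result, user, ip):
    return {"published": ts, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}


# Constructed sample: one source tries one password each against seven
# different accounts and gets one hit; a second source is a real user who
# mistypes their own password twice.
SAMPLE_EVENTS = [
    _ev("2024-04-20T10:00:01Z", SIGN_IN, "FAILURE", "alice@example.com", "203.0.113.10"),
    _ev("2024-04-20T10:00:03Z", SIGN_IN, "FAILURE", "bob@example.com", "203.0.113.10"),
    _ev("2024-04-20T10:00:05Z", SIGN_IN, "FAILURE", "carol@example.com", "203.0.113.10"),
    _ev("2024-04-20T10:00:07Z", SIGN_IN, "FAILURE", "dave@example.com", "203.0.113.10"),
    _ev("2024-04-20T10:00:09Z", SIGN_IN, "FAILURE", "erin@example.com", "203.0.113.10"),
    _ev("2024-04-20T10:00:11Z", SIGN_IN, "FAILURE", "frank@example.com", "203.0.113.10"),
    _ev("2024-04-20T10:00:13Z", SIGN_IN, "SUCCESS", "grace@example.com", "203.0.113.10"),
    # the same source later blocked by ThreatInsight: a block, not a user failure
    _ev("2024-04-20T10:00:15Z", THREATINSIGHT_BLOCK, "DENY", "heidi@example.com", "203.0.113.10"),
    _ev("2024-04-20T10:01:00Z", SIGN_IN, "FAILURE", "bob@example.com", "198.51.100.7"),
    _ev("2024-04-20T10:01:20Z", SIGN_IN, "FAILURE", "bob@example.com", "198.51.100.7"),
    _ev("2024-04-20T10:01:40Z", SIGN_IN, "SUCCESS", "bob@example.com", "198.51.100.7"),
]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_distinct_users=5, max_success_ratio=0.25):
    """Return {ip: finding} for source IPs whose sign-in traffic looks like stuffing.

    Signature: within `window`, one IP tries at least `min_distinct_users`
    different accounts and almost every attempt fails. ThreatInsight blocks
    are counted separately so they never inflate a user's failure tally.
    """
    sign_ins = defaultdict(list)
    blocks = defaultdict(int)
    for e in events:
        ip = e["client"]["ipAddress"]
        if e["eventType"] == SIGN_IN:
            sign_ins[ip].append(e)
        elif e["eventType"] == THREATINSIGHT_BLOCK:
            blocks[ip] += 1

    findings = {}
    for ip, evs in sign_ins.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if _ts(e) - _ts(first) <= window]
            users = {e["actor"]["alternateId"] for e in in_window}
            successes = sum(e["outcome"]["result"] == "SUCCESS" for e in in_window)
            if len(users) >= min_distinct_users and successes / len(in_window) <= max_success_ratio:
                findings[ip] = {
                    "window_start": first["published"],
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "successes": successes,
                    # accounts the attacker actually got into: reset these first
                    "compromised": sorted(e["actor"]["alternateId"] for e in in_window
                                          if e["outcome"]["result"] == "SUCCESS"),
                    "threatinsight_blocks": blocks[ip],
                }
                break  # one finding per IP is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Run against the sample, only 203.0.113.10 is flagged (seven accounts, one success), and the finding lists grace@example.com as the account to reset first; bob’s two failures from 198.51.100.7 touch a single account and are ignored.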

How to Protect Your Organization from Credential Stuffing

Credential stuffing attacks exploit weaknesses in common practice rather than software bugs. Many organizations don’t enforce Multi-Factor Authentication (MFA), and many users pick weak passwords and reuse the same credentials across multiple services. A password leaked from one site is then a valid password everywhere it was reused, which is exactly what the attacker is counting on.

Here are two key steps you can take to significantly improve your defense against this threat.

Credential Stuffing Prevention Step One: Enforce Multi-Factor Authentication (MFA) on Sign-On

MFA requires an additional verification step beyond your password, such as a code sent to your phone or a fingerprint scan. Even if an attacker steals your password, they wouldn’t have this additional factor needed for access. This significantly strengthens your account security.

Credential Stuffing Prevention Step Two: Set a Strong Password Policy

Stopping users from making poor password choices is a win in itself. But let’s face it, sometimes convenience wins, and users end up setting weak passwords that are easy to guess or crack. Enforcing a strong password policy is the key. Set clear requirements that include minimum length, character variety, and a block on common or previously breached passwords. Keep in mind that length and complexity alone do not stop credential stuffing, because a stuffed credential is already known to the attacker in full; the requirements that matter most here are the ones that reject passwords which appear in breach corpora and discourage reuse.
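A policy checker of the kind described here, added as an example and not code from the original post or from Okta. It implements the three requirements above (minimum length, character variety, common-password blocking) and the tiered approach the Okta section later recommends (stricter settings for administrators than for standard users). The tiers, the tiny common-password list and the normalization rules are my assumptions; in production the denylist should be a breached-password corpus, not a hand-written set. The normalization step is the part worth noting: it strips the decorations people add to a dictionary word, so "Welcome2024!" is rejected even though it satisfies every complexity rule.

```python
"""Tiered password-policy check with a common-password denylist.

Added example, not from the original post. Tiers, denylist and
normalization rules are assumptions; use a real breach corpus in production.
"""
import re

# Constructed denylist stand-in for a breached-password corpus.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "okta", "summer", "changeme"}

# Assumed tiers: administrators get a longer minimum than standard users.
POLICY = {
    "standard": {"min_length": 12, "min_classes": 3},
    "admin": {"min_length": 16, "min_classes": 3},
}

_CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "@": "a", "$": "s"})


def _normalize(password):
    """Reduce 'P@ssw0rd1!' or 'Welcome2024!' to the dictionary word underneath."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # trailing digits/symbols ("2024!")
    core = re.sub(r"^[^a-z]+", "", core)   # leading digits/symbols
    return core.translate(_LEET)           # common letter substitutions


def check_password(password, username, tier="standard"):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    rules = POLICY[tier]
    problems = []
    if len(password) < rules["min_length"]:
        problems.append(f"shorter than {rules['min_length']} characters")
    classes = sum(any(is_class(c) for c in password) for is_class in _CLASSES)
    if classes < rules["min_classes"]:
        problems.append(f"uses {classes} character classes, needs {rules['min_classes']}")
    local_part = username.split("@")[0].lower()
    if len(local_part) >= 3 and local_part in password.lower():
        problems.append("contains the username")
    if _normalize(password) in COMMON_PASSWORDS:
        problems.append("is a common password with decorations")
    return problems


if __name__ == "__main__":
    for pw, user, tier in [("Welcome2024!", "alice@example.com", "standard"),
                           ("P@ssw0rd1!", "bob@example.com", "standard"),
                           ("correct-horse-battery-stapler-42", "carol@example.com", "admin")]:
        print(f"{pw!r} for {user} ({tier}): {check_password(pw, user, tier) or 'ok'}")
```

"Welcome2024!" passes length and complexity and is still rejected; "P@ssw0rd1!" fails on both length and the denylist; the long passphrase passes the admin tier.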

How to Strengthen Your Okta Configuration to Mitigate Credential Stuffing Attacks

While enforcing MFA and setting a strong password policy apply to any organization, the following is specific to Okta customers. 

Disable Weaker MFA Factors

To truly strengthen your organization’s security posture, disable the weaker MFA factors within your Okta factor enrollment policies. At least one recent high-profile incident was reportedly enabled by a social engineering attack conducted over SMS and voice calls to harvest credentials and one-time codes, which is exactly the channel these weaker factors rely on.

Strong factors:
  Okta Verify OTP (one-time password)
  Okta Verify Push
  Google Authenticator
  WebAuthn – FIDO2
  Physical USB key – U2F, YubiKey and Google’s Titan
  Biometric factors

Weak factors:
  Security questions
  SMS
  Email
  Voice
  Password

Among the strong factors, only WebAuthn/FIDO2 and U2F hardware keys are phishing-resistant: an OTP code or a push approval can still be relayed or talked out of a user in real time, so prefer WebAuthn for administrators and other high-value accounts wherever the clients support it.

To implement this security measure in the Okta platform, navigate to Security → Multifactor → Factor Enrollment → choose your policy → Edit → set each factor to Required, Optional or Disabled.
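The same review can be scripted against an exported enrollment policy so that it runs on every tenant rather than being checked once in the console. The audit below is an added example, not code from the original post or from Okta. The policy object is constructed and modelled on the shape of an MFA_ENROLL policy as I understand it (settings.factors.<factor>.enroll.self set to REQUIRED, OPTIONAL or NOT_ALLOWED, with factor keys such as okta_sms and fido_webauthn); verify the field names against a policy exported from your own tenant before relying on it. The weak/strong split follows the lists above, with the phishing-resistant subset called out separately.

```python
"""Audit an exported Okta MFA enrollment policy for weak factors.

Added example, not Okta code. The policy shape (settings.factors.<key>.enroll.self)
and factor key names are my understanding of the MFA_ENROLL object; confirm
against an export from your tenant.
"""

# Classification follows the strong/weak lists in the post.
WEAK = {"okta_question", "okta_sms", "okta_call", "okta_email"}
PHISHING_RESISTANT = {"fido_webauthn", "fido_u2f"}
OTP_OR_PUSH = {"okta_otp", "okta_push", "google_otp"}  # strong per the post, but relayable in real time

# Constructed policy: SMS and security questions still enrollable, push
# required, WebAuthn merely optional.
SAMPLE_POLICY = {
    "type": "MFA_ENROLL",
    "name": "Default Policy",
    "settings": {"factors": {
        "okta_sms":      {"enroll": {"self": "OPTIONAL"}, "consent": {"type": "NONE"}},
        "okta_question": {"enroll": {"self": "OPTIONAL"}, "consent": {"type": "NONE"}},
        "okta_call":     {"enroll": {"self": "NOT_ALLOWED"}, "consent": {"type": "NONE"}},
        "okta_push":     {"enroll": {"self": "REQUIRED"}, "consent": {"type": "NONE"}},
        "fido_webauthn": {"enroll": {"self": "OPTIONAL"}, "consent": {"type": "NONE"}},
    }},
}


def audit_enrollment_policy(policy):
    """Return findings for one MFA_ENROLL policy object.

    weak_factors_enabled: weak factors users may still enroll (Optional or Required)
    phishing_resistant_required: whether WebAuthn/U2F is mandatory
    only_otp_or_push_required: every required factor is a relayable OTP/push factor
    recommended_changes: the console edits that would clear the findings
    """
    factors = policy.get("settings", {}).get("factors", {})
    state = {name: f.get("enroll", {}).get("self", "NOT_ALLOWED") for name, f in factors.items()}
    enabled = {n for n, s in state.items() if s != "NOT_ALLOWED"}
    required = {n for n, s in state.items() if s == "REQUIRED"}

    weak_enabled = sorted(enabled & WEAK)
    pr_required = bool(required & PHISHING_RESISTANT)
    changes = [f"set {n} to Disabled (NOT_ALLOWED)" for n in weak_enabled]
    if not pr_required:
        changes.append("set fido_webauthn to Required for at least the admin group")
    return {
        "policy": policy.get("name", "?"),
        "weak_factors_enabled": weak_enabled,
        "phishing_resistant_required": pr_required,
        "only_otp_or_push_required": bool(required) and required <= OTP_OR_PUSH,
        "recommended_changes": changes,
    }


if __name__ == "__main__":
    for key, value in audit_enrollment_policy(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

On the sample policy this reports SMS and security questions as still enrollable, notes that push is the only required factor, and lists the three edits to make.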

Blocking Malicious Connection Attempts

The recent credential stuffing campaign hid its origin behind anonymizing services such as Tor, which makes the traffic harder to attribute and to block by address. Denying access from known anonymizers removes a large share of that traffic at the door. Two caveats: residential proxies look like ordinary consumer ISP addresses and are not caught by an anonymizer list, so this control is a complement to MFA and ThreatInsight rather than a substitute, and you should confirm that none of your own remote users legitimately arrive through such services before enforcing the block.

To implement this security measure in the Okta platform, navigate to Settings → Features → turn on Block all requests from anonymizers.

Enable Okta ThreatInsight Feature

Okta ThreatInsight aggregates sign-in activity across Okta’s customer base to identify IP addresses with a history of malicious or suspicious behavior. With enforcement turned on, Okta denies requests from those IPs before they reach your sign-in flow.

Requests that ThreatInsight blocks are logged as ThreatInsight detections rather than as failed sign-ins for the targeted user, so they do not count toward that user’s lockout threshold and will not show up if you only hunt for authentication failures. Search for them separately when you review the System Log.

To implement this security measure in the Okta platform, navigate to Security → General → Okta ThreatInsight settings → Edit → choose Log and enforce security based on threat level. If you are unsure what will be affected, run it in Log security events mode first and review what would have been blocked before switching to enforcement.

Setting a Strong Password Policy

While Okta’s built-in password policies offer a solid foundation by enforcing strong password creation (including length, complexity, and the exclusion of common phrases), customizing these policies is crucial for maximum protection.

Before proceeding with implementation, note that these recommendations aim at the strictest settings Okta supports. Review them against your own user population first, since a rule that is too strict for a particular group will be worked around rather than followed.

Our recommendations also emphasize the importance of tailoring complexity requirements for different user groups, such as administrators and standard users, to further enhance your organization’s security posture.

To implement this security measure in the Okta platform, navigate to Security → Authentication → choose your policy → Edit → set the minimum length, complexity and common-password requirements described above (the original post shows the exact values in a screenshot).

Implementing Effective Self-Recovery Procedures

Traditional account recovery methods often rely on SMS or phone calls, which are vulnerable to SIM-swapping and to social engineering of the carrier. Email is the better of the available options. An email account can be compromised too, so this only holds if the mailbox itself is protected by MFA, but email-based self-recovery with a short validity window is a clear step up from SMS or voice.

To implement this security measure in the Okta platform, navigate to Security → Authentication → choose your policy → Edit → Account Recovery → choose Email and set ‘Reset/Unlock recovery emails are valid for’ to 1 hour.

The recent storm in credential stuffing attacks highlights the critical role proactive security measures play in today’s digital landscape. By implementing the strategies discussed and leveraging best practices like Okta’s advanced security features, you can significantly fortify your defenses. But remember, security is an ongoing journey, not a destination. 

Compensating Controls

But what if I can’t deploy everything? Sometimes the world is not ideal, and our business constraints such as business continuity or technical limitations prevent us from deploying the most aggressive preventive capabilities. Nagomi helps organizations by analyzing threat actors and the techniques they are using, and identifying relevant compensating controls that could reduce the residual risk caused by the limitation of our deployment.  

About Nagomi Security

At Nagomi Security, we’re passionate about empowering security teams to navigate this ever-evolving threat landscape. We equip them with the insights and plans needed to make informed decisions, optimize defenses, maximize existing tools’ features and strengthen their cybersecurity posture. Nagomi automatically assesses your defenses and provides you with prescriptive remediation on how to fix them.
