A Different Kind of Stuffing
A cartoon image of a masked thief attempting to stuff a confused turkey with stolen passwords; DALL-E 3

Thanksgiving is NEXT WEEK! My favorite holiday and family time of the year… along with my favorite food: stuffing! But I’d like to discuss a different type of stuffing: Credential Stuffing (T1110.004), a sub-technique of Brute Force, which resides under the Credential Access tactic in the MITRE ATT&CK Framework. The fact that most of us use a common password across our digital properties further perpetuates this Bad Actor technique.

I attended ATT&CKCON4 a few weeks back (awesome) and the fine folks at MITRE released v14 of the MITRE ATT&CK Framework on Halloween. Utilizing a common framework is a key pillar of Threat-Informed Defense. The other key pillars of a TID posture are understanding the threat landscape and radical collaboration.


This Threat-Informed Defense article focuses on three things:

1) Passwords: Get you to change your password, stop reusing passwords, and consider a password tool (one that hasn’t been breached).

2) Raise Awareness of the Cost of Inaction:

  • The cost of inaction may be significant as your personal digital life may be wide open.
  • If you’re a CISO, most breaches involve Bad Actors logging into your enterprise with compromised credentials. And of course, the SEC Cybersec Rule will force you to reveal your cybersec practices in your annual reports after December 15.

3) A Gift of Goodness: Provide you with the World’s Best Stuffing recipe from my family.


Credential Stuffing 101

Credentials are a combination of a username and a password. They are akin to a lock and key: the username identifies the lock (the account), and the password is the key that grants access. This pair is used across platforms to verify a user's identity. Attackers acquire credentials through data breaches and ransomware events, then crack the passwords offline using brute force, dictionary attacks, or rainbow tables. Credential stuffing has emerged as a far more practical way to break into user accounts than brute force: in a brute force attack, hackers cycle through every possible password combination until they stumble on the correct one, whereas stuffing replays username and password pairs that are already known from earlier breaches.

PSA: this is where your 12-digit passphrase password comes in handy!

The effortless way to acquire credentials is to buy them on the dark web from Initial Access Brokers (IABs). Access to a bank account or an Admin user at a significant enterprise will sell for a high price, whereas access to a Netflix account is cheap.

Credential stuffing is a subtype of brute force attacks where cybercriminals use automated scripts to test previously breached username and password combinations across multiple websites or services. Unlike traditional hacking methods that target system vulnerabilities, credential stuffing exploits user behavior, specifically password reuse.

Attackers commonly target management services on well-known ports (like SSH, Telnet, and FTP), as well as SSO and cloud-based applications, and external email services like Office 365. The technique underscores the risk of using a single password across different digital assets.

Why do we continue to put ourselves in harm’s way?

I’ve accidentally shocked myself once or thrice, but I understand the pain and now turn the circuit breaker off prior to working on outlets and switches. But in other aspects of life we continue to place ourselves in harm’s way – is it because we don’t realize the immediate consequences of our actions? We consume non-food items (coloring dyes, addictive High Fructose Corn Syrup, yummy potassium bromates, weed killer glyphosate, and flame-retardant Brominated Vegetable Oil). We floss our teeth with Per- and polyfluoroalkyl substances (PFAS). We buy into the exercise movement via membership or home exercise equipment, but don’t utilize them. And the majority of us continue to reuse the same password across our digital properties. This last point is a CISO’s nightmare and has brought enterprises to their knees. It may also be the primary way China is lurking in our critical infrastructure.

Password Reuse

Why does a CISO care about the password you use to read this article? Or bank with? Or the one you haven’t reset on that one website you forgot about? Okta can tell you. One third of all attempted logins are credential stuffing attacks. Retail platforms were most affected by credential stuffing attacks: for the retail industry, credential stuffing accounts for an average of 80% of login attempts. The FBI warned about credential stuffing last year.

A sampling of companies that have attributed breaches to credential stuffing in their breach reports: 23andMe, Chick-fil-A, TurboTax, North Face, Basecamp, Nintendo, Uber, Zoom, Marriott, Reddit, and Dunkin' Donuts. North Face went above and beyond by advising their account holders to change their passwords on other sites where they had used the same credentials.

The easiest and most prevalent way to initiate a security breach is to log in with compromised credentials. APT29 didn’t care about SolarWinds, they viewed them as the weak link in a supply chain that provided access to the world (U.S. DoD, The White House, and 499 of the Fortune 500 companies). You don’t need to hack a fortress, just hack into the services provided to said fortress.

Mitigation

You:

  • Visit https://haveibeenpwned.com to check if your credentials have been involved in a breach (most likely they have).
  • As you kick off your Black Friday / Cyber Monday shopping, freshen up your passwords on every site you visit. Stop using a common password. Use a different browser in December to visit each site and that’ll force you to remember/change your password.
  • Use passphrase-style passwords, e.g. ‘J3ffsStuffingRecipeISdaB@MB!’
  • Multi-Factor Authentication (MFA/2FA) – don’t use services that don’t offer MFA!
  • Can’t use long passwords or symbols in your password choice? Change services. They don’t care about security.
  • Use password managers (and be alert to their breaches)

CISOs/Enterprises:

  • Just do the basics to secure your company’s digital posture. Basic blocking and tackling. Please. That’s all I want for Christmas. Thank you for your support.
  • If your organization can’t patch an externally facing asset, shut it down until you can. That’ll get you some budget and mindshare.
  • If you really want more budget, help with vulnerability prioritization, and spread your awesome cybersec knowledge and passion, #HireMe and I’ll manage a Bug Bounty Hunt for you. All bug bounty hunt payouts would come from the organization hosting the offending digital asset. This is a culture changing strategy and all you do is smile.
  • Account Use Policies: Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial-of-service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges. (MITRE)
  • Use Multi-Factor Authentication. Where possible, also enable multi-factor authentication on externally facing services. (MITRE)
  • Use Password Policies (MITRE)
  • Proper User Account Management (MITRE)
  • Don’t forget about Service Accounts, as they outnumber employees by a factor of 3 to 5. They don’t have MFA, they get forgotten over time, and they are orphaned after RIFs (reductions in force).
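As an added example (not part of this article), here is a small Python detector that applies the distinction drawn above to login logs: brute force piles many guesses on one account, while credential stuffing spreads roughly one breached password per account across many accounts, so a per-account lockout policy alone barely slows it. The log format, IP addresses and thresholds are constructed assumptions; it also lists the accounts that succeeded from a stuffing source, which are the ones whose reused passwords need a forced reset.

```python
from collections import defaultdict
# Constructed sample auth log (not from the article): "<time> <src_ip> <user> <result>".
# 203.0.113.7 sprays across many accounts (stuffing); 198.51.100.9 hammers one account.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 alice FAIL
10:00:01 203.0.113.7 bob FAIL
10:00:02 203.0.113.7 carol FAIL
10:00:02 203.0.113.7 dave SUCCESS
10:00:03 203.0.113.7 erin FAIL
10:00:10 198.51.100.9 alice FAIL
10:00:11 198.51.100.9 alice FAIL
10:00:12 198.51.100.9 alice FAIL
10:00:13 198.51.100.9 alice FAIL
10:00:14 198.51.100.9 alice FAIL
10:00:20 192.0.2.44 carol FAIL
10:00:25 192.0.2.44 carol SUCCESS
"""

def parse_log(text):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3] == "SUCCESS"

def classify_sources(text, min_attempts=5, min_fail_ratio=0.6, min_user_ratio=0.8):
    """Label each source IP as credential_stuffing (failures spread over many distinct
    usernames), brute_force (failures piled on one username) or benign.
    Thresholds are assumed starting points; tune them to your own login volume."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for ip, user, ok in parse_log(text):
        stats[ip]["attempts"] += 1
        stats[ip]["fails"] += 0 if ok else 1
        stats[ip]["users"].add(user)
    labels = {}
    for ip, s in stats.items():
        fail_ratio = s["fails"] / s["attempts"]
        user_ratio = len(s["users"]) / s["attempts"]   # ~1.0 means one try per account
        if s["attempts"] < min_attempts or fail_ratio < min_fail_ratio:
            labels[ip] = "benign"   # low volume or mostly successful: normal traffic
        elif user_ratio >= min_user_ratio:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "brute_force" if len(s["users"]) == 1 else "benign"
    return labels

def accounts_to_reset(text):
    """Accounts that logged in from a stuffing source: that password is breached and reused."""
    stuffing = {ip for ip, lbl in classify_sources(text).items() if lbl == "credential_stuffing"}
    return {user for ip, user, ok in parse_log(text) if ok and ip in stuffing}
```

Note that the brute-force source would trip a per-account lockout on "alice", while the stuffing source never exceeds one attempt per account; source-based throttling and MFA are what catch it.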

Credential stuffing attacks are a stark reminder of our interconnected vulnerabilities. It's high time we all—organizations and users alike—take the necessary steps to protect not just ourselves but the entire digital ecosystem. Only then can we turn this vicious cycle of breaches into a virtuous cycle of security.


And just as I was about to publish this article, a message popped up on the McLaren Health Care data breach, which impacts 2.2 million people. Ransomware gang BlackCat/ALPHV claimed responsibility for the cyberattack in October. The ransomware gang maintained unauthorized access to McLaren’s systems for an extended three-week period. This prolonged dwell time indicates a shift in the cybersecurity landscape, as cybercriminals adapt tactics to minimize risk and optimize their efforts.

McLaren provides services to several hospitals across Michigan and has around 28,000 employees. So, my mom’s data has been exposed.

Reminder: a ransomware event is the last stage of a cyberattack and is representative of a poor cybersecurity posture.


The Hanson Family Sausage Stuffing Recipe (circa early 1900s, England)

My grandfather immigrated to America from England in 1923 and got a job at Ford in Highland Park, Michigan as a steel analyst for 62½ cents an hour. His girlfriend, who would become my grandmother, came over in 1924. My grandfather became an assistant to the manager of the Chemical & Metallurgical Laboratory in 1925. The laboratory was set up adjacent to Henry Ford’s private office and afforded my grandfather multiple run-ins with him. My grandfather provided this quote in his memoir:

“Added to the uniqueness of the building and its many attractions was the ever-present probability that the ‘boss’ (Ford) would drop in through his private door. We never really could make up our minds whether it was to dodge someone he didn’t want to see or whether it was to catch us napping or goofing off! Sometimes he would stay quite a while and sometimes I saw him looking for something or someone and then suddenly go back into his office. Many times, we could expect to see some of the World’s most famous figures (Edison, Firestone) with Mr. Ford passing through on the way to the museum or into some private office or into the private dining room.”

My family grew up with several English traditions, like tea, Yorkshire pudding, and… sausage stuffing!

A recipe collection that is older than me.


I have been advised by the family that I cannot call this the family heirloom recipe as I’ve modified (improved) it, but I have noted the changes below.

Hanson Thanksgiving Sausage Stuffing

Ingredients:

  • 1 lb sourdough bread, cubed (change: sourdough)
  • 1 lb breakfast sausage
  • 1 cup celery, finely chopped
  • 1 large onion, diced
  • 1/2 cup unsalted butter
  • 2 cups turkey broth (use Better Than Bouillon)
  • 1/4 cup fresh parsley, chopped
  • 1 tsp dried sage
  • 2 garlic cloves (I add garlic to everything… vampires y’all!)
  • 1 tsp dried thyme
  • Sea salt and smoked peppercorn to taste (Sea salt over table salt and smoked peppercorn is my enhancement)

Instructions:

  1. Preparation: Preheat your oven to 300°F (175°C). Grease a 9x13-inch baking dish.
  2. Bread Cubes: Spread sourdough bread cubes on a baking sheet and toast in the oven for about 10 minutes or until lightly golden.
  3. Sausage Cooking: In a large skillet over medium heat, cook the sausage, breaking it into small crumbles. Once fully cooked, remove the sausage but keep ~3 tbsp of the rendered fat in the skillet.
  4. Sauté Veggies: In the same skillet, add butter, onions, and celery. Cook until the vegetables are softened, about 5-7 minutes.
  5. Combine: In a large mixing bowl, combine toasted bread, cooked sausage, and sautéed veggies.
  6. Spice It Up: Add parsley, sage, thyme, garlic, salt, and smoked pepper to the bread mixture. Pour in the broth over the bread mixture and toss until well combined. (some folks add in 2 raw eggs here, we do not)
  7. Bake: Transfer the mixture to your greased baking dish, cover with aluminum foil, and bake for an hour. (we used to finish the stuffing in the turkey)
  8. Final Touch: Remove the foil and bake for an additional 10-15 minutes, or until the top is crisp.
  9. Serve and Enjoy: Let the stuffing stand for a few minutes before serving.


While enjoying this delicious stuffing next week, use this time to ask your friends and family about their passwords. Ensure that they are using strong passphrase-type passwords utilizing symbols. Go a step further before grabbing seconds on the stuffing and ensure that they use different passwords across their various digital properties. Before your third helping of stuffing, introduce mom and dad to password managers.

Why? Because our democracy depends on it.

Steve James

Team Builder, Business Owner, Advisor

5 months

What a great article Jeffrey, albeit a little late in finding it, it was very on point.

Dr Ludmila Morozova-Buss

Ph.D, Founder, Editor-In-Chief at Top Cyber News MAGAZINE

1 year

Sharing! Ludmila M-B for Top Cyber News MAGAZINE

Superb post Mr Hanson!
