Compromised Credentials Monitoring


Compromised Credentials Monitoring in the context of cybersecurity is the continuous process of searching for and alerting on exposed or stolen login credentials—such as usernames, email addresses, and passwords—belonging to an organization's employees, customers, or systems.

This process is a vital component of an organization's digital risk protection strategy. Its primary goal is to gain visibility into the dark web, hacker forums, paste sites, and other illicit online locations where threat actors buy, sell, or share credentials obtained through data breaches, malware, or phishing attacks.

When a credential set belonging to an organization is discovered outside of the secured corporate environment, it signals an immediate and critical risk. These stolen credentials can be used by malicious actors for various purposes, including:

  • Initial Access: Using valid credentials to bypass perimeter defenses and gain unauthorized access to corporate networks, applications, or cloud services.

  • Account Takeover: Impersonating a legitimate employee or customer to conduct fraudulent transactions or steal data.

  • Lateral Movement: Using a compromised account to move deeper into the network and gain access to more sensitive systems.

Effective monitoring involves gathering intelligence on known breaches and using sophisticated techniques to correlate exposed credentials with the target organization, enabling security teams to quickly force password resets, revoke access tokens, and prevent a potential breach before it occurs.
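The correlation step described above, as an added example that is not ThreatNG's code or part of the original page: it parses a constructed `email:password` feed, keeps only identities under the organization's registered domains (subdomains included, look-alike domains excluded), and assigns each exposed account a priority and the response actions the text names; the feed, the domain list and the privileged-identity map are all assumptions.

```python
"""Correlate a leaked-credential feed with an organization's identities.
Added example, not ThreatNG code; feed, domain list and role map are
constructed assumptions."""
import re

# Constructed dump as it might appear on a paste site (placeholder passwords).
# It includes an unrelated domain, a malformed line and a look-alike domain
# that must not match.
LEAK_SAMPLE = """\
jane.doe@example.com:Winter2023!
CEO@Example.COM:Sunshine1
someone@otherdomain.net:hunter2
svc-backup@mail.example.com:P@ssw0rd
not-a-credential-line
alice@example.com.evil.net:fake
"""

ORG_DOMAINS = {"example.com"}  # assumption: the org's registered domains
PRIVILEGED = {"ceo@example.com": "executive",  # assumption: high-value accounts
              "svc-backup@mail.example.com": "service"}

LINE_RE = re.compile(r"^([^\s:@]+@[^\s:]+):(.+)$")  # email:password

def belongs_to_org(email: str) -> bool:
    """True only for an org domain or one of its subdomains."""
    domain = email.rsplit("@", 1)[1]
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)

def correlate(feed: str) -> list:
    """Return prioritized findings for the org's identities only."""
    findings = []
    for raw in feed.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line, not a credential pair
        email = m.group(1).lower()  # normalize case before matching
        if not belongs_to_org(email):
            continue
        # The leaked password is never stored; the identity drives response.
        role = PRIVILEGED.get(email)
        priority = "High" if role else "Medium"
        actions = ["force_password_reset", "revoke_sessions_and_tokens"]
        if role:
            actions += ["notify_soc", "review_recent_logins"]
        findings.append({"email": email, "role": role,
                         "priority": priority, "actions": actions})
    return findings
```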

ThreatNG is uniquely positioned to automate and contextualize Compromised Credentials Monitoring by integrating deep external discovery with dedicated dark web intelligence, enabling rapid response to identity-related threats. It treats leaked credentials as a critical vulnerability in the external attack surface.

External Discovery and Assessment

ThreatNG uses purely external, unauthenticated discovery to map the organization's digital footprint continuously. This is the foundation for identifying compromised credentials, as it identifies all public-facing assets—such as subdomains and mobile apps—where credentials might be used or exposed.

The platform then generates high-certainty Security Ratings that directly incorporate credential risk:

  • BEC & Phishing Susceptibility Security Rating (A-F): This rating is heavily influenced by findings across Compromised Credentials (Dark Web Presence) and is determined by correlating those leaks with available or taken domain permutations, as well as Domain Name Record Analysis (missing DMARC/SPF).

    • Example: If an organization's employee email address and password are found on the Dark Web, and ThreatNG also discovers an available domain permutation perfect for a phishing attack (e.g., a "vowel-swap" of the official domain), the BEC & Phishing Susceptibility rating will drop significantly, indicating high, actionable risk.

  • Data Leak Susceptibility Security Rating (A-F): This rating directly accounts for Compromised Credentials as a contributing factor.

  • Breach & Ransomware Susceptibility Security Rating (A-F): This rating is based on findings across Compromised Credentials and Ransomware Events.

Continuous Monitoring and Reporting

ThreatNG provides Continuous Monitoring of all organizations, ensuring that newly exposed credentials are found and acted upon immediately.

The platform's Reporting capability converts this continuous intelligence into priority-driven action:

  • Prioritized Reports (High, Medium, Low, and Informational): Leaked, high-value credentials are automatically flagged in reports as a high-priority risk, enabling the security team to focus resources effectively.

  • Knowledgebase: The knowledge base embedded in reports provides risk levels to prioritize efforts, reasoning that explains the context of the credential leak, and recommendations for reducing the risk, such as forcing password resets.

Investigation Modules and Intelligence Repositories

ThreatNG uses specialized modules and repositories to ensure comprehensive compromised credential visibility:

  • Dark Web Presence Investigation Module: This module actively monitors for Associated Compromised Credentials linked to the organization and associated Ransomware Events.

  • Sensitive Code Exposure Investigation Module: The Code Repository Exposure feature finds hardcoded credentials and secrets within public code repositories.

    • Example: ThreatNG would find an exposed AWS Access Key ID and Secret Access Key, a Stripe API key, or a PostgreSQL password file in a public GitHub repository, providing high confidence of a credential exposure that could lead to cloud or application takeover.

  • Mobile Application Discovery: This feature scans mobile app marketplaces and app content for Access Credentials (such as Google API Key, Facebook Secret Key, or AWS Access Key ID) and Security Credentials (such as RSA Private Key).

    • Example: A finding that a developer accidentally left a Twitter Secret Key in the code of a production mobile app available on the Apple App Store is a high-certainty, high-impact credential leak.
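The hardcoded-secret detection the two modules above describe, as an added example that is not ThreatNG's detector: a small pattern scanner run over a constructed repository file containing the credential types the page names (AWS Access Key ID, Stripe key, Google API key, Slack token, RSA private key, PostgreSQL password file entry). The patterns are the public formats of those credentials written as heuristics, every value in the sample is fake, and the allowlist of documented placeholder values is an assumption.

```python
"""Scan text for hardcoded credential patterns.
Added example, not ThreatNG's detector; the sample file is constructed and
every value in it is fake."""
import re

# Public formats of the credential types discussed, written as heuristics.
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "Slack token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "RSA private key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
    # host:port:database:user:password, the .pgpass line format
    "PostgreSQL password file entry":
        re.compile(r"^[^\s:]+:\d+:[^\s:]+:[^\s:]+:\S+$", re.M),
}
# Assumption: documented placeholder values that should not raise alerts.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

SAMPLE_REPO_FILE = """\
# constructed settings file committed by mistake; every value is fake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_ACCESS_KEY_ID_PROD = "AKIA0123456789ABCDEF"
STRIPE_SECRET = "sk_live_abcdefghijklmnopqrstuvwx"
GOOGLE_MAPS_KEY = "AIzaSyA1234567890abcdefghijklmnopqrstuv"
SLACK_BOT = "xoxb-123456789012-abcdefghijklmnop"
db.example.internal:5432:prod:app:s3cret
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----
"""

def scan(text: str) -> list:
    """Return (type, line number, masked value) per hit, sorted by line."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if value in ALLOWLIST:
                continue  # documented placeholder, not a real exposure
            line_no = text.count("\n", 0, m.start()) + 1
            masked = value[:4] + "****"  # never report the full secret
            hits.append((name, line_no, masked))
    return sorted(hits, key=lambda h: h[1])
```

The scanner reports the credential type and location but only a masked prefix of the value, so its own output does not become a second copy of the secret.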

The platform's Intelligence Repositories (DarCache) provide the source of the compromised data:

  • Compromised Credentials (DarCache Rupture): This is the constantly updated repository of leaked credentials that ThreatNG checks against.

  • Dark Web (DarCache Dark Web): This repository is continuously updated and searched for mentions related to the organization.

Cooperation with Complementary Solutions

ThreatNG's external focus and high-certainty credential discovery make its data highly valuable for internal identity security solutions.

  • Working with Identity and Access Management (IAM) Solutions: ThreatNG provides the necessary external threat intelligence. The moment ThreatNG's Dark Web Presence module finds a high-value employee credential in DarCache Rupture (Compromised Credentials), the system can alert the IAM solution.

    • Example: ThreatNG finds a CEO's corporate email and password on the dark web. It provides this high-certainty finding to the IAM system via Legal-Grade Attribution, which can then automatically force an immediate, non-negotiable password reset for that specific user and potentially suspend their access until a new password is set. This closes the exposure before a threat actor can use the compromised identity to pivot into the network.

  • Working with Security Orchestration, Automation, and Response (SOAR) Solutions: ThreatNG can automatically feed a confirmed credential leak directly into a SOAR playbook.

    • Example: The Sensitive Code Exposure module detects a Slack Token in a public repository. The SOAR platform can ingest this confirmed exposure data from ThreatNG, validate that the exposed credential has a "High" priority, and automatically trigger the response, which could involve opening a high-priority ticket with the development team and initiating an automated API call to revoke the exposed Slack token.
