Following the news that:
FBI warns of residential proxies used in credential stuffing attacks (bleepingcomputer.com)
The August 18, 2022 FBI notification about the use of residential proxies should serve as a good reminder to all that protection against a credential stuffing attack requires more than just an IP reputation check. Organisations should employ adequate contextual runtime detection capability in order to quickly identify nefarious client behaviour, regardless of where the request originated. Advancements in AI security technologies allow security teams to detect and block behaviours that deviate from the norm in near real time, before any damage is done. The ability to rapidly discern client intent and identify threats based on behaviour has been a game changer for many organisations. In many cases, threats are identified during the reconnaissance stage, before an actual attack is carried out.

The notification specifically calls out the threat to mobile applications, which typically leverage APIs to transfer data between the mobile app itself and application servers. As it relates to mobile app security, and securing the APIs they leverage, contextual runtime protection, as explained previously, is essential. Additionally, organisations should look to complement this with appropriate API access controls, such as service-specific rate limits where appropriate, and requiring mTLS authentication between the mobile app and the underlying APIs it leverages.
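The comment above argues that a per-IP reputation check misses a campaign spread across a residential proxy pool, and that behavioural signals are needed instead. The following is an added example, not code from the article or from the commenter's organisation: it runs a small behaviour-based detector over constructed authentication log lines, keying on client fingerprint and target account rather than source IP. The log format (`ts ip= user= fp= result=`), the fingerprint field, the thresholds and every sample line are assumptions made for this demo.

```python
"""Behaviour-based credential-stuffing detector over authentication logs.

Added example (not from the original article). Instead of counting attempts
per source IP, it groups attempts per client fingerprint and per target
account inside a fixed time window, so a campaign rotated across many
residential-proxy IPs still surfaces. All formats and values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int      # seconds since epoch (constructed values)
    ip: str      # source address seen by the edge
    user: str    # account the client tried to log in to
    fp: str      # client fingerprint, e.g. a TLS or device fingerprint (assumed field)
    ok: bool     # whether the credentials were accepted


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line: '<ts> ip=<ip> user=<user> fp=<fp> result=<ok|fail>'."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return Attempt(int(ts), kv["ip"], kv["user"], kv["fp"], kv["result"] == "ok")


def max_attempts_per_ip(attempts) -> int:
    """What a naive per-IP counter would see: the busiest single source address."""
    counts = defaultdict(int)
    for a in attempts:
        counts[a.ip] += 1
    return max(counts.values(), default=0)


def detect(attempts, window=600, min_users_per_fp=5, min_ips_per_user=4, min_fail_ratio=0.8):
    """Return alerts for two IP-independent credential-stuffing signals.

    fingerprint_spray: one client fingerprint trying many different usernames
        with a high failure ratio, however many IPs it rotates through.
    distributed_account_attack: one account receiving failed logins from many
        distinct IPs (low-and-slow spraying through a proxy pool).
    Attempts are bucketed into fixed windows of `window` seconds.
    """
    by_fp = defaultdict(list)
    by_user = defaultdict(list)
    for a in attempts:
        bucket = a.ts // window
        by_fp[(bucket, a.fp)].append(a)
        by_user[(bucket, a.user)].append(a)

    alerts = []
    for (bucket, fp), group in sorted(by_fp.items()):
        users = {a.user for a in group}
        fails = sum(not a.ok for a in group)
        if len(users) >= min_users_per_fp and fails / len(group) >= min_fail_ratio:
            alerts.append({"kind": "fingerprint_spray", "key": fp, "window": bucket,
                           "users": len(users), "ips": len({a.ip for a in group}),
                           "fails": fails, "total": len(group)})
    for (bucket, user), group in sorted(by_user.items()):
        fail_ips = {a.ip for a in group if not a.ok}
        if len(fail_ips) >= min_ips_per_user:
            alerts.append({"kind": "distributed_account_attack", "key": user, "window": bucket,
                           "ips": len(fail_ips), "fails": sum(not a.ok for a in group),
                           "total": len(group)})
    return alerts


# Constructed sample log: one legitimate user (alice), one client fingerprint
# cycling through six accounts from six proxy IPs (fp-A), and the account
# "bob" being hit from four different IPs with different fingerprints.
SAMPLE_LOG = """\
1700000000 ip=203.0.113.10 user=alice fp=fp-legit result=ok
1700000005 ip=198.51.100.1 user=bob fp=fp-A result=fail
1700000010 ip=198.51.100.2 user=carol fp=fp-A result=fail
1700000015 ip=198.51.100.3 user=dave fp=fp-A result=fail
1700000020 ip=198.51.100.4 user=erin fp=fp-A result=fail
1700000025 ip=198.51.100.5 user=frank fp=fp-A result=ok
1700000030 ip=198.51.100.6 user=grace fp=fp-A result=fail
1700000040 ip=192.0.2.7 user=bob fp=fp-x1 result=fail
1700000050 ip=192.0.2.8 user=bob fp=fp-x2 result=fail
1700000060 ip=192.0.2.9 user=bob fp=fp-x3 result=fail
1700000070 ip=203.0.113.10 user=alice fp=fp-legit result=fail
1700000075 ip=203.0.113.10 user=alice fp=fp-legit result=ok
"""


def run_demo():
    """Parse the constructed log and return (max per-IP count, behavioural alerts)."""
    attempts = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return max_attempts_per_ip(attempts), detect(attempts)


if __name__ == "__main__":
    per_ip, alerts = run_demo()
    print(f"busiest single IP made only {per_ip} attempts (per-IP threshold never trips)")
    for alert in alerts:
        print(alert)
```

On this sample no source IP makes more than three attempts, so an IP-based threshold or reputation list sees nothing, while the fingerprint view flags `fp-A` (six usernames, five failures, six IPs) and the per-account view flags `bob` (failures from four distinct IPs). In production the fingerprint would come from whatever the edge can attach to a request (TLS fingerprint, app attestation token, device id), and the thresholds would be tuned against baseline traffic rather than the constants used here.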
As much as we would like to get rid of passwords, we must admit that this form of authentication will be around for the foreseeable future. Because passwords are still a primary way to authenticate to computers and websites, it is important to educate people about the dangers of reusing passwords across multiple accounts, and to provide them a way to easily manage the multiple passwords that the typical person has.
Cybercriminals know that it is human nature to come up with a single strong password, then reuse it across multiple platforms. Without tools to help manage multiple passwords, there is simply no way for a person to memorize them, which leads to this reuse. Bad actors know that if they can extract usernames and passwords from a breach, the odds are good that many of them will also be used in other places, so they try them at major banks, email providers, social media platforms and even large retailers.
Enabling Multi-Factor Authentication (MFA) can help protect accounts; however, modern attackers can bypass these controls, so it should not be considered a fix to the problem. Password vault applications can be very useful for creating and securing strong, unique passwords for accounts, helping significantly with the reuse problem. It is critical to secure the password vault with a unique and strong passphrase, and MFA whenever possible, and to be very protective of that password.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.