Fighting credential theft with automation: the answer to the CISO's puzzle

November 2022 by Jérôme BEAUFILS, head of SASETY

More than 24 billion stolen credentials are available on the Internet and the Dark Web. Their exploitation by cybercriminal groups is the leading attack vector, far ahead of phishing and the exploitation of vulnerabilities. Using these credentials, attackers take control of user accounts and expose organizations to breaches, ransomware, and data theft.



Although CISOs are aware of this threat and often have tools to reduce the risk, the daily news shows that these tools are applied far too little. A structured and continuous approach reduces risk exposure, but it is too heavy a burden for often understaffed security teams. Automating the detection and identification of the risks that genuinely affect the organization is the only response that keeps pace with the dynamics of the cyber threat.


Nature of risk


80% of web application breaches involve compromised identities. Attackers use techniques such as social engineering, brute force, and buying credentials on the dark web to compromise identities and gain access to organizations’ resources.


They often take advantage of the following weaknesses:

Same password between multiple applications

Same password between personal and business applications

Passwords stored in browsers

Password reuse or long lifespan

Unused credentials (employees who have left the company, service providers, service accounts, etc.)

Passwords shared between different users


The main challenge for the organization is that attackers need only one valid credential to break in.


Risk mitigation


To reduce their risk exposure, organizations need to focus on what is exploitable from the attackers’ perspective.


An effective methodology is based on the following steps:

Collect stolen credentials


To start fixing the problem, security teams need to collect data on credentials that have been stolen, from various locations on the web and on the dark web. Tools such as HaveIBeenPwned or the Hasso Plattner Institute's leak checker are useful here. This step provides an initial status report and identifies the individual accounts that need to be updated.

Identify the actual risk of exposure


Once the data is collected, security teams need to determine which credentials can actually be leveraged.

To do this, they must use techniques similar to those of attackers:

Check whether credentials allow access to external resources, such as web services and databases
Attempt to crack captured password hashes
Validate matches between stolen credentials and the organization’s identity management tools, such as Active Directory
Test variants to identify additional accounts that could be compromised, since users typically reuse the same password patterns


Reduce the risk of exposure


After validating stolen credentials that actually expose the organization, security teams must take targeted actions to mitigate the risk.

For instance:
Remove exposed inactive accounts from Active Directory

Initiate password changes for active users

Review password management processes and policy (hardening, lifecycle)


Implement a continuous validation process


Attackers’ techniques and organizations’ attack surfaces are constantly evolving, especially where user accounts are concerned. A one-time effort to identify, verify and reduce the exposure of credentials is therefore insufficient. To combat this risk sustainably, organizations must adopt a continuous approach. However, the burden of these manual actions is too great for security teams with limited resources.


The only way to effectively manage the threat is to automate the validation process.
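As an added illustration of the validation loop described above (not the article's or Pentera's code), the script below matches a constructed leaked-credential dump against a constructed directory export, flags predictable password patterns, and derives one remediation action per confirmed match. The domain, accounts, passwords and the "svc-" service-account convention are all constructed assumptions.

```python
# Added example (not the article's or Pentera's code): triage constructed leak
# records against a constructed directory export and derive remediation actions.
import re

ORG_DOMAIN = "example.com"  # assumption: the organisation's mail domain
# Constructed leak records, as the collection step might return them.
LEAKS = [
    {"email": "alice@example.com", "password": "Winter2021!", "source": "dump-a"},
    {"email": "Bob@Example.com", "password": "Summer2022!", "source": "dump-a"},
    {"email": "carol@example.com", "password": "hunter2", "source": "dump-b"},
    {"email": "eve@other.org", "password": "qwerty", "source": "dump-b"},
    {"email": "svc-backup@example.com", "password": "Backup123", "source": "dump-c"},
]

# Constructed directory export (mail -> account state), standing in for an AD query.
DIRECTORY = {
    "alice@example.com": {"account": "alice", "enabled": True, "service": False},
    "bob@example.com": {"account": "bob", "enabled": False, "service": False},  # left
    "svc-backup@example.com": {"account": "svc-backup", "enabled": True, "service": True},
}

# Word + year (+ optional symbol), e.g. Winter2021!: the adjacent years are the
# first variants an attacker tries, so the user's current password is at risk too.
YEAR_PATTERN = re.compile(r"^[A-Za-z]+(19|20)\d{2}\W*$")


def classify_pattern(password: str) -> str:
    """Label a leaked password so the policy review can target predictable patterns."""
    return "word-year variant" if YEAR_PATTERN.match(password) else "other"


def triage(leaks, directory, domain):
    """Return one remediation action per leaked record that concerns the organisation."""
    actions = []
    for rec in leaks:
        email = rec["email"].strip().lower()
        if not email.endswith("@" + domain):
            continue  # out of scope: not an organisational identity
        entry = directory.get(email)
        if entry is None:
            action = "no matching account: confirm it was removed, else investigate"
        elif not entry["enabled"]:
            action = "remove: inactive account with exposed credentials"
        elif entry["service"]:
            action = "rotate secret: service account with exposed credentials"
        else:
            action = "force password change and check reuse on other services"
        actions.append({"email": email, "account": entry["account"] if entry else None,
                        "source": rec["source"], "action": action,
                        "pattern": classify_pattern(rec["password"])})
    return actions
```

Running `triage(LEAKS, DIRECTORY, ORG_DOMAIN)` yields four actions: a forced reset for alice (whose leaked password follows a word-year pattern), removal for the disabled bob account, an investigation for carol (no matching account) and a secret rotation for the service account.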




Since 2021, Gartner has framed this automation under the concepts of "Automated Penetration Test and Red Team Tool" and "External Attack Surface Management". These concepts bring together techniques for continuously identifying the risks exposed across an organization's attack surface, so that remediation work focuses on proven risks.


Among the players, Pentera is now the leader in automated cyber validation.

Using the latest and most advanced attack techniques, their solution runs automated, continuous, authorized attacks to highlight static and dynamic vulnerabilities. These tests are run from both outside and inside the organization, covering the entire attack surface.


Among its features, the "Leaked Credentials" module automates the discovery of stolen credentials and the verification of the exposure they represent for the organization:

On external services (SaaS, websites, messaging)

On internal services (applications, workstations, servers, infrastructure elements)


The result of these investigations presents the complete attack vectors together with a description of the remediation actions to be carried out by the security teams. Integration with SIEM or ITSM tools makes it possible to embed this process in the overall cybersecurity risk management process. These solutions are the future of threat monitoring, detection, and prevention.

