Adversary Intelligence – Exposed Credentials
Introduction
Criminal underground digital economies are hidden throughout the recesses of the internet. To find the activity of these malicious actors, not only do you need to search the open web, but the deep web and dark web as well.
CrowdStrike Falcon Intelligence Recon protects organizations by allowing security teams to conduct investigations into underground activity.
Security teams can proactively uncover fraud, data breaches, and phishing attacks while also protecting their brand from other online threats to their organization.
Let’s start by taking a look at Recon notifications. You can customize the notifications to search the deep web and dark web for identifying terms or phrases, such as your domains, and surface matches automatically.
Walkthrough
In this scenario, we’ll search for potentially exposed data for a fictional company called Travel Airlines.
First, we’ll create a filter for exposed data.
This shows only the notifications containing exposed data from our example company.
It looks like there’s just one result.
The details show that the source and author of the dark web post were LockBit.
In the Data Origination Details tab, we can see that the domain connected with the exposed data was travelairlines.com and that Bitwise Spider was the adversary that had obtained these credentials.
The File Details tab shows information about the file, including its size which could indicate the scope of the exposed data.
Finally, the Event Details tab shows information about the breach event.
Also listed are the contents of the exposed data file. These contents can include elements such as login ID, password, phone number, or other identifiable information.
Passwords are obfuscated when the page is viewed, but they can be revealed either all at once with the “Show all passwords” button or individually with the eye icon.
The “Send Passwords to Identity Protection” button will send the compromised passwords to Falcon Identity Threat Protection and automatically force password changes for any user that is using one of the compromised passwords.
This can also be automated and will render the exposed passwords useless to an adversary.
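The matching step described above, as an added illustration that is not CrowdStrike code: parse a constructed exposed-data file, mask passwords for display, keep only the monitored domain, and flag every directory account whose current password verifier matches one of the exposed passwords. The CSV layout, the PBKDF2 verifier format and the demo directory are assumptions made for the example.

```python
import csv
import hashlib
import hmac
import io
import os

# Constructed sample of an exposed-data file: login id, password, phone number.
SAMPLE_DUMP = """login_id,password,phone
alice@travelairlines.com,Summer2023!,+1-555-0100
bob@travelairlines.com,hunter2,+1-555-0101
carol@othercorp.example,letmein,+1-555-0102
"""

def parse_exposed_file(text):
    """Parse the CSV-style dump into a list of dict records (assumed layout)."""
    return list(csv.DictReader(io.StringIO(text)))

def mask_password(password):
    """Obfuscate a password for display; the real length is hidden as well."""
    return "********" if password else ""

def records_for_domain(records, domain):
    """Keep only records whose login id belongs to the monitored domain."""
    suffix = "@" + domain.lower()
    return [r for r in records if r["login_id"].lower().endswith(suffix)]

def hash_password(password, salt):
    """PBKDF2 verifier standing in for the directory's stored hash (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def users_needing_reset(records, directory):
    """Return login ids whose current password equals any exposed password.
    directory maps login id -> (salt, verifier). Every exposed password is
    checked against every account, since people reuse passwords across logins."""
    exposed = {r["password"] for r in records}
    flagged = set()
    for login, (salt, stored) in directory.items():
        for pw in exposed:
            if hmac.compare_digest(hash_password(pw, salt), stored):
                flagged.add(login)
                break
    return sorted(flagged)

def build_demo_directory():
    """Constructed directory: alice still uses her exposed password, bob has
    already rotated, dave reuses the password that leaked under bob's login."""
    current = {"alice@travelairlines.com": "Summer2023!",
               "bob@travelairlines.com": "Rotated-Already-9",
               "dave@travelairlines.com": "hunter2"}
    out = {}
    for user, pw in current.items():
        salt = os.urandom(16)
        out[user] = (salt, hash_password(pw, salt))
    return out
```

The flagged list is what a forced-reset step would act on; the cleartext passwords never need to be shown to an analyst for that decision.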
CrowdStrike Falcon Intelligence Recon is the premier tool for digital risk reconnaissance. With continuous monitoring that goes beyond just the open web, security teams can easily identify when data has been exposed and protect the organization from threats on the deep web and dark web.