April 14, 2023 By Alan O Dwyer 3 min read


Information-stealing malware has become extremely pervasive in recent years. This malware harvests millions of credentials annually from endpoint devices and enterprises across the globe to devastating effects.

Using highly automated and orchestrated attack methods, threat actors and initial access brokers provide an endless supply of compromised credentials to cyber criminal syndicates who use those credentials as early points of entry into company networks, databases and critical online applications.

Due to evolving tactics and variants, this type of malware has proven to be highly evasive against many current security solutions. Most victim organizations only become aware of credential theft after those credentials appear for sale on dark market sites or as part of credential-based intrusions. Consequently, the overall mean time to detect (MTTD) allows ample opportunity for threat actors to put the stolen credentials to use, greatly increasing the likelihood of data access, network compromise or ransomware.

In times of ever-increasing risk, organizations must find new ways to protect their credentials against the plague of info-stealers.

An alternative solution

Knowing that information-stealing malware will likely bypass security tools and successfully steal user credentials, I recently proposed an alternative detection method.

CredInt is both OS and device-agnostic. It employs readily available technologies and a systematically created credential pair saved onto each end-user device. In addition, it also utilizes a web-accessible login portal used to initiate alert logic when those specific credentials are attempted.

Following the attack cycle

From the attacker’s perspective, the millions of credentials that are harvested will always require some validity checking (at scale) to verify that the stolen credentials are active and marketable. This becomes the reliable constant in the attack cycle where malicious activity can be instantly observed.

By purposely creating a unique credential pair tied specifically to an end-user device for immediate identification, the “CredInt” pair can be used to trigger an alert when attempted against a corresponding web portal registered for the specific credential combination.

Uses, limitations and expectations

The concept of CredInt poses no actual harm or risk to the end user or the organization that deploys this method. It only comes into action once attackers have already successfully extracted credentials and attempted to use them.

Additionally, this method is not overly complicated to deploy or manage. Current web-app technology could be tailored for this specific controlled functionality and to protect the anonymity of both the web portal and the backend collection servers. It is scalable and retroactively compatible with all devices.

In a traditional honeypot implementation, a system is purposely exposed to entice and attract attacker activity. Unfortunately, false positives are a frequent result. CredInt is different: it’s a detection method only. No direct interaction is expected or provided on the end user device. It is designed as an alerting function based on anticipated external attack-chain events of compromised credential validation.

CredInt will also provide incredibly high-quality cyber intelligence and forensic value on the identified victim machine. That data can be shared across other security platforms and internal security teams to further bolster protection.

Finally, many organizations run OTP or MFA and password manager authentication solutions to provide enhanced access controls. CredInt will still provide an observable security event if a victim machine suffers browser-sourced information-stealer malware, which may have gone undetected. This includes detection on devices that store other critical data such as Crypto Wallets, Tokens or API Keys.

It’s clear that organizations must start implementing new methods of securing their data. To combat info-stealing malware, CredInt proposes one possible solution.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today