California-based cybersecurity firm Shape Security recently released Blackfish, an AI system that proactively protects companies from credential stuffing prior to an attack happening. From the moment a criminal tries to use stolen usernames and passwords, Blackfish starts to monitor and protect matching accounts at other companies. This lessens the cybercriminal’s chances of matching the stolen password to other accounts that re-used the same password.
Data breaches have been on the rise in recent years, with high-profile incidents like the Yahoo and Equifax data breaches making front-page news. Last year alone, over 3 billion passwords were reported stolen through such breaches. Credential stuffing is a new kind of attack aimed at account takeover through automated web injection: it automatically submits breached username/password pairs to the log-in forms of other websites, hoping the same password has been reused there. Successful log-ins (around 0.1-0.2% of total log-in attempts) let the attacker take over the accounts that match the stolen credentials, and then drain them of stored value, credit card numbers and other personal data.
According to Blackfish CTO, Shuman Ghosemajumder, credential stuffing attacks are now at “pandemic proportions”. They account for a huge amount of traffic. Over 90% of the log-in attempts on the largest retail sites come from credential stuffing, Ghosemajumder said.
The National Institute of Standards and Technology (NIST) issued recent guidelines advising companies to examine stolen password breach corpuses to make sure that their users were not using the same passwords. Many companies have begun to undertake dark web research to acquire stolen passwords and protect their users from them. However, much of the stolen data never appears on the dark web, and that which does can take months or years to get there.
Blackfish is unique because it identifies recently stolen credentials by detecting where they are being used. Blackfish AI sensors can automatically determine when a password is in the hands of a cybercriminal and invalidate that password across the entire network. Blackfish is built on Shape’s machine learning platform, which autonomously detects credential stuffing attacks and protects the log-ins to the most valuable accounts that cybercriminals are likely to target, such as those at the largest banks, airlines and retailers.
In order to operate securely, Blackfish incorporates multiple layers of encryption and access control. Most crucially, it doesn’t actually store the usernames and passwords it looks up. It is able to do this through the use of Bloom filters, a probabilistic data structure that enables the process of performing lookups without storing a table of passwords.
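The Bloom-filter approach described above can be shown in a few dozen lines. The following is an added illustration, not Shape’s or Blackfish’s code, and the details (a keyed SHA-256 fingerprint of the username/password pair, double hashing to derive the filter indexes, and the constructed sample breach corpus and key) are assumptions chosen for the example; the page only states that Blackfish uses Bloom filters and does not store the looked-up credentials.

```python
import hashlib
import hmac
import math


class BloomFilter:
    """Probabilistic set: membership queries can give false positives but never false negatives."""

    def __init__(self, expected_items: int, false_positive_rate: float):
        # Standard sizing formulas for a target error rate at the expected load.
        self.size = math.ceil(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2))
        self.hash_count = max(1, round(self.size / expected_items * math.log(2)))
        self.bits = bytearray((self.size + 7) // 8)  # only bits are stored, never the items

    def _indexes(self, item: bytes):
        # Kirsch-Mitzenmacher double hashing: k indexes from two 64-bit halves of one digest.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so the sequence does not collapse
        for i in range(self.hash_count):
            yield (h1 + i * h2) % self.size

    def add(self, item: bytes) -> None:
        for idx in self._indexes(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(item))


def credential_fingerprint(username: str, password: str, key: bytes) -> bytes:
    # Keyed one-way fingerprint of the pair (assumed design). The filter only ever sees this
    # value, so neither the plaintext nor a plain unsalted hash is retained; the key keeps a
    # leaked filter from serving as an offline oracle for guessing passwords.
    message = f"{username.strip().lower()}\x00{password}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).digest()


def build_breached_filter(pairs, key: bytes, false_positive_rate: float = 0.001) -> BloomFilter:
    """Load a corpus of breached (username, password) pairs into a filter and discard the plaintext."""
    bf = BloomFilter(max(len(pairs), 1), false_positive_rate)
    for username, password in pairs:
        bf.add(credential_fingerprint(username, password, key))
    return bf


def is_known_breached(bf: BloomFilter, key: bytes, username: str, password: str) -> bool:
    """True means 'probably seen in a breach' (block or force a reset); False is definitive."""
    return credential_fingerprint(username, password, key) in bf


def measure_false_positive_rate(bf: BloomFilter, key: bytes, probes: int) -> float:
    # Query pairs that were never inserted and count how many the filter wrongly flags.
    hits = sum(
        is_known_breached(bf, key, f"probe{i}@example.invalid", f"never-inserted-{i}")
        for i in range(probes)
    )
    return hits / probes


# Constructed sample data: a toy breach corpus and a demo key, not real credentials.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_BREACH = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")] + [
    (f"user{i}@example.com", f"Passw0rd{i}") for i in range(1000)
]

if __name__ == "__main__":
    bf = build_breached_filter(DEMO_BREACH, DEMO_KEY)
    print("alice/hunter2 breached?", is_known_breached(bf, DEMO_KEY, "alice@example.com", "hunter2"))
    print("alice/new-password breached?", is_known_breached(bf, DEMO_KEY, "alice@example.com", "fresh-unique-pw"))
    print("filter bytes:", len(bf.bits), "for", len(DEMO_BREACH), "credentials")
    print("measured false-positive rate:", measure_false_positive_rate(bf, DEMO_KEY, 5000))
```

The important property for a breach-lookup service is the asymmetry: a credential that was loaded can never be missed, while an unseen credential is occasionally flagged at roughly the configured rate, which is an acceptable cost when the response is a forced password reset rather than a lockout. The filter holds a few kilobytes of bits for a thousand entries and contains no usernames or passwords to leak.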
On an individual level, users should stop re-using passwords across sites. One way of managing this is through the use of a password manager, although the password manager itself can still be breached.
Shuman Ghosemajumder says that the critical moment currently unaddressed by the security community is straight after a breach has happened, a window that often the company itself doesn’t know about for some time. Yahoo didn’t become aware that it had been breached for an entire two years. There is also a gap between when a company discovers it has been breached and when it discloses the breach to the public.
“Blackfish is providing a kind of protection that isn’t possible, if all you’re doing is looking at data on the Dark Web. You still can’t download the entire corpus of the Yahoo breach from the Dark Web”, says Ghosemajumder. He added, “What we see on the Dark Web are rapidly atrophying credentials… so the most valuable ones are the credentials that aren’t on the Dark Web yet.”
Gartner analyst Tricia Phillips said the technology could have a major impact if Shape’s biggest clients sign up for it. “Shape has big clients facing big attacks,” she says. “Blackfish’s success will depend on whether they are able to use the data from it” to stop hackers.