Top Questions During Onboarding
- 11 Sep 2023
- Print
- DarkLight
Top Questions During Onboarding
- Updated on 11 Sep 2023
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
How will Credential Intelligence work?
- Once the integration is up and running, every request with credentials (to a configured path which can include account creation, password change, and account login), will be checked against the collection.
- Once the credentials are deemed compromised, a response header will be sent in real time to the enforcer with the value true.
On which paths should Credential Intelligence be configured?
- Every authentication path is password-based, including account log in, new account creation, and password reset/change.
- Account log in with compromised credentials is a potential account takeover - it is essential to monitor those and remove the vulnerability from the account
- We recommend that new/updated accounts will not reuse compromised credentials to avoid a future account takeover.
What is the collection comprised of?
- The collection includes credentials extracted from live credential-stuffing attacks by threat actors against one or more of our customers. Since these pose a clear and present danger from global attacks and are in actual use by threat actors, they are reported as compromised.
- The collection also includes dark web, deep web, and open web data vetted by the Threat Intelligence team.
- By default, all Credential Intelligence customers enjoy the network effect and access to the collection of real-time global attacks.
- The system will learn from targeted credential stuffing attacks only while Bot Defender is installed and tuned.
What will I see once the integration is complete?
- Compromised credential usage - traffic using identified compromised credentials will be flagged as such.
- The number of successful logins with compromised credentials, i.e., vulnerable accounts potentially already taken over, will be available.
Why is it important to configure the additional s2s activity?
- Additional s2s is a method to retrieve the response status (fail/pass)
- It offers a closed list of options to extract/determine the server response, e.g., status code 302 is a successful login vs. 200 is a failed one
- This configuration allows us to quantify the number of compromised accounts that were observed active on the app
- Without this data, we are only able to quantify the amount of compromised credentials that don't necessarily correlate to the attack surface risk
Was this article helpful?