Top Questions During Onboarding
  • 11 Sep 2023
  • Dark

Top Questions During Onboarding

  • Dark

Article summary

How will Credential Intelligence work?

  • Once the integration is up and running, every request with credentials (to a configured path which can include account creation, password change, and account login), will be checked against the collection.
  • Once the credentials are deemed compromised, a response header will be sent in real time to the enforcer with the value true.

On which paths should Credential Intelligence be configured?

  • Every authentication path is password-based, including account log in, new account creation, and password reset/change.
  • Account log in with compromised credentials is a potential account takeover - it is essential to monitor those and remove the vulnerability from the account
  • We recommend that new/updated accounts will not reuse compromised credentials to avoid a future account takeover.

What is the collection comprised of?

  • The collection includes credentials extracted from live credential-stuffing attacks by threat actors against one or more of our customers. Since these pose a clear and present danger from global attacks and are in actual use by threat actors, they are reported as compromised.
  • The collection also includes dark web, deep web, and open web data vetted by the Threat Intelligence team.
  • By default, all Credential Intelligence customers enjoy the network effect and access to the collection of real-time global attacks.
  • The system will learn from targeted credential stuffing attacks only while Bot Defender is installed and tuned.

What will I see once the integration is complete?

  • Compromised credential usage - traffic using identified compromised credentials will be flagged as such.
  • The number of successful logins with compromised credentials, i.e., vulnerable accounts potentially already taken over, will be available.

Why is it important to configure the additional s2s activity?

  • Additional s2s is a method to retrieve the response status (fail/pass)
  • It offers a closed list of options to extract/determine the server response, e.g., status code 302 is a successful login vs. 200 is a failed one
  • This configuration allows us to quantify the number of compromised accounts that were observed active on the app
  • Without this data, we are only able to quantify the amount of compromised credentials that don't necessarily correlate to the attack surface risk 

Was this article helpful?