Cyberseer Discovers Exposed Corporate Credentials by Integrating Digital Shadows Intelligence into Exabeam Managed Service Offering - Exabeam


August 22, 2022



Account compromise — an increasing risk

Compromised credentials have become an ever-increasing threat over the past few years. The recent Digital Shadows Account Takeover in 2022 report shows they've found a whopping 24 billion exposed credentials online and, since 2020, the number of hacked credentials available on the dark web has increased by 65%. Once a credential is exposed, malicious actors will rush to use it to try to compromise an account. As organizations also move to modern authentication mechanisms like SAML (where one credential provides access to multiple systems in an organization), a compromised credential becomes a very lucrative way for hackers to gain a foothold in an environment, so much so that dark web subscriptions exist solely to broker exposed credential information to malicious actors and crime organizations.

What can Cyberseer do about this?

Cyberseer is a UK-based MSSP focused on taking a smart approach to cybersecurity, adopting machine learning and behavioral analytics toolsets. As a longstanding partner of both Exabeam and Digital Shadows, Cyberseer built a bespoke integration between the two platforms. Within Cyberseer’s managed Exabeam service, Cyberseer uses threat intelligence from Digital Shadows, which continually monitors an organization’s external digital footprint, particularly on the dark web. An effective use case to combat ransomware and groups like Lapsus$ is to monitor for exposed corporate credentials available online. Cyberseer’s automation proactively searches for exposed credentials discovered by Digital Shadows, feeding any that are found directly into the Smart Timelines in Exabeam Advanced Analytics.

Harnessing Exabeam Advanced Analytics and Rule Engine

Once Digital Shadows has been integrated, Cyberseer inserts compromised credential alerts directly into the Exabeam timeline, where they appear alongside other user activity within the session and add risk to the user's or device's total. With Digital Shadows alerts now visible within a user's session, Cyberseer has multiple rules to detect anomalous Digital Shadows behavior, using the associated rule scores to easily show the severity of an event. A user or device becomes "notable" within Exabeam when they have scored 90 points of risk or more, automatically triggering an alert on the Advanced Analytics landing page. This alert is very visible to an analyst, reducing the time to respond when compromised credentials are discovered.

The advantage of putting Digital Shadows alerts into the timeline is that an analyst can use Exabeam’s User Risk Trend, quickly identifying any sessions with indicators of compromise (IOCs), where an exposed credential may have been compromised and then used maliciously. Commonly, the systems where a compromised credential can be used maliciously (such as email or Active Directory) are already sending log data into Exabeam, meaning that compromised credential misuse, such as account creation or email forwarding changes, can quickly be identified by looking at high-scoring rules. The upshot is that Cyberseer customers receive context-rich reports with accurate levels of severity for the exposed credential. 

Figure 1. The User Risk Trend makes it easy to identify other high-risk sessions where malicious activity may have occurred because of an exposed credential — providing further pivot points for the investigating analyst.
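
The scoring flow described in this section, sketched as an added example (not Exabeam's or Cyberseer's code): an exposed-credential alert is merged into a user's session timeline, each triggered rule adds its score, and the session becomes notable at 90 points. Only the 90-point threshold comes from the article; the rule names, scores, once-per-session counting and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

NOTABLE_THRESHOLD = 90  # from the article: 90+ points of risk makes a user "notable"

# Hypothetical rule names and scores, for illustration only.
RULE_SCORES = {
    "exposed_credential": 40,
    "first_login_from_country": 25,
    "mail_forwarding_rule_created": 30,
    "account_created": 30,
}

@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    rule: str    # key into RULE_SCORES, or "" for unscored activity
    source: str  # e.g. "intel", "email", "active_directory"

def build_timeline(session_events, intel_alerts, user):
    """Merge external intel alerts into one user's session, ordered by time."""
    merged = [e for e in list(session_events) + list(intel_alerts) if e.user == user]
    return sorted(merged, key=lambda e: e.time)

def score_session(timeline):
    """Sum rule scores; each rule counts once per session (assumption of this sketch)."""
    fired = {e.rule for e in timeline if e.rule in RULE_SCORES}
    total = sum(RULE_SCORES[r] for r in fired)
    return total, total >= NOTABLE_THRESHOLD

def post_exposure_pivots(timeline):
    """Scored events after the first exposure alert: where to look for misuse."""
    exposure = next((e for e in timeline if e.rule == "exposed_credential"), None)
    if exposure is None:
        return []
    return [e for e in timeline if e.time > exposure.time and e.rule in RULE_SCORES]

def T(hour, minute):
    return datetime(2022, 8, 1, hour, minute)

# Constructed sample data: log-derived session events plus one intel alert.
SESSION = [
    Event(T(9, 5), "alice", "", "active_directory"),
    Event(T(11, 40), "alice", "first_login_from_country", "active_directory"),
    Event(T(11, 52), "alice", "mail_forwarding_rule_created", "email"),
    Event(T(10, 0), "bob", "account_created", "active_directory"),
]
ALERTS = [Event(T(10, 30), "alice", "exposed_credential", "intel")]

if __name__ == "__main__":
    tl = build_timeline(SESSION, ALERTS, "alice")
    print(score_session(tl), [e.rule for e in post_exposure_pivots(tl)])
```

Without the intel alert the same session stays below the threshold, which is the point of placing the alert in the timeline rather than in a separate queue.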

Bolstering the approach

Because Cyberseer has customized rules that look for Digital Shadows alerts, Exabeam Incident Responder can be used to start orchestrating an automated response, helping reduce the mean time to detect and respond and lowering the risk exposure of an exposed credential.

In the example below, an Exabeam Playbook is customized so that when Cyberseer's rule fires for a credential compromise, Cyberseer can orchestrate a response to lock that account or send an email requesting that the user reset their account password. Using Cyberseer's rules, there are many possibilities for how Incident Responder can react to this.

Figure 2. Using decision trees in Exabeam Playbooks to automatically disable a user account

Using Exabeam to process Digital Shadows alerts streamlines the handling of anomalous events and minimizes the risk when credentials get exposed.

About Cyberseer:

Cyberseer offers a wide range of smart security solutions to protect your business data, systems, and people. We can offer you the right solution and service to suit your individual needs.

With Cyberseer you get complete comfort with a rock-solid SLA. We provide a rapid response to incident management, real-time monitoring, coupled with process-led incident teams, reducing the time between incident awareness and remediation.

Cyberseer offers highly tailored and customized expert advice, technology solutions, and service offerings, so that you can be confident in what happens next when a cyber incident occurs.
