How to Detect Credential Stuffing Attacks with Forgerock Access Management?

Hello everyone, I would like to integrate a system that allows me to directly detect Credential Stuffing attacks.
For those who don’t know, credential stuffing is an attack where the attacker uses an army of botnets to test credentials on a login portal.
Those credentials typically come from data breaches at other websites, and the attack revolves around the fact that users tend to have the same username (typically their email) and password combination everywhere.
The most effective solution proposed by organizations like OWASP is using multifactor authentication; that way, knowing a user’s credentials doesn’t guarantee that you will be able to access their account.
The problem is that when talking about client access management, enforcing a policy such as MFA can be hard or even impossible for several reasons, the main one being resistance to change.
I’m therefore looking for alternate solutions that can block credential stuffing attacks, but one of the major issues I encountered is detecting such an attack.
The problem is that a credential stuffing attack is usually detected because of the DoS it can generate, and there aren’t many identifiable symptoms to differentiate it from a DDoS.
Thus far, I’ve tried to identify a list of breached database tools to try to detect when a group of users suspiciously uses credentials from those databases to connect to a large number of accounts. Databases like HaveIBeenPwned or DeHashed do have APIs where you can verify if an email or a password has been leaked, so it’s not a purely philosophical idea.
My question is: how do I integrate it? All the plugins I’ve encountered seem to act on identity management as a tool to enforce a password policy. Is there a project that does approximately what I want out there, or do I have to code it from scratch?
Another question would be: is there a better way to do it with ForgeRock AM? I’m fully aware that I’m not infallible and that I’ve forgotten a hundred parameters that might be evident to you.
I’m also aware that there is a specific node for it in Identity Cloud, but the systems I’m working with use AM, so it’s sadly out of the picture for me.
If you have some ideas, do not hesitate, I’m open to reading even the craziest ones.

3 Likes

In an ideal world, if you are using ForgeRock Identity Cloud (SaaS), Credential Stuffing (alongside automated user agent aka ‘bot detection’) is an OOTB signal in Autonomous Access (integrated into AM Trees, so it’s a no-code journey).

There are a few ways, though, to battle not only credential stuffing but also password spraying and other credential-based attacks in your own deployment of AM.
You have mentioned the Have I Been Pwned database, so let’s take that example. One way is to use a scripted decision node in the tree (journey) to check if the password has leaked at the time of login (HIBP is a simple REST call, with a bit of logic after). If you encounter a breached password, you go down the MFA route and ask the user to change it JIT (just in time).
If you wanted to have Autonomous Access-like protection for cred stuffing, you can start tracking IP addresses as well in a custom IDM object (if you use IDM) against the account/password combinations used (regardless of whether they come from a breach or not, it’s the number of attempts from a specific IP/network). You can set the threshold for, say, 10 accounts in any 5 minute period. That is bound to generate false positives on overloaded IP addresses (NAT’ed), but it’s still better than nothing. If you couple device fingerprinting with the attempts/combination counters, it suddenly becomes really effective against automated agents trying out credentials. If the attack is done at the scale of a DoS, no magic dust will help you; you’ll need a proper network-level DoS protection solution.

If you want to try out HIBP in a scripted node, I am happy to share the PoC script (you will need to register for HIBP service, but it’s free). Hope this helps!

3 Likes
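An added example (not the PoC offered above, nor ForgeRock code): the per-source "N distinct accounts in a window" counter the reply describes, run over constructed login attempts in plain Node.js. The IPs, accounts and timestamps are made up; in AM the same logic would sit in a scripted decision node with the counters persisted in an IDM object or similar store.

```javascript
const WINDOW_MS = 5 * 60 * 1000; // 5 minute window, as in the reply above
const THRESHOLD = 10;            // distinct accounts from one source before flagging

// Sliding-window counter keyed by a source string (an IP, or IP plus device
// fingerprint to cut down the NAT false positives the reply mentions).
class StuffingDetector {
  constructor(windowMs = WINDOW_MS, threshold = THRESHOLD) {
    this.windowMs = windowMs;
    this.threshold = threshold;
    this.events = new Map(); // source -> [{ ts, account }] still inside the window
  }

  // Record one login attempt; returns true when this source has now touched
  // at least `threshold` distinct accounts inside the window.
  record(source, account, ts) {
    const kept = (this.events.get(source) || []).filter(e => ts - e.ts < this.windowMs);
    kept.push({ ts, account });
    this.events.set(source, kept);
    return this.distinctAccounts(source) >= this.threshold;
  }

  distinctAccounts(source) {
    return new Set((this.events.get(source) || []).map(e => e.account)).size;
  }
}

// Constructed sample: a NAT'ed office address where 4 people log in repeatedly,
// a bot address that walks through 12 accounts in 90 seconds, and a slower bot
// that spreads the same 12 accounts over two hours (10 minutes apart).
function sampleAttempts() {
  const out = [];
  for (let i = 0; i < 20; i++) out.push({ ip: '203.0.113.10', account: `user${i % 4}@example.com`, ts: i * 10000 });
  for (let i = 0; i < 12; i++) out.push({ ip: '198.51.100.7', account: `victim${i}@example.com`, ts: i * 7500 });
  for (let i = 0; i < 12; i++) out.push({ ip: '198.51.100.8', account: `victim${i}@example.com`, ts: i * 600000 });
  return out;
}

// Feed attempts to the detector in time order; returns the sorted list of
// sources that crossed the threshold at any point.
function flaggedSources(attempts, windowMs = WINDOW_MS, threshold = THRESHOLD) {
  const det = new StuffingDetector(windowMs, threshold);
  const flagged = new Set();
  for (const a of [...attempts].sort((x, y) => x.ts - y.ts)) {
    if (det.record(a.ip, a.account, a.ts)) flagged.add(a.ip);
  }
  return [...flagged].sort();
}

console.log(flaggedSources(sampleAttempts())); // [ '198.51.100.7' ]
```

The slow bot stays under the radar with a fixed 5 minute window, which is why the reply suggests pairing the counter with device fingerprinting rather than relying on the IP threshold alone.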

Ok, first, thank you so much for your detailed answer.

Now, just a quick question: how do I set up Autonomous Access in AM? I made a test ForgeRock installation, but I don’t see any “Autonomous Access” nodes, and I can’t find any documentation about it.

The account threshold is a very clever idea, especially since I already considered and applied a device fingerprinting tree. Is there any node to apply it in AM, or do I really have to use IDM for that? And in any case, do you have any link to the documentation about that?

And of course I would be more than interested in the PoC for a HIBP scripted node, since I’m clearly not an expert in Java development.

Again, thank you for your help!

2 Likes