Security Bsides Las Vegas 2024

Kathy Zhu

Having worked in the security industry for 8+ years, Kathy is currently a Security Engineering Tech Lead in the detection space at Google. Her interests and experience are in detection engineering and software development. Outside of work, she also enjoys running, the outdoors, and reading.


Session

08-06
14:00
45min
Detecting Credential Abuse
Troy Defty, Kathy Zhu

Attackers love credentials. Creds are often the key to objectives - the long-fought initial foothold, that much-needed lateral movement, or the final privilege escalation that can mean the difference between a lucrative return on investment and burned time, effort, and resources. And as defenders, it isn't always easy to tell who is behind the credential. After all, all we have are logs, right...?

But logs can be extremely valuable, and we know a lot about credentials: from their creation, to their usage, to their subsequent invalidation. And we know a lot about how they are issued, where they are (or should be) stored, and to which systems they are provided. So how do we pull the badness from the noise, and detect or prevent those we defend from being pwned?

This talk will discuss core detection concepts targeting credential abuse, including useful detection patterns, the Impossible Travel problem, and credential binding violations. We will also contemplate the trade-offs in controls, the challenges in pulling the needle from the haystack, and the need to consider the user when hardening or responding to suspected credential abuse.

PasswordsCon
Tuscany