Recent threat intelligence has demonstrated a rise in account and credential abuse attacks. This trend suggests the information security industry is behind the curve when it comes to detecting and preventing credential abuse at scale, and that attackers continue to be successful in both the large-scale, and targeted compromise of user accounts across many systems, organisations, and identity providers.

Therefore, this talk serves to increase awareness, exposure, and understanding of risks around user account compromise, specifically via credential abuse. Notably, in order to further our collective security posture, and make life holistically harder for the attacker, we need to collectively understand what we are up against, how to address these risks, and how best to collaborate to raise the bar for the would-be attacker.

At a high-level, this talk looks to:

• Equip blue teamers with an understanding of the credential attack surface, to help drive wider credential detection/control improvements.
• Build an understanding of the core concepts and challenges of implementing high fidelity credential abuse detections, for those who may be less familiar with identity-related threats/risks, or with detection engineering more generally.
• Instill the importance of:
• Considering the human in security engineering (particularly in any investigation/response).
• Working with users to harden the credential attack surface, and making the most secure path, the path of least resistance.
• Making security transparent; removing the onus on the individual to secure themselves, and ensuring codified security controls do so on their behalf.

More specifically, this talk will discuss:

• What we mean by credential abuse, the motivations behind attackers targeting credentials, and how compromised credentials are used to achieve an attacker's objectives.
• The basics of what credentials are, some core tenets of how they are used, and what they represent.
• The importance of logging appropriate events, and the ingestion of these logs from relevant sources to support a strong detection posture.
• Some specific credential abuse detection use cases:
• The "Impossible Travel" problem; what it is, the importance of choosing the right indicators, and some challenges in implementing this kind of detection pattern.
• Credential binding violations; how credential binding controls generally work, and which binding criteria are more/less useful.
• Credential forgery (using a real-world scenario from the 2023 Storm-0558 case); a typical attack path, and how to implement an appropriate detection pattern to detect such attacks.
• Post-detection concepts, including considerations on what and where to detect threats, asking the right investigative questions, and the importance of being cognisant of the user, having strong investigative proof to support a conclusion, and of a blameless security culture.
• Controls which can support a stronger credential security posture, and how security through obscurity can help to a certain degree, despite the contradiction.

It is worth noting that this talk will not discuss Google-specific infrastructure, tooling, or processes; the content is applicable to the general identity threat detection use case.