Adding the "Credential Stuffing" attack pattern to CAPEC


Adding the "Credential Stuffing" attack pattern to CAPEC

rpiazza
Administrator

The article “New Disney Plus Streaming Service Hit By Credential Stuffing Cyber Attack” was recently published in CPO magazine.

As part of the CAPEC team’s routine work, we monitor the media for articles that we think might have some impact on CAPEC content, e.g., describing an attack pattern that is not yet published in CAPEC.

This article discusses a recent attack on the Disney+ streaming service, using a technique similar to lateral movement called Credential Stuffing. Here is a quote from the article:

“And, indeed, this credential stuffing attack appears to be what happened with the new Disney+ streaming service – hackers had obtained access to some database of usernames and passwords from a previous hack pre-dating the launch of the new Disney offering, and then systematically attempted to find out if any of those username/password combos would work with the Disney+ streaming service.”

One of the uses of this mailing list is to discuss with the community ideas for improving the CAPEC attack pattern corpus. This will be the first of a series of postings to discuss potential new CAPEC content.

Here are our thoughts on Credential Stuffing:

At first glance, this attack might seem related to brute forcing (CAPEC-49: Password Brute Forcing). However, if you notice, CAPEC-49 is under CAPEC-223: Employ Probabilistic Techniques. This attack pattern is more about using probabilities of password content - like a dictionary attack (real words are more probable than random characters). Credential stuffing is more like lateral movement (CAPEC-560: Use of Known Domain Credentials) or perhaps identity spoofing (CAPEC-151: Identity Spoofing). Neither of these is a perfect fit, though. CAPEC-560 seems more based on using credentials that have already been trusted by the system, and is more associated with lateral movement in a local area network, where endpoints are often accessible using the same credentials. CAPEC-151 seems more like the outcome of using credential stuffing.

Based on these considerations, our team thinks that a new CAPEC entry should be created for this attack pattern. It should be in the CAPEC-21: Exploitation of Trusted Credentials sub-hierarchy. The text for CAPEC-560 should be edited to not be restricted to a local area network. The new CAPEC entry could then be added as a detailed child of CAPEC-560. Additionally, CAPEC-151 could be related to the new CAPEC entry using the Can Proceed/Can Follow relationship.

We will consider these changes for the next release of CAPEC.

What are your thoughts? Do you agree or do you think there is another solution?

Also, if you read about a new cyber-attack and think it is not covered by one of the existing CAPEC entries, post a link to the article and any suggestions to this mailing list so the community can consider it.

Once again, thank you for your interest in CAPEC.

            Rich

 

-- 

Rich Piazza

The MITRE Corporation

781-271-3760

 

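As an added defender-side example, not part of Rich's post or of CAPEC's own material: a small Python detector that separates the two patterns the post contrasts, brute forcing (CAPEC-49, many guesses against a few accounts) and credential stuffing (one breached username/password pair per account, replayed across many accounts), from constructed login-log lines. The log format, the thresholds and the IP addresses are assumptions for this example.

```python
"""Separate credential stuffing from brute forcing in login logs.

Stuffing replays one breached username:password pair per account across
many accounts; CAPEC-49 style brute forcing hits a few accounts with many
guesses.  Log format, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample auth log in an assumed "<ts> <src_ip> <user> <result>" format.
SAMPLE_LOG = """\
2019-12-30T16:01:02Z 203.0.113.10 alice FAIL
2019-12-30T16:01:03Z 203.0.113.10 bob FAIL
2019-12-30T16:01:03Z 203.0.113.10 carol SUCCESS
2019-12-30T16:01:04Z 203.0.113.10 dave FAIL
2019-12-30T16:01:04Z 203.0.113.10 erin FAIL
2019-12-30T16:02:10Z 198.51.100.7 alice FAIL
2019-12-30T16:02:11Z 198.51.100.7 alice FAIL
2019-12-30T16:02:12Z 198.51.100.7 alice FAIL
2019-12-30T16:02:13Z 198.51.100.7 alice FAIL
2019-12-30T16:02:14Z 198.51.100.7 alice FAIL
2019-12-30T16:03:00Z 192.0.2.55 grace FAIL
2019-12-30T16:03:30Z 192.0.2.55 grace SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def aggregate(log_text):
    """Per source IP: attempts per username and the users that got in."""
    stats = defaultdict(lambda: {"per_user": defaultdict(int), "succeeded": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines not in the assumed format
        _ts, src, user, result = m.groups()
        stats[src]["per_user"][user] += 1
        if result == "SUCCESS":
            stats[src]["succeeded"].add(user)
    return stats


def classify(per_user, min_users=5, min_attempts=5):
    """Label a source from its username -> attempt-count map: many accounts
    with about one try each is stuffing; one or two accounts with many tries
    is brute forcing; anything else (a user mistyping, then succeeding) is normal."""
    users = len(per_user)
    attempts = sum(per_user.values())
    mean_tries = attempts / max(users, 1)
    if users >= min_users and mean_tries <= 1.5:
        return "credential_stuffing"
    if users <= 2 and attempts >= min_attempts and mean_tries >= 3:
        return "brute_force"
    return "normal"


def classify_sources(log_text):
    """Map each source IP in the log to its label."""
    return {src: classify(s["per_user"]) for src, s in aggregate(log_text).items()}


def accounts_to_review(log_text):
    """Users who authenticated from a stuffing source: the breached pairs that
    worked, i.e. the accounts a defender should force a password reset on."""
    hits = set()
    for s in aggregate(log_text).values():
        if classify(s["per_user"]) == "credential_stuffing":
            hits |= s["succeeded"]
    return sorted(hits)
```

On the sample log this flags 203.0.113.10 as stuffing (and carol's account for review), 198.51.100.7 as brute forcing, and 192.0.2.55 as normal.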

[EXT] Re: Adding the "Credential Stuffing" attack pattern to CAPEC

Colin Watson
Rich

"Credential Stuffing" is one of 21 automated threats to *web applications* which OWASP has identified. Other names which have been used for this attack are:

Account checker attack; Account checking; Account takeover; Account takeover attack; Login Stuffing; Password list attack; Password re-use; Stolen credentials; Use of stolen credentials

The original 20 (now 21) were notified to the CAPEC mailing list in October 2015 (see message copied in below). The 21 are, in alphabetical order:

OAT-020 Account Aggregation
OAT-019 Account Creation
OAT-003 Ad Fraud
OAT-009 CAPTCHA Defeat
OAT-010 Card Cracking
OAT-001 Carding
OAT-012 Cashing Out
OAT-007 Credential Cracking
OAT-008 Credential Stuffing    <-------------------
OAT-021 Denial of Inventory
OAT-015 Denial of Service
OAT-006 Expediting
OAT-004 Fingerprinting
OAT-018 Footprinting
OAT-005 Scalping
OAT-011 Scraping
OAT-016 Skewing
OAT-013 Sniping
OAT-017 Spamming
OAT-002 Token Cracking
OAT-014 Vulnerability Scanning

The latest version is 1.2 and since the original 1.0 release we have maintained a cross-reference with CAPEC and WASC:


We will update our cross-references as CAPEC is updated.

We hope our information on credential stuffing and other automated threats to web applications is of use.

Regards

Colin Watson


=======

---------- Forwarded message ---------
From: Colin Watson <[hidden email]>
Date: Thu, 15 Oct 2015 at 14:38
Subject: Automated Threats to Web Applications
To: <[hidden email]>


Hello List Members

Recently I worked on creating a list of automated threats to web applications:

   PDF
   https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications

   In print
   http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22295560.html

It was presented at AppSec USA last month:

   https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx

The threat events are mapped to CAPEC:

   https://www.owasp.org/index.php/File:Ontology-chart-capec-wiki.png

They mostly fall within the existing CAPEC-210: Abuse of Functionality. I hope they might be a useful enumeration of automated threats that are not simply the result of exploitation of a vulnerability, and be useful for the classification of threat intelligence. There is further discussion on the scope and intended use cases in the document.

I am working on related guidance for developers and defenders.

Regards

Colin Watson
OWASP Automated Threats to Web Applications project leader

https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications

=======


On Mon, 30 Dec 2019 at 16:59, Piazza, Rich <[hidden email]> wrote:


Re: [EXT] Re: Adding the "Credential Stuffing" attack pattern to CAPEC

rpiazza
Administrator
In reply to this post by rpiazza

Thanks Colin for creating this mapping between OWASP and CAPEC.  We will certainly look into including it in the “Taxonomy Mappings” section of the related CAPEC entries in the next release!

 

From: Colin Watson <[hidden email]>
Date: Monday, December 30, 2019 at 1:25 PM
To: Rich Piazza <[hidden email]>
Cc: CAPEC Researcher Discussion <[hidden email]>
Subject: [EXT] Re: Adding the "Credential Stuffing" attack pattern to CAPEC

 


RE: [EXT] Re: Adding the "Credential Stuffing" attack pattern to CAPEC

NETWAR DEFENSE-GOV
In reply to this post by Colin Watson

UMBC Cyber | Cync Prog Research & Tech Park

5520 Research Park Drive, Suite #100

Catonsville, MD 21228 | POB 679 Glenn Dale, MD 20769

 

 

This is fantastic! Thank you.

 

Regards,

 

Paul A. Wells | President & CEO |

NETWAR DEFENSE CORPORATION

National Security & Intelligence

 

New Office Line: 301-651-4578

Corporate FAX: 301-576-7630

Email: [hidden email]


Please visit us:  www.netwardefense.com 



 

 

 
