Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Incident Response

3 Steps to Disrupt Threat Actors Selling Access to Your Environment

Unmasking a threat actor at an individual level could help you to gain more context, determine why the attack occurred, and quantify future risk

Unmasking a threat actor at an individual level could help you to gain more context, determine why the attack occurred, and quantify future risk

Imagine law enforcement reaches out to a security team to tell them a threat actor is selling employee credentials or private access keys to a sensitive business application. Even though there is no confirmation that these threat actors accessed or stole data, it is very troubling. This type of threat is growing increasingly common in today’s threat landscape. To make sure these types of events don’t become full-blown breaches and damage the company’s reputation, sophisticated enterprises know that they need to take timely action and have visibility outside their perimeter. That action typically consists of external threat hunting, forensics, and the unmasking of the actors using open-source intelligence (OSINT). Successfully attributing the actor goes a long way to determining if the company is the victim of a targeted attack or just a target of opportunity. 

However, there are three steps that organizations can follow to ensure confidentiality, integrity, and availability of data systems.

Step 1: Initial Internal and External Triage

The first step is making sure you have a coordinated response.  This should include the legal, human resources, information technology, and security teams. The top priority should be ensuring the confidentiality, integrity, and availability of your data systems.  You can do this by determining the origin of leaked credentials. If law enforcement or a third-party vendor initiates contact, they may hold those user credentials or private keys while engaging directly with the threat actor(s). 

Generally speaking, law enforcement will have the account names of the forum users attempting to sell the credentials. Once you have this information, you should research the threat actors to assess their technical skills and how prolific they are in underground forums. For example, the dark web sellers may not have the same technical acumen as the actual malicious actor who obtained access into the environment. At this stage of the investigation, the extent of the damage often remains unknown and three paths should be pursued: 1) removing access, 2) determining the extent of the damage, and 3)  deciding if the threat justifies unmasking the actors to understand the nature of the attack.

Step 2: Remove Unauthorized Access and Identify Damages

Advertisement. Scroll to continue reading.

Cyberattack Attribution

After confirming credentials and proper account access, you need to determine the damage. This includes identifying evidence of unauthorized access, lateral movement, the use of malicious tools, malware deployment, and whether or not data was accessed and exfiltrated. Implementing a combination of proper logging through a data acquisition strategy, two-factor authentication (both on the edge and internally), endpoint and network monitoring, some type of segmentation strategy–even if just hardened access control policies– and patch management, is likely to keep the security event or incident from converting to a full-blown breach. 

Hopefully, the attacker’s time in your network only resulted in malicious authentication and no further damage occurred. If you have not implemented those proactive threat deterrents, it makes sense to reevaluate your security stack or engage with an expert for an overall security assessment.  

In response to a specific attack, it’s important to do external threat monitoring and threat actor engagement to determine if the actors are attempting to exploit or monetize the security event. During this stage, it may not be necessary to unmask the individual responsible for the attack.   If an assessment determines that the attackers gained access via re-used credentials scraped from third-party repositories, brute force spraying for the proper password, or discovered a re-used password from a previous data breach; it’s possible no further malicious activity occurred inside the environment. 

If, on the other hand,  the investigation leads you to suspect an insider or former employee is responsible for the attack, unmasking and attribution can provide critical context and help you avoid a breach, and possibly take legal action. 

Step 3: The Case for Unmasking Attribution 

If you are a victim of a targeted attack and not merely a target of opportunity, unmasking the threat actor at an individual level will help you to gain more context, determine why the attack occurred, and quantify future risk. Making the determination does not need to be a resource-intensive effort. The intelligence, forensics, and execution cycle of an event determined in the previous steps will indicate whether a security incident rises to the level of a breach. If the investigation determines one of the following, then unmasking may be warranted:  

1. Sold credentials from an insider 

2. Default credentials left in place

3. Account created by the former employee remains active

4. Account not rotated for more than 6 months intentionally or accidentally shared 

Over the past decade, attribution was largely focused at a nation-state or actor level, but depending on attack context, it is becoming increasingly important to do attribution at an individual level. Remember, you can only secure what you see. While it’s always important to ensure confidentiality, integrity, and availability of your network through perimeter and internal insight, it’s increasingly critical to have the same visibility outside your firewalls. 

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.