Push Security introduces verified stolen credentials detection capability
Push Security unveiled a verified stolen credentials detection capability, a new feature designed to reshape how security teams combat identity threats.
By analyzing threat intelligence (TI) on stolen credentials and comparing it against active credentials in customer environments, the Push platform eliminates false positives, delivering only actionable alerts to help organizations protect compromised workforce identities.
This paradigm shift promises to drastically reduce the noise security teams face, empowering them to act swiftly on verified threats without wading through unreliable or redundant TI data.
Some of the general challenges that security teams face when using TI to identify stolen credentials include:
- Stolen passwords may appear in intelligence as new breaches, but the data is actually a recycled combolist (aggregated list of lists) rather than a new incident.
- Infostealer threat intel can stem from a personal device that was compromised and once accessed corporate assets, but is no longer active or using that password.
- TI sources may alert on stolen credentials for a specific app following a breach, but the creds are no longer in use there; however, with password reuse being a common practice, they could still be used on a different high-value app.
“Many TI vendors excel at collecting data from hard-to-access sources, but security teams are often overwhelmed by false positives,” said Jacques Louw, CPO at Push Security. “With low actionable intelligence rates and recycled credentials muddying the waters, alerts are frequently ignored or feeds disabled. Our verified stolen credentials detection capability cuts through the noise, providing only verified threats that teams can act on immediately.”
Push Security’s approach is to create fingerprints of potentially stolen passwords by salting, hashing and truncating them and then sending these fingerprints to the browser agent for comparisons. In this way no password material ever leaves the secure browser context.
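A minimal sketch of the salt, hash, truncate and compare flow described above, added here as an illustration and not Push Security's code. The KDF (PBKDF2-HMAC-SHA256), round count, 4-byte truncation, per-account salt, function names and sample passwords are all assumptions, since the page does not specify them.

```python
import hashlib
import hmac

FP_BYTES = 4        # assumed truncation length; the page gives no figure
ROUNDS = 50_000     # assumed PBKDF2 work factor

# Constructed sample data, not real credentials or real threat intelligence.
SAMPLE_SALT = bytes.fromhex("6b1f0c9a3e5d47128890aabbccddeeff")
SAMPLE_TI_PASSWORDS = ["Summer2024!", "Welcome1", "hunter2"]


def fingerprint(password: str, salt: bytes) -> bytes:
    """Salt and hash the password, then keep only the first FP_BYTES bytes."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return digest[:FP_BYTES]


def build_watchlist(ti_passwords, salt):
    """Platform side: convert TI passwords for one account into fingerprints.

    Only this set and the salt are sent to the browser agent.
    """
    return {fingerprint(p, salt) for p in ti_passwords}


def agent_check(observed_password: str, salt: bytes, watchlist) -> bool:
    """Agent side: fingerprint the password seen at login and compare locally.

    Only the boolean verdict is reported; the password stays in the browser.
    """
    candidate = fingerprint(observed_password, salt)
    # Check every entry with a constant-time comparison.
    hits = [hmac.compare_digest(candidate, fp) for fp in watchlist]
    return any(hits)


def demo():
    watchlist = build_watchlist(SAMPLE_TI_PASSWORDS, SAMPLE_SALT)
    return {
        "still_in_use": agent_check("Summer2024!", SAMPLE_SALT, watchlist),
        "rotated": agent_check("n3w-Passphrase-after-reset", SAMPLE_SALT, watchlist),
    }


if __name__ == "__main__":
    print(demo())
```

Truncation means many distinct passwords map to the same fingerprint, so a match is probabilistic (about 1 in 2^32 per comparison at 4 bytes) rather than exact.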
The rise of credential-based cyberattacks has reached alarming levels in the past few years:
- IBM reports a 71% year-over-year increase in cyberattacks leveraging stolen or compromised credentials, making them the top initial access method for cyber intrusions.
- Recorded Future observed a 135% increase in harvested credentials last year and a 166% spike in those bundled with cookies, enabling attackers to bypass MFA protections.
- Meanwhile, Mandiant’s last two M-Trends reports found that stolen creds were the third and fourth most-used initial intrusion method of the last two years.
- And, Cisco Talos researchers found that the use of valid accounts was the second-most common attack technique in their 2023 findings.
Despite the critical nature of this threat, security teams often face overwhelming volumes of stolen credential alerts, many of which are inaccurate, recycled, or outdated. Push Security’s verified stolen credentials detection addresses this challenge head-on.
Push Security finds TI false positive rates at 99.5%
A recent review of TI data by Push Security researchers found that less than 1% of threat intelligence in a multi-vendor dataset on stolen credentials was actionable for its customer base. In other words, more than 99% of the stolen credentials checked were false positives at the time of the review. Push researchers evaluated threat intelligence data from several popular vendors and found 5,763 username and password combinations that matched Push customer employees.
After analyzing threat intelligence data from multiple vendors, the company found:
- Out of 5,763 stolen username and password combinations matching customer domains, only 0.5% were still valid in customer environments.
- TI sources frequently flagged recycled credential lists or data from inactive accounts, diluting the actionable intelligence.
“By focusing on only true positives, Push Security’s new verified stolen credentials feature enables organizations to respond to this intelligence with confidence they aren’t chasing another dead end, upping the odds of taking action in time to prevent impact,” said Louw. “This capability is a game-changer for security teams facing an ever-growing wave of credential-based identity attacks. The Push platform ensures that teams spend their time addressing verified, actionable alerts rather than sifting through endless false positives.
“As credential theft continues to rise, this new feature complements the important work of threat intelligence vendors and provides a clear path for security teams to stay ahead of attackers and protect their organizations,” added Louw.
Availability and integration
This new capability is included at no additional cost for Push Security customers and is seamlessly integrated into the existing platform, making it easier than ever to leverage powerful TI data without adding operational burden.