2016 DBIR – Stolen Credentials Pivotal In Modern Attacks

July 17, 2016
Stephen Cox

Each year, Verizon releases its Data Breach Investigations Report, or DBIR. The report details findings Verizon has collected throughout the year regarding incident response activity undertaken by the company. The report is highly anticipated and offers a wealth of information on attackers and their tactics, techniques and procedures (TTPs).

The 2016 report, Verizon’s ninth DBIR, detailed findings from over 64,000 incidents that occurred in 2015. One thing is clear among Verizon’s findings. Stolen credentials are at the core of a startling number of breaches, and serve as a pivot point for attackers to gain access to your organization or embed themselves deeper once they are in. In many cases, credentials were the target of the attacks themselves.

Stolen Credentials: A Core Tactic

Verizon makes a startling statement that 63% of attacks it studied leveraged stolen credentials at some point in the attack. In addition, attackers are increasingly upping their game, often combining the use of stolen credentials with other attack methodologies.

One example detailed by the report is the technique of issuing credentials via a pre-existing foothold within the network, as opposed to from the internet, to increase the chances of avoiding detection. This technique is affirmed in a fascinating recent data dump released to Pastebin by a black hat, concerning the breach of “Hacking Team”, an Italy-based security company. A key turning point in that breach involved the use of stolen credentials proxied through an exploited embedded device at the perimeter of the organization.

In some cases, credentials themselves are the target of the attackers, either directly or opportunistically, to be used in later attacks. The report details evidence that attackers will often harvest credentials using malware or other means, exfiltrate them, and use them to attack other organizations.

The Human Element

It’s important to remember that ultimately, there are humans involved on both sides of a breach. Humans are creatures of habit, with behaviors that can be studied, analyzed and in many cases, influenced. So what is behavior anyway? Read this great blog post by SecureAuth CTO Keith Graham.

The DBIR makes the human element very clear, detailing that phishing is still very much a problem. “Human assets” within an organization are targeted, and a “vector” is selected through which to influence the targeted human into doing something they normally wouldn’t do. The attack is then carried out. In the same vein, we can use the human element against attackers. We can analyze the behavior, logical and physical, of our user base and search for deviations. One way to study physical deviations in behavior is through the use of behavioral biometrics. Behavioral biometrics can detect variances in keyboard, mouse and touch dynamics as users interact with systems and devices.

Turning the Tide: Protect, Detect and Respond

The DBIR describes the use of two-factor authentication as a “bar worth raising” to hinder the rising tide of credential abuse. This is sound advice, but two-factor is only part of the journey. As attackers raise the bar, so must we, and that means a multi-layered, adaptive approach to authentication and identity security. We must look at all available attributes of an authentication, both logical and physical.

The report provides disconcerting evidence that the mean time to detection of breaches may also be inching back up, after a decline reported in the 2015 report. A conclusion raised is that the time to compromise, i.e. the time it takes from the launch of an attack campaign to the initial compromise, has become lightning fast. Attackers move to obtain credentials very quickly, and perimeter defenses often lose sight of attackers as they begin to move laterally within the organization.

Identity security is key to today’s security lifecycle. It is equal in importance to network and endpoint security. It must be considered in all aspects of security: protection through the implementation of strong and adaptive authentication including behavioral biometrics, and detection/response through analysis and correlation of rich data provided by an adaptive authentication engine.
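One way to apply that kind of correlation to the internal-foothold technique described earlier, as an added example that is not from the original post or from any SecureAuth product: it scores each login against a per-user baseline of source addresses, an asset inventory, and the number of accounts sharing one source. The log records, the inventory, the weights and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed asset inventory (assumption): internal devices that should
# never be the origin of a user login.
NON_USER_ASSETS = {"10.0.0.5": "vpn-appliance", "10.0.9.20": "printer"}

# Constructed authentication events: (time, user, source IP, outcome).
HISTORY = [
    ("2016-07-01T08:00:00", "alice", "10.0.1.15", "success"),
    ("2016-07-01T08:05:00", "bob", "10.0.1.22", "success"),
    ("2016-07-02T08:01:00", "alice", "10.0.1.15", "success"),
    ("2016-07-02T09:00:00", "carol", "10.0.1.30", "success"),
]
NEW = [
    ("2016-07-03T02:10:00", "bob", "10.0.0.5", "success"),
    ("2016-07-03T02:11:00", "carol", "10.0.0.5", "success"),
    ("2016-07-03T08:02:00", "alice", "10.0.1.15", "success"),
    ("2016-07-03T09:00:00", "bob", "10.0.1.40", "success"),
]

def build_baseline(events):
    """Map each user to the source IPs of their past successful logins."""
    baseline = defaultdict(set)
    for _, user, src, outcome in events:
        if outcome == "success":
            baseline[user].add(src)
    return baseline

def score_event(event, baseline, users_per_source):
    """Return (score, reasons) for one login; the weights are illustrative."""
    _, user, src, _ = event
    score, reasons = 0, []
    if src in NON_USER_ASSETS:  # login originates from an appliance
        score += 3
        reasons.append(f"source is a {NON_USER_ASSETS[src]}")
    if src not in baseline.get(user, set()):  # deviation from user's habit
        score += 1
        reasons.append("source new for this user")
    if len(users_per_source.get(src, ())) >= 2:  # one host, many accounts
        score += 2
        reasons.append("source shared by several accounts")
    return score, reasons

def find_alerts(history, new, threshold=3):
    """Return (user, source, score, reasons) for logins at or above threshold."""
    baseline = build_baseline(history)
    users_per_source = defaultdict(set)
    for _, user, src, _ in new:
        users_per_source[src].add(user)
    scored = [(e[1], e[2], *score_event(e, baseline, users_per_source)) for e in new]
    return [alert for alert in scored if alert[2] >= threshold]
```

A login from a workstation the user has not used before scores only 1 and stays below the threshold, while two accounts authenticating from the same appliance address are both flagged even though every login succeeded and came from inside the network.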
