395,000 Compromised Credentials and Counting: How Texas A&M Leverages Flashpoint To Mitigate Risk
Created by the Texas Legislature in 1948, the Texas A&M University System (TAMUS) is one of the largest higher education networks in the nation: 11 statewide universities, a comprehensive health science center, eight state agencies, and the RELLIS Campus, an engineering research and testing facility.
The Texas A&M University System educates more than 153,000 students and each year makes more than 22 million additional educational contacts through service and outreach programs.
The mission of TAMUS’s Security Operations Center is to protect the integrity of student, employee, and alumni accounts, as well as third-party partners and vendors. To accomplish this, the SecOps team, led by Deputy CISO Nick McLarty, partnered with Flashpoint to more rapidly identify risk exposures across seven domains, which roll up into three threat vectors:
- Internal networks
- Ransomware and extortion
- Hacktivism (e.g. website defacement)
One portal, lots of access
All TAMUS students use university portals to access homework assignments and grades, and those same portals hold student loan data and other sensitive personally identifiable information (PII). The same is true of faculty, administrators, and other TAMUS employees, who may have access to confidential student and human resources data, including home addresses, phone numbers, paystubs, and personal health information (PHI).
Unlike corporate accounts, university email accounts are often used for personal matters. Colleges also do not always retire old addresses, so a dormant account can remain exposed to compromise long after its owner has left.
“We’re a heavy user of SSO,” said McLarty. “And because of the pervasiveness of password reuse, one set of stolen credentials could open numerous risk apertures.”
Stolen education credentials could be used by threat actors to access third-party apps used within the TAMUS ecosystem.
The same stolen credentials can also grant a threat actor access to marketplaces that offer student, faculty, veteran or alumni discounts, as well as to portals outside the university system, including banks and other accounts that may not have additional security layers such as two-factor authentication (2FA) enabled. The reverse also holds: a threat actor could gain access to TAMUS systems with a set of credentials that was stolen somewhere else.
The SecOps team at Texas A&M University System leverages Flashpoint’s Compromised Credentials Monitoring – Enterprise product to gain up-to-date breach data and alerting capabilities, which enables them to rapidly identify and mitigate threats that occur via compromised credentials.
“Flashpoint’s platform allows us to uncover stolen credentials, flag accounts, reset employee passwords, identify IOCs, filter false positives, understand password complexity and quality, restrict permissions, set up alerts to legitimate compromised accounts, and ultimately prevent account takeover faster than ever before,” said Cody Autrey, a Security Analyst on the front lines of the CTI team.
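The workflow described above, from breach data to a flagged account and a forced reset, as an added illustration. This is not Flashpoint's code or the TAMUS team's tooling; the feed format, the directory schema, the placeholder domain `tamu-example.edu`, the PBKDF2 hashing and every record below are constructed for the example. It shows the triage decisions a SecOps analyst actually has to make on a feed like this: normalizing and deduplicating records, ignoring addresses the directory never had, treating a leak of the account's current password (which, behind SSO, opens every connected application) differently from a stale one, and handling dumps where only a hash, not the plaintext, was recovered.

```python
"""Triage a compromised-credential feed against an institutional directory.

Added example, not Flashpoint's or TAMUS's code. The feed layout, directory
fields, domain and hashing scheme are assumptions made for illustration.
"""
import hashlib
import hmac

MONITORED_DOMAINS = {"tamu-example.edu"}  # assumed placeholder domain
SEVERITY_RANK = {"critical": 0, "medium": 1, "low": 2, "info": 3}


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the identity provider stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed directory: what the SSO/IdP side knows about each principal.
DIRECTORY = {
    "rev@tamu-example.edu":     {"active": True,  "salt": b"salt-rev",   "hash": hash_password("Howdy2019!", b"salt-rev")},
    "alum@tamu-example.edu":    {"active": True,  "salt": b"salt-alum",  "hash": hash_password("NewStrongPass#7", b"salt-alum")},
    "staff@tamu-example.edu":   {"active": True,  "salt": b"salt-staff", "hash": hash_password("S0mething-Else", b"salt-staff")},
    "retired@tamu-example.edu": {"active": False, "salt": b"salt-ret",   "hash": hash_password("pw", b"salt-ret")},
}

# Constructed breach-feed records (not real leaked data). One record per
# (account, secret, source) as a vendor feed would deliver them.
BREACH_FEED = [
    {"email": "rev@tamu-example.edu",      "password": "Howdy2019!", "source": "retail-shop-dump"},
    {"email": "REV@tamu-example.edu ",     "password": "Howdy2019!", "source": "combolist-2023"},  # same pair, re-sold
    {"email": "alum@tamu-example.edu",     "password": "oldpass",    "source": "forum-leak"},
    {"email": "staff@tamu-example.edu",    "password": None,         "source": "hash-only-leak"},  # plaintext not recovered
    {"email": "retired@tamu-example.edu",  "password": "pw",         "source": "combolist-2023"},
    {"email": "ghost@tamu-example.edu",    "password": "whatever",   "source": "combolist-2023"},  # no such account
    {"email": "someone@example.org",       "password": "x",          "source": "combolist-2023"},  # not our domain
]


def password_matches(account: dict, password: str) -> bool:
    """Constant-time check of a leaked plaintext against the stored hash."""
    candidate = hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["hash"])


def triage(feed: list, directory: dict) -> list:
    """Return one alert per distinct (account, leaked secret), most severe first."""
    seen = set()
    alerts = []
    for rec in feed:
        email = rec["email"].strip().lower()
        if email.rsplit("@", 1)[-1] not in MONITORED_DOMAINS:
            continue  # another organization's user; nothing to act on here
        account = directory.get(email)
        if account is None:
            continue  # address the directory never issued: feed noise
        key = (email, rec["password"])
        if key in seen:
            continue  # the same pair appears in many dumps; alert once
        seen.add(key)

        if not account["active"]:
            sev, action = "info", "account already disabled; confirm no session or mail forwarding survives"
        elif rec["password"] is None:
            sev, action = "medium", "plaintext unknown; require MFA re-enrolment and watch for new logins"
        elif password_matches(account, rec["password"]):
            sev, action = "critical", "current SSO password leaked; force reset and revoke sessions and tokens"
        else:
            sev, action = "low", "stale password; warn user about reuse on outside sites"
        alerts.append({"email": email, "severity": sev, "source": rec["source"], "action": action})
    alerts.sort(key=lambda a: SEVERITY_RANK[a["severity"]])
    return alerts


if __name__ == "__main__":
    for alert in triage(BREACH_FEED, DIRECTORY):
        print(f'{alert["severity"]:8} {alert["email"]:26} [{alert["source"]}] {alert["action"]}')
```

The "critical" branch is the one the SSO point makes dangerous: when the leaked plaintext still verifies against the current hash, a reset alone is not enough, because sessions and refresh tokens already issued to the attacker survive a password change, so the action revokes those too. The hash-only branch exists because feeds regularly contain records with no recovered plaintext; the analyst cannot test them, but can still tighten MFA and watch the account.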
“Remember Me” policy changes
At a strategic level, the SecOps team changed its multi-factor authentication (MFA) policy: users are now forced to re-authenticate with MFA every five days, down from legacy settings that in some cases exceeded 60 days.
Operational and tactical impact
The SecOps team has changed its specific intel requirements (SIRs) because they now know not only how they’ve been compromised but also where it has occurred: an end-user device, from within the network, or from compromised third-parties.
The SecOps team can also use Flashpoint’s Technical Intelligence feeds to monitor for specific malware families and infostealers, focusing their effort on the threats they know to be a risk.
“Our previous compromised credential discovery methods were not quick enough to efficiently prevent account takeover,” said McLarty.