395,000 Compromised Credentials and Counting: How Texas A&M Leverages Flashpoint To Mitigate Risk

About Texas A&M

Created by the Texas Legislature in 1948, the Texas A&M University System (TAMUS) is one of the largest higher education networks in the nation: 11 statewide universities, a comprehensive health science center, eight state agencies, and the RELLIS Campus, a research and testing engineering facility.

The Texas A&M University System educates more than 153,000 students and each year makes more than 22 million additional educational contacts through service and outreach programs.

72 hours recouped identifying IOCs

395,000 compromised credentials identified (2016 – 2021)

58,000 compromised credentials identified (2021 to date)

The Challenge

  • Internal networks
  • Ransomware and extortion
  • Hacktivism (e.g. website defacement)

One portal, lots of access

All TAMUS students use university portals to access homework assignments and grades in the same way they access student loan data and other sensitive personally identifiable information (PII). The same is true of faculty, administrators, and other TAMUS employees, who may have access to confidential student and human resources data, including home addresses, phone numbers, paystubs, and protected health information (PHI).

Unlike corporate accounts, university email addresses are often used for personal matters. Colleges also don't always age off email addresses, which leaves them exposed for longer and gives them a greater chance of becoming compromised.

“We’re a heavy user of SSO,” said Nick McLarty, Deputy CISO of the Texas A&M University System. “And because of the pervasiveness of password reuse, one set of stolen credentials could open numerous risk apertures.”

Third-party risk

Stolen education credentials could be used by threat actors to access third-party apps used within the TAMUS ecosystem.

The same stolen credentials can also grant a threat actor access to marketplaces that offer student, faculty, veteran, or alumni discounts, as well as to portals outside the university system, including banks and other accounts that may not have additional security layers such as two-factor authentication (2FA) set up. Conversely, a threat actor could potentially access the TAMUS system with a set of credentials that was stolen elsewhere.

The Solution

“Flashpoint’s platform allows us to uncover stolen credentials, flag accounts, reset employee passwords, identify IOCs, filter false positives, understand password complexity and quality, restrict permissions, set up alerts to legitimate compromised accounts, and ultimately prevent account takeover faster than ever before,” said Cody Autrey, a Security Analyst on the front lines of the CTI team.

“Flashpoint has become an integral part of our security infrastructure and threat response workflows, impacting what we do day-in, day-out.”

Cody Autrey, Texas A&M University System SecOps Team

The Results

“Remember Me” policy changes

At a strategic level, the SecOps team changed its policy on multi-factor authentication (MFA): it now forces users to re-authenticate with MFA every five days, down from legacy standards that in some cases exceeded 60 days.

Operational and tactical impact

The SecOps team has changed its specific intelligence requirements (SIRs) because it now knows not only how it has been compromised but also where the compromise occurred: on an end-user device, from within the network, or through a compromised third party.

The SecOps team can leverage Flashpoint’s Technical Intelligence feeds to monitor for specific types of malware or info stealers, focusing its efforts on the threats it knows to be a risk.

“Our previous compromised credential discovery methods were not quick enough to efficiently prevent account takeover,” said McLarty.

“Flashpoint has allowed us to become more efficient in our investigations and provided us the ability to dedicate more time and focus to complex security challenges.”

Nick McLarty, Deputy CISO, Texas A&M University System SecOps
