Stolen Credentials Analysis using SpyCloud

CyberDefenses Academy



Available on Request

Delivery Method



Certification of Completion

Audience / Level





Laptop required

Course Details

Program Introduction

Passwords are the classic “something you know” authentication factor, and when combined with usernames, they form the credentials that are now everywhere in our digital age. Everything online requires credentials: email, bank or credit card accounts, video games, and streaming music. Even kitchen appliances, your thermostat and, strangely, your toothbrush need credentials.

You don’t need a zero-day attack or to be an advanced actor to empty a bank account, compromise a network, or cripple a company. All you need are the right credentials. Legitimate credentials are a ticket through the front door of every account and organization, regardless of whether the person using them is their owner or someone who stole them.

Stealing credentials doesn’t necessarily require any level of technical ability. Attackers can even rent the necessary tools, like keyloggers and Trojans, in underground forums, as well as purchase already stolen (and in many cases verified as working) credentials for every type of account. Credential theft is rampant.

In this course, students will be introduced to what can be done with credentials, how they are being used, how they could be used, and what having a credential spill means. They are then guided through analysis, authentication, evaluation, and reporting.

Course Objectives

  • It’s designed for those with a background in threat intelligence who need a greater understanding of stolen credentials analysis.
  • It conveys the necessary concepts, principles and terms to lay down a solid foundation.
  • It is a comprehensive course for those with an interest in stolen credential analysis.

Target Student

  • Individuals new to or desiring a better understanding of Stolen Credential Analysis.
  • Professionals who deal with technical issues, but feel they do not have enough background in analyzing stolen or compromised credentials.
  • Technical professionals that need to be armed with greater knowledge of incident response, stolen credentials, and their role in resolving incidents.


Monty St John
Monty St John is a computer science and information security expert, U.S. Navy and U.S. Air Force veteran, certified instructor, and author of dozens of classes for CyberDefenses. He has helped numerous companies build and accredit laboratories, threat teams, and security operations centers. He is also a prolific writer, with two upcoming technical volumes set for 2018, as well as a game designer and speaker.

Additional Information

  • Laptop required
  • Requires basic knowledge of computers, technology and command line interface (CLI)
    • Open and operate browsers
    • Find and use command line
    • Execute scripts
  • Prior threat intelligence, incident response, infosec, or forensics experience a plus
  • Understanding of virtual machines (VM) and how to use one.
    • Understand how to import and power on a VM

Course Outline

SpyCloud Credential and Account Takeover Prevention Training Syllabus
  • Introduction and Overview
  • Stolen Credentials, Aliases, and PII
  • Breaches and Hacks
  • Link Analysis Basics
    • LAB: Diagramming a small network
  • Visualizing with Maltego
    • LAB: Visualizing Stolen Credentials with Public Sources
  • Limits of Public Sources
  • SpyCloud Difference
  • Importing Data into Maltego
    • LAB: Public Sources versus SpyCloud
  • Network Footprint
    • How data leaves your network
    • Where data entering your network gets stolen
  • Enterprise and Personal Credentials
    • LAB: Pivoting off Email
    • LAB: Pivoting off IP
  • Credential Data Pivots
    • LAB: Pivoting off the Password
    • LAB: Pivoting off Aliases
    • LAB: Count Stacking Credentials
  • Lessons Learned: Lock Down Your Login
  • Infected Users and Botnet
    • LAB: Finding “where” their data is being stolen
  • 10 Stolen Credential Checks to Consider
  • Lessons Learned: Adobe, eBay, Target, JPMorgan Chase, and Home Depot
  • Investigation and Analysis
    • LAB: Pivoting off PII
    • LAB: Analyzing Breach information to define Center of Gravity of attacks
  • Wrap up/Questions