CREDENTIAL-BASED ATTACKS: Exposing the Ecosystem and Motives Behind Credential Phishing, Theft and Abuse

Report by Jen Miller-Osborn
Palo Alto Networks | 4401 Great America Parkway | Santa Clara, CA 95054
www.paloaltonetworks.com

Introduction

Passwords are the classic “something you know” authentication factor and have been used for centuries to verify a person. Initially a password was given in a face-to-face exchange and was intended to ensure the person meant no harm or was on the same side. Using passwords, sentries would challenge those attempting to access a military encampment; speak-easies would try to keep out law enforcement; and children would keep grown-ups out of clubhouses.

When passwords are combined with usernames, they form the credentials that are now everywhere in our digital age. Nearly everything you do online requires you to create credentials. Whether it’s one of your email, bank or credit card accounts; a video game or other streaming service; your new refrigerator or thermostat; or even an electric toothbrush, each and every one of these accounts requires a username and password. To be secure, you’re expected to give each of these accounts a strong, unique password that you change regularly and store in such a way that attackers could not make use of it if stolen. And frequently you’re supposed to create a unique username as well.

That’s the theory. Unfortunately, the reality is much different. Too many usernames are hard to remember. Strong, unique passwords are difficult to both create and remember without specialized software. Changing these passwords regularly only compounds that problem. When most of us need to keep track of more than five sets of unique credentials, the task becomes almost impossible. Add to this the many difficulties applications and organizations face in storing passwords properly, and you have a much harder security situation.
The 2016 Adults’ Media Use and Attitudes study by Ofcom, the U.K. communications watchdog, shows how bad the password reality is. Ofcom notes that “[f]our in ten internet users say they tend to use the same passwords for most websites.” They’re not just saying they reuse passwords, but that they use the same passwords for most websites. In reality, this means that many users are using one or two passwords for most of their online credentials.

Given that reality, it’s perhaps not surprising that the Verizon 2014 Data Breach Investigations Report (DBIR) said two out of three attacks involved compromised credentials. And in 2016 the DBIR noted 63 percent of confirmed data breaches leveraged credentials; use of stolen credentials is the most common approach in web-app attacks.

PALO ALTO NETWORKS + CREDENTIAL-BASED ATTACKS

Figure 1: Top threat action varieties within incidents involving credentials (incident count)

  Hacking: Use of stolen creds    1,095
  Malware: Export data            1,031
  Malware: C2                       980
  Social: Phishing                  847
  Malware: Spyware/keylogger        841

You don’t need a zero-day attack or to be an advanced persistent threat (APT) to empty a bank account, compromise a network, or cripple a company. All you need are the right credentials. Legitimate credentials are a ticket through the front door of every account and organization on the planet, regardless of whether the person using them is their owner or someone who stole them. Stealing credentials doesn’t necessarily require any level of technical ability, and attackers can even rent the necessary tools, like keyloggers and Trojans, in underground forums, as well as purchase already stolen – and in many cases verified as working – credentials for every type of account imaginable. Arguably the most crucial component in the success of any malicious digital activity is the ability to obtain and use legitimate credentials.
When attackers are developing the playbook they will execute in an attack, credentials are often involved, either as a target of theft or as a means of furthering access in a network, at every phase of the attack lifecycle. Credentials are the oxygen of malicious activity: nearly always there, nearly always necessary, and nearly never noticed. Rob Joyce, the head of the U.S. National Security Agency’s Tailored Access Operations (TAO) group, gave a public talk at a security conference in January 2016 and noted that stolen credentials, rather than zero-days, are primarily how he and his team get into networks.

Publicly reported, high-profile data breaches support the idea that stolen credentials are a far more common cause of a successful attack than zero-days or APTs. According to the most recent information, credential theft is also how hackers breached the Target Corporation and The Home Depot in 2014, and the U.S. Office of Personnel Management in 2015. Stolen credentials have even played a role in “hackers hacking hackers”: the hacktivist who broke into the Italian zero-day and hacking tool provider Hacking Team used stolen credentials. The next year, 2016, saw more massive breaches at Dropbox, LinkedIn, Weebly and even MySpace. One breach in 2016 alone consisted of over 1 billion records for multiple large email providers. Credential reuse across accounts is such a prevalent issue that Amazon took proactive steps to reset users’ passwords when user credentials were discovered to have been compromised – and the credentials hadn’t been stolen from Amazon. In addition, the recent Shamoon attacks relied on stolen credentials to gain access, spread throughout the network, and wipe computers.

A study published in 2016 by Bitglass demonstrated how quickly stolen credentials are exploited.
Bitglass researchers created a decoy Google Apps for Work profile for a fictitious bank employee at a fictitious bank. The researchers then leaked Google credentials related to Google Drive for this fictitious employee on the dark web as though they had been phished. Within the Google Drive account, the researchers also stored legitimate-looking files containing fictitious credit card information and work data. Within 24 hours, not only had the decoy bank portal and Google Drive accounts been accessed by hackers, but hackers also used credential stuffing to access other decoy accounts created with the leaked credentials, including decoy social media and personal bank accounts. It’s no wonder then that a survey conducted in 2015 of security professionals around the world by Rapid7 found 60 percent of companies felt they did not have security measures in place capable of detecting or mitigating credential-stealing attacks.

The intent of restricting access to all but those authenticated, authorized few has carried through into the digital age. However, as most of these transactions now take place virtually, it is even more difficult to detect when the individual using credentials is not the trusted person but an impostor. Credential theft has long been a big problem; how to detect and stop it digitally is a longstanding issue that cannot be addressed with legacy security approaches. But, like any threat or attack, credential theft can be prevented: new technology and software holds promise to finally, effectively prevent credential theft. This paper is meant to help defenders fight back against credential theft by outlining how credential theft happens and what can realistically be done to prevent it.

How Attackers Steal Credentials

The first step toward preventing credential theft is to understand how it happens in the first place. There are five primary techniques that attackers use for stealing credentials:

1. Social engineering
2. Credential phishing and spam
3. Reusing stolen passwords or shared credentials
4. Brute force
5. Security question reuse

Below, we go into more detail on each of these.

Social Engineering

The Oxford English Dictionary defines social engineering as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” All manner of attackers use social engineering, from hacktivists to criminals to spies. Social engineering typically occurs over email, with leading email subjects and texts designed to encourage the user to click a link or open an attachment.

In some cases, attackers will use online chat with fake profiles to go after their targets, attempting an additional layer of legitimacy. In 2015 Dell SecureWorks reported on suspected state-sponsored activity in which attackers created and used fake LinkedIn profiles. A more recent report in The Washington Post showed the fundamentalist organization Hamas using fake Facebook profiles to target Israeli soldiers.

Attackers have also used social engineering to obtain illicit account access by pretending to be the account owner, even calling help desks to try to obtain legitimate credentials. This vector is successful enough that pen testers often employ it when testing the security of a network. It was used in the notorious HBGary Federal hack in 2011 and the 2015 hack of social networking site Xat.com, where the hackers stole intellectual property as well as wiped servers and logs.

Credential Phishing and Spam

The most common way attackers steal credentials is via phishing, in which an email message attempts to lure its recipient into logging into an account. The 2016 DBIR noted roughly 30 percent of phishing messages are opened, and of those, 13 percent of recipients opened the malicious file or clicked the hyperlink.
The malicious links lead to websites that look the same as the legitimate site, and often use a similar URL with one or more typos, as shown in Figure 2. Credential phishing has proven very effective and is a staple tactic of the Sofacy threat actor group. Successful credential phishing is also widely believed to be behind the well-publicized attacks against the United States Democratic National Committee (DNC) in the summer of 2016.

Figure 2: Example of credential phishing attack (Operation Pawn Storm). A phishing page mimics the legitimate site from a look-alike URL, https://mail.academl.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f2mail.as (truncated in the original); the user enters credentials into the phishing site, and they are sent to the attacker.

Attackers will also use phishing’s close relative – spam – to get people’s credentials. In this case, attackers will use malware in spam email messages as their means of obtaining usernames and passwords. For the victims who open malicious attachments, the malware itself will often employ a keylogger, which records every keystroke made and sends them to the attacker, as shown in Figure 3. The Sofacy threat actor group has also targeted credentials through malware like their XAgent tool against both Microsoft® Windows® and Apple® macOS™ systems. Beyond simple keyloggers, attackers will also use a credential-harvesting program, such as Mimikatz or gsecdump, to steal any additional credentials stored in memory on the device. It’s important to note that stealing credentials stored within a system also applies to credentials saved in a web browser, as attackers have tools designed to steal those as well.

One important thing to consider is that when credentials are stolen through either phishing or malware like keyloggers, the benefit offered by complex passwords is debatable; complexity offers no protection in this case.
It doesn’t matter if yours is a 35-character random password with letters, numbers and extended characters or just “password”; once it’s stolen in this way, the attacker has it, and the protections its complexity may otherwise give you are not valid.

Figure 3: Example of malware attack that drops keylogger. The attacker sends you a phishing email carrying an exploit document; opening it drops a backdoor Trojan while a decoy document is displayed, and the backdoor gives the attacker access and sends files back to the attacker.

Reusing Stolen Passwords or Shared Credentials

For those who lack the time for or interest in stealing credentials on their own, there’s a booming business buying and selling them online. Attackers don’t just steal credentials to use for themselves anymore; they steal them to sell that access to others. Credentials are priced by their potential profitability in underground forums and are often sold in bulk, as shown in our recent Unit 42 report on underground markets. In addition, it’s becoming more and more common for some hackers to simply post stolen credentials to the internet for anyone to use.

The chief reason credentials have any monetary value is that most people rarely change them and often reuse passwords across multiple accounts. That means these credentials can remain valid for months or years. As shown in Figure 4, when a shared password is stolen from one set of credentials, it can easily be used in attacks against other credentials.

Figure 4: Stolen credentials from one service used to attack another service. Credentials taken from a compromised server (joe: abc123, sue: password1, bob: MyP0n3y) are replayed against the login page of a different site (https://site.com/login), where sue: password1 and joe: abc123 work because those passwords were reused.

Once attackers acquire credentials, they begin “credential stuffing”: putting as many credentials as possible into as many sites as possible, to gain access to as many accounts as possible, as quickly as possible.
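To make the credential stuffing pattern concrete from the defender’s side, here is an added example (not code from the paper) that runs a simple detector over constructed web login log lines: a stuffing source tries many distinct usernames once or twice each, which neither a brute force against a single account nor a normal user does. The log format, IP addresses and usernames are constructed for illustration.

```python
"""Credential-stuffing detector run over constructed web login logs.
Added example; not code from the Palo Alto Networks paper."""
import re
from collections import defaultdict

# Constructed sample lines (timestamp, source IP, username, result).
# 203.0.113.7 walks a list of leaked username/password pairs (stuffing);
# 198.51.100.4 hammers one account (classic brute force); 192.0.2.9 is a normal user.
SAMPLE_LOG = """\
2017-03-01T10:00:01 203.0.113.7 joe FAIL
2017-03-01T10:00:02 203.0.113.7 sue OK
2017-03-01T10:00:02 203.0.113.7 bob FAIL
2017-03-01T10:00:03 203.0.113.7 amy FAIL
2017-03-01T10:00:03 203.0.113.7 dan FAIL
2017-03-01T10:00:04 203.0.113.7 eve FAIL
2017-03-01T10:00:05 203.0.113.7 kim OK
2017-03-01T10:00:05 203.0.113.7 raj FAIL
2017-03-01T10:00:06 203.0.113.7 liz FAIL
2017-03-01T10:00:06 203.0.113.7 tom FAIL
2017-03-01T10:01:10 198.51.100.4 sue FAIL
2017-03-01T10:01:20 198.51.100.4 sue FAIL
2017-03-01T10:01:30 198.51.100.4 sue FAIL
2017-03-01T10:01:40 198.51.100.4 sue FAIL
2017-03-01T10:01:50 198.51.100.4 sue FAIL
2017-03-01T10:02:00 192.0.2.9 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_stuffing_sources(events, min_distinct_users=5, max_attempts_per_user=2.0):
    """Flag source IPs whose logins spread across many distinct usernames with
    only one or two attempts each. That shape is a stolen credential list being
    replayed; a brute force concentrates many attempts on one user, and a real
    user touches one or a few accounts."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": set()})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["ok_users"].add(user)

    findings = {}
    for ip, stats in per_ip.items():
        distinct = len(stats["users"])
        if distinct >= min_distinct_users and stats["attempts"] / distinct <= max_attempts_per_user:
            findings[ip] = {
                "distinct_users": distinct,
                "attempts": stats["attempts"],
                # Accounts that accepted a stuffed password: reset these first.
                "compromised": sorted(stats["ok_users"]),
            }
    return findings


def find_brute_force_sources(events, min_failures_on_one_user=5):
    """Complement: a single account receiving many failures from one source."""
    per_pair = defaultdict(int)
    for _ts, ip, user, ok in events:
        if not ok:
            per_pair[(ip, user)] += 1
    return {pair: n for pair, n in per_pair.items() if n >= min_failures_on_one_user}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("credential stuffing:", find_stuffing_sources(ev))
    print("brute force:", find_brute_force_sources(ev))
```

The "compromised" list is the response handle: those are the accounts whose reused passwords worked and should be reset, the same step Amazon took in the incident described above.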
In some cases, the original thieves will do this themselves to test the credentials so they can sell them as “known good for access” for more money.

Another risk with shared credentials is around credentials shared between people. These days, it’s not unheard of for people to share credentials with others. Whether it’s for online movie services or shopping, there are some good, practical reasons (like a family only wanting to pay for one movie subscription account) and bad reasons (such as theft for illicit access) why credential sharing happens. When people share credentials with one another, that opens another avenue of potential credential theft. You may be careful about creating strong, unique passwords that are different for every account, which you regularly change, following every best practice – but is the person with whom you shared your account information? Sharing passwords with others can potentially expose your credentials to a weaker link that ultimately puts everyone at risk.

Brute Force

As noted before, the number of passwords people need to maintain, coupled with the need (in theory) to change them regularly, together work against password complexity. Attackers know this and rely on the fact that many people use weak passwords. Password complexity protects primarily against scenarios where an attacker can take a stolen hash and subject it to offline, brute-force attacks. In some cases, the lack of strong passwords is the fault of the organization, when it doesn’t enforce the use of strong passwords and instead allows accounts to have weak passwords. In most cases, it’s human error, as people are incapable of creating truly random, unique passwords even in the best of cases. The problem of weak passwords is compounded by the fact that, as computers exponentially increase in power, they can crack passwords that were previously considered strong.
There are software programs to both help create and store strong, unique passwords, which have gone far in securing accounts for those who use them. But they aren’t perfect and can be prime targets for hackers; one of these programs, LastPass, was itself hacked in 2015, with user account information stolen.

Security Question Reuse

While security questions aren’t part of credentials, usernames and passwords, per se, they form a critical piece of the credential security – and theft – puzzle. Security questions have settled in, becoming a layer of authentication in addition to, or instead of, passwords. They are another form of “what you know” authentication. In this case, the questions are typically centered around information that (in theory) only the actual persons themselves would know.

Security questions are a nearly ubiquitous feature of account recovery capabilities. If you’ve ever lost or forgotten a username or, especially, a password, odds are you’ve had to answer a security question to reset or recover your username and/or password.

Increasingly, though, security questions are being used as a second layer of authentication. Financial services sites, in particular, are making increasingly regular use of security questions as an extra layer of security after the password. In this latter capacity, security questions can be considered an extended part of credentials.

Unfortunately, security questions are a weak second factor of authentication. First, it’s the same category of authentication factor as passwords: something you know (as opposed to something you have, like a one-time-password fob; or someone you are, like a biometric factor). Second, security questions tend to ask questions whose answers attackers can gather from online research, especially in an era of social media.
Typical security questions are predictable and their answers easy to research: a parent’s maiden name, your first school mascot, where you met your spouse, or your children’s birthdays. All of these can be collected online or “brute forced.” While security questions do offer an extra layer of protection, it is an ephemeral one. Because security questions are designed to be easy things for people to remember, they also tend to be static, like school mascots or attendance dates, and noteworthy events or people in a person’s life, making them even more likely to be documented online. Family trees on public genealogy sites and public social media profiles are treasure troves for attackers, and so are searchable public records. Because the same questions are used across most sites, attackers only need to compromise this data once, like many passwords. The added enrichment affords entrance to more accounts and opens the door to identity theft.

Security questions also suffer from another problem: they’re now getting caught up in credential theft within data breaches. One of the most notable things in Yahoo’s disclosure in the fall of 2016 of a data breach affecting over 1 billion accounts is that, in addition to obtaining usernames and passwords, the attackers also obtained unencrypted answers to security questions. Since security questions tend to be the same ones across sites, and the answers are supposed to be facts, compromised answers to security questions are essentially permanently compromised. The only real recourse in this case is to decide on a fake answer for a commonly used, and compromised, security question, like deciding on a new, fictitious answer for the question “where were you born.” But this is only a partial solution because these questions and answers can later become compromised as well. Unless someone is willing to try and move to unique security questions and answers per site, there will always be inherent weaknesses with this method.
What Attackers Do With Stolen Credentials

So far we’ve focused on how attackers steal credentials, but we haven’t talked much about what they do with them, other than sell them. But what do the people who buy stolen credentials, or attackers who steal them for their own use, do with them? Credentials are the digital keys to the kingdom, allowing attackers to masquerade as legitimate users and aiding the illicit users in hiding their identity. The stolen credentials grant attackers the power to do everything and access everything the legitimate user can.

The most obvious use for stolen credentials is for profit, whether to profit from the sale of the stolen credentials or to steal money from a bank, PayPal, bitcoin, online trading, or any other account holding funds. But credentials are also important for other attacker goals, especially espionage and causing damage to networks. Some ransomware attackers, such as those behind SamSa, also rely on stolen credentials to gain access, move laterally, and then encrypt only the most valuable data to which they have access. But there are other ways attackers use stolen credentials, including:

• Remote Access – Attackers can use stolen credentials to gain remote entry into networks using Virtual Private Networks (VPN) and Remote Access Protocols, like RDP and VNC.
• Lateral Movement – Stolen credentials (especially domain admin credentials) are a massive benefit to attackers who need deeper penetration into a network.
• Cloud Access – Cloud services are often defended only by user credentials, and the data inside them is invaluable, especially as organizations move more and more information off-premises and into the cloud.

Remote Access

An ever-increasing number of workers can access work networks, email and other resources while not physically in a corporate office.
Letting employees always work from wherever they are, whenever they want, has opened up a world of opportunity for attackers. When credentials are stolen, the same flexibility that gives workers access from anywhere is given to attackers. Stolen remote access credentials also render null and void any physical controls and countermeasures you may have in place to protect your network and resources at the perimeter.

Beyond the risk posed by stolen remote access credentials is the fact that cloud-based remote access service providers can themselves become the victim of a data breach where remote access credentials are stolen. In 2016, TeamViewer and Citrix’s GoToMyPC, both popular options for remote computer access, had an undisclosed number of accounts successfully attacked using credentials stolen elsewhere. Regardless of how attackers gain remote access credentials, once they have them, they have access to everything the actual account owner does, and will try to gain higher privileges and move to additional systems, servers, or networks, spreading malware and stealing credentials as they go.

Lateral Movement

Lateral movement is a key stage that differentiates a more sophisticated data breach or network compromise from a simple malware attack. For more advanced attacks, attackers almost never get access to the desired system or systems on the first try. Once in a network, however, attackers will spread to as many systems as they can with a prime goal of acquiring administrative-level credentials. In addition to gaining administrative credentials, they also move laterally to learn more about the network and its resources, and find ways to solidify their presence in the network to be able to successfully fend off attempts by defenders to eject them from it. Administrative credentials have permission not only to access more systems but also to alter those systems.
Administrative credentials give full control to attackers and enable them to “own” systems and networks. It’s important to note that having or obtaining the right credentials will decide an attacker’s success at this point. Once inside a network, the only way to spread easily and quietly within it is with the right credentials. This is where attackers will employ a tool designed to collect all passwords stored on the current system – often Mimikatz, pwdump, or a similar tool. By using tools like these to steal administrative credentials, attackers can “upgrade” from more limited privilege user accounts to administrative privilege accounts.

Cloud Access

The use of cloud services has exploded over the past few years, both for corporate and personal use. Unfortunately, the ability to secure data in the cloud has not kept pace with its use. While organizations may have robust policies and technologies protecting credentials internally, their cloud accounts may be defended solely by simple username and password credentials. This is in spite of the fact that the data in the cloud may be as valuable (if not more so) as data stores on internally protected systems.

The risks around cloud access are similar to those posed by remote access. Just like with remote access used to log in virtually to an organization, no one physically confirms the people entering the credentials for cloud access are who they say they are. But where remote access may only give an attacker access to the network and not the data stores on it, cloud access can give an attacker access directly to the data itself. In this way, cloud access can be more serious than remote access. This is why everyone should at least enact two-factor authentication (discussed later in this paper) on every account that provides access to sensitive data.
Recommendations

Ultimately, the point of understanding how credential theft can happen and what attackers can do with stolen credentials is to enable the prevention of credential theft. If credential theft is the oxygen of attacks, then preventing credential theft can cut off the oxygen for attacks and prevent them. Effective prevention of credential theft can and should focus on three major areas:

1. Two-Factor/Multi-Factor Authentication (2FA/MFA) and One-Time Passwords (OTP)
2. Password Managers
3. User Education

The shift toward both two-factor authentication (2FA)/multi-factor authentication (MFA) and one-time passwords (OTP) is potentially game-changing for the use of stolen credentials by altering the nature of credentials from the simple, static username/password combination into something more difficult to attack.

Two-factor authentication is currently the most widely adopted, with many sites, vendors and solutions offering it. When activated, a user must supply both the account username and password, and one of the following:

• Something you know, such as a personal identification number (PIN).
• Something you have, such as a mobile device, certificate or OTP token.
• Something you are, such as a biometric identifier like a fingerprint.

The power of 2FA/MFA’s effectiveness lies in the fact that it accepts and mitigates the current reality: that passwords are weak or stolen. 2FA/MFA introduce additional authentication requirements so that an attacker who has only one of the authentication factors has no more access than the attacker with none of the authentication factors.

An OTP is a password that is valid for only one login or transaction, and most of them are valid for a limited amount of time before they are replaced by a new one as well. Because of this, OTPs avoid most weaknesses associated with traditional passwords.
Many of the implementations also incorporate two-factor authentication by ensuring that the OTP also requires access to something a person has (such as a small digital token with an OTP calculator built in, or a specific mobile device, or an OTP generator) as well as something a person knows (such as a PIN). This frees people from the need to create, memorize and manage multiple complicated passwords, and removes one of the most abused vectors in hacking. This approach has the possibility to end the reuse of stolen credentials.

While password managers aren’t game-changing, they do represent a realistic and practical way to mitigate the complexity of today’s password regimen. Password managers make it practical for users to have unique, strong passwords like they should. The best password managers manage the complexity for the user by generating and storing unique, strong passwords on a per-site basis. Generally, a user need only remember one set of master credentials for the password manager itself and that, in turn, unlocks the user’s “vault” of stored, unique, complex passwords. Of course, because password managers store all of a user’s passwords behind a single set of credentials, they are also targets for precisely this reason. This means that users need to exercise exceptional caution and vigilance to protect their password manager credentials. The loss of password manager credentials can essentially represent a total loss of all of a user’s passwords stored in their vault.

User education to train people to recognize phishing, or at least “fail safe” and not take potentially dangerous actions (like clicking on links) when in doubt, is another valuable approach when used in tandem with others. Ensuring users are familiar with what phishing looks like, and which data points can help decide whether an email is legitimate, significantly cuts into phishing’s success.
As we mentioned in the “Credential Phishing” section, it is also important that users never store their login credentials or other personal data in their web browser or anything other than a password manager. Anytime you receive a request to save credentials, credit cards, name and address, or any personal data from a web browser, always click “no.” The ephemeral convenience it affords users also makes them much more vulnerable to losing their data.

Of course, the most valuable lesson in user education is to treat any and all requests for credentials as inherently suspicious and default to not providing credentials unless and until the requestor has proven the request is legitimate. While user education is often looked at as putting the burden of security on the user, rather than on the technology, the fact is that the user represents the final, most effective and potentially advanced layer of security there is.

Conclusion

Credential theft is a critical element for successful attacks, arguably the most-critical element. Consider a possible counterfactual: if the credentials that were involved in the two-thirds of successful attacks the 2014 Verizon DBIR outlined hadn’t been stolen, how many of those attacks still would have succeeded? We can never know for sure, but reasonable supposition says only a fraction of them, if any.

Credential theft is a threat like any other. And like any other threat, it can be mitigated and oftentimes prevented. Like all threats, the path to effective mitigation and prevention starts by understanding the threat landscape: what credential theft is, how it happens, and what attackers do with credentials once they’ve stolen them. With this understanding, you can then look at recommendations on how to meet that threat: in this case, two-factor/multifactor authentication (2FA/MFA), one-time passwords, password managers and user education.
While password managers are a good Band-Aid for the current situation, and user education is a constant need and best practice in security, the real progress in preventing credential theft will be made, and is being made, in the areas of 2FA/MFA. These fundamentally change the threat landscape in a way that enables defenders to gain the upper hand once again and successfully prevent credential theft. We don’t have to treat credential theft as the unknown, inevitable X-factor in successful attacks. Just as we can fight against threats like attacks against vulnerabilities, spam and phishing, we can fight against and prevent credential theft.

© 2017 Palo Alto Networks, Inc. credential-based-theft-032717