Identity has become the new security perimeter in the modern threat landscape. This may not come as a surprise to those who follow the trends showing that an overwhelming majority of security breaches are the result of identity-based attacks. Recent research has shown that more than 90% of breaches involve an identity component in the attack chain.
Cybersecurity professionals have long understood that human behavior is a core security issue. The latest Verizon Data Breach Investigations Report shows that 74% of confirmed breaches involve the human element, and this data has been consistent for years.
What is changing is the way malicious actors take advantage of people as the weakest link in the attack chain.
Consider the Scattered Spider attacks and the increased number of attacks on identity service providers in recent months. These events indicate that threat actors are expanding on proven tactics, such as phishing and credential theft, and targeting the supply chain. Compromising the supply chain can potentially yield a very high return on investment. So malicious actors are throwing their weight behind their most successful tactic – attacking identity – to maximize that return.
The 2024 State of the Phish report shows that 66% of phishing attacks faced by UK organizations in 2023 were successful. Nearly a third (30%) of these successful attacks resulted in credential theft or account compromise, giving attackers access to organizations’ accounts or identities. Once threat actors have successfully compromised even one identity, they can easily move laterally through the organization.
At this point they have almost won the battle. Escalating privileges, gathering intelligence, distributing payloads and carrying out other objectives are simple exercises from there.
They can achieve all this without touching your traditional perimeter defenses, and without much technical knowledge or effort.
According to research from the independent nonprofit Identity Defined Security Alliance, 90% of organizations surveyed have experienced an identity-related breach in the past 12 months. It is imperative that organizations adapt to this new reality and develop their defense mechanisms.
Senior director at Proofpoint.
The three biggest types of identity risks
Many organizations have invested substantially in strengthening their identity infrastructure. But they miss the most vulnerable components, such as stored and cached credentials, session cookies, access keys, shadow privileged accounts, and various misconfigurations related to accounts and identities.
Understanding how cybercriminals attack identity within your organization is the first step to protecting the new attack surface and breaking the attack chain.
First, you need to know which human entry points are the most vulnerable and most targeted in your organization. You can’t mitigate every risk, which means you have to set priorities.
Threat actors typically focus on three areas of identity:
• Unmanaged identities: These include identities used by applications (service accounts) and local administrators. Recent threat research found that 87% of local administrators are not enrolled in a privileged account management solution. Moreover, these types of identities often go undiscovered during deployment or are forgotten once they have served their purpose. Many of these accounts use default or outdated passwords, further increasing the risk.
• Misconfigured identities: “Shadow admins,” identities configured with weak or no encryption, and accounts with weak credentials are examples of misconfigured identities. The Human Factor 2023 report shows that as many as 40% of misconfigured identities or shadow administrators can be exploited in just one step, for example by resetting a domain password to escalate privileges. The report also shows that 13% of shadow administrators already have domain administrator rights, allowing malicious actors to collect credentials and infiltrate the organization.
• Exposed identities: This category includes cached credentials stored on different systems, cloud access tokens stored on endpoints, and open sessions for remote access. One in six endpoints contains exposed passwords for privileged accounts, such as cached credentials. This practice is just as risky as allowing employees to leave sticky notes with usernames and passwords on their devices, but it is often overlooked.
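To make the three categories above concrete, here is an added example (not from the article or any vendor) that tags a constructed identity inventory as unmanaged, misconfigured (shadow admin) or exposed and ranks the findings so the one-step privilege paths come first. The field names, the privileged-rights set and the sample accounts are assumptions for illustration.

```python
# Added example: triage an identity inventory into the three risk categories
# named above (unmanaged, misconfigured/shadow admin, exposed) and rank them.
# The field names and sample inventory are constructed, not any vendor's schema.
from dataclasses import dataclass, field

# Rights that grant admin-equivalent power (illustrative set, an assumption).
PRIVILEGED_RIGHTS = {"reset_admin_password", "replicate_directory", "write_gpo"}

@dataclass
class Identity:
    name: str
    kind: str                     # "user", "service" or "local_admin"
    in_pam: bool = True           # enrolled in privileged account management
    default_password: bool = False
    password_age_days: int = 0
    admin_group: bool = False     # member of a recognised admin group
    rights: set = field(default_factory=set)
    cached_on_endpoints: int = 0  # endpoints caching this account's credentials

def classify(identity):
    """Return every category the identity falls into; an identity may hit several."""
    tags = []
    stale = identity.default_password or identity.password_age_days > 365
    if identity.kind in ("service", "local_admin") and (not identity.in_pam or stale):
        tags.append("unmanaged")
    if identity.rights & PRIVILEGED_RIGHTS and not identity.admin_group:
        tags.append("misconfigured:shadow_admin")   # admin power outside admin groups
    if identity.cached_on_endpoints > 0:
        tags.append("exposed")
    return tags

def priority(identity):
    """Higher is more urgent: one-step privilege paths first, then exposure breadth."""
    tags = classify(identity)
    score = 100 if "misconfigured:shadow_admin" in tags or identity.admin_group else 0
    score += 10 * identity.cached_on_endpoints  # each cached copy is a theft point
    score += 25 if "unmanaged" in tags else 0   # nobody rotates or monitors it
    return score

def triage(inventory):
    """Rank tagged identities by priority; untagged ones are dropped."""
    findings = [(i.name, classify(i), priority(i)) for i in inventory]
    return sorted((f for f in findings if f[1]), key=lambda f: -f[2])

INVENTORY = [  # constructed sample data
    Identity("svc-backup", "service", in_pam=False, password_age_days=900, cached_on_endpoints=3),
    Identity("helpdesk-bot", "user", rights={"reset_admin_password"}),
    Identity("alice", "user", cached_on_endpoints=1),
]
```

Running `triage(INVENTORY)` puts the shadow admin first even though it has no cached copies, which is the prioritisation the article argues for: a one-step path to domain control outranks breadth of exposure.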
Whatever type of identity malicious actors compromise, it only takes one vulnerable account to provide unfettered access to your organization. And the longer they go unnoticed, the more devastating the potential consequences.
Manage risk with identity threat detection and response
Combating each type of threat requires several core activities: detecting and identifying threats in real time, prioritizing them, and immediately remediating the situation by automating responses as much as possible. This is where best practices in threat detection and response come into play.
However, organizations typically apply threat detection and response only to their technology. That is not enough in today’s human-centric threat environment.
As the human perimeter has become the most vulnerable component, identity threat detection and response (ITDR) has become a critical part of identifying and mitigating gaps in identity-driven exposure.
ITDR requires a combination of comprehensive security processes, tools and best practices. Treat identities the same as you would any other type of asset, including your network and endpoints.
Start with proactive, preventative controls so you can discover and mitigate identity vulnerabilities before cybercriminals can exploit them. Continuous detection and automated remediation are your best way to keep malicious actors out.
Next, you need the ability to quickly neutralize threats if they slip through defenses. Because no control is foolproof, you must consider the entire attack chain. Quickly stopping the escalation of privilege is paramount because threat actors will take this step once they gain initial access. If they can’t get anywhere, they’ll have to give up and move on.
Advanced tools that provide capabilities such as machine learning or analytics to detect unusual or suspicious events and behaviors, along with automated responses, increase your success.
Like tools such as endpoint detection and response and comprehensive detection and response, robust ITDR solutions provide a deep approach to limiting exposure. Cybercriminals simply move too quickly for security teams to keep up with identity threats without the right tools for the job.
Finally, effective ITDR relies on best practices, such as ensuring good cyber hygiene. After all, people are your biggest security hole. Human-centric defenses won’t work if you don’t enable employees to break the attack chain by changing their behavior and habits. And improving hygiene is a simple activity that doesn’t require many resources.
One of Proofpoint’s security predictions for 2024 was that identity-based attacks will dominate breaches. Cybercriminals will focus on these lucrative attacks. Don’t just take note of that prediction. Make identity-related risks your priority and prepare to adapt your strategies as these risks evolve.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro