Identity has become the new security perimeter in the modern threat landscape. This may not come as a surprise to those who follow the trends showing that an overwhelming majority of security breaches result from identity-based attacks. Recent research has found that over 90% of breaches involve an identity component in the attack chain.
Cybersecurity practitioners have understood for a long time that human behavior is a core security vulnerability. The most recent Verizon Data Breach Investigations Report shows that 74% of confirmed breaches involve the human element, and this data has been consistent for years.
So, what is changing? The way malicious actors take advantage of humans as the weakest link in the attack chain.
Consider the Scattered Spider attacks and the rise in attacks on identity service providers in recent months. These events show that threat actors are extending proven tactics such as phishing and credential theft to the supply chain, where a single compromise can yield a very high return on investment. So malicious actors are throwing their weight behind their most successful tactic, attacking identity, to maximize those returns.
The 2024 State of the Phish report shows that 66% of phishing attacks experienced by UK organizations in 2023 were successful. Almost a third (30%) of these successful attacks resulted in credential theft or account compromise, giving attackers access to the organization's accounts, that is, its identities. Once threat actors have compromised even a single identity, they can move laterally through the organization with ease.
At this point, they have nearly won the battle. Escalating privileges, gathering intelligence, distributing payloads, and carrying out other objectives are a simple exercise from there.
They can achieve all of this without touching any of your traditional perimeter defenses. And without much technical knowledge and effort.
According to research from the independent nonprofit Identity Defined Security Alliance, 90% of surveyed organizations have experienced an identity-related breach in the past 12 months. It’s imperative for organizations to adapt to this new reality and evolve their defenses.
The three biggest types of identity risks
Many organizations have invested substantially in fortifying their identity infrastructure. But they are missing the most vulnerable components, such as stored and cached credentials, session cookies, access keys, shadow privileged accounts, and various misconfigurations associated with accounts and identities.
Understanding how cybercriminals are attacking identity within your organization is the first step to protecting the new attack surface and breaking the attack chain.
First, you need to know which human entry points are the most vulnerable and the most targeted in your organization. You can’t mitigate every risk, which means you’ll need to prioritize.
Threat actors typically target three identity areas:
• Unmanaged identities: These include identities used by applications (service accounts) and local admin accounts. Recent threat research found that 87% of local admins are not enrolled in a privileged account management solution. These identities are often never discovered at deployment or are forgotten after serving their purpose, and many still use default or outdated passwords, further increasing the risk.
• Misconfigured identities: “Shadow” admins (accounts that hold admin-level rights through delegated permissions or nested group membership without belonging to a recognized admin group), identities configured with weak or no encryption, and accounts with weak credentials are examples of misconfigured identities. The Human Factor 2023 report shows that as many as 40% of shadow admin identities can be exploited in just one step, for example by resetting a domain password to escalate privileges. The report also found that 13% of shadow admins already have domain admin privileges, enabling malicious actors to harvest credentials and infiltrate the organization.
• Exposed identities: This category includes cached credentials stored on various systems, cloud access tokens stored on endpoints, and open remote access sessions. One in six endpoints contains exposed privileged account passwords, such as cached credentials. This practice is just as risky as allowing employees to leave sticky notes with usernames and passwords on their devices, yet it’s commonly overlooked.
Whatever type of identity malicious actors compromise, it only takes one vulnerable account to provide unfettered access to your organization. And the longer they go undetected, the more devastating are the potential consequences.
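The exposed-identity category above is the one a defender can find on their own endpoints before an attacker does. The following scanner, an added example rather than code from the article or from Proofpoint, walks a directory tree looking for cached cloud access keys, API tokens and private keys. The regexes follow the documented formats of AWS access key IDs, classic GitHub tokens and PEM private-key headers; the sample files it scans are constructed for the demo (the AWS values are the placeholders from AWS's own documentation), and the rule names and the `Finding` type are this example's own.

```python
"""Discover exposed identity material (cloud access keys, API tokens, private
keys) left in files on an endpoint, the kind of check an ITDR discovery job
runs before an attacker finds the same files.

Added example. The regexes follow the documented formats of AWS access key
IDs (AKIA/ASIA + 16 chars), classic GitHub tokens (ghp_ + 36 chars) and PEM
private-key headers; the sample files below are constructed for this demo
(the AWS values are the placeholders from AWS's own documentation).
"""
import os
import re
import tempfile
from dataclasses import dataclass

RULES = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    "github_token": re.compile(r"ghp_[A-Za-z0-9]{36}(?![A-Za-z0-9])"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Constructed sample of what an endpoint scan might find (not real data).
SAMPLE_FILES = {
    ".aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "project/.env": 'GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"\nDEBUG=1\n',
    ".ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(key material omitted in this constructed sample)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "notes/README.txt": "Internal notes. Rotate keys quarterly; see the AKIA docs.\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    line_no: int
    sample: str  # redacted; a scanner must never log the full secret


def redact(secret: str) -> str:
    """Keep the first and last four characters so an analyst can triage the hit."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path: str, text: str) -> list:
    """Run every rule over every line; group(1) holds the secret for keyed rules."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, rule, line_no, redact(secret)))
    return findings


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list:
    """Walk a directory, skipping oversized or unreadable files, and return sorted findings."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(os.path.relpath(path, root), text))
    return sorted(findings, key=lambda f: (f.path, f.line_no))


def write_sample_tree(root: str) -> None:
    """Materialize the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> list:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no}  {f.rule:<22} {f.sample}")
```

Two design points matter in practice: findings carry a redacted sample, because a discovery tool that writes the full secret into its own log has just created another exposed identity; and the README hit is absent, since the AWS rule anchors on the full 20-character key format rather than the `AKIA` prefix alone. A real deployment would add rules for the token formats your organization actually uses and feed the findings into rotation and revocation, not just a report.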
Managing risks with identity threat detection and response
Combating any type of threat necessitates several core activities: detecting and identifying threats in real time, prioritizing them, and promptly remedying the situation by automating responses as much as possible. This is where the best practices of threat detection and response come into play.
However, organizations typically implement threat detection and response only for their infrastructure, such as networks and endpoints, and not for their identities. This is not enough in today’s people-centric threat environment.
As the human perimeter has become the most vulnerable component, identity threat detection and response (ITDR) has emerged as a critical part of identifying and mitigating gaps in identity-driven exposure.
ITDR requires a combination of comprehensive security processes, tools, and best practices. Treat identities the same way you treat any other asset type, including your network and endpoints.
Start with proactive, preventative controls so you can discover and mitigate identity vulnerabilities before cybercriminals can exploit them. Continuous discovery and automated remediation are your best way of keeping malicious actors out.
Next, you need the ability to swiftly neutralize threats should they slip through defenses. As no controls are foolproof, consider the full attack chain. Stopping privilege escalation quickly is paramount because threat actors will attempt that step as soon as they’ve achieved initial access. If they can’t get anywhere, they’ll have to give up and move on.
Advanced tools that offer capabilities such as machine learning or analytics to detect unusual or suspicious events and behaviors, along with automated response, improve your chances of success.
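To make the "stop privilege escalation quickly" point concrete, here is the kind of correlation an ITDR detection rule runs, as an added example that is not code from the article or from any vendor's product. It takes Windows Security events, pairs each addition to a privileged group with the most recent logon by the account that made the change, and raises the severity when the newly privileged member immediately shows up with special privileges. The event IDs are the standard Windows ones (4624 logon, 4728/4732/4756 member added to a global/local/universal security group, 4672 special privileges assigned); the records, hosts, accounts and the 30-minute window are constructed and assumed for this demo.

```python
"""Flag privileged-group changes that follow a fresh logon, the correlation
an ITDR rule runs to catch privilege escalation right after initial access.

Added example. Event IDs are the standard Windows Security ones (4624 logon,
4728/4732/4756 member added to a global/local/universal security group, 4672
special privileges assigned at logon); the records, hosts and accounts below
are constructed for this demo and not taken from any real environment.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
ESCALATION_WINDOW = timedelta(minutes=30)   # assumed tuning value for the demo
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample events, deliberately not in time order (logs arrive that way).
SAMPLE_EVENTS = [
    {"time": "2024-03-05T09:02:11", "event_id": 4624, "subject": "j.doe", "logon_type": 10, "host": "WKS-17"},
    {"time": "2024-03-05T09:04:40", "event_id": 4728, "subject": "j.doe", "member": "svc-backup",
     "group": "Domain Admins", "host": "DC01"},
    {"time": "2024-03-05T09:05:02", "event_id": 4672, "subject": "svc-backup", "host": "DC01"},
    {"time": "2024-03-05T11:30:00", "event_id": 4624, "subject": "a.smith", "logon_type": 2, "host": "WKS-03"},
    {"time": "2024-03-05T12:00:00", "event_id": 4732, "subject": "a.smith", "member": "b.jones",
     "group": "Marketing Users", "host": "WKS-03"},
    {"time": "2024-03-05T15:45:00", "event_id": 4732, "subject": "a.smith", "member": "helpdesk-tmp",
     "group": "Administrators", "host": "WKS-03"},
    {"time": "2024-03-05T08:59:59", "event_id": 4624, "subject": "j.doe", "logon_type": 3, "host": "FS02"},
]


@dataclass
class Alert:
    actor: str                          # account that made the change
    member: str                         # account that gained the privilege
    group: str
    host: str
    seconds_since_logon: Optional[int]  # None when no logon by the actor was seen
    severity: str
    evidence: list = field(default_factory=list)


def detect(events, window=ESCALATION_WINDOW):
    """Return alerts ordered by severity, then by time of the group change."""
    ordered = sorted(events, key=lambda e: e["time"])   # uniform ISO-8601 sorts lexically
    last_logon = {}
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        eid = e["event_id"]
        if eid == 4624:
            last_logon[e["subject"]] = t
        elif eid in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            logon = last_logon.get(e["subject"])
            delta = None if logon is None else int((t - logon).total_seconds())
            # Any privileged-group change is worth review; one right after a
            # fresh logon by the actor is the escalation pattern we care about.
            severity = "high" if delta is not None and delta <= window.total_seconds() else "medium"
            alerts.append(Alert(e["subject"], e["member"], e["group"], e["host"], delta, severity, [e]))
        elif eid == 4672:
            # The new member actually used the privilege: upgrade the matching alert.
            for a in alerts:
                added_at = datetime.fromisoformat(a.evidence[0]["time"])
                if (a.severity == "high" and a.member == e["subject"]
                        and timedelta(0) <= t - added_at <= window):
                    a.severity = "critical"
                    a.evidence.append(e)
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], a.evidence[0]["time"]))


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        since = "no logon seen" if a.seconds_since_logon is None else f"{a.seconds_since_logon}s after logon"
        print(f"[{a.severity:<8}] {a.actor} added {a.member} to {a.group} on {a.host} ({since}, "
              f"{len(a.evidence)} events)")
```

In the sample, j.doe adds svc-backup to Domain Admins 149 seconds after logging on and the new member is granted special privileges 22 seconds later, which the rule reports as critical; a.smith's addition to the local Administrators group hours after logon is reported as medium for review, and the Marketing Users change is ignored. Two caveats a practitioner will want: 4672 fires for every logon by an account that already holds admin rights, so it is only a confirmation here and not a standalone signal, and the window and group list must be tuned against your change-management process or legitimate admin work will drown the alerts. The alerts are the input to automated response (disabling the member, revoking its sessions), which the example deliberately leaves to the surrounding platform.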
Similar to tools such as endpoint detection and response and extended detection and response, robust ITDR solutions provide an in-depth approach to mitigating exposure. Cybercriminals are simply moving too fast for security teams to keep up with identity threats without the right tools for the job.
Finally, effective ITDR relies on best practices such as ensuring good cyber hygiene. After all, people are your biggest security hole. People-centric defenses don’t work if you don’t empower employees to break the attack chain by changing their behaviors and habits. And improving hygiene is a simple activity that doesn’t require a lot of resources.
One of Proofpoint’s security predictions for 2024 was that identity-based attacks will dominate breaches. Cybercriminals will concentrate on these lucrative attacks. Don’t just brace for it. Make identity-centric risks your priority — and prepare to adapt your strategies as these risks evolve.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro