The Rise of Identity-Based Attacks

“Who am I?” is more than an existential question to security professionals. As more of us live and work online, the number of digital identities each person can claim has proliferated, along with the logins and passwords attached to them. The cybercriminal cottage industry of credential theft has expanded into a whole new front for bad guys looking to breach systems — especially since many users reuse their passwords across a number of services.

More than eight out of 10 cybersecurity attacks are now enabled by stolen or compromised credentials, according to a recent report by Mimecast partner Crowdstrike.[1] More alarming yet: the bad guys are doubling down on identity, as companies expand their use of cloud resources and support remote work.

Bad actors may engage in credential harvesting by stealing usernames and passwords via phishing, social engineering, or infecting networks with malware. They can also easily buy stolen credentials; ads on the dark web selling access to networks more than doubled in the last year.[2] Armed with these identities, hackers can break in and reset an individual’s user profile to add more access privileges so they can move around the network undetected and perform all sorts of malicious activity.

Some proven best practices like good password hygiene, multi-factor authentication, solid permission governance, and effective cyber awareness training can help reduce the risk of identity-based attacks. An identity access management (IAM) system can also help build a stronger defense, particularly when working in conjunction with a secure email gateway to block the phishing and social engineering attacks hackers can exploit to steal credentials.

The Identity Problem

During Mimecast’s SecOps Virtual 2023 event, John Grundy, senior strategic alliance manager at Okta, painted a picture of the size of the identity problem that security leaders must manage. He noted there are now an estimated 1.2 trillion digital accounts worldwide — from streaming services to online shopping to banking — creating hundreds of identities per person. 

“There’s so many people with so many identities. So many different organizations have different policies to run those identities,” Grundy said. “We’ve created a world where digital identities can potentially be really hard for individuals to understand and use.” That leads to not only a poor user experience and an inefficient workforce, by increased cyber risk.

Grundy cited research indicating that 89% of organizations were affected by an identity-based attack in 2022, and more than half of the organizations involved lost more than 10,000 identities.[3] That left hundreds of thousands of legitimate user credentials compromised and available for nefarious use, Grundy said. 

Types of Identity Attacks

Identity-based attacks come in many forms. As defenders develop counter strategies against these attacks, bad actors continue to evolve their tactics. Some of varieties now well-known to security pros include: 

• Phishing: This is still the biggest attack vector for identity-based attacks, noted Grundy. Thanks to social engineering, phishing has evolved into more sophisticated business email compromise, using tactics such as whaling, spear phishing, and angler phishing. Nearly all the companies in Mimecast’s State of Email Security 2023 (SOES 2023) report say they have been targeted. Some hackers are also using artificial intelligence (AI) and machine learning to craft more convincing phishing messages and deploying bots to head off automated defenses that would spot suspicious behavior. 
• Credential Theft: Like a thief making a copy of the key to the front door, many identity-based breaches are enabled by stealing the access of valid user identities. This is particularly damaging, since it makes the hackers almost undetectable as they move around the network, performing more malicious exploits. Data breaches due to credential theft cost companies an average $4.5 million last year.[4]
• Password Spraying: If a hacker is like a burglar breaking into a house, a password-spraying attack is like someone that rings all the buzzers at a building’s front door until someone is careless enough to let them in. Hackers take advantage of users who don’t practice good password hygiene and use bots to try common combinations like “password123” or “11111” across many user accounts until they find one that works. 
• Credential Stuffing: Okta’s Grundy noted that organizations have seen a recent rise in this type of attack. In this variant of password spraying, malicious actors use lists of compromised passwords — bought off the dark web or harvested in previous attacks — to brute-force their way into a number of sites. This takes advantage of many users’ weakness for recycling passwords. Recently, the data of more than 71,000 customers of a fast-food chain was extracted by hackers in one such attack.[5]
• Man-in-the-Middle Attacks: Also known as user-in-the-middle attacks, these tactics involve intercepting a communication between two parties, putting a bad actor in the position to collect all kinds of potentially useful information, including passwords. They might infect the user with spyware that can essentially look over their digital shoulder and record their online actions. Or they could install rootkit malware that takes over the victim’s workstation and then move around the network, posing as that user. A variant of these attacks, known as “man-in-the-browser” attacks, target financial communications and corrupt the user’s browser with a fake extension that conceals malware designed to intercept transactions and divert money to an account controlled by the cyberthieves. 
• Compromised Privileged Access: System administrator accounts and other privileged users are a prime target for cyber scammers since their credentials give them broad access to an organization’s systems. Once a crook gets control of a privileged identity, it can extract data, compromise systems, and harvest volumes of additional credentials for further exploits. One recent example is the teenager who got a hold of admin credentials for a major social media firm and commandeered the accounts of celebrities and politicians to post messages requesting cryptocurrency donations. The high-schooler racked up over $100,000 in Bitcoin — and a three-year prison sentence — in a little over an hour.[6]

“All of these attacks combined mean that identity is even more valuable than it was 10 to 15 years ago,” Grundy said.

How to Mitigate Identity-Based Risk

Managing the risk of identity-based attacks and containing the potential damage requires companies to step up their identity and access management while still enabling the ease of day-to-day business. A number of best practices can help: 

• Password Hygiene: Policies that require strong passwords that are changed regularly can strengthen an organization’s security posture and short-circuit attempts at password spraying and credential stuffing. A number of tools can automate enforcement.
• Multifactor Authentication: Yes, it can create some initial use friction, and “MFA fatigue” is an issue, but requiring a one-time code or (preferably) a biometric marker such as a fingerprint or facial recognition to authenticate a user can help prevent many identity-based attacks. 
• Security Awareness: This remains the first line of defense in cybersecurity. Preventing users from clicking on malicious links and downloads and reminding them to practice good password hygiene is one of the most effective ways to prevent credential compromise and the resulting identity-based attacks. 
• Right-Sized Permissions: Many identity-based attacks involve hackers upgrading their privileges in order to access more sensitive data. Making sure that users only have access to those resources they need to do their jobs and only for as long as they need them can stop bad guys in their tracks. 
• Identity Lifecycle Management: Dormant identities of departed staff or services no longer in use are a gold mine for malicious actors, as are users with excessive permissions due to changing job functions. Just like right-sizing permissions, security needs to stay on top of privileges as employees shift responsibilities and delete any identities that are not in use.
• Behavioral Analytics: Hackers using valid credentials can hide in the network, evading detection and causing damage. It can take up to 250 days to ferret out a malicious actor using compromised identities, according to Crowdstrike.[7] But if that user is spotted behaving in an uncharacteristic manner, requiring the user to verify their identity can act as a roadblock. Automated tools that leverage machine learning and behavioral analytics can make this viable without adding to the security staff’s workload.

A unified identity and access management platform is a useful tool to coordinate defenses across the entire network and automate identity governance and incident response. It can bring together protection for all apps, servers, and users into one holistic source of visibility to enable both risk management and proactive threat hunting. 

The Bottom Line

Identity-based attacks are the biggest concern for defenders of network security. Impersonating users is an effective tactic for cybercrooks, and selling stolen identities is big business on the dark web. But a number of best practices to prevent the misuse and abuse of credentials can make these cybercriminal activities more difficult or less profitable. Find out more about identity-based attacks and the importance of protecting credentials by viewing the Mimecast SecOps 2023 session: “Knock, Knock: Should identity be at the heart of your digital puzzle?” 

[1] “CrowdStrike 2023 Global Threat Report,” Crowdstrike

[2]Ibid 

[3] “Report: 89% of organizations have been hit by an identity-based attack in the past year,” VentureBeat

[4] “Cost of a Data Breach Report 2022,” IBM

[5] “Chick-fil-A hack spells indigestion for 71K customers,” SC Media

[6] “Tampa Twitter hacker agrees to three years in prison,” Tampa Bay Times

[7] “CrowdStrike 2023 Global Threat Report,” Crowdstrike