Over 80% of cyber attacks involve identity compromise. This includes malware threats, Ransomware, and advanced persistent threat (APT) actors. Attackers leverage identities for Lateral Movement and to escalate privileges as part of an offensive campaign.
Cyberattacks have become a persistent threat to organizations across sectors. As the cyber threat landscape grows more complex, attacks are becoming larger and more scalable. Attackers are making use of superior digital and economic resources, allowing them to develop attacks that are increasingly sophisticated stemming from a large variety of attack vectors. In this blog series, we look at identity-based attacks, the identity ecosystem, and the importance of identity security.
Understanding the Identity Ecosystem
Identities are among the most important, key assets in any enterprise. Identities can represent users, computers, or applications. The identity ecosystem consists of components that perform specific functions. The provisioning component is responsible for the creation and management of users and service accounts, the authentication component such as Identity Providers (IdPs), MFA, and SSO, the access control component including PAM, and catalog services such as Active Directory and Azure AD.
The many connected components that make up a typical identity ecosystem invariably create a large attack surface. By targeting the identity subsystems, attackers can steal credentials and access tokens of users and service accounts. They can target misconfigurations or weak policy settings. Identity-related cyber threats such as credential stealing, Pass-the-Hash, unauthorized access to user and service accounts, and attacks against the identity ecosystem such as Golden Ticket attack are all referred to as identity-based attacks.
What is an Identity-Based Attack
An identity-based attack is a type of cyberattack that focuses on exploiting or compromising credentials. The objective of such attacks is to gain unauthorized access to sensitive data, systems, resources, or privileges by impersonating or manipulating the target’s identity.
These attacks often exploit vulnerabilities in authentication, authorization, and access control mechanisms. Identity-based attacks can take various forms and can be carried out through multiple vectors, including social engineering, phishing, malware, and more. The ultimate goal is to compromise the confidentiality, integrity, or availability of digital assets by exploiting weaknesses in identity management and security practices.
Why is there an Increase in Identity-Based Attacks Today?
Identities are as old as enterprises themselves, and they’ve existed all along. Identity-based attacks have been prevalent for several decades. For example, Phishing is a type of identity-based attack that has been known since the mid-1990s. However, there is a renewed interest for attackers to go after identities today and use compromised identities to further their attack progress. There are multiple reasons contributing to this situation:
1. Identity as a Blind Spot
Identities are a blind spot for most security products. Widely deployed products such as vulnerability scanners, endpoint detection and response (EDR) solutions, network detection, and response (NDR) solutions, and log analytics solutions are unaware of applications and application-based identities. Many recent cyberattacks, including the Colonial Pipeline, Uber, and SolarWinds attacks, involved an identity compromise. Attackers often attempt to exploit the identities of the underlying infrastructure and the policies that govern it.
2. Privileged Access Exploitation
Identities provide a fast-track lane for attackers to get privileged access to resources and data. A few years ago, attackers leveraged phishing emails to compromise identities and gain access to the enterprise network. This allowed them to pivot through the network until they found the data that they were interested in. Today, however, attackers use spear phishing to target and compromise a privileged identity account and get direct access to other privileged accounts. This enables them to easily bypass security layers, establish persistence, move laterally across the network, and gain unauthorized access to data or control systems – while masquerading as legitimate traffic.
3. Lack of Protection for Service Accounts
The lack of visibility and protection of service accounts is a big motivator for attackers to launch identity-based attacks. Service accounts are typically privileged accounts. They are created by IT teams as part of application deployment for various IT projects. For example, the SolarWinds IT Management tool creates multiple privileged service accounts, but the Security team may be unaware of and may not track the protection of such privileged service accounts, because of lack of visibility. This was the basis for the SolarWinds attack in 2019.
Traditional security methods, such as multi-factor authentication (MFA), are primarily intended for human accounts and are not effectively deployable for service accounts. Consequently, the insufficient visibility and protection of service accounts create a significant incentive for attackers to plan their attacks based on identities.
4. Large Attack Surface and Misconfigurations
As discussed earlier, the identity ecosystem consists of many components and interoperations, creating a large attack surface. Attackers exploit this by focusing on the identity subsystems, enabling them to steal credentials and access tokens. They specifically exploit misconfigurations, over-permissioning, and weak policy settings, targeting services such as Active Directory Certificate Services (ADCS), protocols, or cryptography. The defense teams lack continuous visibility to misconfigurations in Active Directory, Azure AD, and Microsoft 365, thereby exposing a weakness that attackers can exploit.
5. Exploiting Password-Based Authentication Systems
Attackers exploit the limitations of password-based authentication systems. They go after password managers, as well as access control systems like role-based access control (RBAC). Even MFA has been attacked in the recent past. MFA fatigue is a new phenomenon observed in the last couple of years and is exploited by attackers. RBAC is a very coarse-grained access control system, resulting in many employees and contractors being over-permissioned. For example, there are several designated IT administrators, DBAs, and domain admins. Once an attacker gets access to the credentials of a valid user, they can use them even when that user is on vacation, off-hours, or even from a completely different city from where the user lives. The system does not block such access – which is completely legitimate. Stolen credentials allow attackers to easily pivot from cloud to on-premises and vice-versa.
6. Availability of Pen-Testing Tools
There is easy availability of powerful, free pen-testing tools related to identity threats, such as Mimikatz, Bloodhound, and Seatbelt. Mimikatz, developed by a knowledgeable security researcher specializing in Active Directory and authentication systems, stands out as an excellent tool. However, attackers have discovered its potential for dumping caches and exploiting specific protocols like DCSync, without requiring advanced development skills to create complex tools. These tools serve as strong motivators for attackers since they facilitate targeting identity-based attack vectors effortlessly. Attackers can seamlessly transition between cloud and on-premises environments, powered by stolen credentials, enabling them to pivot back and forth.
7. Lack of Visibility into Application Credentials
Defense teams lack visibility into application credentials or cached credentials on endpoints. For example, in Windows, Microsoft tracks caches to make it convenient and reduce the usability friction for users to log in even when they are not in the office. Insufficient visibility renders the defense teams incapable of detecting and responding to attacks.
In the next post in the Identity Security blog series, we will discuss the various components of the identity ecosystem—identity repositories, IAM, IGA, PAM, and IdP solutions.
FAQs on Identity-Based Attacks
1. How do hackers utilize stolen identities in their attacks?
Attackers can exploit stolen identities in various ways to carry out malicious activities. Here are some common ways attackers utilize stolen identities in their attacks:
- Financial Fraud
- Identity Theft
- Phishing and Social Engineering
- Credential Stuffing
- Account Takeover
- Ransom Attacks
- Cyber Espionage
- Blackmail and Extortion
2. What are the most common indicators of an identity-based attack?
Identifying an identity-based attack requires a keen understanding of the tactics used by cybercriminals to compromise personal information. Here are some of the most common indicators of an identity-based attack:
- Unusual login attempts
- Changes to your account settings
- Missing or lost personal information
- Phishing emails
- Unauthorized transactions