Over the last 10 years or so, the transformation into the digital age has led to a dramatic increase in cybersecurity threats. Despite security professionals fighting tirelessly to stop these attacks, criminals are always finding new avenues they can exploit.
A common avenue is identity-focused threats.
Unfortunately, identity attacks continue to evolve in sophistication, leading to exposed credentials and hijacked accounts. Once compromised, these can act as a doorway into entire networks and systems, and the all-important data stored within.
As these attacks can lead to such enticing rewards for criminals and even allow hackers to take over entire IT environments, many threat actors have chosen to focus their efforts in this area.
How compromised identities offer easy access
It’s no secret that to get into an organization, cybercriminals now primarily target people, not systems. They rely on gaining people’s trust and exploiting their naivety to extract data, steal credentials, and launch ransomware campaigns.
That is why the term ‘people-centric’ is used so regularly in this industry.
That is also why industry leaders are increasingly focusing on human involvement and making individuals the center of their cybersecurity efforts.
The trouble is that today’s cybercriminals are no longer satisfied with simply hacking into your systems; they want to elevate their access and cause maximum chaos to extract maximum value.
By compromising identities to gain greater access and privilege, they can then make lateral moves within networks and systems to gain sensitive information, launch bigger attacks, and steal as much data as possible.
Tools like Mimikatz and BloodHound have made stealing this information and escalating privileges far too easy. Using these tools, criminals can quickly extract information like passwords and PINs, as well as identify hidden relationships, user permissions, and more.
Understanding what makes an identity high-risk
To increase the likelihood of a successful attack, cybercriminals need two key pieces of information. Firstly, they need to know the location of the data they want to get hold of. Secondly, they’ll need to know which identity will give them the best access to this data.
For the most part, service accounts are a key target because they are not always protected by privileged access management (PAM) solutions. They also often have static passwords that do nothing to protect the many different files and systems these accounts have access to.
Shadow administrators are another high-risk identity. Though they aren’t always known as privileged, they have specific sensitive permissions. Plus, in many cases, they can escalate privileges from within.
As a result, cybercriminals can exploit these permissions to get access to networks or systems, steal or tamper with sensitive data, or interrupt cloud-hosted services.
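The checks described above can be run against an identity inventory. The following Python sketch is an added example, not part of the original article or any vendor product; the record fields, the set of sensitive permissions, and the 90-day password age threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Permissions treated as sensitive in this example (assumed names, not a product schema).
SENSITIVE_PERMS = {"reset_password", "write_acl", "add_group_member", "replicate_directory"}
MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy

@dataclass
class Identity:
    name: str
    kind: str                    # "user" or "service"
    in_privileged_group: bool    # member of a known admin group
    pam_managed: bool            # credential vaulted and rotated by PAM
    password_age_days: int
    permissions: set = field(default_factory=set)

def assess(identity):
    """Return the list of high-risk findings for one identity."""
    findings = []
    if identity.kind == "service":
        if not identity.pam_managed:
            findings.append("service account outside PAM")
        if identity.password_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append("static password")
    # Shadow admin: holds sensitive permissions without being a known privileged account.
    sensitive = identity.permissions & SENSITIVE_PERMS
    if sensitive and not identity.in_privileged_group:
        findings.append("shadow admin: " + ", ".join(sorted(sensitive)))
    return findings

def audit(inventory):
    """Map identity name -> findings, omitting identities with none."""
    report = {}
    for ident in inventory:
        found = assess(ident)
        if found:
            report[ident.name] = found
    return report

# Constructed sample inventory.
INVENTORY = [
    Identity("svc-backup", "service", False, False, 1400, {"read_files"}),
    Identity("svc-web", "service", False, True, 12, set()),
    Identity("helpdesk-jo", "user", False, False, 30, {"reset_password", "read_files"}),
    Identity("da-admin", "user", True, True, 5, {"write_acl", "replicate_directory"}),
]

if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(found)}")
```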
Recognizing where organizations are most vulnerable
Identity and access management (IAM) has been a big issue for businesses for many years now. To tackle IAM, organizations and their security teams need to understand what’s going on and address the key areas of concern, which include shared and stored credentials as well as shared secrets.
With so much of our lives now online, most individuals will have multiple usernames and passwords for different accounts. And despite being frequently reminded of cybersecurity best practices, too many will use the same username and/or password across multiple accounts.
As a result, all it takes is just one successful attack for cybercriminals to gain unauthorized access to numerous accounts, putting organizations and their sensitive information at major risk.
What’s more, many of these identity attacks result from a drive-by hack, in which perpetrators steal credentials from data breaches and password dumps. They can then try their luck by password-spraying across several systems to see if they can get access.
Keeping this in mind, businesses must be cautious about how they store and manage passwords.
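Password spraying leaves a recognizable pattern in authentication logs: one source failing against many different accounts, with only a try or two per account. The detection sketch below is an added example, not from the original article; the event tuple format, the thresholds, and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
MIN_ACCOUNTS = 5                 # assumed: distinct accounts failing from one source
MAX_TRIES_PER_ACCOUNT = 2        # spraying stays under lockout thresholds

# Constructed sample events: (ISO timestamp, source IP, account, outcome).
EVENTS = [("2024-01-01T09:%02d:00" % i, "203.0.113.7", user, "fail")
          for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
EVENTS += [("2024-01-01T09:06:00", "203.0.113.7", "grace", "success")]
# One account hammered repeatedly: a different pattern, not a spray.
EVENTS += [("2024-01-01T09:%02d:00" % i, "198.51.100.20", "henry", "fail") for i in range(8)]
EVENTS += [("2024-01-01T09:10:00", "192.0.2.15", "irene", "fail")]

def detect_spray(events):
    """Return {source: {"accounts": [...], "compromised": [...]}} for spray-like sources."""
    by_source = defaultdict(list)
    for ts, src, account, outcome in events:
        by_source[src].append((datetime.fromisoformat(ts), account, outcome))
    alerts = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than WINDOW.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            fails = defaultdict(int)
            for _, account, outcome in window:
                if outcome == "fail":
                    fails[account] += 1
            if len(fails) >= MIN_ACCOUNTS and max(fails.values()) <= MAX_TRIES_PER_ACCOUNT:
                # A success from the same source inside the window is the urgent part.
                hits = sorted({a for _, a, o in window if o == "success"})
                alerts[src] = {"accounts": sorted(fails), "compromised": hits}
    return alerts

if __name__ == "__main__":
    for src, info in detect_spray(EVENTS).items():
        print(src, "sprayed", len(info["accounts"]), "accounts; successes:", info["compromised"])
```

Any account listed under `compromised` should be treated as taken over: reset its credential and review its sessions first.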
The importance of cybersecurity hygiene
Research has revealed that 89% of organizations were affected by an identity-based attack in 2022. Of those, more than half lost over 10,000 identities as a result. And these are just a couple of statistics that prove just how common identity attacks are, and the impact they can have on an organization.
As such, one of the biggest challenges facing cybersecurity professionals is staying ahead of this ongoing battle. It seems that every time a new defense is built, the criminals quickly figure out how to beat or bypass these new controls.
Perhaps most frustratingly, in too many of these cases, threat actors gain access to data by simply going through the front door. They find and target credentials that have more access and permissions than anyone was aware of, and get straight in.
What this comes down to is a hygiene issue. Too often tech teams and cybersecurity professionals become enamored with the latest and greatest technology and security capabilities and forget about security basics.
Getting cybersecurity hygiene and best practices in place is the most important place to start, followed by a better understanding and greater visibility of the tech environment.
How Proofpoint can help
It’s clear that today’s cybercriminals are increasingly focusing on compromised identities as a path to ransomware attacks, breaches, and stealing data.
These identities are an organization’s crown jewels, and organizations must do all they can to protect them, starting with the basics.
Solutions such as Proofpoint Identity Threat Defense can help to discover and remediate identity vulnerabilities while also detecting active threats, which, in turn, can stop lateral movement and privilege escalation before or as it is being attempted.