Navigating identity-based cyber threats

Apr 20, 2024 04:35 PM IST

Share Via

Copy Link

This article is authored by Fabio Fratucello, CTO International, CrowdStrike.

Many organisations still rely on passwords as a primary defence mechanism for safeguarding digital assets and accounts. However, the evolving threat landscape has rendered traditional password-based authentication inadequate against the sophisticated tactics employed by adversaries. The alarming rise of identity-based attacks, which leverage compromised credentials and exploit vulnerabilities in multi-factor authentication (MFA) and application programming interface (API) keys, has exposed a significant vulnerability that threatens organisations and individuals alike.

MFA, once considered a robust security measure, has become a prime target for cybercriminals. These adversaries employ sophisticated tactics to bypass this additional layer of protection, including the exploitation of vulnerabilities in authentication methods like one-time passwords (OTPs) via SIM swapping, SS7 attacks, or social engineering schemes aimed at tricking users into disclosing credential information. As a result, organisations and individuals alike face heightened risks in the digital realm.

After initiating a breach, adversaries waste no time in deploying tools or malware into a victim's environment, and are able to complete the process within seconds during interactive intrusions. One way to increase the speed of any intrusion is to rely on identity attacks; in doing so, adversaries often harvest credentials through phishing and social engineering and exploit vulnerabilities and trusted relationships, rather than use traditional malware. This shift is evident in the rise of malware-free activity, accounting for 75% of detections in 2023, up from 71% in 2022, according to the CrowdStrike Global Threat Report 2024.

Moreover, access brokers--who acquire access to organisations and sell it on to other criminal entities--contribute significantly to this trend, with the number of advertised accesses increasing by almost 20% in 2023 compared to the previous year.

The average breakout time for interactive eCrime intrusion activity has dropped from 84 minutes in 2022 to a mere 62 minutes in 2023. In some cases, adversaries have achieved initial access in as little as two minutes and seven seconds, highlighting the urgent need for organisations to uplift their defences and gain visibility across their entire system through an AI-native extended detection and response (XDR) platform.

Particularly concerning is the trend of stealing API keys, session cookies, other identifying data and Kerberos tickets, allowing adversaries to impersonate legitimate users and gain unauthorised access to resources. This ability to impersonate trusted entities significantly heightens the risk of data breaches, financial losses, and reputational harm. As cyberattacks become more sophisticated and swift, organisations must prioritise protecting identities in 2024.

As organisations increasingly embrace cloud computing for its agility and scalability, cloud environments have also become prime targets for identity-based attacks. In 2023, cloud-conscious intrusions surged by a staggering 75%, with eCrime actors accounting for 84% of these incidents.

Adversaries have demonstrated a deep understanding of cloud environments, exploiting identities and entitlements and leveraging legitimate tools to move laterally between on-premises and cloud infrastructures.

To address this growing threat of identity-based attacks, organisations must implement a comprehensive, multi-layered strategy that emphasises identity protection, robust cloud security measures, and unified visibility across the entire attack surface. Here are some essential steps organisations should consider taking:

● Protect identities: With the surge in identity-based attacks, implementing identity threat protection capabilities and deploying technology capable of detecting and correlating threats across identities, endpoints, and cloud environments is a must. It’s critical also to prioritise phishing-resistant MFA solutions and extend their coverage to legacy systems and protocols. Educate employees on recognising and responding to social engineering tactics.

● Secure cloud: As cloud adoption continues to accelerate, ensure full visibility into applications and APIs to eliminate misconfigurations and vulnerabilities. Cloud-native application protection platforms (CNAPPs) offer unified monitoring and protection to discover and map attack surfaces, threats, and critical business risks.

● Enhance visibility: Gain insight into critical areas of risk, by consolidating security solutions into a unified platform with AI capabilities. This allows organisations to detect and stop breaches more efficiently.

● Improve response time: Adversaries are becoming faster. If organisations want to win the race against the adversaries, they need to empower their security teams to respond swiftly and effectively to emerging threats. The best way to do so is by adopting a modern cyber security platform and by embracing generative AI capabilities.

● Promote cybersecurity culture: While technological solutions are crucial, human factors remain a critical component of effective cybersecurity. Organisations should empower users with awareness programmes to combat phishing and social engineering threats and conduct regular tabletop exercises and red/blue teaming to identify gaps and strengthen cybersecurity practices and incident response capabilities.

In the era of MFA hacks and API key vulnerabilities, relying solely on traditional security measures is no longer enough. By prioritising identity protection, cloud security, and unified visibility, and fostering a strong cybersecurity culture, businesses can fortify their defences against the ever-evolving threat landscape and mitigate the risks posed by identity-based attacks.

This article is authored by Fabio Fratucello, CTO International, CrowdStrike.