Over 80% of cyber attacks involve identity compromise. This includes malware, ransomware, and advanced persistent threat (APT) actors. Attackers leverage identities for lateral movement and to escalate privileges as part of an offensive campaign.
Cyberattacks have become a persistent threat to organizations across sectors. As the cyber threat landscape grows more complex, attacks are becoming larger and more scalable. Attackers are making use of superior digital and economic resources, allowing them to develop attacks that are increasingly sophisticated stemming from a large variety of attack vectors. In this blog series, we look at identity-based attacks, the identity ecosystem, and the importance of identity security.
Understanding the Identity Ecosystem
Identities are among the most important assets in any enterprise. They can represent users, computers, or applications. The identity ecosystem consists of components that each perform a specific function: provisioning, which creates and manages users and service accounts; authentication, such as Identity Providers (IdPs), MFA, and SSO; access control, including privileged access management (PAM); and catalog services such as Active Directory and Azure AD.
The many connected components that make up a typical identity ecosystem invariably create a large attack surface. By targeting the identity subsystems, attackers can steal credentials and access tokens of users and service accounts, or exploit misconfigurations and weak policy settings. Identity-related threats such as credential theft, Pass-the-Hash, unauthorized access to user and service accounts, and attacks against the identity ecosystem itself, such as Golden Ticket attacks, are all referred to as identity-based attacks.
What is an Identity-Based Attack?
An identity-based attack is a type of cyberattack that focuses on exploiting or compromising credentials. The objective of such attacks is to gain unauthorized access to sensitive data, systems, resources, or privileges by impersonating or manipulating the target’s identity.
These attacks often exploit vulnerabilities in authentication, authorization, and access control mechanisms. Identity-based attacks can take various forms and can be carried out through multiple vectors, including social engineering, phishing, malware, and more. The ultimate goal is to compromise the confidentiality, integrity, or availability of digital assets by exploiting weaknesses in identity management and security practices.
Why is there an Increase in Identity-Based Attacks Today?
Identities are as old as enterprises themselves, and identity-based attacks have been prevalent for several decades. For example, phishing is a type of identity-based attack that has been known since the mid-1990s. However, there is renewed interest among attackers in going after identities today and using compromised identities to further their attack progress. Multiple factors contribute to this situation:
1. Identity as a Blind Spot
Identities are a blind spot for most security products. Widely deployed products such as vulnerability scanners, endpoint detection and response (EDR) solutions, network detection and response (NDR) solutions, and log analytics solutions are unaware of applications and application-based identities. Many recent cyberattacks, including the Colonial Pipeline, Uber, and SolarWinds attacks, involved an identity compromise. Attackers often attempt to exploit the identities of the underlying infrastructure and the policies that govern it.
2. Privileged Access Exploitation
Identities provide a fast-track lane for attackers to get privileged access to resources and data. A few years ago, attackers leveraged phishing emails to compromise identities and gain access to the enterprise network. This allowed them to pivot through the network until they found the data that they were interested in. Today, however, attackers use spear phishing to target and compromise a privileged identity account and get direct access to other privileged accounts. This enables them to easily bypass security layers, establish persistence, move laterally across the network, and gain unauthorized access to data or control systems – while masquerading as legitimate traffic.
3. Lack of Protection for Service Accounts
The lack of visibility into and protection of service accounts is a big motivator for attackers to launch identity-based attacks. Service accounts are typically privileged accounts. They are created by IT teams as part of application deployment for various IT projects. For example, the SolarWinds IT management tool creates multiple privileged service accounts, but the security team may be unaware of them and, lacking visibility, may not track whether they are protected. This was the basis for the SolarWinds attack in 2019.
Traditional security methods, such as multi-factor authentication (MFA), are primarily intended for human accounts and are not effectively deployable for service accounts. Consequently, the insufficient visibility and protection of service accounts create a significant incentive for attackers to plan their attacks based on identities.
4. Large Attack Surface and Misconfigurations
As discussed earlier, the identity ecosystem consists of many components and interoperations, creating a large attack surface. Attackers exploit this by focusing on the identity subsystems, enabling them to steal credentials and access tokens. They specifically exploit misconfigurations, over-permissioning, and weak policy settings, targeting services such as Active Directory Certificate Services (ADCS), protocols, or cryptography. Defense teams lack continuous visibility into misconfigurations in Active Directory, Azure AD, and Microsoft 365, leaving a weakness that attackers can exploit.
5. Exploiting Password-Based Authentication Systems
Attackers exploit the limitations of password-based authentication systems. They go after password managers, as well as access control systems like role-based access control (RBAC). Even MFA has been attacked in the recent past: MFA fatigue is a new phenomenon observed in the last couple of years and is actively exploited by attackers. RBAC is a very coarse-grained access control system, resulting in many employees and contractors being over-permissioned; for example, there are typically several designated IT administrators, DBAs, and domain admins. Once an attacker obtains the credentials of a valid user, they can use them even when that user is on vacation, outside working hours, or from a completely different city from where the user lives. The system does not block such access, because from its point of view the login is completely legitimate. Stolen credentials allow attackers to easily pivot from cloud to on-premises and vice versa.
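The failure mode above, a stolen credential being accepted no matter when or from where it is used, is what a defender has to catch after the fact. As an added example that is not part of the original post, the following Python script checks constructed authentication events against a hypothetical per-user baseline (home city, business hours, out-of-office dates) and also flags a user who hops between cloud and on-premises logins from different cities within a short window, the pivot the paragraph describes:

```python
from datetime import datetime

# Constructed, hypothetical per-user baseline: home city, business hours (start, end)
# and out-of-office date ranges; a real deployment derives these from HR and auth history.
BASELINES = {
    "alice": {"city": "Austin", "hours": (8, 18), "ooo": [("2024-03-11", "2024-03-15")]},
    "svc-backup": {"city": "Austin", "hours": (0, 24), "ooo": []},
}

# Constructed authentication events: "<ISO timestamp> <user> <source city> <environment>".
EVENTS = [
    "2024-03-06T10:15:00 alice Austin onprem",
    "2024-03-06T10:20:00 alice Lisbon cloud",        # different city, five minutes later
    "2024-03-06T02:40:00 alice Austin onprem",       # off-hours
    "2024-03-13T11:00:00 alice Austin cloud",        # inside out-of-office window
    "2024-03-06T03:00:00 svc-backup Austin onprem",  # service account, no business hours
]

def parse_event(line):
    ts, user, city, env = line.split()
    return datetime.fromisoformat(ts), user, city, env

def anomalies(line, baselines=BASELINES):
    """Baseline violations for one event; an empty list means the login looks routine."""
    ts, user, city, env = parse_event(line)
    base = baselines.get(user)
    if base is None:
        return ["unknown-user"]
    flags = []
    if not base["hours"][0] <= ts.hour < base["hours"][1]:
        flags.append("off-hours")
    day = ts.date().isoformat()
    if any(start <= day <= end for start, end in base["ooo"]):
        flags.append("out-of-office")
    if city != base["city"]:
        flags.append("unexpected-location")
    return flags

def pivots(events, window_minutes=30):
    """Users who hop between cloud and on-prem from different cities within the window."""
    last, found = {}, []
    for line in sorted(events, key=lambda e: e.split()[0]):  # ISO timestamps sort as text
        ts, user, city, env = parse_event(line)
        if user in last:
            pts, pcity, penv = last[user]
            minutes = (ts - pts).total_seconds() / 60
            if penv != env and pcity != city and minutes <= window_minutes:
                found.append((user, pcity, penv, city, env))
        last[user] = (ts, city, env)
    return found
```

Every event in the sample is accepted by the authentication system; only the comparison against the baseline and the cross-environment timing turns them into alerts.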
6. Availability of Pen-Testing Tools
Powerful, free pen-testing tools related to identity threats, such as Mimikatz, BloodHound, and Seatbelt, are easily available. Mimikatz, developed by a knowledgeable security researcher specializing in Active Directory and authentication systems, stands out as an excellent tool. However, attackers have discovered its potential for dumping credential caches and abusing protocol features, as in DCSync, without needing advanced development skills to create complex tools of their own. These tools serve as strong motivators for attackers, since they make targeting identity-based attack vectors effortless. Powered by stolen credentials, attackers can move seamlessly between cloud and on-premises environments, pivoting back and forth.
7. Lack of Visibility into Application Credentials
Defense teams lack visibility into application credentials and cached credentials on endpoints. For example, Windows caches credentials to reduce login friction so that users can sign in conveniently even when they are not in the office. Insufficient visibility into these caches leaves defense teams unable to detect and respond to attacks that use them.
In the next post in the Identity Security blog series, we will discuss the various components of the identity ecosystem—identity repositories, IAM, IGA, PAM, and IdP solutions.
FAQs on Identity-Based Attacks
1. How do hackers utilize stolen identities in their attacks?
Attackers can exploit stolen identities in various ways to carry out malicious activities. Here are some common ways attackers utilize stolen identities in their attacks:
- Financial Fraud
- Identity Theft
- Phishing and Social Engineering
- Credential Stuffing
- Account Takeover
- Ransom Attacks
- Cyber Espionage
- Blackmail and Extortion
- Impersonation
2. What are the most common indicators of an identity-based attack?
Identifying an identity-based attack requires a keen understanding of the tactics used by cybercriminals to compromise personal information. Here are some of the most common indicators of an identity-based attack:
- Unusual login attempts
- Changes to your account settings
- Missing or lost personal information
- Phishing emails
- Malware
- Unauthorized transactions