Top Identity Threats Facing Your Organisation


Two major organisations breached in 2023, 23andMe and MGM Resorts, have one element of their attacks in common: identity.

Initial access in the 23andMe breach came from credential stuffing, and it was a lack of access control that allowed the threat actors to move deeper into the organisation, ultimately exfiltrating data from millions of user accounts. For MGM, a simple social engineering tactic to obtain credentials was used to launch a massive ransomware attack that took down systems and cost the business millions in breach-related costs and lost bookings.

Identity has risen in the ranks to become a top attack vector for threat actors in recent years. From targeting Microsoft Active Directory (AD) to utilising stolen credentials for privileged access, identity is now often the key to a cyber attack’s success.

But knowing that identity is a growing part of your attack surface isn’t the same as understanding what’s at risk and how to protect your users and their credentials. Organisations need to look at identity threats and use that data to evaluate their own security posture and take steps to harden their attack surface and improve their identity security.

What Are Identity Threats?

Identity threats are any cyber threat or attack tactic that targets a user’s individual identity or an organisation’s identity structure within their environment.

Identity threats are growing for several reasons including:

  • Organisations are relying more on web applications, cloud-based environments, and remote users — increasing the number of credentials and points of access within a network
  • A lack of password hygiene and security awareness training is making users’ credentials an easy target for threat actors
  • The rise of data exfiltration and leak sites during ransomware attacks has created a treasure trove of credentials on the dark web for threat actors to use in subsequent attacks

Data backs up these trends. According to the 2024 Arctic Wolf Labs Threat Report, 39% of non-business email compromise (BEC) incidents investigated by Arctic Wolf involved an attacker using credentials to log into an external remote access application, while another 7.3% of non-BEC incidents leveraged previously compromised credentials to gain direct access to a victim’s environment. Together that is almost half of all non-BEC incidents. Additionally, according to IBM’s 2023 Cost of a Data Breach Report, “Phishing and stolen or compromised credentials were responsible for 16% and 15% of breaches, respectively,” and cost organisations an average of $4.76 million USD and $4.62 million USD, respectively.

These tactics are not only used in different phases of attacks, from initial access with a phishing attack to privilege escalation through AD compromise; they are gaining traction and costing organisations dearly.

Why Threat Actors Target Identity in Cyber Attacks

Identity is just one avenue threat actors can take to gain access to an organisation, and relatively speaking, identity makes up a minority of incident root causes; vulnerabilities and external exploits still outweigh identity-based attacks. But that does not mean identity should not be top of mind. This category of attack is growing as threat actors refine their tactics, organisations move to the cloud, and organisations rely more heavily on web applications and remote users. All of this is compounded by cybercriminals stealing credentials through a variety of attacks, as well as exfiltrating and selling credentials during ransomware attacks.

Just like with social engineering, identity-based attacks continue to work, even as organisations work to harden their posture. Whether it’s to access a single user’s account with the hopes of phishing another user, utilising stolen credentials to gain privileged access to certain assets, or logging into AD to make moves from there, it’s a simple tactic with potentially massive results.

While the threats listed below are focused on external forces working to gain access, there are internal threats that exist within organisations due to poor identity and access management (IAM) and other weak identity security measures. An organisation without robust access controls, identity-based monitoring, or privileged access management (PAM) to protect privileged accounts is opening itself up to identity threats, unlocking virtual doors threat actors can walk through to gain credentials, access, or valuable data and assets.

Top Identity Threats Facing Organizations

There are myriad ways threat actors can attack identities, and while the individual tactics differ, they all share the same goal: gaining access to enter or move deeper into an organisation’s environment and launch a more sophisticated cyber attack.

Top identity threats include:

1. Credential theft and the use of compromised credentials. Credentials are the digital keys that unlock valuable doors within an organization. Having credentials equals movement for a threat actor, and if they can use legitimate credentials, their movements can fly under the radar of more traditional security tools or buy them time to launch a more sophisticated attack. In recent ransomware attacks, threat actors have taken to exfiltrating credentials, knowing they fetch a high price on the dark web and can be used for future attacks.

2. Social engineering attacks. These attacks, such as phishing or smishing, have moved beyond just targeting individuals for financial gain (though that is still a tactic) and are now more commonly used to gain initial access to an organisation, as seen in the MGM Resorts hack. In the 2024 Arctic Wolf Labs Threat Report, social engineering, including phishing, accounted for 11.3% of non-BEC incidents. According to Verizon’s Data Breach Investigations Report, 76% of social engineering attacks were used to compromise credentials, highlighting how identity threats often play into each other.

Learn more about different types of social engineering attacks.

3. Password-based attacks. These attacks include password spraying, where a threat actor tries one or a few common passwords against many accounts, staying below lockout thresholds; brute-force attacks, where a threat actor tries many candidate passwords against a single account; and man-in-the-middle attacks, where a threat actor intercepts and deciphers information sent between two users or devices. Man-in-the-middle techniques are frequently used against Active Directory, for example by poisoning local name resolution to capture or relay NTLM authentication. Like many of these threats, a threat actor can use a password-based attack to gain initial access or to try for privileged access once inside a network.

4. Active Directory attacks. Microsoft Active Directory (AD) is ubiquitous among organisations and industries, and often holds the proverbial keys to the kingdom for an environment, making it a lucrative target for threat actors. These hackers may use one of the tactics above, or another like a vulnerability exploit, to find their way into AD, steal credentials, and start making moves within the environment.

Learn more about AD attacks and how to defend against them.

5. Business Email Compromise (BEC). Like ransomware, BEC is often regarded as its own category of cyber attack, but at its heart it is an identity-based attack. During a BEC attack, a threat actor gains access to a legitimate internal email account (often someone in payroll, HR, or the C-suite) and uses this access to commit financial fraud. BEC attacks, like all identity attacks, start with some form of credential or identity-based initial access, such as phishing or brute-force attacks. BEC incidents made up 29.7% of Arctic Wolf® Incident Response engagements in 2023, but the true share may be higher, as these attacks often do not result in insurance claims or full-scale incident response.
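To make the distinction between the brute-force and password-spraying patterns described under item 3 above concrete, here is a small Python detection routine run over a constructed authentication log. This is example code added for this page, not a tool from Arctic Wolf or the original article. The log format (`timestamp src=… user=… result=SUCCESS|FAIL`), the IP addresses, user names, and the thresholds are all assumptions for the example; real sources (Windows events 4625/4624, VPN or IdP sign-in logs) carry the same fields under different names.

```python
import re
from collections import defaultdict

# Constructed sample authentication log for this example (not real data).
# Assumed format: "<timestamp> src=<ip> user=<name> result=SUCCESS|FAIL".
SAMPLE_LOG = "\n".join(
    [
        # A user mistyping a password once, then logging in: benign.
        "2024-05-01T08:00:01Z src=192.0.2.5 user=alice result=FAIL",
        "2024-05-01T08:00:09Z src=192.0.2.5 user=alice result=SUCCESS",
    ]
    # One source hammering a single account: brute force.
    + [f"2024-05-01T08:10:{i:02d}Z src=203.0.113.10 user=bob result=FAIL" for i in range(12)]
    + [
        # One source trying one password against many accounts: password spray.
        # The final attempt succeeds, which is the event that matters most.
        "2024-05-01T09:00:00Z src=198.51.100.7 user=alice result=FAIL",
        "2024-05-01T09:00:02Z src=198.51.100.7 user=carol result=FAIL",
        "2024-05-01T09:00:04Z src=198.51.100.7 user=dave result=FAIL",
        "2024-05-01T09:00:06Z src=198.51.100.7 user=erin result=FAIL",
        "2024-05-01T09:00:08Z src=198.51.100.7 user=frank result=FAIL",
        "2024-05-01T09:00:10Z src=198.51.100.7 user=grace result=SUCCESS",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Yield (src, user, result) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def detect(text, brute_threshold=10, spray_min_users=5, spray_max_per_user=2):
    """Classify each source address by its failure pattern.

    brute-force:    many failures against one account from one source
    password-spray: few failures per account, but across many accounts
    Any SUCCESS from a flagged source is reported as a likely compromised account,
    because a correct guess looks like a normal login to tools that only count failures.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    successes = defaultdict(set)                   # src -> users that logged in

    for src, user, result in parse_log(text):
        if result == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)

    findings = {}
    for src, per_user in fails.items():
        max_per_user = max(per_user.values())
        if max_per_user >= brute_threshold:
            pattern = "brute-force"
        elif len(per_user) >= spray_min_users and max_per_user <= spray_max_per_user:
            pattern = "password-spray"
        else:
            continue  # ordinary failures: typos, expired passwords
        findings[src] = {
            "pattern": pattern,
            "targeted_users": sorted(per_user),
            "compromised": sorted(successes[src]),
        }
    return findings


if __name__ == "__main__":
    for src, f in detect(SAMPLE_LOG).items():
        print(f"{src}: {f['pattern']} against {len(f['targeted_users'])} account(s); "
              f"successful logins: {f['compromised'] or 'none'}")
```

On the sample data the single-account source is reported as brute-force, the five-account source as a password spray with `grace` listed as a compromised account, and the benign typo-then-login is ignored. The example deliberately ignores time windows; in production the same counts should be kept per sliding window (an hour is a common starting point), and sprayers that rotate through many source addresses need the counts keyed on something other than IP, such as the ASN or the user-agent string.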

How Organizations Can Implement Identity Threat Protection

Users are harder to secure than servers; there is no equivalent of installing a firewall in front of them. They come and go, gain access to certain assets and applications at certain times, and are often left responsible for their own password hygiene, their ability to spot threats, and the security of their personal devices. This makes identity security a difficult, ongoing process for any organisation. But it is certainly not impossible.

Below are several strategies, tools, and techniques businesses can employ to combat identity threats while improving their security posture and hardening their attack surface.

  • Identity Threat Detection and Response (ITDR). ITDR is a broader approach organisations use, as it combines threat intelligence, identity best practices, tools, and processes to protect identities within an organisation. ITDR should include regular analysis of permission configurations, multi-factor authentication (MFA), PAM, and the monitoring of users and identity sources. Many managed detection and response (MDR) solutions can now monitor identities in addition to other environment components.

See how Arctic Wolf® Managed Detection and Response used identity monitoring, and subsequent unusual behavior detection, to stop an in-progress incident before it escalated.

  • Identity and Access Management (IAM). Like ITDR, IAM is the broader set of guidelines an organisation should use to both create and secure its identity infrastructure. The three main tenets of IAM are governance (determining who has access to what), control of that access, and continuous monitoring of users and their access. IAM is not a one-and-done process but should be regularly adjusted as operational and security needs change. IAM often follows a zero trust framework and should apply the principle of least privilege (PoLP), so that a credential obtained through a password-based attack grants only the narrow access that user actually needs rather than privileged access.
  • Multi-factor authentication (MFA). While MFA is a simple access control, it goes a long way toward preventing identity attacks from succeeding. If a threat actor is running a brute-force attack or using stolen credentials, MFA can block the login and alert the user or security team to the unusual behaviour. It is not a complete defence, however: weaker factors are bypassed through push-notification fatigue, real-time phishing proxies that relay one-time codes, and social engineering of help desks to reset or re-enrol factors. Phishing-resistant factors such as FIDO2 security keys or passkeys close most of these gaps, and MFA enrolment and reset events should be monitored as closely as logins.
  • Dark web monitoring. Knowing which credentials are exposed on the dark web or which users may have their information compromised can help your organisation improve credential and identity security, as well as know where identity threats may be coming from.
  • Comprehensive security awareness training. A lot of identity attacks begin with the user — whether it’s the user falling for a phishing email or not practicing strong password hygiene — so educating users and reducing human risk is paramount to better identity security. Strong security awareness training should include up-to-date content, phishing simulations, compliance training, and engage users with tactics such as micro learning to increase resilience.

See how security awareness training can transform your user base while reducing human risk.

Explore how an MDR solution, like Arctic Wolf Managed Detection and Response, can monitor your identity sources and help your organization detect and respond to identity threats.


Isa Jones
