Identity-related threats are a growing concern for network security professionals because attackers increasingly prefer to use stolen credentials to gain unauthorized access to systems, rather than exploiting vulnerabilities or relying on social engineering.
According to reports from IBM X-Force and the security company CrowdStrike, there has been a significant surge in cyber attacks that use valid credentials and other methods that mimic legitimate users. IBM’s research found a 71 percent year-over-year increase in the volume of attacks using stolen credentials in 2023, with compromised accounts representing 30 percent of all incidents X-Force responded to. This has propelled valid account abuse to the top of the list of cyber criminals’ most common initial access vectors. Furthermore, cloud account credentials accounted for 90 percent of the cloud assets offered for sale on the dark web.
Additionally, IBM noted a 44 percent decrease in phishing attacks compared to the previous year, which it attributes in part to the increased use of valid credentials as a means of gaining initial access. The overall trend observed was that attackers increasingly rely on stolen credentials for unauthorized entry.
CrowdStrike’s Global Threat Report for 2024 also highlighted a similar increase in identity-related threats, with attackers targeting various types of credentials and authentication mechanisms. This includes API keys, session cookies and tokens, one-time passwords, and Kerberos tickets. The report noted that threat actors have been focusing on stealing legitimate identities and using them to log in as authentic users, in order to remain undetected and leverage legitimate tools for malicious activities.
In light of these findings, security experts have emphasized that organizations must prioritize the protection of identities as a key security measure. They warn that adversaries have identified legitimate identities as the easiest and fastest way to gain unauthorized access to systems.
Both reports also highlighted the involvement of nation-state linked attackers in identity-based attacks. For example, Cozy Bear, a group linked to the Kremlin, was reported to have conducted credential phishing campaigns using Microsoft Teams messages to steal multi-factor authentication tokens for Microsoft 365 accounts.
Using valid credentials for initial access gives attackers the advantage of evading detection, since their activity resembles that of a legitimate user. CrowdStrike identified various methods through which attackers procure legitimate credentials, including accidental leaks, brute-force attacks, phishing, credential stealers, access brokers, insecure self-service password-reset services, and insider threats. Once obtained, these identities enable attackers to bypass multi-factor authentication and move laterally within the network, extending their unauthorized access and malicious activities.
Overall, the reports underscore the growing prevalence of identity-related threats and the need for organizations to enhance their security measures, particularly in protecting legitimate credentials and preventing unauthorized access. As attackers continue to focus on exploiting identities and conducting social-engineering attacks, the protection of identities is increasingly recognized as the foremost priority for organizations in safeguarding against cyber threats.