
How to fend off identity-based cyber attacks

Attackers are using legitimate credentials to walk through the front door and “live off the land”. True cyber resilience now depends on protecting identity, not just the perimeter

As technical cyber security controls become increasingly sophisticated, threat actors are constantly on the lookout for novel ways to evade and overcome them. A frequent source of success among cyber criminal groups today involves weaponising identity to access and blend into victims’ IT environments.

Since companies tend to be intensely focused on building high “walls” around their IT perimeter, attackers have shifted their focus from breaking in to simply logging on. They do this with compromised credentials purchased on the dark web, with usernames and passwords stolen through social engineering, or as insiders who inflict damage with credentials that are legitimately theirs.

Identity-based attacks are now among the most common threats organisations face. Recent research from Rubrik Zero Labs found that nearly 80% of all cyber attacks in the past 12 months were identity-driven. These attacks involved exploiting compromised user credentials to gain unauthorised access to critical systems.

After gaining initial access to an IT environment, threat actors’ first priority is typically to escalate their privileges to those of a trusted administrator (another identity manipulation) so that they can move more easily through the network and reach sensitive material.

From there, sophisticated threat actors like Scattered Spider will often confine their activities to abusing sanctioned applications, for example PowerShell to execute commands or Microsoft SharePoint to exfiltrate data. Known as “living off the land”, this helps attackers evade detection: because they use only legitimate tools and cloud services already present in the victim’s environment, their activity blends into normal network and cloud operations.

To counter these types of attacks, companies must have cyber resilience strategies in place to detect unusual or suspicious user behaviours. These might include attempts to access resources not necessary for a user to do his or her job, login attempts from locations where a user does not typically work, or other anomalous interactions with otherwise legitimate tools.
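As an added illustration (not code from the original article or from Rubrik), the following Python sketch shows what that kind of behavioural detection looks like when run over sign-in events. It learns each user’s usual countries, resources and working hours from a baseline period, then flags later events for a new country, impossible travel, access outside the user’s role, first use of a resource, or an unusual hour. All users, roles, resources and events are constructed, and the field names are assumptions standing in for whatever an identity provider or SIEM actually exports.

```python
"""Baseline-and-deviation detection over sign-in events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role model: which resources each job role legitimately needs.
ROLE_RESOURCES = {
    "finance": {"ERP", "SharePoint-Finance", "M365-Mail"},
    "engineer": {"GitLab", "CI", "M365-Mail"},
}
USER_ROLES = {"alice": "finance", "bob": "engineer"}

HOUR_TOLERANCE = 2              # hours away from any baseline login hour before it is "unusual"
TRAVEL_WINDOW = timedelta(hours=1)  # two countries inside this window is "impossible travel"


def ev(user, when, country, resource):
    """Build one constructed sign-in event."""
    return {"user": user, "ts": datetime.fromisoformat(when),
            "country": country, "resource": resource}


# Constructed "known good" activity used to learn each user's normal pattern.
BASELINE_EVENTS = [
    ev("alice", "2024-03-04T08:55:00", "GB", "M365-Mail"),
    ev("alice", "2024-03-04T09:10:00", "GB", "ERP"),
    ev("alice", "2024-03-05T08:40:00", "GB", "SharePoint-Finance"),
    ev("alice", "2024-03-06T09:05:00", "GB", "ERP"),
    ev("bob", "2024-03-04T10:00:00", "DE", "GitLab"),
    ev("bob", "2024-03-05T14:30:00", "DE", "CI"),
    ev("bob", "2024-03-06T11:15:00", "FR", "GitLab"),
]

# Constructed later activity to score: one normal login, a new-country login that
# also implies impossible travel, access outside the user's role, and an odd hour.
NEW_EVENTS = [
    ev("alice", "2024-03-11T09:00:00", "GB", "ERP"),
    ev("alice", "2024-03-11T09:25:00", "RU", "ERP"),
    ev("alice", "2024-03-11T09:40:00", "RU", "GitLab"),
    ev("bob", "2024-03-11T03:10:00", "DE", "GitLab"),
]


def build_baseline(events):
    """Per user: countries, resources and login hours seen, plus the last (time, country)."""
    baseline = defaultdict(lambda: {"countries": set(), "resources": set(),
                                    "hours": set(), "last": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        b = baseline[e["user"]]
        b["countries"].add(e["country"])
        b["resources"].add(e["resource"])
        b["hours"].add(e["ts"].hour)
        b["last"] = (e["ts"], e["country"])
    return baseline


def hour_gap(h1, h2):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def score_event(baseline, e):
    """Return the anomaly reasons for one event; an empty list means it looks normal."""
    b = baseline[e["user"]]
    reasons = []
    if e["country"] not in b["countries"]:
        reasons.append("new_country")
    last = b["last"]
    if last and last[1] != e["country"] and e["ts"] - last[0] < TRAVEL_WINDOW:
        reasons.append("impossible_travel")
    allowed = ROLE_RESOURCES.get(USER_ROLES.get(e["user"], ""), set())
    if e["resource"] not in allowed:
        reasons.append("resource_outside_role")
    elif e["resource"] not in b["resources"]:
        reasons.append("first_use_of_resource")
    if b["hours"] and all(hour_gap(e["ts"].hour, h) > HOUR_TOLERANCE for h in b["hours"]):
        reasons.append("unusual_hour")
    return reasons


def detect(baseline, events):
    """Score events in time order. Only the last-login marker is updated, so a flagged
    event is never learned into the baseline and a second login from the same new
    country is still reported."""
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        reasons = score_event(baseline, e)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), e["resource"], reasons))
        baseline[e["user"]]["last"] = (e["ts"], e["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```

The point of the role check is that it does not depend on history at all: a finance user reaching a source-code repository is suspicious even if nothing about the login itself looks odd, which is exactly the “resources not necessary for the job” signal described above. The other checks are purely statistical and would need a longer baseline and per-user tuning before they were quiet enough for production.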

Identity as the new control plane

Attacks that weaponise trusted credentials, whether by insiders or by outsiders who have stolen them, are difficult to detect and also difficult to mitigate. Such attacks made up half of the cyber attacks cited by Australian IT leaders in the last year. The top tactics used include phishing, other forms of social engineering, and business email compromise.

Identity details aren’t just handed over by the trusted user. They are often stolen, and not necessarily in a single breach: credentials harvested from multiple breaches at different sites and times are combined into caches that cyber criminals store, buy or sell for use later. This underscores the danger of reusing passwords across multiple sites, a common practice that users must be taught to avoid.

As targeted attacks involving compromised credentials and identity vulnerabilities increase, zero trust principles can contribute to stronger identity governance programmes. Least privilege, where users have access only to the resources they need to work effectively, and just-in-time access, where privileges are granted only for pre-determined durations, are two such principles.

Additionally, AI-powered anomaly detection systems that monitor user behaviour, detect unusual access patterns and identify potential identity-based threats in real time can provide critical early warning signals, enabling organisations to act before a breach can escalate.

Incorporating zero trust principles within cyber resilience strategies helps to minimise the impact of identity-based breaches, because they make it far harder for any malicious access that is gained to be escalated into access to more sensitive and business-critical data sets.

Security starts before the breach

Cyber resilience goes beyond the technology organisations employ. Proactive measures must be taken to support a zero trust security model.

Identity infrastructure is often the first target attackers attempt to exploit, so organisations must be able to restore it should it become compromised. Given that threat actors routinely elevate privileges and create new identities, rendering directories untrustworthy, it is essential to be able to quickly restore compromised identity infrastructure from its last known clean state. The alternative could mean a weeks-long, error-prone rebuild and costly downtime.

Finally, educating employees about the evolving nature of cyber threats can reduce human error and give them the knowledge they need to spot a phishing or social engineering attack before it is too late. Users should know that phishing is no longer a phenomenon confined to email, and that helpdesks and third-party contractors are prime targets.

Combining training with periodic reviews of access controls, privilege management, and user roles not only limits the number of credentials falling into attackers’ hands but also helps mitigate the impact of any weaponised credentials.

Identity protection, anomaly detection, and pre-emptive recovery capabilities – coupled with proactive risk management – are no longer just security measures. They are critical components of an organisation’s long-term resilience strategy and allow businesses to remain secure in the face of an evolving threat landscape.

After all, what good is a locked safe if you’ve given the criminal the combination?

Kavitha Mariappan is chief transformation officer at Rubrik
