Identity-based cyberattacks are the leading cause of security breaches. Here’s how to stop them.
Businesses are facing a surge in attacks using stolen identity credentials — now the largest source of breaches. While there’s no cure-all, experts recommend a strategy involving the adoption of stronger authentication and authorization systems, as well as tools to provide better visibility into identity-based attacks and “shadow IT” use.
From the SolarWinds and Colonial Pipeline cyberattacks to the latest attacks against Twilio and Uber, a common thread runs through many of the high-profile breaches in recent years: The attackers succeeded by targeting identity credentials.
And all those breaches that you didn’t hear as much about? Chances are that those involved credentials, too. Illegitimate use of credentials was responsible for 48% of breaches in 2021 — by far the largest vehicle for breaches — up from 37% in 2017, according to data provided by Verizon to Protocol.
While the theft of passwords and other credentials has long been a part of the hacker playbook, identity-based attacks have risen to the forefront with so many employees now working outside of a corporate network firewall.
In today’s enterprise, “identity and security are very merged,” said Vasu Jakkal, corporate vice president for security, compliance, identity, management, and privacy at Microsoft. “Identity has become that first level of defense. And that’s a massive shift.”
Breaches involving usernames and passwords jumped 35% in 2021 alone, identity management and security vendor ForgeRock recently reported. Stolen credentials are also now widely available for purchase on the dark web, fueling the surge in identity-based attacks.
In response, mid-sized and large enterprises should explore deploying stronger authentication and make authorization technology — which includes access and permissions controls — a bigger focus of their cybersecurity strategy, industry analysts and executives told Protocol.
Meanwhile, given the inevitability of breaches using credentials, getting improved visibility into IT environments is key. The adoption of an identity threat detection tool is worth considering, as is technology for helping to secure the use of unmanaged applications, or “shadow IT,” experts said.
Focusing on identity is critical because today, “all attacks become identity-based attacks” at some stage of the incident, said Todd McKinnon, co-founder and CEO of widely used identity platform Okta.
“If you can get identity right, you’re protecting yourself from all attacks, at some level,” McKinnon said. “And the inverse is also true: If you get it wrong, you’re opening yourself up to all kinds of attacks.”
It’s still true: Rotating passwords and choosing complex passwords that are unique to each account are good cybersecurity practices for anyone. But they’re not sufficient, since password-only authentication remains a massive risk for businesses.
Requiring a second form of verification for a user to log in — known as multifactor authentication — continues to be recommended as step No. 1 to preventing security breaches, as annoying or inconvenient as it might be sometimes. And there’s still a long way to go to make that practice common: Microsoft said recently that just 22% of Azure Active Directory identities are secured with MFA.
Unfortunately, many enterprises that’ve adopted MFA are still not in the clear.
There was a time a few years ago when multifactor authentication was seen as a “silver bullet” for stopping many types of credential-based intrusions, said Bryan Murphy, a senior director at identity security vendor CyberArk. But while any type of MFA is better than nothing, “now we’re starting to see that attackers are finding ways around it,” Murphy said.
In the breach of Uber in September, for instance, an attacker posing as an IT staffer convinced a contractor to approve a login push notification, allowing the attacker to bypass Uber’s MFA requirement. And in the case of the Twilio attack this summer, employees most likely entered a one-time passcode into a fake login site — allowing the attackers to break through MFA and access data from at least 125 Twilio customers.
The incidents underscore the fact that many phishing attacks today are “pretty convincing,” said Rachel Tobac, CEO of SocialProof Security, which focuses on training around social engineering threats. As a result, it’s clear that putting employees through user awareness training isn’t enough. “We also need technology to back up that training,” Tobac said.
In August, Cloudflare disclosed that several of its employees fell prey to the same phishing campaign that struck Twilio earlier this summer. Cloudflare, however, provides its employees with YubiKey hardware security keys, which prevented the company from getting breached.
YubiKeys are small devices that plug into a computer or phone, or connect wirelessly via NFC, and serve as a second authentication factor that is “unphishable,” according to the company.
Hardware keys such as YubiKey that comply with the latest authentication standard, known as FIDO2, serve as a second factor that can’t be thwarted, because they require the user to physically touch the key. Completing the login using a YubiKey “can’t be done by a remote hacker,” said Stina Ehrensvard, co-founder and CEO of Yubico. “You have to be there by your computer.”
As further evidence, none of Google’s employees have been successfully phished on work-related accounts since the company rolled out hardware security keys in early 2014, Google said in a statement to Protocol.
Meanwhile, the weakness of other second-factor options, such as push notifications and one-time passcodes delivered over SMS or authenticator apps, is becoming more glaring due to the recent wave of MFA-busting attacks.
“I think the big question is, to what degree should we even allow these phishable configurations?” Okta’s McKinnon said. “With the way the threat environment is, and how it’s always escalating, the argument is easier and easier to make that they shouldn’t even be allowed.”
Still, while hardware keys are more secure than one-time passcodes or push notifications, the keys have other obvious limitations, said Jay Bretzmann, research vice president for security products at IDC. Users have to carry them everywhere, and if one gets lost or stolen, that’s a problem.
Any one technology is not perfect and won’t be enough on its own, Bretzmann said. “There’s no silver bullet, no panacea.”
And so while improving authentication technology is a good place to start, there’s a lot more for businesses to do when it comes to preventing damage from identity-based attacks.
For instance, many cyberattacks today target workers with higher-than-necessary access permissions to sensitive corporate assets, and utilize old, unused credentials. The 2021 ransomware attack against fuel pipeline operator Colonial Pipeline, which led to gas shortages across the Southeastern U.S., was the result of a compromised VPN password for an account that was no longer in use, but hadn’t been deactivated.
In the event of a breach, “you’d like to know that you’ve created a ‘minimum attack surface,’ so it’s not easy to use the credentials that were compromised to do other things,” said Mark McClain, founder and CEO of identity security vendor SailPoint.
That's where the concept of authorization comes in. Minimizing what users are authorized to access — even after they’ve successfully authenticated their identities — helps to reduce what an attacker or malicious insider could exploit, McClain said. SailPoint recently introduced new capabilities that include automated discovery and remediation of anomalous identities and high-risk access permissions, using AI/ML.
It’s critical for enterprises to tackle the authorization challenge because “in most cases, a breach or theft of data actually involves what appears to be a fully valid and authenticated user accessing what they’re supposed to have access to,” said Taylor Ettema, vice president of product management at Palo Alto Networks.
Dealing with the issue of permissions and access policies, however, is “unbelievably complex,” said ForgeRock CEO Fran Rosch.
He cited one example of a ForgeRock customer in the financial brokerage sector that has 20,000 employees and hundreds of different applications, creating a major headache around the management of requests for access. “That’s millions of entitlement requests that they have to understand,” Rosch said. And then on top of that, “employees are coming, leaving, changing jobs. So they’re always changing those entitlement requests.”
The traditional approach has been to set down static rules for how permissions and privileges are managed. But that becomes unwieldy and inefficient very fast within many organizations.
ForgeRock has aimed to address the issue with an AI-driven approach to automating entitlement requests; in the case of the brokerage company, 79% of requests are now fully automated, Rosch said, and “over time, we can get better and better at that.”
Authorization has also become a hotter area for security vendors in recent years as “zero trust” has emerged as a guiding principle for security.
Zero trust refers to the idea that users should not be perpetually trusted to access applications and data just because they were able to authenticate and gain access to the network, an idea that first gained momentum at Google in the wake of a major attack that included the theft of source code from the company. Thanks in part to the surging interest in zero trust, “you’re starting to see authorization come back more into the mix in the identity ecosystem, where once it was always thought of as an application or business problem,” said Damon McDougald, global digital identity lead at Accenture.
One approach to modernizing authorization is known as policy-based access control, offered by vendors including PlainID. Because each application has a different way of implementing authorization policies, PlainID offers a centralized platform that can help organizations to manage their policies across applications, according to the startup’s co-founder and CTO, Gal Helemski.
This approach can also be more dynamic, she said: Using the system, “some of your access is not predetermined, but it is evaluated in real-time based on who you are, where you’re coming from, what you’re trying to access.”
Other startups with new answers to the authorization problem include Saviynt, which aims to provide enhanced control over identity access across cloud and on-premises environments; Ermetic and Sonrai, both of which promise to automatically remove unneeded permissions in cloud environments; and Veza, which enables organizations to gain a visual look at anomalous access privileges in the cloud.
Some startups are also taking a developer-focused approach to helping solve the authorization challenge. Aserto aims to make it easier for developers to embed modern authorization into their apps, while Teleport offers improved infrastructure access controls for software engineers.
Achieving “least privilege,” where employees have the lowest level of privileges necessary to do their jobs, and ultimately, zero trust is an ideal outcome from such efforts. As Palo Alto Networks’ Ettema puts it, zero trust isn’t a product: “It’s a strategy for achieving a security outcome.”
When attackers do manage to get inside the network, they usually don’t sit still.
And so, many enterprises also need improved visibility into their IT systems to shut down “lateral movement” — in which an attacker moves deeper into a victim’s environment by stealing additional credentials and elevating their privileges.
A go-to mitigation for this is what’s known as “conditional access.” A feature of Microsoft’s widely used Azure Active Directory identity service, conditional access can factor in more signals when deciding whether to grant a user access to a corporate resource, or whether to trigger a steeper authentication requirement, for instance.
If an attacker fails the additional authentication challenge at that point, “they’re effectively shut out. And so that lateral movement, that breach, would end there,” said Nicholas Warner, president for security at SentinelOne.
But an organization needs visibility into its environment to get the signals necessary to use this capability effectively. Identity threat detection products, such as those from SentinelOne’s Attivo Networks, can provide this visibility, Warner said. Identity threat detection can spot malicious behavior such as credential theft, misuse of credentials, and attempts to exploit on-premises Active Directory identity systems.
Identity threat detection should also extend into unmanaged devices. It’s crucial to be able to use conditional access on devices that are unmanaged, for instance, in order to completely shut down ransomware that is trying to move laterally through an organization’s IT systems, said CrowdStrike CTO Michael Sentonas.
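The real-time, signal-driven evaluation described above for policy-based access control (who you are, where you are coming from, what you are accessing) and for conditional access (step up to a stronger factor, or cut the session off, when risk signals appear) can be sketched as a small decision function. This is an added illustration, not code from any vendor named in this article; the signal names, factor classes, policy rules and sample requests are all constructed assumptions.

```python
from dataclasses import dataclass

# Factor classes follow the article's distinction between phishing-resistant
# FIDO2 keys and phishable OTP/push factors. The names are constructed.
PHISHING_RESISTANT = frozenset({"fido2"})
PHISHABLE = frozenset({"sms_otp", "totp", "push"})


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: str        # "low" or "high"
    entitled: bool          # authorization: user holds an entitlement for the resource
    device_managed: bool    # signal from device management
    country: str            # signal from the request's network location
    home_country: str       # the user's expected location
    factors: frozenset      # second factors already satisfied in this session


def evaluate(req):
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up:<factor>'."""
    # Authorization comes first: a valid login is not a licence to read everything.
    if not req.entitled:
        return "deny", "no entitlement for resource"
    strong = bool(req.factors & PHISHING_RESISTANT)
    risky = (req.sensitivity == "high" and not req.device_managed) \
        or req.country != req.home_country
    if risky:
        # Risk signals present: only a phishing-resistant factor is accepted.
        if strong:
            return "allow", "risk signals present but fido2 satisfied"
        return "step_up:fido2", "unmanaged device or unexpected country"
    if strong or req.factors & PHISHABLE:
        return "allow", "mfa satisfied, no risk signals"
    return "step_up:mfa", "password only"


def lateral_movement_blocked(req, attacker_can):
    """Model an intruder holding stolen credentials plus the factors in
    attacker_can; True if the policy leaves them shut out of the resource."""
    decision, _ = evaluate(req)
    if decision == "deny":
        return True
    if decision.startswith("step_up:"):
        needed = decision.split(":", 1)[1]
        if needed == "mfa":          # any second factor satisfies a generic step-up
            return not (attacker_can & (PHISHING_RESISTANT | PHISHABLE))
        return needed not in attacker_can
    return False


if __name__ == "__main__":
    # Constructed scenario: a phished one-time code, an unmanaged device, a foreign
    # network, a sensitive resource. The step-up to fido2 ends the intrusion there.
    stolen = AccessRequest("alice", "payroll", "high", True, False, "XX", "US",
                           frozenset({"totp"}))
    print(evaluate(stolen), lateral_movement_blocked(stolen, frozenset({"totp"})))
```

The same function also shows the article's authorization point: an entitlement check precedes every signal check, so a fully authenticated account without the entitlement is denied before any step-up logic runs.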
Given the proliferation of identity-based attacks, the lack of identity threat detection and response in many enterprises represents a “huge gap today,” said Henrique Teixeira, a senior director and analyst at Gartner.
Visibility into the use of unmanaged applications, often referred to as shadow IT, is essential to rounding out the identity security picture.
While the practice is often well-intentioned by employees looking to do their jobs better, use of unsanctioned applications becomes a problem when employees keep sensitive company data in those applications and their credentials are compromised.
Addressing shadow IT should start with nontechnological methods, according to Adam Marrè, CISO at cybersecurity vendor Arctic Wolf. Employees should feel empowered to “do the right thing” when it comes to the applications they use, Marrè said.
“So we tell everybody, ‘Hey, when you want to onboard something, we’re not in the business of just saying no — we’re in the business of facilitating you and helping you. So please come to us,’” he said.
But given the high stakes, organizations may also want to explore tools that can help.
1Password, the provider of a widely used password manager, offers businesses the ability to view anonymized data about the applications their employees are using.
A company might, for instance, be able to learn that people on its marketing team are storing passwords for a certain unmanaged app. That could be a signal for the company to bring that app into the fold of sanctioned services, said Steve Won, chief product officer at 1Password.
In that way, efforts to address shadow IT can be “security enabling” rather than “security blocking,” Won said.
Businesses run into further complexity around identity security when they operate in a hybrid cloud environment, as the vast majority of businesses do today.
In the SolarWinds breach, for instance, the attackers first compromised Active Directory Federation Services, a Microsoft single sign-on service, in an on-premises environment. That allowed the attackers to access cloud-based Microsoft 365 accounts that were also joined to the single sign-on credentials.
As the SolarWinds attack proved, “we’re now in a world of hybrid identity,” said Darren Mar-Elia, vice president of products at identity security vendor Semperis. But it’s important to realize that Active Directory is an older technology that lacks some of the protections now baked into cloud-based identity systems, such as Azure Active Directory or Okta, Mar-Elia said.
And at least for now, “the reality is that Active Directory still is ubiquitous in most organizations,” he said. Enterprises run half of their workloads in data centers outside of the public cloud, according to a recent report from Flexera.
This means that businesses in the midst of moving to the cloud can’t afford to forget about protecting remaining data centers against credential-related attacks, said Nestori Syynimaa, senior principal security researcher at Secureworks.
The cloud is largely safe when used on its own, he said. But with hybrid IT, “you are drilling holes to that safe cloud environment.”
‘Defense in depth’
Organizations can benefit from new protections against identity-based attacks that are now being built into operating systems. The 2022 update for Windows 11, for instance, blocks a common technique for stealing login and password data known as “credential dumping” through its Credential Guard feature.
As a result, organizations will automatically be protected against this tactic by updating to the latest Windows 11 version, since Credential Guard will be turned on by default for the first time, according to David Weston, vice president for enterprise and OS security at Microsoft.
Apple, Google, and Microsoft have also committed to enabling their respective devices and operating systems to be used for passwordless logins to other apps and services, through providing support for the same FIDO2 standard that’s used by YubiKeys. The so-called passkey technology is now starting to roll out, starting with Apple’s recently launched iOS 16.
Ultimately, to defeat identity-based attacks, businesses will want to adopt a “defense in depth” strategy that involves multiple layers of defense and recognizes that identity now plays an outsize role in the attacker playbook, Microsoft’s Jakkal said.
“This is a world in which identity has now become the fabric of all security,” she said. “You’ve got to get that right. The conversation starts there.”
Due to incorrect information originally provided by Google to Protocol, this story was updated to clarify the timing of Google's rollout of hardware security keys.