Cybercriminals increasingly exploit identities as a key step in their attacks, and it’s easy to see why. With a user’s valid credentials they don’t need a creative way to break into a system: they simply log in, and they are already inside.
Exploiting identities still takes persistence and legwork, but it is easier than exploiting technical vulnerabilities, and attackers save time, energy and resources by turning a valid identity directly into action. Many now prefer this route: 84% of businesses reported an identity-related breach in the previous year.
To defend against identity-based attacks, we must understand how bad actors target the authentication and authorization mechanisms that companies use to control access to their resources. This post describes several identity-based attacks and techniques, along with security controls that help prevent them.
Identifying identity-based attacks and their methods
The identity attacks and related techniques are described below. This is not an exhaustive list, and cybercriminals keep evolving their methods, but it covers the most common types.
1. Credential stuffing
Credential stuffing is a brute-force attack driven by leaked credentials. Attackers take username and password pairs from earlier breaches and use botnets to replay them against many different websites at the same time. The goal is to find pairs that still work and can be reused on other sites.
Credential stuffing is common against web applications. Because so many people reuse the same password across sites, one working pair often unlocks several services, letting an attacker steal from or disrupt more than one place at once.
2. Password spraying
Password spraying is another brute-force identity attack. Instead of trying many passwords against one account, the attacker tries a few passwords against a large number of accounts.
That is what distinguishes spraying from a traditional brute-force attack, which hammers a single account with many passwords. Spraying is deliberately low and slow: each account sees only one or two failed attempts, which keeps every account under the lockout threshold and under most per-user alerting thresholds. A typical spray runs as follows:
• First, the attacker compiles a list of usernames through a variety of public information sources, including leaked databases, reconnaissance activities, and the dark web.
• Next, the attacker selects a small number of passwords that are commonly used or easily guessable.
• The attacker then tests each password against a large number of user accounts until they succeed.
Password spraying is designed to slip past conventional detection, which usually counts failed logons per account: one or two failures per user never trips a per-user alert or a lockout. The tell is in the aggregate, a single source (or a small set of sources) failing against many distinct accounts in a short span, so detection has to count distinct users per source rather than failures per user. Services with weak password policies or no lockout policy are the easiest targets, but a lockout policy alone does not stop spraying.
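The detection point above, as an added example that is not part of the original post: a small Python script that reads constructed failed-logon records (modelled loosely on Windows Security event 4625/4624 exports; the CSV layout, field names, account names and addresses are this example’s own assumptions) and flags a spray by counting distinct accounts per source. It also covers the credential stuffing section above, flagging a stuffing burst by counting distinct sources and “user does not exist” failures, and shows that in the same data no single account ever crosses a lockout threshold.

```python
"""Spray and credential-stuffing triage over failed-logon records.

Added example, not code from the original post. The records are constructed
to resemble Windows Security event 4625/4624 exports; the CSV layout, field
names, user names and addresses are this example's own assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS sub-status codes carried in event 4625 (real values)
STATUS_WRONG_PASSWORD = "0xC000006A"
STATUS_NO_SUCH_USER = "0xC0000064"

# Constructed sample: "timestamp,event_id,target_user,source_ip,status"
# 09:00  carol mistypes twice, then logs in (normal noise)
# 09:10  one source tries one password against ten accounts (spray)
# 14:00  seven sources replay leaked pairs, half naming unknown users (stuffing)
SAMPLE_LOG = """\
2024-05-01T09:00:05,4625,carol,198.51.100.5,0xC000006A
2024-05-01T09:00:40,4625,carol,198.51.100.5,0xC000006A
2024-05-01T09:01:00,4624,carol,198.51.100.5,0x0
2024-05-01T09:10:00,4625,alice,203.0.113.7,0xC000006A
2024-05-01T09:10:30,4625,bob,203.0.113.7,0xC000006A
2024-05-01T09:11:00,4625,carol,203.0.113.7,0xC000006A
2024-05-01T09:11:30,4625,dave,203.0.113.7,0xC000006A
2024-05-01T09:12:00,4625,erin,203.0.113.7,0xC000006A
2024-05-01T09:12:30,4625,frank,203.0.113.7,0xC000006A
2024-05-01T09:13:00,4625,grace,203.0.113.7,0xC000006A
2024-05-01T09:13:30,4625,heidi,203.0.113.7,0xC000006A
2024-05-01T09:14:00,4625,ivan,203.0.113.7,0xC000006A
2024-05-01T09:14:30,4625,judy,203.0.113.7,0xC000006A
2024-05-01T09:15:00,4624,judy,203.0.113.7,0x0
2024-05-01T14:00:00,4625,alice,192.0.2.11,0xC000006A
2024-05-01T14:00:01,4625,jsmith88,192.0.2.12,0xC0000064
2024-05-01T14:00:01,4625,bob,192.0.2.13,0xC000006A
2024-05-01T14:00:02,4625,mike_t,192.0.2.14,0xC0000064
2024-05-01T14:00:02,4625,kristen.lee,192.0.2.15,0xC0000064
2024-05-01T14:00:03,4625,dave,192.0.2.16,0xC000006A
2024-05-01T14:00:03,4625,pat2001,192.0.2.17,0xC0000064
2024-05-01T14:00:04,4624,erin,192.0.2.18,0x0
"""


def parse(text):
    """Turn the CSV lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, status = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "user": user.lower(), "ip": ip, "status": status})
    return events


def max_failures_per_user(events):
    """Highest 4625 count for any single account: all that a per-user lockout
    or per-user alert threshold ever sees."""
    counts = Counter(e["user"] for e in events if e["event_id"] == 4625)
    return max(counts.values(), default=0)


def detect_spray(events, window=timedelta(minutes=30), min_users=8):
    """Sources whose failures hit many distinct accounts inside any window:
    one or two failures per user, many users per source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(fails):  # window anchored at each failure
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_users:
            hits[ip] = best
    return hits


def detect_stuffing(events, window=timedelta(minutes=5), min_ips=5, min_unknown_ratio=0.3):
    """First burst of failures from many distinct sources in which a large share
    of attempts name accounts that do not exist here: lists replayed from other
    sites' breaches contain usernames this service never had."""
    fails = sorted((e for e in events if e["event_id"] == 4625), key=lambda e: e["ts"])
    for i, start in enumerate(fails):
        burst = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
        ips = {e["ip"] for e in burst}
        if len(ips) < min_ips:
            continue
        unknown = sum(1 for e in burst if e["status"] == STATUS_NO_SUCH_USER)
        ratio = unknown / len(burst)
        if ratio >= min_unknown_ratio:
            return {"start": start["ts"], "source_ips": len(ips),
                    "unknown_user_ratio": round(ratio, 2)}
    return None


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("max failures for any one account:", max_failures_per_user(evts))
    print("password spray sources:", detect_spray(evts))
    print("credential stuffing burst:", detect_stuffing(evts))
```

With a lockout threshold of five, no account in the sample locks out (the worst case is three failures), yet the spray source and the stuffing burst are both obvious once the data is grouped by source instead of by account. Thresholds and windows are starting points to tune against your own baseline of normal failed logons.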
3. Phishing
Phishing has been around since the mid-1990s and is still one of the most effective ways to obtain credentials. Attackers target users through email, SMS, phone calls and other channels, using social engineering to trick them into doing what the attacker wants: entering login credentials on a look-alike page, revealing financial information, installing malware or sharing other sensitive data.
Phishing methods have grown more sophisticated over time, but they still rely primarily on social engineering.
4. Social engineering
Social engineering underpins most identity attacks. Beyond email phishing, many attacks rely on deceiving and manipulating users directly.
Humans are often considered the weakest link in cybersecurity. A social engineering attack exploits the target’s inability to recognise or resist the manipulation, playing on emotions such as fear, urgency or greed to get them to perform an action, such as disclosing credentials, approving a login prompt or sending money.
5. Adversary-in-the-middle (AiTM)
Also known as man-in-the-middle, AiTM is digital eavesdropping: the attacker places a device or service between sender and recipient and silently relays traffic in both directions. Both parties believe they are talking to the legitimate other end, while the attacker sitting in the middle reads, and can alter, everything that passes through.
In identity attacks this is usually a reverse-proxy phishing page that relays the genuine login flow, including the MFA prompt, to the real site and captures the session cookie the site issues. With that cookie the attacker takes over the whole authenticated session and gets passwords, MFA bypass, intellectual property and private messages without needing the second factor again. Advanced AiTM attacks may also push malware to the user’s device without their knowledge or consent.
6. Kerberoasting
Despite its cosy-sounding name, Kerberoasting is anything but cosy. In Microsoft Active Directory (AD) environments, users and services authenticate on the network with Kerberos, and attackers use Kerberoasting to crack (or “roast”) service account passwords offline.
Any authenticated domain user can request a service ticket for any account that has a service principal name (SPN), such as a web application or database service. Part of that ticket is encrypted with a key derived from the service account’s password. The attacker requests tickets for every SPN-bearing account, preferably with the weak RC4 encryption type, and cracks them offline; no further contact with the domain is needed, so service accounts with short or old passwords fall quickly. With the recovered password the attacker holds that account’s privileges and, depending on them, can steal sensitive data, manipulate services or move laterally within the network.
7. Silver ticket
A silver ticket is a forged Kerberos service ticket. Because a service ticket is encrypted with the service account’s key, an attacker who has stolen that key (typically the NTLM hash of a computer or service account, for example via Kerberoasting) can mint tickets for that service directly, naming any user and any group membership. The target service accepts the forged, correctly encrypted ticket as genuine, so the attacker can impersonate another user, access the service’s resources and potentially escalate privileges. (A golden ticket, described below, forges the ticket-granting ticket instead and therefore reaches every service in the domain.)
Unlike other Kerberos attacks, a silver ticket never touches the authentication service or Key Distribution Center (KDC): the forged ticket goes straight to the target service. Domain controller logs therefore show nothing, which makes the activity hard to spot at the authentication source; detection has to happen on the service host.
8. Golden ticket
Unlike the golden ticket in Willy Wonka’s chocolate factory, this one opens every door: it gives bad actors sweeping access to a company’s entire AD domain. Like Kerberoasting and silver tickets, a golden ticket attack abuses the trust built into Kerberos rather than a bug in it: the KDC accepts any ticket-granting ticket (TGT) encrypted with the krbtgt key, so whoever holds that key can bypass normal authentication entirely.
Golden ticket attacks forge TGTs. The critical step is obtaining the krbtgt account’s key (its NTLM hash for RC4, or its AES keys), which encrypts and signs every TGT in the domain. The krbtgt account exists by default in every AD domain, and its key lives only on the domain controllers, so taking it normally means the attacker already has domain-admin level access, for example by dumping the domain controller’s credential store or replicating it.
Golden tickets are worth more than gold to attackers. The forged TGT can name any user, even a fictional one, with arbitrary group memberships and whatever lifetime the attacker chooses, and the attacker presents it to the KDC to obtain service tickets without ever knowing a user’s password. Changing legitimate users’ passwords does nothing; the ticket stays valid until the krbtgt password is changed twice (the domain keeps the previous key to honour outstanding tickets), so a double krbtgt reset is the only cleanup.
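A detection view of the Kerberoasting and golden ticket sections above, as an added example that is not part of the original post. The records are constructed to resemble domain controller events 4768 (TGT request) and 4769 (service ticket request); the CSV layout, field names, account names and addresses are this example’s own assumptions, not the Windows export format. Kerberoasting shows up as one account requesting RC4 service tickets for many services at once; a golden ticket shows up as service ticket requests for a user who never obtained a TGT from the KDC, because the forged TGT never went through the authentication service.

```python
"""Kerberos event triage: Kerberoasting and golden-ticket heuristics.

Added example, not code from the original post. The records are constructed
to resemble domain controller events 4768 and 4769; the CSV layout, field
names, account names and addresses are this example's own assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES256 is 0x12

# Constructed sample: "timestamp,event_id,user,service,enc_type,ip"
# 08:00-08:30  alice and bob: TGT, then one AES service ticket each (normal)
# 09:00        mallory: TGT, then RC4 tickets for five service accounts (roast)
# 13:00        "administrator" requests service tickets with no TGT request
SAMPLE_EVENTS = """\
2024-05-01T08:00:00,4768,alice,krbtgt,0x12,10.0.0.5
2024-05-01T08:00:02,4769,alice,FS01$,0x12,10.0.0.5
2024-05-01T08:30:00,4768,bob,krbtgt,0x12,10.0.0.6
2024-05-01T08:30:05,4769,bob,WEB01$,0x12,10.0.0.6
2024-05-01T09:00:00,4768,mallory,krbtgt,0x12,10.0.0.9
2024-05-01T09:00:10,4769,mallory,svc_sql,0x17,10.0.0.9
2024-05-01T09:00:11,4769,mallory,svc_web,0x17,10.0.0.9
2024-05-01T09:00:12,4769,mallory,svc_backup,0x17,10.0.0.9
2024-05-01T09:00:13,4769,mallory,svc_sccm,0x17,10.0.0.9
2024-05-01T09:00:14,4769,mallory,svc_exchange,0x17,10.0.0.9
2024-05-01T13:00:00,4769,administrator,DC01$,0x12,10.0.0.77
2024-05-01T13:00:01,4769,administrator,FS01$,0x12,10.0.0.77
"""


def parse(text):
    """Turn the CSV lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, service, enc_type, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "user": user.lower(), "service": service, "enc_type": enc_type,
                       "ip": ip})
    return events


def kerberoast_candidates(events, window=timedelta(minutes=10), min_services=4):
    """Accounts that request RC4 service tickets for many distinct services in a
    short span. Roasting tools ask for the weakest etype for every SPN-bearing
    account at once; ordinary users touch a few services, with AES."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4769 and e["enc_type"] == RC4_HMAC:
            by_user[e["user"]].append(e)
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(reqs):  # window anchored at each request
            services = {e["service"] for e in reqs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(services))
        if best >= min_services:
            hits[user] = best
    return hits


def golden_ticket_candidates(events, lookback=timedelta(hours=10)):
    """(user, ip) pairs whose service ticket requests (4769) have no TGT request
    (4768) for that user within the lookback. A forged TGT never passes through
    the authentication service, so the 4768 is missing. The lookback matches
    the default 10-hour TGT lifetime; merge the logs of every domain controller
    and allow for TGT renewals before acting on this signal alone."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["event_id"] == 4768:
            tgt_times[e["user"]].append(e["ts"])
    suspects = set()
    for e in events:
        if e["event_id"] != 4769:
            continue
        recent = [t for t in tgt_times[e["user"]] if e["ts"] - lookback <= t <= e["ts"]]
        if not recent:
            suspects.add((e["user"], e["ip"]))
    return sorted(suspects)


if __name__ == "__main__":
    evts = parse(SAMPLE_EVENTS)
    print("Kerberoasting candidates:", kerberoast_candidates(evts))
    print("golden ticket candidates:", golden_ticket_candidates(evts))
```

Both heuristics are deliberately simple and will produce false positives in a domain that still allows RC4 widely or where the log collection misses a domain controller; their value is as a starting point for a detection rule, tuned against your own baseline. Enabling AES and disabling RC4 makes the first signal much sharper, because any RC4 request then stands out.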
Prevention techniques to avoid identity attacks
So how do you prevent these attacks? Several security controls help. Here are some examples:
Implement multifactor authentication (MFA)
MFA is one of the most effective measures against identity attacks. By requiring something beyond a username and password, such as a one-time code, a push approval, a hardware key or a biometric, MFA means that a stolen or cracked password is no longer enough on its own. Most attackers cannot supply the second factor even after phishing or spraying a user’s password.
But crafty bad actors have adapted: MFA fatigue (bombarding a user with push prompts until one is approved) and AiTM proxy phishing both defeat push- and code-based MFA. MFA is necessary, but not sufficient against even moderately sophisticated attacks; phishing-resistant methods such as FIDO2 security keys or passkeys, which bind the credential to the genuine site, close the AiTM gap.
Strengthen authentication protocols
Harden Kerberos to blunt Kerberoasting, silver ticket and golden ticket attacks. Beyond MFA, the well-established measures are:
- Give service accounts long, random passwords (25+ characters) or move them to group managed service accounts (gMSA), whose passwords rotate automatically, so a Kerberoasted ticket cannot be cracked in any useful time
- Require AES for Kerberos and disable RC4 wherever possible; RC4 tickets are far cheaper to crack, and once RC4 is gone any RC4 request is a useful alert
- Strip unnecessary privileges and SPNs from service accounts so that a cracked account cannot move far
- Rotate the krbtgt password twice, on a schedule and immediately after a suspected compromise, to invalidate forged TGTs
- Monitor domain controller logs for one account requesting service tickets for many services and for service ticket requests with no matching TGT request
- Protect the credential stores (domain controllers and LSASS on every host) that hold the keys these attacks depend on
Provide users with targeted cybersecurity awareness training
The success of an identity-based attack depends heavily on the human element. Your users are often the first line of defense against identity theft and are exposed to many threats; help them become better defenders.
Targeted security awareness training teaches users to spot phishing attempts and to resist social engineering.
Also train users to report suspicious activity, and give them clear instructions for doing so. Stress the importance of moving fast if they think they have been tricked: once an identity-based attack is in motion and bad actors have reached your AD and other critical systems, applications and services, every second counts.
How to counter identity threats and stop identity attacks with eScan
Identity-based attacks are now the strategy of choice for many cybercriminals, and given how often they succeed there is no reason to expect that to change. The techniques outlined above will go a long way toward strengthening your defenses.
eScan Identity Threat Defense is also recommended. It falls into the category that Gartner calls identity threat detection and response (ITDR). eScan’s real-time capabilities let you detect and remediate identity vulnerabilities and respond to attacks automatically. The features of eScan Identity Threat Defense include:
- Discover and remediate identity vulnerabilities on endpoints and within your identity repository with eScan DLP
- Detect and stop attackers with eScan DLP before they realise you are on to them