As networks become increasingly distributed, user identities are becoming a top adversary target. CrowdStrike’s 2024 Threat Hunting Report and 2024 Global Threat Report state 5 of the top 10 MITRE tactics we observed in 2023 were identity-based, and the CrowdStrike 2023 Threat Hunting Report noted a 583% year-over-year increase in Kerberoasting attacks. These findings illustrate how modern adversaries aren’t breaking in — they’re logging in. Armed with stolen credentials, adversaries can accelerate or skip phases of the kill chain, accessing systems and moving undetected as legitimate users.
A persistent challenge security and IT teams face is monitoring and managing identity hygiene. Organizations manage thousands, or hundreds of thousands, of enterprise identities as it’s not uncommon for individual users to have multiple enterprise accounts to their name. These accounts can possess different levels of privileged access, often by design, and may even be accessed by their users from the same device. Adversaries know this and can use it to their advantage, targeting lower-privileged accounts to springboard to higher-privileged accounts.
To disrupt this tradecraft, CrowdStrike is announcing algorithmic account linking for Active Directory accounts, a new capability now available within CrowdStrike Falcon® Identity Protection. This feature uses natural language processing to predict which enterprise accounts map to the same individual users. This capability gives security teams expanded context when investigating detections, adjusts severity levels to consider all accounts mapped to a user’s identity and provides insight into identity-based attack paths in their environments.
When Good Security Practices Create Hidden Risks
It has long been considered a good security policy to bifurcate low- and high-value user permissions across different accounts. Notably, this practice emerged prior to Active Directory (AD), allowing for temporarily assumable accounts (and later, roles). Bifurcating accounts by privilege limits the possibility of attackers stealing highly privileged account credentials. For this reason, IT administrators often provision multiple accounts for users across different business functions. For example, a user may have one account for typical business activities (email, making/sharing documents) and one for higher-value permissions (reading/editing databases, managing infrastructure).
However, this bifurcation can still create security gaps, which may occur if users are accessing different accounts on the same machines. An attacker that gains control of a machine from a low-privilege account can more easily steal password hashes/tokens to access the users’ higher-privilege account(s). If any single user account is compromised, it is more likely the entire identity — consisting of all accounts belonging to that person — are being targeted or may be compromised. In order to respond quickly to credential theft, it’s important to know which accounts can be traced back to the same individual owner.
Accounts owned by the same user typically share similar identifying fields. Consider the following list of user accounts (Table 1). At a glance, an IT administrator could reasonably identify which groupings of accounts map to the same user (Table 2, indicated by the “pair_index” column), noting which accounts share similar attributes (first name, last name, initials, departments, titles, etc.). While these links can be apparent when managing a few dozen accounts, the challenge arises when managing thousands, if not tens of thousands, of user accounts. Herein lies the opportunity to apply the speed, precision and scale of AI.