Protect Your Weakest Link: New Account Linking Capabilities Use AI to Thwart Identity-Based Attacks

As networks become increasingly distributed, user identities are becoming a top adversary target. CrowdStrike’s 2024 Threat Hunting Report and 2024 Global Threat Report state 5 of the top 10 MITRE tactics we observed in 2023 were identity-based, and the CrowdStrike 2023 Threat Hunting Report noted a 583% year-over-year increase in Kerberoasting attacks. These findings illustrate how modern adversaries aren’t breaking in — they’re logging in. Armed with stolen credentials, adversaries can accelerate or skip phases of the kill chain, accessing systems and moving undetected as legitimate users. 

A persistent challenge security and IT teams face is monitoring and managing identity hygiene. Organizations manage thousands, or hundreds of thousands, of enterprise identities, as it's not uncommon for individual users to have multiple enterprise accounts to their name. These accounts can possess different levels of privileged access, often by design, and may even be accessed by their users from the same device. Adversaries know this and can use it to their advantage, targeting lower-privileged accounts to springboard to higher-privileged accounts.

To disrupt this tradecraft, CrowdStrike is announcing algorithmic account linking for Active Directory accounts, a new capability now available within CrowdStrike Falcon® Identity Protection. This feature uses natural language processing to predict which enterprise accounts map to the same individual users. This capability gives security teams expanded context when investigating detections, adjusts severity levels to consider all accounts mapped to a user’s identity and provides insight into identity-based attack paths in their environments. 

When Good Security Practices Create Hidden Risks

It has long been considered a good security policy to bifurcate low- and high-value user permissions across different accounts. Notably, this practice emerged prior to Active Directory (AD), allowing for temporarily assumable accounts (and later, roles). Bifurcating accounts by privilege limits the possibility of attackers stealing highly privileged account credentials. For this reason, IT administrators often provision multiple accounts for users across different business functions. For example, a user may have one account for typical business activities (email, making/sharing documents) and one for higher-value permissions (reading/editing databases, managing infrastructure). 

However, this bifurcation can still create security gaps, which may occur if users access different accounts from the same machines. An attacker that gains control of a machine through a low-privilege account can more easily steal password hashes or tokens to access the user's higher-privilege account(s). If any single user account is compromised, it is more likely that the entire identity — consisting of all accounts belonging to that person — is being targeted or may be compromised. To respond quickly to credential theft, it's important to know which accounts can be traced back to the same individual owner.

Accounts owned by the same user typically share similar identifying fields. Consider the following list of user accounts (Table 1). At a glance, an IT administrator could reasonably identify which groupings of accounts map to the same user (Table 2, indicated by the “pair_index” column), noting which accounts share similar attributes (first name, last name, initials, departments, titles, etc.). While these links can be apparent when managing a few dozen accounts, the challenge arises when managing thousands, if not tens of thousands, of user accounts. Herein lies the opportunity to apply the speed, precision and scale of AI. 

Table 1. Example list of enterprise accounts
Table 2. Example mapping of enterprise accounts based on similar fields

Using AI to Link User Accounts 

CrowdStrike’s algorithmic account-linking capability uses new, cutting-edge natural-language processing to automatically detect accounts that belong to the same person. Applying machine learning to this solution enables Falcon Identity Protection to search for linked accounts in a way that can scale to millions of accounts and continuously detect new potential linkages. 

This feature’s underlying algorithm works by performing similarity scoring to predict when accounts belong to the same person based on various high-value account attributes (such as first/last names, domains, titles, etc.). Security teams can review and manually manage linked accounts, especially if the algorithm incorrectly links accounts. 

Human oversight remains an essential part of this process, with security teams able to unlink or manually link accounts to a given user using the "managed linked accounts" menu (Figure 1). The model will continuously learn from user modifications and enable user-directed alterations to persist — that is to say, if a user unlinks a pair of accounts, the accounts will never be automatically linked again (Figure 2).

Figure 1. Algorithmic account linking within Falcon Identity Protection automatically detects and recommends accounts to link to individual users.
Figure 2. Users can manually add or remove linked accounts when managing user profiles.

Falcon Identity Protection also enables administrators to examine the global risk score of an individual user, which takes into account the composite severity of all of their linked accounts (Figure 3). Should one of the linked entities have administrative privileges, their linked account would also appear within the "Domain Security Overview" tab (Figure 4).

Figure 3. The user's risk level is calibrated factoring in the risk severity across all of their linked accounts. Risk scoring is based on the configuration, activities and behavior of a user or account, representing the likelihood of the account being successfully breached by an attacker or a malicious insider. Example factors include unusual access to services or servers, denied identity verification, unusual activity times and more.
Figure 4. An admin user has a linked account with a higher risk score than their own, which might leave them vulnerable.
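To make the attribute-similarity linking (Table 2's "pair_index"), the persistence of manual unlinks, and the composite identity risk described above concrete, here is an added example that is not CrowdStrike's code or algorithm. It scores constructed AD accounts on the attributes the post names; the weighted SequenceMatcher heuristic, the privileged-account prefixes and the max-based composite risk are assumptions of this example, not the product's NLP model.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample AD accounts (not from the post). Fields mirror the
# attributes the post names; "risk" is a made-up per-account risk score.
ACCOUNTS = [
    {"sam": "jsmith", "first": "John", "last": "Smith", "dept": "Finance", "title": "Analyst", "risk": 20},
    {"sam": "adm_jsmith", "first": "John", "last": "Smith", "dept": "Finance", "title": "Analyst", "risk": 75},
    {"sam": "jsmit", "first": "Jane", "last": "Smit", "dept": "HR", "title": "Recruiter", "risk": 10},
    {"sam": "svc_backup", "first": "", "last": "", "dept": "IT", "title": "", "risk": 40},
]
PRIVILEGED_PREFIXES = ("adm_", "admin_", "svc_", "a_")  # assumed naming convention

def _sim(a, b):
    """String similarity in [0, 1]; empty fields contribute nothing."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() if a and b else 0.0

def _core(sam):
    """Strip an assumed privileged-account prefix so 'adm_jsmith' compares to 'jsmith'."""
    for p in PRIVILEGED_PREFIXES:
        if sam.lower().startswith(p):
            return sam[len(p):]
    return sam

def similarity(x, y):
    """Weighted attribute similarity: a heuristic stand-in for the post's NLP model."""
    return (0.4 * _sim(_core(x["sam"]), _core(y["sam"]))
            + 0.2 * _sim(x["first"], y["first"]) + 0.2 * _sim(x["last"], y["last"])
            + 0.1 * _sim(x["dept"], y["dept"]) + 0.1 * _sim(x["title"], y["title"]))

def link_accounts(accounts, threshold=0.85, unlinked=frozenset()):
    """Map each logon name to a pair_index (as in Table 2). Pairs an analyst has
    manually unlinked, given as frozenset pairs, are never auto-linked again."""
    idx = {a["sam"]: i for i, a in enumerate(accounts)}  # every account starts alone
    for x, y in combinations(accounts, 2):
        if frozenset((x["sam"], y["sam"])) in unlinked or similarity(x, y) < threshold:
            continue
        old, new = idx[y["sam"]], idx[x["sam"]]
        for k, v in idx.items():  # merge y's group into x's group
            if v == old:
                idx[k] = new
    return idx

def identity_risk(accounts, links):
    """Composite risk per identity, assumed here to be the max over its linked accounts."""
    risk = {}
    for a in accounts:
        risk[links[a["sam"]]] = max(risk.get(links[a["sam"]], 0), a["risk"])
    return risk
```

With the sample data, `jsmith` and `adm_jsmith` land in one identity whose risk is driven by the privileged account, while the near-miss `jsmit` stays separate; passing that pair in `unlinked` keeps it apart on every rerun.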

Key Benefits: Seal Off User-centric Attack Paths and Streamline AD Hygiene

This capability provides security teams with several benefits. First, it enables domain administrators to manage their AD hygiene without manually searching for many accounts, which is especially helpful for domains with thousands of users. By examining all of the accounts linked to the same user, AD admins will also be able to remove unneeded accounts or assess the aggregated or global permissions of all accounts belonging to the same person — an identity-centric vision of security. 

This feature also unlocks more actionable context during active investigations and incident response, enabling security teams to apply a consistent level of risk across accounts traced back to a single user, especially if one account has a higher level of privileged access than another. 

Algorithmic account linking is now available for all users of Falcon Identity Protection, enabling organizations to extend CrowdStrike’s pioneering AI to stay ahead of identity-based attacks. 
