Relentless Threat Activity Puts Identities in the Crosshairs

eCrime and nation-state adversaries continue to strengthen their focus on identity-based attacks, putting pressure on organizations to fortify their defenses with a combination of endpoint and identity protection.

One set of valid employee credentials can provide an adversary with all they need to log into a business, move laterally, escalate privileges and achieve their goals — whether that’s removing access to accounts, terminating services, destroying data or deleting resources.

Identity-based attacks are subtle but destructive, and organizations must be on high alert for them. CrowdStrike reported that 80% of cyberattacks now leverage stolen or compromised credentials. The CrowdStrike 2023 Global Threat Report highlights how adversaries have doubled down on stolen credential use as they continue to deploy identity-focused attacks.

The growing role of identity in cyberattacks is a key driver in the shift away from malware. Malware-free activity accounted for 71% of all threat detections in 2022 — up from 62% in 2021 — partly due to adversaries’ widespread abuse of valid credentials to access and persist in target environments. This heavier reliance on credentials is occurring as adversaries become faster: the average eCrime breakout time is down to 84 minutes. And without the right tools, it takes 243 days for organizations to detect an identity breach.[1]

Also supporting the rise of identity-based attacks are access brokers, the threat actors who acquire access to organizations then provide or sell this access to other adversaries. Access brokers have long been part of the cybercrime ecosystem but have experienced a surge in popularity as threat actors seek easier and faster access to target environments. The popularity of their services spiked in 2022 with more than 2,500 advertisements for access identified — a 112% jump compared to 2021.

While the access methods these brokers use have remained relatively consistent since 2021, an especially popular tactic involves abusing compromised credentials acquired via information stealers or bought in log shops on the criminal underground.

Credentials allow adversaries to fly under the radar and quickly move laterally around the environment undetected. CrowdStrike data shows adversaries are bypassing traditional security solutions, with 25% of attacks originating from unmanaged hosts such as contractor laptops, rogue systems, legacy applications and protocols, and parts of the supply chain where organizations lack visibility and control. This activity puts essential machines at risk: Critical infrastructure within the U.S. is an attractive target for adversaries, reports the Cybersecurity and Infrastructure Security Agency (CISA) in new guidance on identity and access management.

As enterprise environments become more complex and their attack surface grows, it will become increasingly important for organizations to protect their identities in order to best defend their infrastructure, assets and resources. Unified endpoint and identity protection is the best path forward.

Unified Endpoint and Identity Protection: A More Secure Way

There are many reasons why adversaries pursue identity-based attacks, chief of which is their ability to bypass legacy security systems. This inability to detect credential abuse, combined with a rapid breakout time, drives higher success rates for ransomware, data exfiltration and other types of cyberattacks.

We see this play out in larger enterprises, which often face security challenges with Active Directory (AD), a legacy technology still used by 90% of organizations. Most are exposed to identity-based attacks such as Kerberoasting, which attempts to obtain a password hash for an AD account that has a Service Principal Name (SPN), as well as to security hygiene challenges. About 90% of customers that ran our AD Risk Review found stealthy privileged accounts, compromised passwords and stale accounts. One large firm found that, of 1,824 privileged accounts, 114 had compromised passwords and 711 were active but had not been used in 90 days — a massive attack surface.
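Kerberoasting leaves a footprint defenders can look for: a single account requesting service tickets for many user-held SPNs, typically with the weak RC4 encryption type, is recorded as Windows Security event 4769. The detection below is an added example written for this post, not CrowdStrike code; it runs over constructed JSON-formatted 4769 events, and the field names, the RC4 type code 0x17 and the threshold of three distinct SPNs are assumptions you would tune to your own telemetry.

```python
import json
from collections import defaultdict

# Constructed sample Security-log events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = """
{"EventID":4769,"TargetUserName":"alice@CORP.LOCAL","ServiceName":"WS01$","TicketEncryptionType":"0x12","Status":"0x0","IpAddress":"10.0.0.5"}
{"EventID":4769,"TargetUserName":"alice@CORP.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"10.0.0.5"}
{"EventID":4769,"TargetUserName":"bob@CORP.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"10.0.0.9"}
{"EventID":4769,"TargetUserName":"bob@CORP.LOCAL","ServiceName":"svc_backup","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"10.0.0.9"}
{"EventID":4769,"TargetUserName":"bob@CORP.LOCAL","ServiceName":"svc_web","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"10.0.0.9"}
{"EventID":4768,"TargetUserName":"bob@CORP.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x12","Status":"0x0","IpAddress":"10.0.0.9"}
{"EventID":4769,"TargetUserName":"carol@CORP.LOCAL","ServiceName":"svc_legacy","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"10.0.0.7"}
"""

RC4_HMAC = "0x17"  # encryption type 23 (RC4-HMAC); its ticket hashes are the cheapest to crack offline


def is_suspicious_tgs(ev):
    """A 4769 is interesting when it succeeded, used RC4 and targeted a user-held SPN."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    # Computer accounts (trailing '$') and the TGT service are not Kerberoasting targets.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType") == RC4_HMAC


def kerberoast_candidates(log_text, threshold=3):
    """Map each requesting account to the sorted SPN accounts it pulled RC4 tickets for,
    keeping only requesters that reached at least `threshold` distinct SPNs (assumed value)."""
    per_user = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if is_suspicious_tgs(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(spns) for user, spns in per_user.items() if len(spns) >= threshold}


if __name__ == "__main__":
    for user, spns in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoasting by {user}: {', '.join(spns)}")
```

The remediation this points at is the hygiene finding above: service accounts with SPNs should not sit in privileged groups, and should carry long, rotated passwords (or be group managed service accounts) so a cracked ticket yields nothing useful.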

In response to the rise in identity-based attacks, organizations have begun to deploy multiple standalone products: AD hygiene tools, SaaS security tools, security information and event management (SIEM) systems, and security orchestration, automation and response (SOAR) solutions.

These point products are not only less effective — they don’t typically provide a single view into adversary behavior across endpoints, identities and workloads — they also create more issues for security teams. Multiple standalone tools add deployment and operational complexity and drive up cost for the security operations center (SOC). Because it’s hard to coordinate automated responses across several tools, SOC teams must rely on manual correlation of threats.

A better way to protect against these subtle, dangerous threats is a system that brings together world-class endpoint protection with real-time identity protection to ensure visibility across all steps of an adversary’s attack path — from exploitation, to the delivery of malware or exfiltration of data, all the way through stolen credentials and compromised identities.

By unifying endpoint security with native identity protection, the CrowdStrike Falcon® platform delivers modern protection across every attack surface. This protection, delivered through a single lightweight agent, helps detect and block threat activity across the full attack life cycle. Security teams have access to the continuous visibility, proactive control and risk-based response they need to quickly identify and eliminate identity-based threats.

The Falcon platform has helped organizations reduce the number of security tools they need while improving their ability to prevent, detect and respond to breaches: as a result of the single-sensor approach and real-time detection, our customers saw an 84% improvement in efficiency, according to business value assessments.

We are constantly innovating to improve the Falcon platform and help organizations detect and respond to identity-based attack techniques. This March, we debuted three new use cases for CrowdStrike Falcon® Identity Protection designed to: lure adversaries away from critical resources using honeytokens; reduce risks from account vulnerabilities with duplicate password detection; and extend protocol coverage with detections over Server Message Block (SMB).

These updates are part of our ongoing mission to provide the strongest possible defense across the attack surface — including identity-based threat activity — all from a single unified platform.

Additional Resources

[1] https://www.ibm.com/downloads/cas/3R8N1DZJ