The business of selling unauthorized access to organizations is booming: Ads for access brokers spiked in 2022 with more than 2,500 advertisements identified – a 112% jump compared to 2021, the 2023 CrowdStrike Global Threat Report found.
Why the surge in interest? Adversaries are realizing that authenticating with compromised identities and credentials provide an easier and faster route into an organization compared with other methods such as phishing or vulnerability exploitation. Nearly 80% of cyberattacks involve stolen identities, CrowdStrike data shows, and the average breakout time – the time it takes for an attacker to move from initial compromise to another host within the victim’s environment – is down to 84 minutes. Adversaries in possession of valid credentials are likely to stay under the radar and move quickly undetected.
Identity-based attacks are a growing concern for organizations of all sizes and industries. Below are three steps they should consider to strengthen their defenses:
1. Shift Away from a Siloed Approach
As identity-based attacks have emerged as a top attack vector in recent years, organizations have made knee-jerk reactions by deploying multiple standalone solutions, such as Active Directory security tools, security incident and event management (SIEM) systems and security orchestration automation and response (SOAR) solutions. Conventional wisdom would suggest that having multiple tools leads to better protection, right? Well, not really.
Organizations are finding multiple tools do not give security teams the visibility they need into adversary activity. Without insight into endpoints and identities, stopping breaches becomes a lot more difficult.
In addition to being ineffective, the multiple tools approach is proving to be costly due to increased deployment and operational complexity. For example, it is difficult to orchestrate automated responses across multiple standalone tools, which forces security operations center personnel to manually correlate threats across endpoints and identities. This time-consuming process takes valuable resources away from more critical work.
2. Unify Endpoint and Identity Protection
When it comes to tools working together for the greater good of the organization, it is imperative that security teams consider pairing endpoint protection with identity protection to help them navigate identity-based attacks.
Bringing endpoint and identity telemetry together is one of the most effective methods to ensure security teams have full visibility across all steps of an adversary’s attack path. Endpoint protection can identify vulnerability exploitation, malware delivery and fileless attacks; identity protection can alert IT and security teams to stolen credentials, compromised identities, reconnaissance and lateral movement attempts.
So how can you seamlessly pair endpoint and identity protection?
Organizations should consider using a single platform with a single agent that can be deployed anywhere in their environment. This approach has numerous benefits; for example, reducing the number of agents needed to collect telemetry across endpoints and identities, and providing security teams with a single comprehensive view of threats affecting them.
3. Automate Responses to Stop Attacks
Another benefit of using a platform approach is the ability to orchestrate automated policy-based responses to attempted attacks in real time. For example, if a security team notices a user trying to install malware on an endpoint, they can add that user to a dedicated watchlist so they can be stopped or challenged at the authentication level. This type of response is hard to achieve through standalone tools.
With today’s identity-based attacks being more subtle and able to bypass legacy security tools, the success rates for ransomware, data exfiltration and other types of cyberattacks will continue to rise. Organizations need to double down on their efforts to stop these attacks – all it takes is one set of valid credentials in the hands of an adversary to cause significant damage.
