The rise of identity-based cyber attacks and how to mitigate them


Identity-based cyber attacks are an increasingly popular weapon of choice as our working lives come to depend on identity-based authentication and authorization. In essence, such attacks steal or fake our passwords or other login credentials so the attacker can act as a legitimate user.

In response, organizations are adding new layers of authentication, which, inevitably, cyber criminals work to find ways through or around. In this cat-and-mouse game, identity-based attacks are on the rise, and organizations must put several measures in place to defend themselves against them.

Identity-based cyber attacks are a growing threat

Hacking into computer systems is as old an activity as computer systems themselves. But the attack surface is wider than ever before; there are more systems around, storing more data about individuals and organizations, offering more potential for exploitation. 

“With so much more personal information now online, companies, institutions, infrastructure, and even democracies are being maliciously targeted by actors wishing to exploit it,” Del Heppenstall, partner and head of cyber at KPMG in the UK tells ITPro.

It’s people that are most often the source of a data breach. The 2022 Verizon Data Breach Investigations Report found 82% of breaches involve the “human element”. That human element can be malicious, as when an attacker uses social engineering to manipulate a member of staff. But more often than not, it is simple human error: falling for a fake SMS message, clicking a phishing link and entering credentials, or reusing the same password across personal and professional logins. Mistakes are inevitable – after all, we are only human – which is why zero trust strategies, which assume no user or device is trustworthy by default, are important.

“Adversaries can easily launch high-volume password spraying where they only need to be right once out of millions of attempts,” former BP CISO, Simon Hodgkinson, says. “Similarly, with high-volume phishing attacks, all it takes is one person to click on the link and provide their credentials. The defenders on the other hand need to be right 100% of the time.”

Guarding against the inevitable

Not only do the attackers really know their business, they’re pushing harder and faster. The Microsoft Digital Defense Report 2022 estimates the volume of password attacks has risen to 921 attacks every second, a 74% increase in just one year.

So what is an organization to do? Hodgkinson tells ITPro: “One must be pragmatic. Cyber risk cannot be eradicated. Organizations can only put in place mitigations aligned to their risk appetite and have robust response plans in place. Every organization should assume that they will be compromised at some point.”


In this context, organizations must put security front and center. For Heppenstall, the security-first approach that most organizations now take can be strengthened by moving to an identity-focused approach. 

He lists least privilege, enhanced monitoring, threat analytics and controls, communications guidelines for dealings both inside the organization and with external entities and individuals, and continuous validation of all end users, including internal staff, contractors, and third parties. He also suggests that “keeping proactive and reactive risk management capabilities around identity and access management, then integrating it with business and security needs will be key to handling threats”.

Taking a nuanced approach to tightening the net

For Kevin Curran, IEEE senior member and professor of cyber security at Ulster University, organizations can fall short if they don’t understand the difference between identity management and authentication. 

It’s crucial to “establish how roles are identified in a system and how they are assigned to individuals”, he tells ITPro. This means “security teams need to pay attention when removing, adding, and updating individuals alongside their roles in a system”. 

“There needs to be a sensible allocation of levels of access to individuals or groups of individuals,” he continues. “Only then can security teams assume that they have established a ‘foundation’ of protecting the sensitive data within the system and securing the organization itself.”
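Curran’s point about tracking people and their roles together is, in practice, a reconciliation problem between the HR record of who works here and in what capacity, a catalogue of which roles each function is entitled to, and what the directory actually grants. The script below is an added example (not the article’s or the expert’s own code) using constructed data: it finds leavers whose accounts are still enabled, movers who kept a role from their previous department, and accounts with no HR record at all, which are the three gaps the “removing, adding, and updating” quote describes.

```python
from dataclasses import dataclass

# Constructed sample data (not from any real organization).
HR_ROSTER = {  # user -> (employment status, current department)
    "alice": ("active", "finance"),
    "bob":   ("active", "engineering"),
    "carol": ("left",   "finance"),
    "dave":  ("active", "engineering"),   # moved here from finance
}

# Roles each department is entitled to hold; anything outside this is excess.
ROLE_CATALOG = {
    "finance":     {"erp_user", "expense_approver"},
    "engineering": {"git_push", "ci_runner"},
}

# What the directory grants today: user -> (account enabled, assigned roles).
DIRECTORY = {
    "alice":      (True, {"erp_user"}),
    "bob":        (True, {"git_push", "ci_runner"}),
    "carol":      (True, {"erp_user", "expense_approver"}),  # leaver never deprovisioned
    "dave":       (True, {"git_push", "expense_approver"}),  # kept a finance role after moving
    "svc-backup": (True, {"ci_runner"}),                     # no HR record behind it
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "leaver_enabled" | "excess_role" | "no_hr_record"
    detail: str


def reconcile(hr, catalog, directory):
    """Compare directory grants against HR status and the role catalogue.

    Returns findings in directory order (sorted by user) so the report is stable
    from run to run and easy to diff against the previous one."""
    findings = []
    for user, (enabled, roles) in sorted(directory.items()):
        if user not in hr:
            # Accounts with no owner of record are the classic orphaned identity.
            findings.append(Finding(user, "no_hr_record", f"roles={sorted(roles)}"))
            continue
        status, dept = hr[user]
        if status != "active":
            # A leaver should be disabled with all roles removed, not merely "left" in HR.
            if enabled or roles:
                findings.append(Finding(user, "leaver_enabled",
                                        f"enabled={enabled}, roles={sorted(roles)}"))
            continue
        # Least privilege: an active user may hold only their department's roles.
        for role in sorted(roles - catalog.get(dept, set())):
            findings.append(Finding(user, "excess_role", f"{role} not in {dept} catalog"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ROLE_CATALOG, DIRECTORY):
        print(f"{f.kind:15} {f.user:12} {f.detail}")
```

Run on the sample data it reports `carol` (leaver still enabled), `dave` (an `expense_approver` role that engineering is not entitled to) and `svc-backup` (no HR record). Running this reconciliation on a schedule, and treating every finding as a ticket with an owner, is the mechanical half of the “continuous validation” Heppenstall calls for above; the human half is deciding who is allowed to approve the exceptions.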

Best practice isn’t only about technology: there are cultural and process factors to take into account too. Hodgkinson gives ITPro a strong example of how a cultural shift has helped other industry sectors with very different problems.

“The airline and oil and gas industries dramatically improved safety by embracing a culture of ‘speak up’,” he explains. “When there was an accident or a near miss, people were encouraged to share. This led to a culture of continuous improvement in safety. A similar approach is required in cyber – let’s encourage people to report and share their learnings.” 

What would this look like in practice? “If one user clicked on a phishing link, they should share why so others learn from it,” he adds. “This will require organizations to positively support employees who have made a mistake.”

All in all, it would seem that organizations must accept the inevitable and assume attacks will happen. They must also understand that their best mitigation is not solely a matter of technical best practice. It is also about organizational culture: accepting that people are fallible, and giving them support and room to learn when they make mistakes.

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.

At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.