Identity infrastructure is at the core of our digital lives. It allows us to access our data, prove who we are, and differentiate ourselves from others. However, this crucial layer of security is also a ripe target for adversaries (and even more so now that so many of our services have migrated to the cloud). Let’s explore common identity attack techniques and how to defend against them.
What are identity attacks?
Identity attacks occur when adversaries target authentication and authorization systems or steal user credentials to gain unauthorized access to systems and resources. These attacks often exploit:
- Authentication vulnerabilities: Exploiting weaknesses in how users prove their identity
- Stolen credentials: Usernames, passwords, or other authentication materials obtained via malware, phishing, or other means
Common techniques used in identity attacks
Adversaries rely on the following tradecraft to execute identity attacks.
Phishing
Adversaries use deceptive messages or websites to trick users into revealing sensitive information. Phishing can range from simple emails asking for credentials to complex, convincing replicas of legitimate websites.
Credential theft
Adversaries often leverage tools like keyloggers or browser password-stealing malware to capture login credentials.
Credential stuffing
Attackers can exploit a victim’s reused password across services. If one service is breached, they test the stolen credentials on others.
Session hijacking
Instead of stealing passwords, attackers intercept session tokens (typically stored in cookies) and replay them to bypass authentication entirely.
Account takeovers (ATO)
Adversaries gain access to accounts for fraud or other malicious purposes, such as distributing spam or breaching enterprise networks.
Privilege escalation
Attackers leverage vulnerabilities to elevate from standard user accounts to administrator privileges, allowing deeper access to systems and data.
Insider access
Not all identity threats come from external adversaries. Sometimes, authorized users act maliciously, whether motivated by dissatisfaction, financial incentives, or other reasons. These insiders can exploit their legitimate access to help adversaries breach systems.
Synthetic identity fraud
A more insidious attack, synthetic identity fraud involves creating fake identities using a mix of real and fabricated information. These identities are used for financial fraud, money laundering, or infiltrating organizations as insiders.
How to protect against identity attacks
- Use unique passwords: Avoid reusing passwords. Instead, use a password manager to securely generate and store strong, unique passwords for every service
- Enable multi-factor authentication (MFA): Add an extra layer of security by requiring a second factor (e.g., a code sent to your phone) for logging in
- Be wary of phishing attempts: Scrutinize unexpected emails, messages, or links, especially if they request sensitive information
- Secure your session tokens: Avoid using public Wi-Fi without a VPN and ensure your devices are up-to-date with security patches to protect against session hijacking
- Limit privileges: Apply the principle of least privilege by limiting access rights to the minimum users need to perform their tasks
- Monitor for suspicious activity: Regularly review account activity for signs of unauthorized access, such as unrecognized logins or changes to account settings
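The monitoring tip above can be turned into concrete checks. The following Python is an added example (not code from the original article) that runs over a constructed authentication log: it flags source IPs that spray logins across many accounts (credential stuffing), successful logins from such sources (likely account takeovers), and successful logins from an IP an account has never used before (unrecognized logins). The log format, the five-account threshold and the sample lines are all assumptions made for the example.

```python
"""Detect credential-stuffing, account-takeover and unrecognized-login patterns.
Added example, not from the original article; log format, thresholds and
sample lines are constructed assumptions."""
from collections import defaultdict

# Constructed sample log: "timestamp user source_ip result"
SAMPLE_LOG = """\
2024-05-01T08:00:01 alice 203.0.113.10 FAIL
2024-05-01T08:00:02 bob 203.0.113.10 FAIL
2024-05-01T08:00:03 carol 203.0.113.10 FAIL
2024-05-01T08:00:04 dave 203.0.113.10 FAIL
2024-05-01T08:00:05 erin 203.0.113.10 FAIL
2024-05-01T08:00:06 frank 203.0.113.10 SUCCESS
2024-05-01T09:10:00 alice 198.51.100.7 SUCCESS
2024-05-01T09:12:30 bob 198.51.100.7 FAIL
2024-05-01T23:40:00 alice 192.0.2.55 SUCCESS
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "ok": result == "SUCCESS"})
    return events

def credential_stuffing_sources(events, min_users=5):
    """Source IPs that tried at least min_users distinct accounts: the
    one-password-across-many-accounts signature of credential stuffing."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)

def likely_account_takeovers(events, min_users=5):
    """Successful logins from a stuffing source: a reused password worked."""
    bad = set(credential_stuffing_sources(events, min_users))
    return [(e["ts"], e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in bad]

def unrecognized_logins(events, known_ips=None):
    """Successful logins from an IP the account has never used before.
    known_ips seeds each user's baseline (e.g. from prior login history)."""
    seen = defaultdict(set, {u: set(v) for u, v in (known_ips or {}).items()})
    alerts = []
    for e in events:
        if e["ok"] and seen[e["user"]] and e["ip"] not in seen[e["user"]]:
            alerts.append((e["ts"], e["user"], e["ip"]))
        if e["ok"]:
            seen[e["user"]].add(e["ip"])
    return alerts
```

In a real deployment the baseline for unrecognized_logins would come from stored login history rather than the log being scanned, and the alerts would feed a review of the affected accounts.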
For many security practitioners, the tips above may be second nature, but they still warrant a reminder. Identity is both a cornerstone of security and a prime target for attackers. By understanding common attack methods and implementing robust defenses, you can safeguard your accounts and data. Remember, everyone is a target, so stay vigilant in protecting your online identity.