Identity attacks

Thanks to new partnerships and technology, Red Canary detected four times as many identity threats in 2024 as in the year before.

Analysis

A working username and password (or an access token of some kind) have long been an adversary’s best option for accessing accounts and systems. This is precisely why phishing has ranked among the most problematic adversary techniques for decades—and also why stealers are among the most prevalent categories of malware targeting businesses.

The popularity of identity providers and identity and access management (IAM) products has not diminished the premium adversaries place on stealing credentials or tokens. If anything, it’s made them more valuable as adversaries can now target a centralized identity—often without ever accessing an endpoint workstation at all—to gain access to numerous disparate SaaS applications, accounts, or systems. In this way, a compromised identity is often the starting point for intrusions that can lead to the kinds of incidents most organizations are actually concerned about, including:

  • intellectual property theft
  • theft of computing resources
  • espionage
  • ransomware

While centralized identity solutions make organizations more secure overall, they also make some things easier for adversaries.

Of course, organizations wouldn’t adopt identity providers and IAM solutions if they only created risk by centralizing access behind a single authentication mechanism. In fact, the risk created by centralized identities is offset by the security controls that are baked into—and can be built on top of—identity providers. Most identity solutions make it easy to enforce multi-factor authentication (MFA). They enable organizations to leverage conditional access policies (CAP) and adjust the duration of time for which an access token remains valid. They also generate alerts to inform security teams about suspicious logon attempts and telemetry that you can use to develop custom detection capabilities or conduct investigations.

On balance, centralized identity solutions make organizations more secure, but they’re also a priority target for adversaries. Therefore, organizations should pay special attention to the identity threat landscape and be careful to manage their identity infrastructure as safely and securely as possible.

Identity attacks in 2024

Three of the top five ATT&CK techniques we detected this year were cloud-native techniques enabled by identity.

Similarly, we saw a consistent increase in identity threats targeting our customers throughout the year, which you can see in the following graphic.

Identity detections in 2024

The increase in identity-related techniques atop our ATT&CK rankings and the increase in identity threat detections across our customers are largely the byproduct of growing technological partnerships between Red Canary and identity solution providers, a very intentional effort to expand our detection coverage using telemetry from these partnerships and elsewhere, and increased reliance on AI agents to quickly gather and present analysts with expanded context about otherwise indiscernible identity alerts. It’s difficult to say with certainty that identity attacks are increasing, remaining steady, or decreasing. However, the moment we started looking for identity threats, we found them in droves, and as more customers have adopted our identity products, the number of identity threats we’ve detected has ballooned dramatically.

Likewise, identity threats are growing relative to non-identity threats (e.g., endpoint and cloud threats) across Red Canary as well, as shown in the following image. Non-identity threats continue to make up the bulk of what we detect, but that’s because managed detection and response for endpoints is our oldest and most widely adopted product. As customer adoption levels out between the different detection domains (e.g., endpoint, identity, cloud, email, etc.), we’d expect the ratio of identity vs. non-identity threat detections to normalize—although it will be interesting to see what is normal for that ratio.

Identity vs. non-identity threats in 2024

What’s clear is this: Identities are a major focal point for adversaries. However, identity attacks remain a means to an end. It’s impossible to enumerate all the things an adversary might do with access to a legitimate identity, but it ranges from ransomware attacks to espionage to cryptocurrency mining and includes just about everything in between.

Since an adversary might choose to do anything once they have access to an identity, it’s critical to understand how they gain access to an identity, which we explain in the following paragraphs.

How adversaries compromise identities

The following is a non-exhaustive list of techniques and other factors that adversaries leverage to compromise identities.

Phishing

All varieties of phishing remain a powerful tool that adversaries frequently leverage to trick users into handing over credentials that they can then use to compromise an identity.

Malware

Malware is another powerful tool for gathering valid credentials and session tokens. The information stealer ecosystem in particular is highly commoditized with widely available and turnkey as-a-service solutions that seem to be fueling widespread account compromise and takeover activity.

Session hijacking

Adversaries also frequently sidestep the need to steal credentials at all by intercepting session tokens (often stored in browser cookies) and replaying them to gain access to accounts or identities without authenticating. Because the session was already established by the legitimate user, any MFA they completed when logging in is never re-challenged.

Vulnerability exploitation

Software vulnerabilities arise from time to time that enable adversaries to exploit their way into an account, elevate their privileges from an already compromised account, or otherwise execute code.

Credential stuffing

Adversaries take advantage of rampant password reuse through a process known as credential stuffing, whereby they take username-password combinations exposed in one breach or leak and try them, usually at high volume and from many source IPs, against other services where the same user may have reused the password.

Password spraying

Password spraying is related to credential stuffing but inverts the approach: rather than many passwords against one account, the adversary tries a small number of common or easily guessed passwords against many accounts, typically only one or two attempts per account so that lockout thresholds are never tripped.

Data leaks

Data leaks warrant mention here as they provide fodder for the credential stuffing and password spraying attacks mentioned above.

Adversary-in-the-middle and man-in-the-middle attacks

Adversary-in-the-middle (AitM) and man-in-the-middle (MitM) attacks enable password theft by presenting users with a legitimate-looking (but fake) account access portal. If the user enters their credentials into the fake login field, the adversary can then use those credentials to log into the actual account in real time. An added benefit of these techniques is that the adversary can present users with an MFA field after the login, enabling them to potentially bypass MFA protections as well. If a user inputs their MFA challenge code, the adversary can relay it in real time to the actual MFA challenge page for the login. This relay works against one-time codes and push approvals, but not against phishing-resistant methods such as FIDO2/WebAuthn, where the signed login response is bound to the origin the browser is actually on and is rejected when it arrives from the adversary’s site.

MFA circumvention

Since many organizations enforce MFA for sensitive accounts, circumventing or bypassing MFA protections is often a prerequisite for adversaries attempting to compromise an identity. And there’s a long list of techniques that adversaries leverage to overcome the protection provided by MFA, including the following:

  • AitM/MitM attacks
  • MFA exhaustion
  • SIM swaps
  • Help desk social engineering

An adversary can also bypass MFA and take ownership of an account if they can abuse any of the password reset methods configured for self-service password reset (SSPR). While we’ve researched this in Entra ID and some terminology may be Azure/Microsoft specific, this technique probably applies to other identity providers as well.

In essence, an adversary would initiate a password reset on behalf of the user, which would send a password reset code to the actual user, via their mobile device, for example. The adversary would then convince the real user to supply the generated code—either by phishing or another method—before resetting the password and gaining access to the account in question.

Take action

In nearly every case, an identity compromise involves a login. These logins are often suspicious, and therefore, preventing and detecting identity attacks requires security teams to understand what makes a login potentially suspicious or malicious. We’ve covered a lot of these preventive measures extensively in other resources, but we’ll reiterate them briefly here:

Prevention

MFA

Enabling multi-factor authentication won’t make identity attacks altogether impossible, but it will certainly raise the barrier to entry by nullifying many of the simplest methods that adversaries deploy to compromise an identity or account.

Conditional access policies (CAP)

Administrators can use conditional access policies to establish parameters around permissible logins based on attributes, such as denying access to unmanaged devices, requiring MFA to access a resource, and more.

Passwordless solutions

Passwordless solutions are another great tool for closing off wide varieties of identity attack vectors. These include hardware security keys (FIDO2/WebAuthn), platform authenticators such as passkeys, and biometrics, and they make it difficult for an adversary to compromise an account because they add a physical or otherwise difficult-to-mimic component to the login process; in the case of WebAuthn-based credentials, the signed login response is also bound to the legitimate site’s origin, so it cannot be relayed through a phishing page. Unfortunately, passwordless solutions can be challenging to implement at scale across an organization, but nearly any security or IT team should consider employing them to protect the most sensitive accounts (e.g., the admin accounts for your identity provider).
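The following is an added example (not code from the Red Canary report) that ties the AitM section above to this one: a toy identity provider, a victim whose browser signs WebAuthn assertions with the origin it is really on, and a phishing proxy that relays what the victim produces. The relay succeeds for password + one-time code and fails for WebAuthn. The origins, user, and secrets are constructed; the HMAC "credential key" stands in for the authenticator’s asymmetric key pair, and the assertion signs only the client data hash rather than the full authenticator data a real authenticator would include.

```python
"""Added example: AitM relay succeeds against password + OTP, fails against
WebAuthn because clientData.origin is set by the browser, not the page."""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"       # assumed real IdP origin
PHISH_ORIGIN = "https://login.example-com.net"   # assumed look-alike phishing origin


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: the 6-digit code an authenticator app displays."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def client_data_hash(client_data: dict) -> bytes:
    return hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()


class IdentityProvider:
    """Toy IdP (constructed). Stores a shared HMAC key per user as a stand-in
    for the WebAuthn public key a real relying party would verify against."""
    def __init__(self):
        self.users, self.challenges, self.sessions = {}, set(), set()

    def enroll(self, user, password, otp_secret, cred_key):
        self.users[user] = {"pw": password, "otp": otp_secret, "key": cred_key, "ctr": 0}

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def login_password_otp(self, user, password, code):
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["pw"], password):
            return None
        if not hmac.compare_digest(code, hotp(u["otp"], u["ctr"])):
            return None
        u["ctr"] += 1
        return self._issue_session()

    def webauthn_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def webauthn_verify(self, user, assertion):
        u, cd = self.users.get(user), assertion["clientData"]
        if not u or cd["challenge"] not in self.challenges:
            return None
        if cd["origin"] != LEGIT_ORIGIN:   # origin binding: this is what defeats the relay
            return None
        expected = hmac.new(u["key"], client_data_hash(cd), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None
        self.challenges.discard(cd["challenge"])
        return self._issue_session()


class Victim:
    """A user plus their browser/authenticator. The browser fills clientData.origin
    from the page it is actually on; the user cannot override it."""
    def __init__(self, user, password, otp_secret, cred_key):
        self.user, self.password = user, password
        self.otp_secret, self.cred_key, self.otp_counter = otp_secret, cred_key, 0

    def type_password_and_code(self):
        code = hotp(self.otp_secret, self.otp_counter)
        self.otp_counter += 1
        return self.password, code

    def sign_webauthn(self, challenge, page_origin):
        cd = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
        sig = hmac.new(self.cred_key, client_data_hash(cd), hashlib.sha256).digest()
        return {"clientData": cd, "sig": sig}


def aitm_relay_password_otp(idp, victim):
    """Fake portal captures password and code, replays them against the real IdP."""
    pw, code = victim.type_password_and_code()
    return idp.login_password_otp(victim.user, pw, code)


def aitm_relay_webauthn(idp, victim):
    """Proxy fetches a real challenge, has the victim sign it on the phishing origin, forwards it."""
    challenge = idp.webauthn_challenge()
    return idp.webauthn_verify(victim.user, victim.sign_webauthn(challenge, PHISH_ORIGIN))


def demo():
    """Returns (otp_relay_succeeded, webauthn_relay_succeeded, legit_webauthn_succeeded)."""
    otp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    idp = IdentityProvider()
    idp.enroll("alice", "correct horse", otp_secret, cred_key)
    alice = Victim("alice", "correct horse", otp_secret, cred_key)
    relayed_otp = aitm_relay_password_otp(idp, alice) is not None
    relayed_fido = aitm_relay_webauthn(idp, alice) is not None
    legit = idp.webauthn_verify("alice", alice.sign_webauthn(idp.webauthn_challenge(), LEGIT_ORIGIN))
    return relayed_otp, relayed_fido, legit is not None


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The point the code makes is that the proxy never has to break MFA to relay a code: the victim does the hard part by typing a valid one-time code into the wrong page. A WebAuthn assertion carries the phishing origin inside the signed data, so the same relay is rejected by the origin check before the signature is even considered.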

Short-term access

Many cloud and identity service providers offer some form of short-term access. These work in different ways but generally involve issuing short-lived access tokens for any session initiated by an authorized and authenticated user. In this way, if an adversary manages to steal a token, it expires within minutes or hours and the adversary is forced back through authentication (and MFA) to obtain another. AWS STS, which issues temporary credentials with a configurable lifetime, is one example; privileged identity management (PIM) for Microsoft Entra ID is a related control that grants privileged roles only for a bounded activation window rather than as standing access.

Detection opportunities

Nearly any identity provider will generate alerts for what they deem to be suspicious or malicious logins. These alerts can be voluminous and difficult to investigate and sometimes overwhelm security teams with noisy, enigmatic alerts. Beyond alerts, identity threat detection and response (ITDR) solutions collect telemetry or logs directly from the identity provider that internal security teams or third-party service providers can use to build custom detection rules. Whether you’re developing custom detection rules or investigating alerts generated by an identity provider, the following are some examples of suspicious activity that warrant looking out for:

  • logins emanating from suspicious IP ranges, hosting providers, and VPNs
  • failed login attempts or conditional access blocks occurring around the same time
  • suspicious logins happening in conjunction with the creation of new or suspicious email rules
  • logins originating from unusual geographic locations or concurrent logins happening from geographically disparate locations
  • detections on hosts associated with identities for which there was a suspicious login attempt
  • users logging in from previously unregistered or otherwise unusual devices
  • MFA exhaustion attempts (i.e., multiple MFA challenges initiated in short order)
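Three of the detection opportunities above (clustered failed logins from one source, as produced by the password spraying described earlier; concurrent logins from geographically disparate locations; and MFA exhaustion) written as runnable functions over sample sign-in records. This is an added example, not code from the Red Canary report; the record shape and field names are assumptions loosely modeled on Entra ID sign-in logs, and the users, IPs, timestamps, and coordinates are constructed.

```python
"""Added example: sliding-window detections over constructed sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def ev(ts, user, ip, result, lat, lon, mfa=None):
    """Build one sign-in record (field names are assumptions, not a real schema)."""
    return {"ts": ts, "user": user, "ip": ip, "result": result, "lat": lat, "lon": lon, "mfa": mfa}


# Constructed sample sign-ins (not real telemetry).
SIGNINS = [
    # (a) password spray: one failed attempt per user from one IP, seconds apart
    ev("2024-05-01T09:00:05Z", "alice@example.com", "203.0.113.7", "failure", 52.52, 13.40),
    ev("2024-05-01T09:00:09Z", "bob@example.com", "203.0.113.7", "failure", 52.52, 13.40),
    ev("2024-05-01T09:00:14Z", "carol@example.com", "203.0.113.7", "failure", 52.52, 13.40),
    ev("2024-05-01T09:00:20Z", "dave@example.com", "203.0.113.7", "failure", 52.52, 13.40),
    ev("2024-05-01T09:00:27Z", "erin@example.com", "203.0.113.7", "failure", 52.52, 13.40),
    # (b) benign: carol from the office, MFA satisfied
    ev("2024-05-01T09:30:00Z", "carol@example.com", "198.51.100.20", "success", 41.88, -87.63, "satisfied"),
    # (c) impossible travel: alice in Chicago, then Frankfurt 40 minutes later
    ev("2024-05-01T10:00:00Z", "alice@example.com", "198.51.100.20", "success", 41.88, -87.63, "satisfied"),
    ev("2024-05-01T10:40:00Z", "alice@example.com", "203.0.113.7", "success", 50.11, 8.68, "satisfied"),
    # (d) MFA exhaustion: bob denies five push prompts in under two minutes, then approves
    *[ev(f"2024-05-01T11:0{s // 60}:{s % 60:02d}Z", "bob@example.com", "203.0.113.7",
         "failure", 52.52, 13.40, "denied") for s in (0, 25, 50, 75, 100)],
    ev("2024-05-01T11:02:30Z", "bob@example.com", "203.0.113.7", "success", 52.52, 13.40, "satisfied"),
]


def with_times(events):
    """Attach a parsed datetime under 't' so the detections can do arithmetic."""
    return [dict(e, t=datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")) for e in events]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def password_spray(events, window=timedelta(minutes=10), min_users=4):
    """One source failing against many distinct users inside a short window.
    Spraying stays under per-account lockout, so count users, not attempts."""
    by_ip = defaultdict(list)
    for e in with_times(events):
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["t"])
        i = 0
        for j, ej in enumerate(evs):
            while ej["t"] - evs[i]["t"] > window:
                i += 1
            users = {e["user"] for e in evs[i:j + 1]}
            if len(users) >= min_users and len(users) > len(findings.get(ip, ())):
                findings[ip] = sorted(users)
    return findings


def impossible_travel(events, max_kmh=900, min_km=100):
    """Consecutive successful logins for one user farther apart than an airliner could carry them."""
    by_user = defaultdict(list)
    for e in with_times(events):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (b["t"] - a["t"]).total_seconds() / 3600
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                findings.append((user, round(km), a["ip"], b["ip"]))
    return findings


def mfa_exhaustion(events, window=timedelta(minutes=5), min_prompts=5):
    """Many MFA challenges for one user in a short window, whatever the outcome."""
    by_user = defaultdict(list)
    for e in with_times(events):
        if e["mfa"] is not None:
            by_user[e["user"]].append(e["t"])
    findings = {}
    for user, times in by_user.items():
        times.sort()
        i = 0
        for j, tj in enumerate(times):
            while tj - times[i] > window:
                i += 1
            if j - i + 1 >= min_prompts:
                findings[user] = max(findings.get(user, 0), j - i + 1)
    return findings


if __name__ == "__main__":
    print(password_spray(SIGNINS))
    print(impossible_travel(SIGNINS))
    print(mfa_exhaustion(SIGNINS))
```

Each function takes the raw records and a threshold so the same logic can be re-run with stricter or looser windows; the thresholds used here (four users in ten minutes, 900 km/h, five prompts in five minutes) are illustrative starting points rather than tuned values. Note that the spraying source in the sample data is also the IP behind the impossible-travel success and the MFA push storm, which is the kind of cross-detection overlap worth pivoting on during an investigation.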

Testing

Start testing your defenses against identity threats using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

Atomic Red Team has a variety of tests that security teams can run to validate and improve their defense controls for detecting and preventing identity abuse. The following five are a great starting point. Run them and then examine whether or not you managed to detect, prevent, or observe the suspicious activity.

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
