Identity-based security threats are growing rapidly: report

The most dangerous cybersecurity threat of the moment is an attacker with access to legitimate identity information for a given system, according to a report issued today by endpoint security and threat intelligence vendor CrowdStrike.

According to the report, interactive intrusions (which the company defines as those in which an attacker is working actively to accomplish some illicit end on a victim’s system), are increasingly implemented using strategies that involve compromised identity information for access to a target. During the past year, both government-backed and organized crime hacking groups have raised their game with improved phishing techniques and social engineering “tradecraft.”

“The biggest trend that we’ve seen is that everything is moving towards identity,” said Adam Meyers, head of intelligence at CrowdStrike. “80% of attacks involved identity and compromised credentials.”

Those credentials can be compromised in the traditional way, using email phishing and social engineering, or they can be purchased on the dark web, sourced from other types of compromised systems. Once they have access to a target system, cybercriminals use a range of techniques to achieve their ends, and the report said that the use of remote monitoring and management software is sharply on the rise.

“Threat actors understand that there are security tools out there that impede the way they operate,” noted Meyers. “So they’re trying to use techniques that don’t trigger that security.” Compromised login IDs are hard to detect, and must generally be discovered by monitoring for unusual account behavior.

A move away from what he described as a “Microsoft monoculture” in the enterprise would be a positive step toward stemming the current flow of identity based attacks, Meyers said.

“Organizations have gone all in with Microsoft, they have good OSes and productivity suites, but a history of poor security,” Meyers said.

Kerberos-based attacks on the rise

In particular, Kerberos-based attacks against Windows systems have been on the rise, according to CrowdStrike. The technique of “Kerberoasting” (compromising a Kerberos ticket by cracking its encryption offline) has been particularly successful of late, since Windows uses Kerberos as a key authentication method.

The report also includes information about the growing cloud-based threat posed by the use of privilege escalation tools like LinPEAS, which can be used to enumerate information about a cloud environment, including metadata, network attributes and even security credentials, depending on the service provider and its configuration. CrowdStrike recommends applying on-premises security techniques to all cloud workload instances, including restricting outbound connections from those instances to whitelisted addresses.