Co-author: Connor Jackson, Security Research Manager at CyberMaxx
Even though most organizations have made significant investments in identity and access management (IAM) and other preventative identity security measures in recent years, account takeover remains an extremely common attack vector for successful breaches. In fact, research from Mandiant suggests that 10% of successful intrusions start with stolen credentials. That number is likely even higher for certain categories of breaches. For example, Verizon estimates that 77% of web application breaches involve the use of stolen credentials.
Many of these incidents can be traced back to issues like:
- Stolen, leaked, or cracked credentials that are not protected with multi-factor authentication (MFA).
- Defeating MFA through techniques such as malware, social engineering, and SIM jacking.
- Systems implemented in a non-compliant manner (e.g., circumventing IAM).
- Person-in-the-middle attacks that hijack active sessions.
Therefore, organizations must not trust authenticated users implicitly. Identity threats both at and after the point of authentication must be addressed as part of a sound MDR strategy.
It is important to note that tools alone will not solve this problem. It’s not a nameless technology attacking you. It’s a human actor with motivations and the ability to react to what they see and cover their tracks.
If identity security was a technology problem alone, the industry would have solved it 30 years ago. An effective response to identity threats comes down to people, tools, and workflows designed around specific business outcomes.
Identity Threats in the Real World
The incident that is still unfolding with customers of a large cloud platform-as-a-service (PaaS) provider is an excellent example of the real-world business impact of identity threats. Early indications are that the ShinyHunters threat actor group has been targeting the provider’s customers with infostealer malware variants since 2020 to steal credentials.
Now, they are actively using this information to gain access to sensitive data in individual customers’ PaaS platform instances. According to Mandiant, who the company engaged to assist with the response:
- At least 165 customers have been affected
- 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure
High-profile organizations affected by the incident include Ticketmaster and Santander Bank.
Three Common Mistakes that Legacy MDR Providers Make
At CyberMaxx, we often describe our approach as “modern MDR.” We think this is an important distinction since many companies in the marketplace wrap people around off-the-shelf tools and call this MDR. In contrast, a modern MDR provider like CyberMaxx uses security products to their full potential but also operationalizes the human elements of offensive and defensive security to ensure that detection and response models evolve faster than threat actor tactics.
Specific to today’s topic of identity threats, a legacy MDR mindset will often lead to three mistakes:
1. Placing too much faith in basic Identify and Access Management (IAM) vendor features
IAM is the foundation of an effective identity security strategy. It ensures that the right individuals have the appropriate access to technology resources, enhancing security and efficiency while reducing the risk of unauthorized access.
Over time, many IAM vendors have also added additional policy, alerting, and logging capabilities. While these can seem useful on the surface, there is a danger in placing too much faith in the broad observations about user behavior that these alerts focus on.
Impossible time travel is a simple example. Observing that an identity is accessing resources from distant locations in too close of a time to be practical is a valid threat signal. But it’s also one that is highly prone to false positives. And even in cases when the threat is valid, these event logs are easily spoofed by savvy threat actors.
This isn’t intended to be a knock on IAM tools, which as noted above, are invaluable. But the reality is that threat actors have access to the same IAM tools and can devote countless hours to analyzing your exact IAM stack and identifying ways to defeat it.
2. Putting business processes at risk through overly aggressive automated responses
A common response in the event of a detected account takeover is to disable the affected account to prevent the threat actor from accessing it any longer. With today’s API integrations with IAM vendors, this is easy to accomplish in an automated manner. And this is appealing to many legacy MDR vendors, since broader use of automation is an easy path to higher profit margins.
But the reality is that this type of automation should be used sparingly, if at all. While an aggressive automated response may, in fact, stop an attack, it is much more likely to disrupt legitimate business processes. It can even be a form of denial-of-service attack as a threat actor cycles through target accounts using bots and other automation tools.
While it is critical to disable compromised accounts rapidly, an MDR approach that includes rapid human intervention in these scenarios will balance risk mitigation with business continuity.
3. Overlooking the need to secure machine identities
Another common mistake we see legacy MDR providers make is ignoring the growing universe of machine identities that now exist in most organizations. In fact, machine identities outnumber human identities by a wide margin in cases as organizations expand their use of:
- IoT devices that appear in growing quantities and aren’t linked to specific users
- Application designs and integrations that require the use of API keys
- Service accounts used by applications or services to perform automated tasks
This is another example of where off-the-shelf tools alone are not enough to detect and stop sophisticated threat actors. Tools are a means to an end. Humans are attacking you at the end of the day, and they will use whatever tool it takes to get the job done. Your MDR model should use the same mindset: apply human expertise and empower them to use tools where and when they can be useful.
The CyberMaxx Identity Security Blueprint
Identity threat detection and response is a long-established element of the CyberMaxx MDR model.
As part of our Offense Fuels Defense philosophy, we approach identity security from two directions – to both reduce the likelihood of successful identity-based attacks and detect and respond to them quickly and effectively when they are attempted.
Preventative Identity Security
In addition to having a strong IAM foundation, it’s important to take other steps to proactively strengthen your identity security posture. Specific preventative measures we recommend to our customers – and execute on their behalf in many cases – include:
- Performing a proactive security assessment of their IAM platform every three to six months, or more frequently in high-growth or merger and acquisition scenarios.
- Identifying possible ways to improve MFA hygiene, such as requiring or incentivizing adoption, minimizing use of weaker factors like SMS, etc.
- Investigating and pursuing innovations that can strengthen security while reducing prompt fatigue (e.g., FIDO2, passkeys, etc.)
- Pressure testing for authentication weaknesses as part of recurring penetration tests.
- Strengthening employee and contractor hiring practices to reduce the risk of granting access to “counterfeit” employees who introduce insider threats.
- Ensuring that complete and detailed logging is enabled for identity-based events.
And while we discourage customers from over-emphasizing tools in their approach, it is important to assess available controls and enable them when they provide value without significant downside. For example, we work with customers using Microsoft for IAM and/or endpoint detection and response (EDR) to take advantage of features like Conditional Access Policies, which can actively enforce policies, such as re-authentication and step-up authentication for many high-risk situations with minimal risk to business productivity. The tools are necessary but not sufficient for effective cyber security defense.
Identity Threat Detection and Response
It goes without saying that even if you have a strong set of preventative identity security measures in place, it is still a best practice to assume that account takeovers and breaches will be an inevitable fact of life. For this reason, we make identity threat detection and response (ITDR) a pillar of our MDR approach.
To reiterate a point stated above, threat actors have access to the same tools that most organizations use to secure their identities and endpoints. So, while that is not to say that these tools do not have value, they must be configured optimally and augmented with an MDR framework that approaches ITDR with human expertise backed by enabling technologies and well-structured frameworks.
For example, MITRE ATT&CK® provides a well-established set of threat vectors focused on identity that can be used as a starting point. We use these concepts as a starting point and maintain a continually evolving set of propriety detection content across all of these areas that allow us to identify malicious activity and indicators of compromise (IOCs) quickly, including for nuanced threats like:
- Analysis of non-human identities
- Possible insider threats like the counterfeit employee scenario from above
When threats are detected, our zero-latency response model ensures that they do not sit in a queue waiting for attention. Response and investigation are immediate, and we have an embedded threat response team in our SOC that can be engaged to assist with more complex incidents. This allows our team to take steps like deactivating compromised accounts quickly while ensuring that a human is in the loop to prevent business disruptions. Also, because our team invests the time to understand our customers’ environments in detail – we can incorporate threat hunting and provide related analytics that reflect business context and customer-specific risk factors. This simply isn’t possible with an automation-centric, one-size-fits-all MDR approach.
Finally, every action we take on both the preventative and ITDR side of the equation is viewed as an opportunity for continual refinement. The customer-specific learnings from our offensive security activities are used to make our ITDR content stronger, and when broad-scale identity threats like the PaaS provider example above occur, we can add detections for incident-specific IOCs. While any of these actions alone is not a silver bullet, when applied collectively and backed by top-tier talent and proven workflows, they provide the best possible protection against today’s identity threats.