People Centric Insider Threats

The Concerning Rise in Identity-Centric Attacks: Trends and Facts 

Share with your network!

Identity threats are by no means a new type of crime. But in today’s increasingly digitized world, there are more opportunities for bad actors to steal identities and engage in identity-centric attacks than ever before. Unfortunately, user identities are tough for businesses to protect. The fact that these types of attacks are skyrocketing is evidence of that—in the past year alone the Identity Defined Security Alliance reports that a whopping 84% of companies experienced an identity-related security breach. 

In this post, we’ll take a look at identity attack statistics and trends and provide some recent case studies to illustrate how some attacks work. We’ll also highlight one of the most important identity threat facts—that the human element plays a crucial role in the success of these attacks.  

Understanding identity-centric attacks 

There are many types of identity attacks. When most people think of these types of crimes, they often imagine traditional identity theft scenarios: 

  • Financial identity theft, where a criminal gains access to a victim’s financial data, like their credit card details, bank account numbers or Social Security number, to make unauthorized purchases, withdraw funds or open new accounts.  
  • Tax identity theft, where a bad actor uses a victim’s personal information to file false tax returns and claim refunds, diverting the money to their own accounts. 
  • Employment identity theft, where a fraudster uses a victim’s identity to get a job, potentially causing issues for that person when discrepancies arise in their employment and tax records. 

But identity-based attacks also target enterprises and their online users. The cybercriminals behind these attacks might aim to steal sensitive data, siphon off funds, damage or disrupt systems, deploy ransomware or worse. Those are the types of identity attacks we’re covering here. 

Identity threat trends and tactics 

In short, identity-centric attacks are a practical calculation by bad actors: Why would they invest their time and resources to build exploits to help them get in through a virtual back door when they can just walk through the front door? 

But before they reap the rewards, they still have some legwork to do. Here are a few techniques that cybercriminals use to progress identity-based attacks against businesses and their users: 

  • MFA bypass attacks. Many businesses today use multifactor authentication (MFA) to protect the account of their users. It’s more secure than using passwords alone. But of course, bad actors have found new ways to bypass commonly used MFA methods. MFA fatigue attacks are one example.  
  • People-activated malware. People often give life to malware when they fall for a phishing scam or other social engineering tactics. Malware can appear in the form of a .zip file, QR code, .html link, MS Office file and more—there are at least 60 known techniques to plant people-activated malware on corporate networks. 
  • Active Directory (AD) attacks. Most enterprises today use AD as a primary method for directory services like user authentication and authorization. Cybercriminals are keen to target AD, which touches almost every place, person and device on a network. This approach works very well, too—more than half of identity-related breaches can be traced back to AD
  • Cached credentials harvesting. Cached credentials are commonly stored on endpoints, in memory, in the registry, in a browser or on disk. Attackers use various tools and techniques to collect these credentials and gain access to more privileged identities. Once they have harvested these credentials, they can use them to move laterally and log into different applications.  

Adversaries are likely to find a good “crop” when they are harvesting cached credentials. Recent research from Proofpoint found that more than one in 10 endpoints have exposed privileged account passwords, making it one of the most common identity risks

Keep in mind that cybercriminals are always innovating, and they are quick to build or adopt tools that can help them be more efficient and effective. Using artificial intelligence (AI) is just the latest example. Bad actors can use this technology to: 

  • Automate phishing attacks 
  • Create realistic fake videos or audio recordings for impersonation  
  • Automate the process of testing stolen login credentials across sites and services 
  • Create highly targeted social engineering attacks 
  • Generate fake identities that can be used to create fraudulent accounts 

The human factor in identity attacks 

Now, let’s talk about how people enable identity attacks. It’s important to understand that social engineering is usually at the heart of identity compromise. Social engineering is a technique where an attacker uses human emotions like fear and urgency to trick the target into performing an action that they normally wouldn’t. The target might be convinced or compelled to send the attacker money, divulge sensitive customer data or disclose their credentials. 

The fact that social engineering is so crucial to the success of identity attacks makes it even more vital for your business to provide a security awareness program for your users. Security training can teach users how to identify and respond to these attacks. Plus, it can help reinforce why it’s essential for them to guard their credentials carefully. 

Case studies 

So, what do identity-centric attacks look like in the real world? Here’s a quick overview of two recent examples in the news: 

Capita 

In the spring of 2023, the attackers—the Black Basta ransomware gang—used a phishing email with a .zip file to compromise a user at the outsourcing giant Capita. Once inside the company’s environment, attackers used the open-source Mimikatz tool to extract Microsoft 365 credentials. They then used those credentials to disable multiple security systems on the compromised endpoint.  

The attackers were able to move around undetected and steal sensitive data for an extended period. As part of the fallout from the breach, Capita was expected to pay more than $26 million due to the loss of supplier and customer data. 

Uber 

In September 2022, an attacker affiliated with the threat actor group Lapsus$ compromised the account of an Uber contractor. The contractor had received several MFA notifications as the attacker tried to access the account—and eventually accepted one. 

After they were able to log in, the bad actor achieved privilege escalation to get access to multiple systems and resources. This included the company’s AWS environment, G Suite accounts and OneLogin. The attacker even had access to Duo for multifactor authentication, which meant they could bypass MFA for any other system they wanted to get into. 

How to mitigate and prevent identity attacks 

Security awareness education is just one part of a multipronged approach to help you protect your privileged identities and reduce the risk of identity-based attacks. You should also consider taking these critical steps: 

  • Audit privileged access management (PAM) coverage gaps. This includes taking an inventory of all privileged users (human and service accounts) in your environment.  
  • Address AD identity misconfigurations. By doing so, you can impede the progress of an attacker who tries to use a vulnerable identity to get into a domain and gain access to others.  
  • Take a proactive approach to remediating exposed credentials on endpoints. This makes it harder for bad actors to harvest credentials that can be used to move laterally or escalate privileges. 

How Proofpoint can help 

Today’s identity threat statistics are staggering, but your business doesn’t have to become one of them. With the Proofpoint Identity Threat Defense platform, you can better protect your business by continuously remediating vulnerable identities while also better detecting and responding to active threats. 

The Proofpoint Identity Threat Defense platform is made up of two primary components: 

  • Proofpoint Spotlight can help your business discover vulnerable identities and remove them before attackers find them. 
  • Proofpoint Shadow can help you stop attackers before they cause havoc by detecting and responding to active attempts at lateral movement and privilege escalation before an attacker reaches your IT crown jewels. 

To learn more about how to protect your business from identity threats, download our e-book, Identity Threat Detection and Response: Challenges and Solutions

Learn more about Proofpoint Identity Threat Defense, and how we can help you break the middle of the attack chain.  

Subscribe to the Proofpoint Blog