It’s easy to understand why today’s cybercriminals are so focused on exploiting identities as a key step in their attacks. Once they have access to a user’s valid credentials, they don’t have to worry about finding creative ways to break into an environment. They are already in.
Exploiting identities requires legwork and persistence to be successful. But in many ways this tactic is simpler than exploiting technical vulnerabilities. In the long run, a focus on turning valid identities into action can save bad actors a lot of time, energy and resources. Clearly, it’s become a favored approach for many attackers. In the past year, 84% of companies experienced an identity-related security breach.
To defend against identity-based attacks, we must understand how bad actors target the authentication and authorization mechanisms that companies use to manage and control access to their resources. In this blog post, we will describe several forms of identity-based attacks and methods and offer an overview of some security controls that can help keep identity attacks at bay.
Types of identity-based attacks and methods
Below are eight examples of identity attacks and related strategies. This is not an exhaustive list and, of course, cybercriminals are always evolving their techniques. But this list does provide a solid overview of the most common types of identity threats.
1. Credential stuffing
Credential stuffing is a type of brute-force attack. Attackers add pairs of compromised usernames and passwords to botnets that automate the process of trying to use the credentials on many different websites at the same time. The goal is to identify account combinations that work and can be reused across multiple sites.
Credential stuffing is a common identity attack technique, in particular for widely used web applications. When bad actors find a winning pair, they can steal from and disrupt many places at once. Unfortunately, this strategy is highly effective because users often use the same passwords across multiple websites.
2. Password spraying
Another brute-force identity attack method is password spraying. A bad actor will use this approach to attempt to gain unauthorized access to user accounts by systematically trying commonly used passwords against many usernames.
Password spraying isn’t a traditional brute-force attack where an attacker attempts to use many passwords against a single account. It is a more subtle and stealthy approach that aims to avoid account lockouts. Here’s how this identity attack usually unfolds:
- The attacker gathers a list of usernames through public information sources, leaked databases, reconnaissance activities, the dark web and other means.
- They then select a small set of commonly used or easily guessable passwords.
- Next, the attacker tries each of the selected passwords against a large number of user accounts until they find success.
Password spraying is designed to fly under the radar of traditional security detection systems. These systems may not flag these identity-based attacks due to the low number of failed login attempts per user. Services that do not implement account lockout policies or have weak password policies are at risk for password spraying attacks.
Here’s a classic and very effective tactic that’s been around since the mid-1990s. Attackers use social engineering and phishing to target users through email, text messages, phone calls and other forms of communication. The aim of a phishing attack is to trick users into falling for the attacker’s desired action. That can include providing system login credentials, revealing financial data, installing malware or sharing other sensitive data.
Phishing attack methods have become more sophisticated over the years, but they still rely on social engineering to be effective.
4. Social engineering
Social engineering is more of an ingredient in an identity attack. It’s all about the deception and manipulation of users, and it’s a feature in many types of cyberattacks, not just email phishing.
It is generally accepted that humans are the weakest link in cybersecurity. And social engineering is a strategy meant to take advantage of a targeted user’s inability to understand or resist an attack. In a social engineering-based threat, an attacker will use human emotion—like fear, urgency or greed—to trick the target into performing an action, such as disclosing their credentials or sending money.
5. Adversary-in-the-middle (AiTM)
AiTM (formerly man-in-the-middle) is a type of digital eavesdropping and theft where an attacker intercepts data from a sender to the recipient, and then from the recipient back to the sender. The attacker’s device sits somewhere between the sender and recipient. It relays messages silently, unbeknownst to either party. While both sides of the communication believe they are dealing with a legitimate party, the fact is that the cybercriminal is operating in the middle.
Through this technique, attackers can take over the entire authenticated session, obtain passwords, bypass MFA, steal intellectual property, private messages and more. And in advanced AiTM attacks, attackers might go so far as to install malware on a user’s device without their knowledge or involvement.
While its name evokes some type of cozy fireside activity, Kerberoasting is far from fun for those who are targeted. Kerberoasting takes advantage of Microsoft’s Kerberos authentication, a process through which users and services authenticate themselves on a network. Bad actors attempt to crack (or kerberoast) the passwords of service accounts within Microsoft Active Directory (AD) environments.
When a user requests access to a service like a web application, that request results in a service ticket that is encrypted with a key derived from the service account’s password. In a Kerberoasting attack, bad actors target these encrypted service tickets and attempt to crack the underlying password using various techniques. If they succeed, they could then use their access to the service account to steal sensitive data, manipulate services or move laterally within the network, depending on the account’s privileges.
7. Silver ticket
In these attacks, bad actors use stolen credentials to create a forged authentication ticket. More specifically, they create forged Kerberos Ticket Granting Service tickets or TGS. These encrypted and forged tickets appear authentic to a targeted service. Once inside the service, they can impersonate another user, access resources and potentially escalate privileges. (They can also move on to create a golden ticket, as explained below.)
Unlike other identity-based attacks that involve the Kerberos protocol, silver ticket attacks do not involve interaction with the central authentication service or Key Distribution Center (KDC). This makes it harder to detect suspicious activity at the authentication source.
8. Golden ticket
This ticket won’t get you into Willy Wonka’s Chocolate Factory (unless the factory is vulnerable to this type of attack). But it can help bad actors gain sweeping access to a company’s domain by accessing user data stored in Active Directory. Like Kerberoasting and silver ticket identity attacks, the golden ticket approach seizes on weaknesses in the Kerberos protocol. It allows attackers to bypass normal authentication.
In a golden ticket attack, attackers forge Kerberos tickets known as Ticket Granting Tickets, or TGTs. Critical steps in this process include gaining access to the krbtgt account’s NTLM hash, which is used to encrypt TGTs. (The krbtgt account is a default account that exists in all AD domains.) The NTLM hash is a sensitive credential held by the domain controller and used to create valid TGTs.
A golden ticket truly is worth its weight in gold to attackers. It contains the identity information of a fictional user with arbitrary privileges as well as provides long-term access. Once the attacker has this ticket, they can present it to the KDC for authentication without the need to compromise actual user credentials. And golden ticket identity attacks give bad actors a way to maintain unauthorized access to a network even if legitimate user passwords are changed.
Prevention techniques to avoid identity attacks
So, you’re probably wondering what you can do to help prevent these types of identity-based attacks. There are multiple security controls that will help. Here are some examples:
Implement multifactor authentication (MFA)
This is a powerful defense measure against identity attacks. MFA makes password cracking much harder for attackers by adding an extra layer of security, like one-time tokens or biometrics, beyond just using a username and password. Even if an attacker steals a user’s password, they still won’t have access to the secondary authentication method, in most cases.
Keep in mind, though, that crafty bad actors have been turning to other methods, like MFA fatigue attacks, to bypass MFA—and they are finding success. MFA is important, but not sufficient to stop even moderately sophisticated attackers.
Strengthen authentication protocols
Enhance your authentication protocols to prevent Kerberoasting, silver ticket and golden ticket attacks. In addition to using MFA, some of the many strategies you can employ include:
- Rotating encryption keys regularly
- Enforcing strong password policies
- Reducing the maximum lifetime of tickets
- Instituting account lockout policies
- Monitoring and analyzing authentication events
- Conducting regular security audits
- Securing krbtgt accounts more aggressively
- Updating and patching systems
- Following the principle of least privilege (PoLP)
Provide targeted cybersecurity awareness training to users
The human element plays a vital role in the success of identity-based attacks. So, help turn your users into better defenders. After all, they are on the front line when it comes to many identity threats.
With targeted security awareness training, your users can learn to spot phishing attacks and find out how to resist social engineering tactics.
Equally important, you can use training to instruct your users on how to report suspicious activity. You can also emphasize the need to move fast if they think they’ve been tricked by an attacker. Every second counts when identity-based attacks are in motion and bad actors have found a way to breach your AD and other critical services, systems and applications.
How Proofpoint can help you counter the risk of identity threats—and stop identity attacks
Identity-based attacks are a go-to strategy for many cybercriminals today. Given the high rate of their success, that’s unlikely to change. But using the techniques outlined above can go a long way toward helping you to strengthen your defenses.
Proofpoint Identity Threat Defense is another measure to consider. It is a recent product innovation in a security space referred to by Gartner as identity threat detection and response (ITDR). Proofpoint can help you discover identity vulnerabilities and detect and respond to attacks in real time with automated remediation and responses. The Proofpoint Identity Threat Defense platform includes:
Proofpoint Spotlight, which can help you to discover and remediate identity vulnerabilities on endpoints and in your identity repositories
Proofpoint Shadow, which can help you detect and stop attackers before they know that you’re onto them
If you’d like to learn more about how your business can counter the risk of identity threats, download our e-book, Identity Threat Detection and Response: Challenges and Solutions.
Subscribe to the Proofpoint Blog