Identity-based attacks

It's easy to understand why today's cybercriminals are so focused on exploiting identities as a key step in their attacks. Once they have access to a user's valid credentials, they don't have to worry about finding creative ways to break into an environment. They are already in.

Exploiting identities requires legwork and persistence to be successful. But in many ways this tactic is simpler than exploiting technical vulnerabilities. In the long run, a focus on turning valid identities into action can save bad actors a lot of time, energy and resources. Clearly, it's become a favored approach for many attackers. In the past year, 84% of companies experienced an identity-related security breach.

To defend against identity-based attacks, we must understand how bad actors target the authentication and authorization mechanisms that companies use to manage and control access to their resources. In this blog post, we will describe several forms of identity-based attacks and methods and offer an overview of some security controls that can help keep identity theft attacks at bay.

Types of identity-based attacks and methods

Below are eight identity threat examples and related strategies. This is not an exhaustive list and, of course, cybercriminals are always evolving their techniques. But this list does provide a solid overview of the most common types of identity threats.

1. Credential stuffing

Credential stuffing is a type of brute-force attack. Attackers feed pairs of compromised usernames and passwords to botnets that automate the process of trying those credentials on many different websites at the same time. The goal is to identify account combinations that work and can be reused across multiple sites.

Credential stuffing is a common identity-based attack technique, in particular against widely used web applications. When bad actors find a winning pair, they can steal from and disrupt many places at once. Unfortunately, this strategy is highly effective because users often reuse the same password across multiple websites.

2. Password spraying

Another brute-force identity attack method is password spraying. A bad actor uses this approach to attempt to gain unauthorized access to user accounts by systematically trying commonly used passwords against many usernames.

Password spraying isn't a traditional brute-force attack, where an attacker tries many passwords against a single account. It is a more subtle and stealthy approach that aims to avoid account lockouts. Here's how this identity-based attack usually unfolds:

- The attacker gathers a list of usernames through public information sources, leaked databases, reconnaissance activities, the dark web and other means.
- They then select a small set of commonly used or easily guessable passwords.
- Next, the attacker tries each of the selected passwords against a large number of user accounts until they find success.

Password spraying is designed to fly under the radar of traditional security detection systems. These systems may not flag the attack because the number of failed login attempts per user stays low. Services that do not implement account lockout policies, or that have weak password policies, are at risk from password spraying attacks.
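Both of the brute-force patterns above leave a signature in an authentication log, but not the one a per-account lockout rule looks for: spraying shows up as one source failing against many accounts a couple of times each, while credential stuffing shows up as a short burst of mostly failed attempts against many accounts from many source addresses. The following Python is an added example (not code from the original post) that parses a constructed log of the hypothetical shape `<timestamp> src=<ip> user=<name> result=OK|FAIL` and applies both heuristics; the thresholds and the log format are assumptions to be tuned to a real environment.

```python
"""Heuristics for spotting password spraying and credential stuffing in an
authentication log. The log lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape (hypothetical format, not any vendor's):
#   <ISO-8601 UTC timestamp> src=<ip> user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Turn raw lines into dicts; lines that do not match the shape are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_password_spray(events, min_users=8, max_fails_per_user=2):
    """Sources that fail against many distinct accounts with few tries each.

    Spraying stays under the lockout threshold, so per-account failure counts
    are low; the tell is the breadth of accounts tried from one source.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    hits = defaultdict(set)                         # src -> users that then logged in
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            if e["src"] in fails:                   # success after failures from same source
                hits[e["src"]].add(e["user"])
        else:
            fails[e["src"]][e["user"]] += 1
    findings = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
            findings[src] = {"users_tried": len(per_user), "compromised": sorted(hits[src])}
    return findings


def detect_credential_stuffing(events, min_users=10, min_sources=5,
                               window=timedelta(minutes=10), min_fail_ratio=0.7):
    """The densest burst in which many accounts are tried from many sources.

    Stuffing replays leaked username/password pairs through a botnet, so
    attempts are spread over many addresses, mostly fail, and touch many
    different accounts in a short time. Returns None if no burst qualifies.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    best = None
    for i, start in enumerate(ordered):
        burst = [e for e in ordered[i:] if e["ts"] - start["ts"] <= window]
        users = {e["user"] for e in burst}
        sources = {e["src"] for e in burst}
        fail_ratio = sum(not e["ok"] for e in burst) / len(burst)
        if len(users) >= min_users and len(sources) >= min_sources and fail_ratio >= min_fail_ratio:
            cand = {
                "start": start["ts"].isoformat(),
                "users": len(users),
                "sources": len(sources),
                "compromised": sorted(e["user"] for e in burst if e["ok"]),
            }
            if best is None or cand["users"] > best["users"]:
                best = cand
    return best


def sample_log():
    """Constructed log: a clumsy but legitimate user, one spray, one stuffing run."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=s)).isoformat()}Z src=192.0.2.5 user=bob result={r}"
             for s, r in ((0, "FAIL"), (20, "FAIL"), (40, "OK"))]
    for i in range(12):   # one source, twelve accounts, one guess each, one hit
        t = base + timedelta(minutes=30, seconds=15 * i)
        lines.append(f"{t.isoformat()}Z src=203.0.113.7 user=user{i:02d} "
                     f"result={'OK' if i == 7 else 'FAIL'}")
    for i in range(12):   # twelve sources, each replaying one leaked pair, two hits
        t = base + timedelta(hours=2, seconds=5 * i)
        lines.append(f"{t.isoformat()}Z src=198.51.100.{10 + i} user=leak{i:02d} "
                     f"result={'OK' if i in (3, 9) else 'FAIL'}")
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_auth_log(sample_log())
    print("spray:", detect_password_spray(ev))
    print("stuffing:", detect_credential_stuffing(ev))
```

The two detectors deliberately key on different dimensions: the spray rule groups by source and asks how wide it went, the stuffing rule slides a time window and asks how many sources and accounts were involved, so a single botnet node that behaves like a sprayer is caught by the first rule and a distributed replay by the second. The legitimate user who mistypes twice trips neither.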

3. Phishing

Here's a classic and very effective identity-based attack that's been around since the mid-1990s. Attackers use social engineering and phishing to target users through email, text messages, phone calls and other forms of communication. The aim of a phishing attack is to trick users into taking the attacker's desired action. That can include providing system login credentials, revealing financial data, installing malware or sharing other sensitive data.

Phishing attack methods have become more sophisticated over the years, but they still rely on social engineering to be effective.

4. Social engineering

Social engineering is more of an ingredient in an identity attack. It's all about the deception and manipulation of users, and it's a feature in many types of cyberattacks, not just email phishing.

It is generally accepted that humans are the weakest link in cybersecurity. And social engineering is a strategy meant to take advantage of a targeted user's inability to understand or resist an attack. In a social engineering-based threat, an attacker will use human emotion, like fear, urgency or greed, to trick the target into performing an action, such as disclosing their credentials or sending money.

5. Adversary-in-the-middle (AiTM)

AiTM (formerly man-in-the-middle) is a type of digital eavesdropping and theft where an attacker intercepts data from a sender to the recipient, and then from the recipient back to the sender. The attacker's device sits somewhere between the sender and recipient. It relays messages silently, unbeknownst to either party. While both sides of the communication believe they are dealing with a legitimate party, the fact is that the cybercriminal is operating in the middle.

Through this type of identity attack, attackers can take over the entire authenticated session, obtain passwords, bypass MFA, steal intellectual property, private messages and more. And in advanced AiTM attacks, attackers might go so far as to install malware on a user's device without their knowledge or involvement.

6. Kerberoasting

While its name evokes some type of cozy fireside activity, Kerberoasting is far from fun for those who are targeted. Kerberoasting takes advantage of Microsoft's Kerberos authentication, a process through which users and services authenticate themselves on a network. Bad actors attempt to crack (or kerberoast) the passwords of service accounts within Microsoft Active Directory (AD) environments.

When a user requests access to a service like a web application, that request results in a service ticket that is encrypted with a key derived from the service account's password. In a Kerberoasting attack, bad actors target these encrypted service tickets and attempt to crack the underlying password using various techniques. If they succeed, they could then use their access to the service account to steal sensitive data, manipulate services or move laterally within the network, depending on the account's privileges.
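Because every service ticket is issued by a domain controller, the request that starts a Kerberoasting attack is logged there as Windows Security event 4769 ("A Kerberos service ticket was requested"). What distinguishes a roast from normal traffic is one account collecting tickets for many distinct user-owned service accounts in a short time, typically asking for the RC4 encryption type (TicketEncryptionType 0x17) because those crack far faster than AES. The Python below is an added example, not code from the original post: it runs that heuristic over constructed 4769 records whose field names follow the Windows event schema; the values, thresholds and window are assumptions.

```python
"""Kerberoasting detection over Windows Security event 4769 ("A Kerberos
service ticket was requested"). Events below are constructed for this example;
field names follow the 4769 event schema, the values are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC, the crackable legacy type


def is_roastable(service_name):
    """Computer accounts ("HOST01$") and krbtgt have long random keys, so a
    burst of tickets for them is noise; user-owned service accounts are the
    realistic targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, min_services=5, window=timedelta(minutes=5), weak_only=True):
    """Accounts that obtained tickets for many distinct roastable services
    within one window. With weak_only=True only RC4 tickets count, which is
    the classic tell; set it False to also catch bursts of AES tickets in a
    domain where RC4 is already disabled."""
    by_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue                                   # only successful TGS requests
        if weak_only and e["TicketEncryptionType"] != RC4_HMAC:
            continue
        if not is_roastable(e["ServiceName"]):
            continue
        by_requester[e["TargetUserName"]].append(
            (e["TimeCreated"], e["ServiceName"], e["IpAddress"]))
    findings = {}
    for user, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _, _) in enumerate(reqs):        # slide a window over the requests
            in_win = [r for r in reqs[i:] if r[0] - t0 <= window]
            services = sorted({r[1] for r in in_win})
            if len(services) >= min_services:
                findings[user] = {
                    "start": t0,
                    "services": services,
                    "sources": sorted({r[2] for r in in_win}),
                }
                break
    return findings


def sample_events():
    """Constructed DC events: routine AES tickets for alice, one RC4 ticket for
    a legacy app, and a burst of RC4 tickets for six service accounts from jdoe."""
    t = datetime(2024, 5, 1, 10, 0, 0)

    def ev(minute, who, svc, etype, ip):
        return {"EventID": 4769, "TimeCreated": t + timedelta(minutes=minute),
                "TargetUserName": who, "ServiceName": svc,
                "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": ip}

    events = [ev(0, "alice", "FILESRV01$", "0x12", "10.0.0.5"),
              ev(45, "alice", "svc_web", "0x12", "10.0.0.5"),
              ev(3, "legacyapp", "svc_sql", RC4_HMAC, "10.0.0.40")]
    roast = ["svc_sql", "svc_web", "svc_backup", "svc_sharepoint", "svc_report",
             "svc_legacy", "FILESRV01$", "krbtgt"]
    events += [ev(20 + i * 0.1, "jdoe", s, RC4_HMAC, "10.0.0.23") for i, s in enumerate(roast)]
    return events


if __name__ == "__main__":
    for who, info in detect_kerberoasting(sample_events()).items():
        print(who, info["start"], info["services"], info["sources"])
```

The single RC4 ticket for the legacy application is not flagged, which is the point of counting distinct services rather than RC4 tickets in isolation; a domain that still has RC4-dependent applications will otherwise drown the detection in noise. Tightening `min_services` or the window trades missed slow roasts for fewer false positives.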

7. Silver ticket

In these attacks, bad actors use stolen credentials to create a forged authentication ticket. More specifically, they create forged Kerberos Ticket Granting Service tickets, or TGS tickets. These encrypted and forged tickets appear authentic to a targeted service. Once inside the service, they can impersonate another user, access resources and potentially escalate privileges. (They can also move on to create a golden ticket, as explained below.)

Unlike other identity-based attacks that involve the Kerberos protocol, silver ticket attacks do not involve interaction with the central authentication service, the Key Distribution Center (KDC). This makes it harder to detect suspicious activity at the authentication source.

8. Golden ticket

This ticket won't get you into Willy Wonka's Chocolate Factory (unless the factory is vulnerable to this type of attack). But it can help bad actors gain sweeping access to a company's domain by accessing user data stored in Active Directory. Like Kerberoasting and silver ticket identity attacks, the golden ticket approach seizes on weaknesses in the Kerberos protocol. It allows attackers to bypass normal authentication.

In a golden ticket attack, attackers forge Kerberos tickets known as Ticket Granting Tickets, or TGTs. Critical steps in this process include gaining access to the krbtgt account's NTLM hash, which is used to encrypt TGTs. (The krbtgt account is a default account that exists in all AD domains.) The NTLM hash is a sensitive credential held by the domain controller and used to create valid TGTs.

A golden ticket truly is worth its weight in gold to attackers. It contains the identity information of a fictional user with arbitrary privileges and provides long-term access. Once the attacker has this ticket, they can present it to the KDC for authentication without the need to compromise actual user credentials. And golden ticket identity attacks give bad actors a way to maintain unauthorized access to a network even if legitimate user passwords are changed.
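The two ticket-forgery attacks leave opposite gaps in the logs, and that is where a defender can look. A silver ticket never touches the KDC, so the host that accepted it records a Kerberos network logon (event 4624, logon type 3) that no domain controller ever issued a service ticket (event 4769) for. A golden ticket does go to the KDC, and since it can carry any name at all, the KDC ends up logging ticket requests for a principal that does not exist in the directory. The Python below is an added example, not code from the original post, implementing both checks over constructed events whose field names follow the Windows schema; the account list, host names and lookback window are assumptions, and the silver-ticket check covers tickets for host services (CIFS/HOST), whose 4769 ServiceName is the computer account.

```python
"""Two Kerberos ticket-forgery tells, over constructed Windows events.

Golden ticket: the forged TGT can name any principal, so the KDC logs ticket
activity (event 4769) for an account that does not exist in Active Directory.

Silver ticket: the forged service ticket never touches the KDC, so a host
records a Kerberos network logon (event 4624, logon type 3) for which no
domain controller issued a matching service ticket (4769) beforehand.
Event field names follow the Windows schema; all values are made up."""
from datetime import datetime, timedelta


def find_unknown_principals(dc_events, known_accounts):
    """Account names seen in 4769 events that are absent from the directory."""
    known = {a.lower() for a in known_accounts}
    return sorted({e["TargetUserName"] for e in dc_events
                   if e["EventID"] == 4769 and e["TargetUserName"].lower() not in known})


def find_logons_without_tgs(host_events, dc_events, lookback=timedelta(hours=1)):
    """Kerberos network logons on a host with no preceding 4769 at the DC for
    that user and that host's computer account."""
    issued = [(e["TimeCreated"], e["TargetUserName"].lower(), e["ServiceName"].lower())
              for e in dc_events if e["EventID"] == 4769]
    suspicious = []
    for h in host_events:
        if (h["EventID"] != 4624 or h["LogonType"] != 3
                or h["AuthenticationPackageName"] != "Kerberos"):
            continue
        user = h["TargetUserName"].lower()
        host_acct = h["Computer"].split(".")[0].lower() + "$"   # FILESRV01.corp.example -> filesrv01$
        backed = any(u == user and s == host_acct
                     and timedelta(0) <= h["TimeCreated"] - t <= lookback
                     for t, u, s in issued)
        if not backed:
            suspicious.append((h["Computer"], h["TargetUserName"]))
    return suspicious


KNOWN_ACCOUNTS = {"alice", "bob", "svc_web", "admin01"}   # constructed directory snapshot


def sample_dc_events():
    """Constructed domain controller events (one legitimate TGS, one for a name AD has never seen)."""
    t = datetime(2024, 5, 1, 10, 0, 0)
    return [
        {"EventID": 4769, "TimeCreated": t, "TargetUserName": "alice", "ServiceName": "FILESRV01$"},
        {"EventID": 4769, "TimeCreated": t + timedelta(minutes=5), "TargetUserName": "ghostadmin",
         "ServiceName": "DC01$"},
        {"EventID": 4768, "TimeCreated": t + timedelta(minutes=6), "TargetUserName": "bob",
         "ServiceName": "krbtgt"},
    ]


def sample_host_events():
    """Constructed logon events from the file server."""
    t = datetime(2024, 5, 1, 10, 0, 0)

    def logon(minute, user, ltype, pkg):
        return {"EventID": 4624, "TimeCreated": t + timedelta(minutes=minute),
                "Computer": "FILESRV01.corp.example", "TargetUserName": user,
                "LogonType": ltype, "AuthenticationPackageName": pkg}

    return [logon(0.5, "alice", 3, "Kerberos"),    # backed by the 4769 above
            logon(10, "bob", 3, "Kerberos"),       # no service ticket was ever issued
            logon(12, "admin01", 2, "Negotiate")]  # interactive logon, out of scope


if __name__ == "__main__":
    print("unknown principals:", find_unknown_principals(sample_dc_events(), KNOWN_ACCOUNTS))
    print("logons without TGS:", find_logons_without_tgs(sample_host_events(), sample_dc_events()))
```

The silver-ticket correlation only works if host logon events and domain controller events land in the same place with clocks in sync, which is exactly why the post recommends centrally monitoring and analyzing authentication events. The lookback should be at least the domain's maximum service ticket lifetime, since a legitimately cached ticket can be reused for hours after the 4769 was written.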

Identity attack prevention techniques

So, you're probably wondering what you can do to help prevent these types of identity-based attacks. There are multiple security controls that will help. Here are some examples:

Implement multifactor authentication (MFA)

This is a powerful defense measure against identity attacks. MFA makes it much harder for attackers to turn a cracked or stolen password into access by adding an extra layer of security, like one-time tokens or biometrics, beyond just a username and password. Even if an attacker steals a user's password, they still won't have access to the secondary authentication method, in most cases.

Keep in mind, though, that crafty bad actors have been turning to other methods, like MFA fatigue attacks, to bypass MFA, and they are finding success. MFA is important, but not sufficient to stop even moderately sophisticated attackers.
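An MFA fatigue attack is visible in the identity provider's push-notification log as something normal use never produces: a run of prompts to one user in a few minutes, most of them denied or left to time out, sometimes ending in an approval. The Python below is an added example, not code from the original post or any identity provider's tooling; it assumes a hypothetical record shape of `(timestamp, user, result)` with results `approved`, `denied` or `timeout`, and its thresholds are assumptions.

```python
"""MFA fatigue (push bombing) detection over a constructed push-notification log.
Assumed record shape (hypothetical, not any IdP's format):
    (timestamp, user, result) with result in {"approved", "denied", "timeout"}."""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_mfa_fatigue(prompts, min_prompts=5, window=timedelta(minutes=15)):
    """Users who received min_prompts or more push prompts inside `window`.

    Normal use is one prompt per login; a run of prompts the user keeps
    denying or ignoring is the attacker pushing until the user gives in, so
    the finding also records whether an approval landed inside the burst,
    which is the case that needs an immediate session revocation.
    """
    by_user = defaultdict(list)
    for ts, user, result in prompts:
        by_user[user].append((ts, result))
    findings = {}
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):          # slide a window over the prompts
            burst = [r for t, r in items[i:] if t - t0 <= window]
            if len(burst) >= min_prompts:
                findings[user] = {
                    "prompts": len(burst),
                    "rejected": sum(r != "approved" for r in burst),
                    "approved_in_burst": "approved" in burst,
                }
                break
    return findings


def sample_prompts():
    """Constructed log: dave logs in twice normally; carol is bombed with eight
    prompts in six minutes and finally taps approve."""
    t = datetime(2024, 5, 1, 8, 0, 0)
    log = [(t, "dave", "approved"), (t + timedelta(hours=3), "dave", "approved")]
    results = ["denied", "timeout", "denied", "denied", "timeout", "denied", "denied", "approved"]
    log += [(t + timedelta(minutes=30 + i * 0.75), "carol", r) for i, r in enumerate(results)]
    return log


if __name__ == "__main__":
    print(detect_mfa_fatigue(sample_prompts()))
```

A finding with `approved_in_burst` set is the one to treat as a probable compromise rather than a nuisance, since the user most likely accepted a prompt they did not initiate. Number matching or a push-less factor removes the attack class entirely; the detection is for the period before that migration is complete.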

Strengthen authentication protocols

Enhance your authentication protocols to prevent Kerberoasting, silver ticket and golden ticket attacks. In addition to using MFA, some of the many strategies you can employ include:

- Rotating encryption keys regularly
- Enforcing strong password policies
- Reducing the maximum lifetime of tickets
- Instituting account lockout policies
- Monitoring and analyzing authentication events
- Conducting regular security audits
- Securing krbtgt accounts more aggressively
- Updating and patching systems
- Following the principle of least privilege (PoLP)

Provide targeted cybersecurity awareness training to users

The human element plays a vital role in the success of identity-based attacks. So, help turn your users into better defenders. After all, they are on the front line when it comes to many identity threats.

With targeted security awareness training, your users can learn to spot phishing attacks, find out how to resist social engineering tactics, and become your strongest identity attack prevention strategy.

Equally important, you can use training to instruct your users on how to report suspicious activity. You can also emphasize the need to move fast if they think they've been tricked by an attacker. Every second counts when identity-based attacks are in motion and bad actors have found a way to breach your AD and other critical services, systems and applications.
