Identity-based attacks and the identity attack chain
Tony Goulding
Imagine your identity attack surface as a living, breathing entity with a powerful story to tell.
It might go something like this…
1. Underdog Turned Hero: IT systems are humming along. User identities and permissions are accounted for, and session monitoring keeps an eye on things.
2. Plot Twists: It's a quiet day until a cyber intruder mounts an identity-based attack using stolen credentials.
3. Battle Royale: Preventive and detective identity security controls spring into action. They outwit attackers and break the Identity Attack Chain.
4. A Triumphant Ending: No damage is done, and your business continues as usual.
This story isn’t a fairy tale. It’s an identity-based attack scenario all types of organizations face every day.
Earlier this year, for example, Change Healthcare experienced an identity-based attack. Cybercriminals used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multi-factor authentication (MFA) and successfully stole a vast amount of private healthcare data. The attack cost the company almost $900 million and had massive repercussions for healthcare providers and patients.
According to Delinea’s global survey of 1,800 IT and security decision-makers, 80% of companies worldwide experienced an identity-based attack in the past year, and 93% of victims suffered measurable losses. Clearly, the stakes are high.
Understanding how identity-based attacks work can help you prevent a cyber incident from becoming a full-scale breach. This blog walks through how cybercriminals progress along the Identity Attack Chain to achieve their goals and, at each stage, the strategies and technologies that can disrupt them.
What is an identity-based attack?
In the case of identity-based attacks, adversaries leverage enterprise identities and credentials to obtain high levels of access to sensitive data and systems. Imagine someone breaking into your house using your key. Once they’re inside, things go from bad to worse.
Identity-based attacks usually unfold as a series of incremental privilege escalations. For example, say phishing yields a low-privileged credential that is not enough to reach the attacker's goal. The attacker then uses a related technique such as Pass-the-Hash to reuse a captured credential hash and gain access to more systems. If that is still not enough, they keep chaining weaknesses until they hold Domain Administrator privileges.
Once attackers gain the highest level of privileges, they can operate undetected inside your environment, holding the keys to the kingdom.
Identity-based attacks progress in phases along what’s known as the Identity Attack Chain: the typical step-by-step process cyber criminals follow to conduct identity-based attacks. The term “attack chain” (also called the “cyber kill chain”) describes a model of the sequence of events an adversary must progress through to breach your network. The cyber kill chain dates to 2011, when Lockheed Martin adapted the military “kill chain” concept to computer network intrusions. It decomposes an attack into stages, each representing a distinct objective along the path.
In the initial stage of an identity-based attack, attackers obtain valid authentication credentials (in most cases, a username/password combination) to gain an initial foothold in your organization. Threat actors commonly obtain credentials by conducting reconnaissance on employees, allowing them to find or guess usernames and weak passwords. Social engineering techniques like phishing emails entice employees to enter their credentials into fake websites or click on links that download malware. Attackers may also harvest credentials from code repositories or buy them from initial access brokers.
Steps within this stage of the attack:
- Reconnaissance: Harvesting email addresses, conference information, etc.
- Weaponization: Coupling an exploit with a backdoor into a deliverable payload.
- Delivery: Delivering the weaponized bundle to the victim via email, web, USB, etc.
In the next stage of an identity-based attack, the criminal seeks to escalate. Credentials helped them gain initial entry. Now, they need to establish a foothold from which to operate. Commonly, they deploy malware that executes code. This gives them more visibility and more access.
For example, once they have a foothold on a workstation or server, an attacker may run a credential-dumping tool such as Mimikatz against LSASS memory and then attempt Pass-the-Hash, which presents a captured NTLM password hash to Windows in place of the password itself (unlike an offline cracker such as Hashcat, Pass-the-Hash never needs the plaintext). If other users' hashes are still in memory, say a help desk admin who logged on to that host recently, the attacker captures that hash and uses it to authenticate to additional services and escalate privileges.
Once positioned, attackers commonly deliver a weaponized payload that executes their agenda, such as malware that encrypts data for ransom. The attacker controls these actions remotely, on their own timetable.
Steps within this stage of the attack:
- Exploitation: Exploiting a vulnerability to execute code on the victim’s system.
- Installation: Installing malware on the asset.
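As an added example (not code from the original post or from Delinea), here is why Pass-the-Hash works at the protocol level. Windows stores and verifies the NT hash, MD4 of the UTF-16LE password, and the NTLMv2 challenge-response is an HMAC keyed only by that hash, so a client holding the hash produces exactly the proof a client holding the password would. The identity, password, challenge and client blob below are constructed sample values; MD4 is written out inline because `hashlib.new("md4")` is absent on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import os
import struct

# Added example, not code from the original post. MD4 is written out because
# hashlib.new("md4") is missing on many OpenSSL 3 builds.
_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, order, shifts, const in rounds:
            for i in range(16):
                r = (-i) % 4  # register updated this step cycles a, d, c, b
                x, y, z = s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4]
                s[r] = _rotl((s[r] + fn(x, y, z) + X[order[i]] + const) & _MASK, shifts[i % 4])
        state = [(v + w) & _MASK for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); no salt, no iteration, no per-user input."""
    return _md4(password.encode("utf-16le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 NTProofStr (MS-NLMP): HMAC-MD5 keyed only by the NT hash, never by the password."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()


def server_accepts(stored_nt: bytes, user: str, domain: str,
                   server_challenge: bytes, client_blob: bytes, proof: bytes) -> bool:
    """The verifier holds only the NT hash, so a client that knows the hash
    is indistinguishable from one that knows the password."""
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)


def pass_the_hash_demo() -> dict:
    user, domain = "hd-admin", "CORP"           # constructed sample identity
    password = "Summer2024!"                     # constructed; the attacker never learns it
    stored = nt_hash(password)                   # what the DC stores and what sat in LSASS
    challenge = os.urandom(8)                    # server challenge from the NTLM CHALLENGE_MESSAGE
    client_blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(8) + os.urandom(8)  # simplified client blob
    legit = ntlmv2_proof(nt_hash(password), user, domain, challenge, client_blob)
    stolen = ntlmv2_proof(stored, user, domain, challenge, client_blob)       # hash only
    return {
        "legit_accepted": server_accepts(stored, user, domain, challenge, client_blob, legit),
        "pth_accepted": server_accepts(stored, user, domain, challenge, client_blob, stolen),
        "proofs_identical": legit == stolen,
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    print(pass_the_hash_demo())
```

The practical consequence is that an NT hash is a password-equivalent: it is unsalted (two accounts with the same password share a hash), and possession of it is enough to authenticate wherever NTLM is accepted. That is why the controls later in this post matter in combination: keep privileged hashes off workstations (least privilege, separate admin accounts), shorten their lifetime (vault-driven rotation), and require a second factor so the hash alone does not open the door.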
Ultimately, adversaries steadily increase access levels through ongoing lateral movement and privilege elevation until they own the entire trust fabric (e.g., Active Directory). At that point, they have hands-on-keyboard access to do whatever they desire. Attackers want to retain their elevated position in your environment so they can come and go as they please and act on their objectives whenever they want.
Because they have elevated privileges, they can cover their tracks and can stay hidden for long periods.
Steps within this stage of the attack:
- Command and control: A command channel for remote manipulation of victims.
- Actions on objectives: With “hands on keyboard” access, intruders accomplish their original goals.
How to proactively defend against identity-based attacks
In today’s multi-cloud environment, the Identity Attack Chain becomes much more complex to disrupt, for several reasons:
- Instead of a small admin group, numerous people and systems can access data and resources and generate identities.
- A mix of different identity providers, federated apps/services, and local CSP users fragments identity monitoring and limits understanding of privileged behavior.
- Modern cloud environments have intricate permission models with thousands of possible permissions across numerous services.
- Cloud environments experience rapid shifts with new identities (especially machine identities) created constantly, and entitlements provisioned and removed at breakneck speeds.
- Misconfigured groups in identity management systems and/or cloud resources inadvertently expose risk.
To combat identity-based attacks, you need to establish identity security controls for authentication and authorization and ensure they’re working as expected. Preventive measures must interrupt the identity attack chain at every point of interaction.
- Limit privileges. The most effective thing you can do is enforce a model of least privilege. So even if an account is compromised, it has minimum rights, and you have a limited blast radius.
- Manage credentials with a secure vault. Enterprise password vaults and Privileged Access Management solutions automate the process of complex password creation, rotation, and expiration. They require complex, unique passwords for each user account and machine identity and enforce regular password changes.
- Avoid hard-coded or default credentials in code. Never embed credentials as part of your software development process; instead, replace credentials with API calls to the secure vault. Always replace default credentials in any third-party software you use or code you download from GitHub or other code repository.
- Enable Multi-Factor Authentication (MFA) at depth. Enforce MFA based on context, and not only at the network perimeter: require it for remote access, privileged logons, and privilege elevation, so that a stolen password on its own (as in the Change Healthcare attack above) does not grant access.
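The hard-coded and default credentials called out above are easy to catch before they ship if you scan source for them. The scanner below is an added example, not a tool from the original post or from Delinea: it flags AWS access key IDs, private key blocks, and literal secrets assigned to password/token-style variables, treats well-known default passwords as findings regardless of strength, and uses a placeholder list plus a Shannon-entropy floor to avoid flagging `changeme`-style dummies. The source file it scans is constructed for the example; the rule names and thresholds are assumptions you would tune.

```python
import math
import re
from collections import Counter

# Added example, not from the original post: a minimal scanner for credentials
# committed to source, with default, placeholder and entropy filters.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["']([^"']{6,})["']"""),
}
DEFAULT_CREDENTIALS = {"password", "admin", "root", "123456", "admin123", "letmein"}
PLACEHOLDERS = {"changeme", "<password>", "xxxxxxxx", "your_password_here", "example"}

# Constructed sample source file (not real code); every line is chosen to hit one branch.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "Tr0ub4dor&3-prod"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SERVICE_PASSWORD = "password"
ADMIN_PASSWORD = "changeme"
api_token = os.environ["API_TOKEN"]
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words and placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Return one finding per matched line: {"line", "rule", "value"}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "assigned_secret":
                low = value.lower()
                if low in DEFAULT_CREDENTIALS:
                    rule = "default_credential"   # a default is a finding regardless of entropy
                elif low in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                    continue                        # placeholder or dictionary word: noise
            findings.append({"line": lineno, "rule": rule, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} -> {f['value']}")
```

Line 7 of the sample is the shape you want everywhere: the secret arrives at runtime (from an environment variable injected by the vault, or a direct vault API call) and never appears as a literal, so the scanner has nothing to find. Run a scanner like this as a pre-commit hook and in CI so a credential is rejected before it reaches a repository an attacker can harvest.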
How to stop an identity-based attack in progress
What if you haven't closed every door, every vector of attack? What if you do get compromised?
In any attack you are racing to reduce dwell time: the time between the attacker's initial foothold and the completion of their objective, when they walk away with your crown jewels. The shorter the dwell time, the lower the risk that you are fully compromised. You reduce dwell time, and can thwart an identity-based attack, by reacting quickly.
Detection of unusual behavior that is an indicator of compromise gives you the intelligence and context you need to investigate.
Session monitoring and recording solutions help you spot anomalous credential use and unauthorized access attempts. Identity Threat Detection and Response (ITDR) solutions provide your incident response team and Security Operations Center (SOC) with the context to investigate suspicious credential activity and interrupt attacks before they cause widespread damage. Augmenting monitoring and threat detection with Artificial Intelligence (AI) can help identify patterns that escape humans and speed up the process so you can discover incidents faster and reduce dwell time.
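What "unusual behavior that is an indicator of compromise" looks like for the Pass-the-Hash scenario from the escalation stage above: as an added example (not code from the original post or from Delinea), the detector below runs two rules over Windows Security 4624 logon events. The first flags a NewCredentials logon (logon type 9, logon process `seclogo`, package `Negotiate`), the commonly documented footprint of credential injection on the foothold host, which `runas /netonly` also produces, so it is a triage lead rather than proof. The second flags one account reaching several distinct hosts over NTLM from one source address inside a short window, the fan-out shape of lateral movement with a stolen hash. The events, hostnames, accounts and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original post. Constructed sample events carrying the
# Windows Security 4624 fields the rules need; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS-117", "id": 4624, "logon_type": 2,
     "auth_pkg": "Kerberos", "logon_proc": "User32", "user": "CORP\\jdoe", "src_ip": "-"},
    # NewCredentials logon on the foothold host: runas /netonly and hash-injection tools both produce it
    {"ts": "2024-05-01T09:12:30", "host": "WS-117", "id": 4624, "logon_type": 9,
     "auth_pkg": "Negotiate", "logon_proc": "seclogo", "user": "CORP\\jdoe", "src_ip": "::1"},
    # the stolen help-desk hash then fans out over NTLM from that workstation
    {"ts": "2024-05-01T09:13:05", "host": "FS-01", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "CORP\\hd-admin", "src_ip": "10.0.5.117"},
    {"ts": "2024-05-01T09:13:41", "host": "FS-02", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "CORP\\hd-admin", "src_ip": "10.0.5.117"},
    {"ts": "2024-05-01T09:15:12", "host": "SQL-01", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "CORP\\hd-admin", "src_ip": "10.0.5.117"},
    {"ts": "2024-05-01T09:18:59", "host": "DC-01", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "CORP\\hd-admin", "src_ip": "10.0.5.117"},
    # a service account touching one server over NTLM is routine and must not alert
    {"ts": "2024-05-01T09:20:00", "host": "FS-01", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "CORP\\svc-backup", "src_ip": "10.0.9.20"},
]


def detect(events, fan_out_threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts; each is a dict with a "rule" key plus the context an analyst needs."""
    alerts = []
    ntlm_by_actor = defaultdict(list)
    for e in events:
        if e["id"] != 4624:
            continue
        # Rule 1: NewCredentials logon via seclogo/Negotiate. Legitimate admins use
        # runas /netonly too, so this is a lead to investigate, not proof of compromise.
        if e["logon_type"] == 9 and e["logon_proc"].lower() == "seclogo" and e["auth_pkg"] == "Negotiate":
            alerts.append({"rule": "newcredentials_logon", "host": e["host"],
                           "user": e["user"], "ts": e["ts"]})
        if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM":
            ntlm_by_actor[(e["user"], e["src_ip"])].append((datetime.fromisoformat(e["ts"]), e["host"]))
    # Rule 2: one account reaching many distinct hosts over NTLM from one source
    # within the window is the lateral-movement shape of Pass-the-Hash.
    for (user, src_ip), hits in ntlm_by_actor.items():
        hits.sort()
        for t0, _ in hits:
            hosts = sorted({h for t, h in hits if t0 <= t <= t0 + window})
            if len(hosts) >= fan_out_threshold:
                alerts.append({"rule": "ntlm_lateral_fan_out", "user": user,
                               "src_ip": src_ip, "hosts": hosts})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Both rules need the 4624 events from workstations and member servers, not just domain controllers, which is exactly the telemetry gap that lets an intruder dwell for months. Correlating the two (an injected logon on `WS-117` followed minutes later by NTLM fan-out from `WS-117`'s address under a privileged account) is the kind of context an ITDR or SOC workflow should surface in one alert so the session can be terminated and the account's credentials rotated while the attacker is still moving.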
Learn more about the Identity Attack Chain
Download your copy of Understanding the Attack Chain to Protect Your Network. Here's what you’ll find inside and why it matters to you:
- Insight into the attacker’s mind: From initial reconnaissance to weaponization and delivery, know the latest tactics attackers are using.
- Tactics to stay ahead: Learn which identity security controls to implement proactively for a robust defense.
- Strategies to maximize cyber resilience: See how you can contain attacks in progress before they cause damage.