The dark side of identity theft: how hackers obtain the keys to your kingdom
Identity theft is becoming a growing trend in the digital world
The latest growing trend in the digital landscape is identity theft. Cybercriminals now realize it’s more efficient, effective, and cheaper to steal IDs and passwords rather than trying to penetrate technical security controls.
Once they have siphoned the access credentials from a single employee, they move laterally, stealing even more credentials, escalating privilege, and compromising servers and endpoints to download sensitive organizational data. This allows an attacker to turn one compromised identity into an organization-wide data breach or ransomware incident.
Privileged identities are the keys to the kingdom, which attackers can exploit to steal a business’s most valuable assets. Unfortunately, with these attacks being so hard to detect, most organizations are unaware of the actual risk.
Security teams need to re-evaluate the detection tools they use to spot compromised users and lateral movements across environments before extensive damage is done.
Emails as the key
Threat actors recognize that many staff members have access to their organization's most critical data and that it's relatively easy to trick them into taking action that could jeopardize the security of such information. Most of these attacks can start with a simple email.
Email-based attacks continue to dominate the threat landscape globally and in the UK. Proofpoint's 2023 State of the Phish report revealed that 91% of UK organizations experienced an attempted phishing attack in 2022, which was successful in some form. Of these successful attacks, 43% resulted in credential theft and account compromise, where employees invertedly exposed their credentials, giving threat actors access to sensitive data and their business accounts.
Many of today's attacks count on compromised identities, including ransomware. Proofpoint data shows that 82% of UK organizations experienced an attempted email-based ransomware attack in the past year, with 62% suffering a successful infection. Additionally, 85% of UK organizations reported they have experienced data loss due to an insider's action in 2022.
Email security is critical. Organizations can block most targeted attacks before they reach employees through a technical combination of email gateway rules, advanced threat analysis, email authentication, and visibility into cloud applications. Despite this, we should look at the entire attack chain as part of an effective threat protection strategy, encapsulating the threats people and their identities continuously face.
Locking the door on attacks
Threat actors tend to rely on the same technique – such as targeting employees with an email to gain a foothold into an organization and moving laterally to obtain as much access as possible. They rely on this technique as it works, and it continues to do so unless organizations consider how they can break the links in the attack chain.
When considering how organizations can break attack chains, the first step is to halt the initial compromise in the first place. This is where a robust email security strategy is vital.
An initial email can lead to extensive security compromises from Business Email Compromise (BEC) attacks, cloud account takeovers, or cybercriminals using trusted third parties to compromise the organization through their supplier. After the initial compromise, they will have access to a domain, giving them access to email accounts and the ability to commit extensive fraud from that point.
Worryingly, compromised accounts often go undetected, leaving no indicators of compromise or evidence of malware. These attacks continue to increase despite deploying privileged account management (PAM) and multifactor authentication (MFA).
Organizations can face an even more significant issue if undetected, with privilege escalation and agile movement within their networks.
To combat this, organizations need to implement the necessary technology to identify and respond to compromised users and remove the elements attackers need to complete their crime, namely privileged account access. A unique approach to identity threat detection and response (ITDR) will help organizations remediate privileged identity risks and understand the potential ramifications of compromise, such as access to critical data and intellectual property.
Organizations can prevent initial identity theft and compromise by installing these robust technical controls. However, as with all threats, a combination of people, processes, and technology is vital.
Shared responsibility
Security should be a shared responsibility. People across all organizational levels must be empowered to understand the security put in place and the risky behaviors that can lead to breaches. Training and awareness programs are vital, but one size does not fit all. You need to ensure that your program is robust from the user's perspective –making it relevant to their work and personal lives.
Organizations in the UK stand out in this respect - as highlighted in Proofpoint's 2023 State of the Phish report, 67% of UK organizations train employees on security topics that explicitly target their organization, and 58% of UK organizations train ALL their employees.
According to Proofpoint data, over 99% of cyber threats require human interaction to be successful. When your people are that vital to an attack, they must be an essential part of your defense. Cybercriminals spend day and night trying to penetrate networks, systems, and data. The least we can do is make them work a little more complicated.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Matt Cooke is Cybersecurity Strategist for EMEA at Proofpoint. With 20+ years of experience. He provides expertise on key regional cybersecurity strategies such as people-centric security, security awareness, risk management and insider threats.