Specops Identity-Based Attacks

Identity-based attacks have become one of the most significant threats facing organizations today. According to IBM’s X-Force threat intelligence team, cybercriminals increasingly rely on stolen identities — not technical hacks — to help them compromise enterprise systems.

But what types of attacks do you need to look out for? And how can your organization best protect your employees from falling victim?

We'll explore the tactics attackers employ in identity-based attacks and how organizations can adopt a multi-layered approach to mitigate risk.

The rise of identity-based attacks

The number of identity-based attacks continues to grow. As CrowdStrike reported, 80% of attacks involve identity and compromised credentials. And an IBM report found that identity-related attacks are now the top vector in global cybercrime, rising 71% year over year.

With statistics like these, it’s easy to see the growing problem that identity-based attacks can cause organizations. 

Types of identity-based attacks

Cybercriminals don’t just rely on one type of attack — they try numerous tactics until they find one that works. Common types of identity-based attacks include:

Broad-based phishing campaign

In a broad-based phishing attack, one of the most common identity-based attacks, the cybercriminal acquires a large list of email addresses. Then, they craft and send a generic phishing message with a specific call to action, such as directing users to a fake login page.

They hope that at least a few recipients will fall for the scam and go to the bogus website to enter their credentials, giving attackers access to legitimate usernames and passwords they can use to access sensitive data. 

Spear-phishing campaigns

Spear-phishing campaigns differ from broad-based phishing by targeting specific individuals rather than large groups. Attackers carefully select their targets and conduct extensive research using social media and web sources to gather personal information about the victim.

Then, they craft a highly personalized message that references specific details (like mentioning a recent conference the recipient attended) to increase the likelihood of the recipient falling for the phishing attempt.

The attacker aims to trick the victim into taking a specific action — such as visiting a fake login page or clicking on a malware link — to steal their credentials or install malware for further attacks.

Credential stuffing

People are creatures of habit, and many users reuse the same passwords across multiple accounts. One Microsoft-funded study found that 73% of people duplicate passwords across their personal and professional accounts.

Credential stuffing attacks take advantage of this habit: attackers obtain credentials from previous website breaches or password dump sites and use automated tools to test those same credentials against many other websites and services.

Password spraying

Another human tendency is to keep it simple; we want passwords that are easy to remember rather than random combinations of letters, numbers, and symbols. Attackers deploy password spraying attacks to exploit this, using a small list of commonly used passwords that match the targeted domain’s complexity policy.

Instead of trying many passwords against one user, the attacker tries the same common password across many different accounts, staying below per-account lockout thresholds and avoiding the detection that a concentrated brute-force attempt would trigger.
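Because both credential stuffing and password spraying touch many accounts with only a failure or two each, per-account lockout alone will not catch them; the pattern only shows up when failed logons are aggregated by source. The following detector over constructed failed-logon records is an added example, not code from the Specops article or its products; the log format, field names, event ids (Windows-style 4625 failure / 4624 success) and thresholds are assumptions chosen for illustration.

```python
# Added example: flag sources whose failed logons fan out across many
# accounts while each account stays below the lockout threshold, the
# signature of password spraying or credential stuffing.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,source_ip,account,event_id"
# (4625 = failed logon, 4624 = successful logon). Not real data.
SAMPLE_LOG = """\
2024-03-01T09:00:01,203.0.113.7,alice,4625
2024-03-01T09:00:02,203.0.113.7,bob,4625
2024-03-01T09:00:03,203.0.113.7,carol,4625
2024-03-01T09:00:04,203.0.113.7,dave,4625
2024-03-01T09:00:05,203.0.113.7,erin,4625
2024-03-01T09:00:06,203.0.113.7,frank,4624
2024-03-01T09:30:00,198.51.100.9,alice,4625
2024-03-01T09:31:00,198.51.100.9,alice,4625
2024-03-01T10:00:00,198.51.100.9,alice,4624
"""

def parse(log):
    """Yield (timestamp, source_ip, account, event_id) tuples."""
    for line in log.splitlines():
        ts, ip, acct, event = line.split(",")
        yield datetime.fromisoformat(ts), ip, acct, int(event)

def detect_spray(log, window=timedelta(minutes=10), min_accounts=5, lockout=5):
    """Return (source_ip, distinct_accounts, max_failures_per_account,
    success_seen_after) for each source that fails against at least
    min_accounts distinct accounts inside `window` while no single
    account reaches the lockout threshold. One alert per source."""
    by_ip = defaultdict(list)
    for ts, ip, acct, event in sorted(parse(log)):
        by_ip[ip].append((ts, acct, event))
    alerts = []
    for ip, recs in by_ip.items():
        fails = [(ts, acct) for ts, acct, ev in recs if ev == 4625]
        for i, (start, _) in enumerate(fails):
            per_acct = defaultdict(int)
            for t, a in fails[i:]:
                if t - start <= window:
                    per_acct[a] += 1
            if len(per_acct) >= min_accounts and max(per_acct.values()) < lockout:
                # A success from the same source after the spray is the
                # pivot a responder most wants to see: a credential worked.
                success = any(ev == 4624 and t >= start for t, _, ev in recs)
                alerts.append((ip, len(per_acct), max(per_acct.values()), success))
                break
    return alerts
```

The second source in the sample (two failures against one account, then a success) is the ordinary forgotten-password case and produces no alert, which is what keeps this rule usable alongside a per-account lockout policy.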

Pass-the-hash techniques

Pass-the-hash attacks are becoming more common in businesses, with One Identity reporting that 95% of one survey’s respondents had experienced a direct business impact due to a pass-the-hash attack. In a pass-the-hash attack, the attacker obtains the hashed version of a user's password from a compromised system.

Then, the attacker uses this hash to authenticate to other systems without needing to crack the actual password.

This technique allows attackers to move laterally within a network, accessing sensitive data.

Man-in-the-Middle (MitM) attacks

In a MitM attack, the attacker intercepts a network connection, often by mimicking a legitimate Wi-Fi access point. Then, when an end user connects to the malicious access point, the attacker can monitor all the user's inputs, including login credentials.

If the attack is successful, the attacker can steal credentials or session tokens to authenticate into the victim's account, gaining access to sensitive data or executing further attacks.

A multi-layered approach to security

As identity becomes the new security perimeter, it's crucial for organizations to prioritize account and password security. Weak, reused, and compromised credentials are often the primary entry point for attackers; in fact, the Verizon 2023 Data Breach Investigations Report found that 50% of all breaches started with stolen and/or weak credentials.

To mitigate the risk of identity-based attacks, organizations must adopt a multi-layered approach to security. This includes: 

Implementing strong password policies: Strong password policies are essential to ensure that end users aren’t using weak, easily guessable passwords. Consider implementing password policy software — like Specops Password Policy — which can help you enforce strong password requirements and prevent the use of weak passwords.

In addition, Specops Password Policy will continuously scan your Active Directory against our database of over four billion unique known compromised passwords. Any users found to be using a breached password will be notified and asked to change their password immediately.

Regularly auditing your Active Directory: To secure your accounts, you should regularly audit your Active Directory for weak or compromised passwords. Additionally, you should proactively identify and remove stale or inactive accounts that hackers can exploit. 

Auditing helps you identify these vulnerabilities and take appropriate action. For example, Specops Password Auditor is a free, read-only tool that scans your Active Directory for password-related vulnerabilities, giving you an easy-to-understand view of your organization’s password-related risks.

Implementing multi-factor authentication: Ensure end users have set up multi-factor authentication across your apps. MFA adds an extra layer of security by requiring users to provide a second form of authentication — like a one-time password sent to their registered mobile phone or biometric data — in addition to their username and password.

Protecting against social engineering: Your organization’s service desk represents a highly attractive target to hackers; after all, the IT team members who answer the phone and respond to emails at the service desk are the gatekeepers for password resets. And if an attacker can effectively use a social engineering attack on your service desk, they can gain unauthorized access and wreak havoc.

Just ask MGM Resorts, which experienced widespread outages, days of downtime, and millions of dollars in repercussions after hackers tricked the company’s service desk into providing access. 

Automated solutions can help provide another layer of protection against attacks on your organization's service desk. For example, Specops Secure Service Desk can help your service desk staff verify user identification, reducing your social engineering vulnerability. 

Remaining vigilant against evolving threats

Organizations must remain vigilant to protect against identity-based attacks. Take a multi-faceted approach to keep your organization’s risk level low.

By implementing strong password policies, regularly auditing accounts, leveraging MFA, and utilizing tools like those offered by Specops Software, you can reduce your risk of falling victim to these increasingly sophisticated and pervasive threats. 

Ready to secure passwords across your organization? Get in touch to speak with an expert.

Sponsored and written by Specops Software.
