The most dangerous cybersecurity threat of the moment is an attacker with access to legitimate identity information for a given system, according to a report issued today by endpoint security and threat intelligence vendor CrowdStrike.
According to the report, interactive intrusions (which the company defines as those in which an attacker is working actively to accomplish some illicit end on a victim’s system), are increasingly implemented using strategies that involve compromised identity information for access to a target. During the past year, both government-backed and organized crime hacking groups have raised their game with improved phishing techniques and social engineering “tradecraft.”
“The biggest trend that we’ve seen is that everything is moving towards identity,” said Adam Meyers, head of intelligence at CrowdStrike. “80% of attacks involved identity and compromised credentials.”
Those credentials can be compromised in the traditional way, using email phishing and social engineering, or they can be purchased on the dark web, sourced from other types of compromised systems. Once they have access to a target system, cybercriminals use a range of techniques to achieve their ends, and the report said that the use of remote monitoring and management software is sharply on the rise.
“Threat actors understand that there are security tools out there that impede the way they operate,” noted Meyers. “So they’re trying to use techniques that don’t trigger that security.” Compromised login IDs are hard to detect, and must generally be discovered by monitoring for unusual account behavior.
A move away from what he described as a “Microsoft monoculture” in the enterprise would be a positive step toward stemming the current flow of identity based attacks, Meyers said.