What are Identity Threats?
Identity threats are threats that target user accounts, credentials, and other identity-related weaknesses. Attackers exploit them through techniques such as phishing, credential stuffing, and password spraying to steal or misuse identities, and then use the stolen access for malicious purposes like lateral movement or privilege escalation within a network.
Identity-based attacks are currently the most prevalent type of attack and the one hackers focus on most. They have surpassed previous top threats like software vulnerabilities and are now the primary attack surface, accounting for a majority of incidents, driven by the accessibility of tools like phishing-as-a-service platforms and infostealer malware. Other reasons why hackers focus on identity theft are:
- It is now easier for attackers to “log in” to systems using stolen or compromised credentials rather than trying to “hack” in through vulnerabilities.
- Identity compromise is the entry point for many other types of attacks, including malware, ransomware, and advanced persistent threats (APTs).
- The widespread use of stolen credentials from data breaches combined with sophisticated tools like credential stuffing and password spraying allows attackers to launch massive, automated attacks.
- Affordable tools like phishing-as-a-service platforms have lowered the technical bar for attackers.
- Identity-based attacks, such as business email compromise (BEC) and corporate account takeover (CATO), can lead to immediate and significant financial losses and operational disruption.
- Major tool and solution vendors are quick to patch vulnerabilities in their products, which makes it harder for hackers to rely on tool vulnerabilities alone.
- While many organizations run security awareness training and phishing tests, they still do not achieve a 100% success rate. Hackers exploit this human loophole to gain access to the organization’s data.
- For many organizations, security is still an afterthought. Only after an incident has occurred does management devote appropriate effort to security.
- Organizations forget how interconnected they are. A small company may provide services to a large organization and have access to the large organization’s network. The hacker targets the small company first in order to harvest credentials that can then be used to attack the large organization.
Common Identity-based Attack Methods
Here are some of the common identity-based attack methods used by cybercriminals:
- Phishing and social engineering: Deceptive emails or messages that trick users into revealing their credentials.
- Credential stuffing: Using large lists of stolen username and password combinations to log into multiple websites.
- Password spraying: Trying a few common passwords against many different accounts, rather than many passwords against one account, to avoid account lockouts.
- Infostealer malware: Malicious software designed to harvest credentials and other sensitive information from a user’s computer.
- Deepfake impersonation: Using AI-generated content to impersonate individuals for fraudulent purposes.
- Man-in-the-Middle (MITM): An attacker intercepts communication between two parties and searches the intercepted data for usable credentials.
- Brute Force Attacks: Because many compiled dictionaries of names and passwords are available, the attacker uses an automated tool to try different passwords against an account.
- Kerberoasting: An attack method that attempts to crack the passwords of service accounts in Active Directory (AD).
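As an added illustration (not code from the article), the following Python separates the password-spraying pattern described above, a few attempts spread across many accounts to stay under the lockout threshold, from a brute-force attack concentrated on a single account, by running over a constructed authentication log; the log format, IP addresses and thresholds are assumptions. It also reports any successful login from a flagged source, which is the account a defender should contain first.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not from the article):
# "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 203.0.113.7 alice FAIL
2024-05-01T08:00:02 203.0.113.7 bob FAIL
2024-05-01T08:00:03 203.0.113.7 carol FAIL
2024-05-01T08:00:04 203.0.113.7 dave FAIL
2024-05-01T08:00:05 203.0.113.7 grace SUCCESS
2024-05-01T08:05:00 198.51.100.9 alice FAIL
2024-05-01T08:05:01 198.51.100.9 alice FAIL
2024-05-01T08:05:02 198.51.100.9 alice FAIL
2024-05-01T08:05:03 198.51.100.9 alice FAIL
2024-05-01T09:30:00 192.0.2.5 bob FAIL
2024-05-01T09:30:20 192.0.2.5 bob SUCCESS
"""

def parse(log_text):
    """Parse log lines into (time, ip, user, result) tuples, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def classify_sources(log_text, window=timedelta(minutes=10),
                     spray_accounts=4, lockout_threshold=4):
    """Label each source IP by its failure pattern inside any time window:
    password_spraying = many distinct accounts, each below the lockout
    threshold; brute_force = one account at or above it (thresholds assumed)."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        label = "normal"
        for i, (t0, _, _, _) in enumerate(fails):
            per_user = Counter(e[2] for e in fails[i:] if e[0] - t0 <= window)
            if max(per_user.values()) >= lockout_threshold:
                label = "brute_force"
                break
            if len(per_user) >= spray_accounts:
                label = "password_spraying"
                break
        # A success from a flagged source is the account to contain first.
        hits = sorted({e[2] for e in evs if e[3] == "SUCCESS"}) if label != "normal" else []
        verdicts[ip] = {"label": label, "successes": hits}
    return verdicts
```

Tune the window and thresholds to the real lockout policy, otherwise a slow spray that spaces attempts beyond the window will not be flagged.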
What Is the Criminals’ End Goal?
Although much of the focus is on Business Email Compromise (BEC), cybercriminals are usually not after email data but the information stored on SharePoint.
SharePoint is often the main prize for attackers. It’s where companies keep the good stuff—sensitive docs, spreadsheets, contracts, credentials—all neatly organized and easy to search.
There are instances where attackers don’t even touch the mailbox. They log in, skip email entirely, and head straight for SharePoint. This is not to say that attackers are never interested in email: in some cases the attacker wants the CEO’s mailbox so that they can impersonate the CEO and ask for money to be wired to them.
And when they do, they move fast. Attackers can get their hands on sensitive data in less than 10 seconds.
It’s also worth remembering: SharePoint isn’t just a target – it can become a weapon. We’ve seen attackers use compromised SharePoint infrastructure to host malicious files and launch new phishing campaigns.
So next time you’re responding to a BEC, and all the focus is on login anomalies or inbox rules, stop and ask: What did the attacker get from SharePoint?
If SharePoint’s in scope for the attacker, it better be in scope for you as a defender too.
How can Companies protect against Identity Threats?
Companies should think about layered cybersecurity protection and utilize Identity Threat Detection and Response (ITDR) systems. ITDR is a cybersecurity approach focused on finding and stopping threats that target user accounts, credentials, and other identity-based vulnerabilities. It involves monitoring user activity and identity systems for signs of compromise, such as leaked passwords or unusual login patterns or behavior, and then responding to mitigate the risks. This helps protect organizations from identity-based attacks like phishing and ransomware by strengthening their security posture around identities, which are becoming a new perimeter for security.
How Does ITDR work?
ITDR Focuses on:
- Detection: Continuously monitors risks like compromised credentials, risky user behavior, and identity system misconfigurations. This is a continuous process that dynamically analyzes users, user activities, and their devices.
- Threat intelligence: Leverages information from sources like the dark web to identify stolen or leaked credentials.
- Response: Provides automated or manual responses to stop threats, such as locking compromised accounts or blocking malicious activity.
- Proactive posture: It also helps reduce the overall attack surface by identifying gaps in protection and securing privileged identities.
What is Enhanced ITDR?
Traditional ITDR tools were designed for an era with a clear perimeter and focused primarily on reactive alerts from identity systems. Enhanced ITDR moves beyond this by addressing the complexity of modern, decentralized cloud environments, where threats can emerge from various SaaS applications that often lack formal oversight. It focuses on preventing identity-based threats in modern SaaS environments, not just detecting and responding to them after they occur. This updated approach emphasizes continuous risk reduction by proactively identifying issues like unused credentials, excessive permissions, and risky integrations, and providing tools for immediate action to strengthen security posture.
What Can You Do?
Consider the following features of Enhanced ITDR when selecting a solution:
- Proactive prevention: It identifies and helps fix risks like stale accounts, weak passwords, and over-privileged users before they can be exploited.
- Comprehensive visibility: It provides visibility across the entire SaaS attack surface, including both managed and unmanaged applications.
- Real-time detection: It detects threats in real time, such as malicious OAuth grants or browser extensions, and correlates alerts with other security data for better context.
- Streamlined response: It enables quick threat neutralization through one-click actions or automated workflows, reducing the time security teams spend on manual remediation.
- Posture improvement: It helps strengthen an organization’s overall identity security posture by providing guidance to fix identified gaps.
- Zero trust: No user or device is trusted by default. Implementing ITDR is a first step toward Zero Trust.
Integrating ITDR with MDR
To integrate ITDR with your Managed Detection and Response (MDR) solution, you can use native integrations within your selected ITDR solution (like Vectra AI) where identity-based threat alerts are automatically escalated to the MDR team for investigation and response.
For multi-vendor environments, configure the ITDR solution to send security events to your Security Information and Event Management (SIEM) platform where the MDR service is already monitoring, enabling the MDR team to correlate identity threats with other security data.
Most of the time, SIEM software is used as the central hub. The ITDR solution can be configured to send security alerts directly to the SIEM. Ensure the MDR service is already ingesting and monitoring data from this SIEM. This allows the MDR team to correlate identity threat data with other logs (from endpoints, network devices, etc.) for a comprehensive view.
Create alert escalation and response playbooks and clearly define what constitutes a critical identity threat that should be escalated to the MDR team. Work with your MDR provider to develop specific response playbooks for identity-based threats (e.g., account lockout, password reset, session termination). The ITDR tool can automate initial containment actions, with the MDR team handling complex investigations and out-of-band responses.
In addition, continuously review the integration and the types of alerts being generated. Tune your ITDR rules and MDR playbooks to reduce false positives and ensure that genuine threats are being detected and responded to efficiently.
Benefits of ITDR
As the computing landscape continues to change, organizations are realizing the benefits of implementing ITDR. These benefits include:
- Protection against attackers
- Detection of privilege escalation and lateral movement
- Correlation across multiple systems
- Protection against misuse
- Identification of anomalous sessions
- Identification of anomalous tokens (API and OAuth)
- Provisions for compliance requirements