Top 5 Situational Risks for Identity-Based Attacks

March 20, 2024
Vectra AI
Top 5 Situational Risks for Identity-Based Attacks

With identity-based attacks on the rise and the cause of major breaches, multi-factor authentication (MFA) has been widely adopted by companies, organizations, and governments worldwide. But with almost 90% of organizations enduring identity-based attacks in 2023, implementing MFA is not enough.

As we know, multi-factor authentication involves two and often three factors of identity verification before granting a user access to data, a network, an account, or an application. 

Three Types of Authentication

Single-factor authentication is very simple. As a user, you enter a three- or four-digit code – that is, something you know – to access phone messages, online bank accounts, etc. However, relying on single-factor authenticators (SFA) proved to be of little protection. Hackers quickly found ways to copy, steal, or guess their way to “secret” codes and access private accounts. 

Dual factor or two-step authentication involves something you know, such as a PIN or secret code, plus adding something you possess, such as a personal mobile device, to receive a push notification or text message. In this example, there are two layers of verification. User access requires knowing your secret code and having immediate access to your mobile device.

Multi-factor authentication that goes beyond two factors adds a third factor – that is, something that you are – a physical attribute that is unique to you, such as a fingerprint, voice, or facial recognition. MFA usually requires all three for the user to gain the access they seek.

The MFA Security Landscape and AI-Driven Attacks 

The reality is that the risks of using MFA as an effective identity security procedure will likely continue to rise going forward. The main reason for that is the emergence of artificial intelligence or AI-driven cyberattacks that ramped up in 2023. AI and machine learning are proving to be formidable force multipliers, enabling cybercriminals to launch highly complex and automated attacks that bypass or overwhelm the usual MFA protections.

For example, AI-powered assaults can customize spear-phishing attacks to focus specifically on a single individual to fool a user into believing the attacker is that person. AI-driven attacks impersonate a trusted user by ingesting thousands of data points from public sources, social media posts, and online behaviors to assess that person’s specific tastes and characteristics to create deep-fake but highly persuasive messaging and online presence. These and other types of AI-driven attacks are becoming more common in 2024.

The Okta Breach­–Attackers Are So Glad You Chose MFA

But AI-driven attacks aren’t the only kind that are fueling the rise in identity attacks. The reality is that even if you do everything right, attackers can still bypass your preventative controls. In fact, several common situational threat risks are leading to highly successful and very public identity-based attacks. 

For example, the November 2023 Okta breach wasn’t an AI-driven attack, it was simply the result of an identity access management (IAM) program without sufficient visibility into users, their account access, or credential tracking. Hackers gained unauthorized access to the network via stolen credentials of a service account stored on their system and accessed all the personal information of every Okta account holder. 

The breach was accomplished by a simple identity-based attack which MFA was unable to prevent or detect in time. Okta’s breach affirms the adage that people are both our most valuable asset but, depending on the situation, can also pose the biggest risk to even the most prepared organizations.

There was certainly not a lot of innovation in the Okta attack, but it worked.

Situational Threat Risks

What’s key to understanding is that the Okta breach was due to situational threat risks, which are much more controllable than AI-driven threats if your detection capabilities are what they should be. There is, of course, the irony of the Okta breach in that it’s the industry leader in multifactor authentication (MFA), which is specifically designed to prevent identity-based attacks. However, situational threat risks remain a common cause of identity-based attacks. 

The good news is that even though they’re used often, with the right identity threat detection and response solution in place, they’re quite preventable. Knowing this, your first move should be to assess the situational threat risks within your own environment. The risks may not be as obvious as you’d like. Still, if you look closely, you’ll find situational risks that may not be covered – nor discoverable – by your identity access management (IAM) or even privileged access management (PIM) practices and procedures. 

Below are the top five controllable situational risk threats that are contributing to the rapid rise in identity-based attacks and, with the right solution, are easily preventable.

1.   M&A-Related Activities

Mergers and acquisitions (M&A) activity is increasing, with private equity and corporate deals expected to rise by 12%-13% in 2024. If your organization is engaged in M&A activity – or plans to be – be aware that an organization’s risk tolerance is at its lowest during the M&A process. 

There are several reasons why this is. For one, at the highest level of analysis, every phase of M&A activity brings new behavior, new people, new processes, new objectives, and new events into your organization’s daily life. These changes will impact all levels of the organization, from the entry-level employees to the C-suite. In short, with new realities come new risks. 

At the operational level, the M&A process involves new strategies, screening new people, harmonizing differentiated due diligence practices, disruptions in routines, data sharing, new systems integration processes, new transactions, and other situational and behavioral changes. Each presents new challenges and new risks. Some of the risks will be obvious, others may not be. 

At the cultural and human resources level, reconciling day-to-day business practices, employee behavior, risk management expectations, and staff integration challenges can also bring new and unknown situational risks. Furthermore, by its very nature, M&A usually means cutting jobs, which can mean disgruntled employees, territorial conflicts between staff, and other behavioral patterns that can pose identity-based risks.

Added to all of these factors is the drive at the board and C-suite levels to get the deal done with as little disruption or business losses as possible. That can mean some executives taking shortcuts on procedural or risk-management best practices, such as sharing too much data too soon, granting high-level access when unnecessary, and other shortcuts to bring the deal to a quicker close. 

These and other situational risks just come with the M&A territory.

2.   Organizations that Hold Sensitive Data or Critical Infrastructure are High-Value Targets

Another form of situational risk is companies and organizations that work with or possess high-value data and/or infrastructure. This makes them more likely to be targeted for identity attacks. 

For example, Okta, with its critical infrastructure, has an elevated probability of being targeted by identity attackers. A financial services firm with billions of dollars in assets would be another example of a firm with a higher probability of situational risk of identity attack. Energy companies with nuclear infrastructure, healthcare firms, telecom companies, law firms, and certain manufacturers also have elevated situational risks for identity attacks. 

3.    Third-Party Access Risk

As organizations’ use and reliance upon applications, third-party contractors, and outside services increases, so does the risk of identity-based attacks. Maintaining strict access control to sensitive networks, services, and applications becomes more challenging as more third-party partners, contractors, and suppliers are used. 

For example, attackers can use Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. The attacks in these environments occur not by exploiting vulnerabilities per se, but by abusing native Microsoft functionality. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts to gain uninterrupted access to a Microsoft tenant.

Also problematic are organizations that rely on multiple partners and third parties will find it more time-consuming to monitor their partners to ensure proper risk and access management procedures are followed and enforced. Differing levels of expertise, geographically distributed business partners, as well as culturally diverse customs and behavioral expectations, all pose risks of identity-based breaches to organizations. 

4.  Insider Threat and Workforce Reduction/Layoff Risks 

Your employees can be a major source of identity risk. Even today, with the danger of cyber threats well known, most don’t follow even the most basic security protocols to protect their identity. 

For example, 62% of professionals use one password for multiple accounts, making identity-based attacks way too easy. That helps explain why 31% of surveyed organizations say they’ve experienced brute force or password spraying attacks in the past year. VPNs can help verify and allow remote third-party access, but they’re limited in their visibility. 

Workforce reductions and layoffs can also be a significant cause of identity-based insider threats. For example, nearly 1-in-3 former employees still have company SaaS access. With cloud-based platforms like Microsoft 365, which have many access points, cybercriminals can access your ex-employees credentials through their under-protected personal device, shared applications, or other ways.

5. Excessive Access for Employees

Another very common situational risk is employees being given more access to data, applications, and networks than they need to perform their jobs. Excessive access can occur when new employees are granted a fixed or standardized level of access to the company network, systems, and applications that exceeds what is necessary for their roles. 

Excessive access opens the door for low-level, low-responsibility employees who may not guard their fobs, laptops, or authentication factors as they should, and become unwitting vectors for identity-based attacks. In these instances, IAM tools are ineffective because the excess access has been granted, so abuse is not recognized.

This also happens when employees are granted a higher level of authorized access for a specific project or purpose. After the task or project is completed, the elevated access is not revoked, leading to the potential for identity abuse.

It’s not just low-level access employees that pose access risks that can’t be mitigated by IAM or PAM tools. Privileged identities, especially service accounts, are difficult to monitor and control access permission. As a result, security teams often have little visibility into what sensitive data and/or assets their privileged employees are accessing or why. 

Another common scenario for excess access is when an employee moves to a different division or assumes a different role within the company or organization. The prior access levels may be left open unnecessarily, their laptop may not be cleared of their prior access or their fobs may not be collected or deactivated. Each of these are common situational risks that can raise the risk of an identity-based attack.

Lack of Visibility into User Access and Behavior Raises Identity-Based Risk

Lack of visibility into user access, user identities, and behaviors is the common thread to most situational risks, including the five listed in this post. What’s more, SOC teams will only face tougher challenges in defending their organizations against identity-based risks going forward.

There are several reasons why.

The explosion of SaaS applications has made it very difficult for IT security teams to access and gain visibility into SaaS apps, the identity of users, and their behavior within the network. 

The expansion of remote work has made determining the identity and necessity of third-party employees accessing the network more difficult. This trend will continue.

The rapid increase in the number of identities raises the threat of identity-based risk. The statistics are staggering. About 98% of organizations have seen an increase in identities (ISDA). Furthermore, for every human identity, there are 45 machine/service identities, and 62% of organizations lack visibility into employees or machines accessing their sensitive data and assets.

These factors make IAM programs less effective than they need to be and can allow unverified users to gain access from unauthorized IP addresses and access restricted data, or worse. Without visibility, enforcing the rules for employees sharing accounts, and determining the employment status of an individual or their behavior within the network on a granular level, can be difficult if not impossible.

Leverage AI to Gain Visibility and Situational Context into User Identity and Behavior

The key to understanding and stopping identity-based risk is being able to turn the tables on the main situational risk factors. Those factors include the lack of visibility into user identity, ensuring that the level of user access to the network is appropriate, and the ability to quickly contextualize user behavior. Your SOC team must be able to automatically verify a user, instantly gain visibility into the user’s behavior within the network and cloud, and immediately correlate it with the user’s access level and duties, no matter where the user may be. 

Determining the identity and necessity of third-party employees accessing the network and cloud, for example, is a common challenge. It can be resolved, however, with the right solution that delivers deep visibility into organizations’ hybrid environments. But without visibility, enforcing the rules for employees sharing accounts, determining the employment status of an individual or their behavior within the hybrid environment on a granular level, can be difficult if not impossible.

Furthermore, protecting organizations with automated appropriate responses is also necessary to minimize the risk of identity-based attacks. Instant AI-driven remediation enables your team to stop unauthorized behavior, eliminate access, and prevent breaches, application abuse, exfiltration, or other damage, within minutes, not months. 

That’s a very big deal. 

Vectra ITDR leverages AI-driven Attack Signal IntelligenceTM to signal active and covert identity behaviors like stealthy admins, misused service accounts, and malicious sign-ins across multiple attack surfaces. With full context into incidents and knowledge of attacker behavior, it ensures a 360-degree view of identity-based attacks with >80% less alert noise than other tools. 

Vectra AI delivers unmatched signal clarity, coverage, and control, enabling organizations to immediately see, make sense of, and shut down unauthorized sign-ins, scripting engine access, trusted application abuse, domain federation changes, and widespread network and cloud privilege abuse before the onset of ransomware and data breaches. 

Book a free identity exposure gap analysis today and gauge your level of protection in the event of a potential identity breach.