The frequency of ransomware attacks has doubled over the last couple of years, accounting for 10% of all breaches. According to the 2022 Verizon Data Breach Investigation Report, the ‘human element’ is the primary means of initial access in 82% of breaches, with social engineering and stolen credentials serving as key threat actor TTPs. Attackers consistently attempt to access valid credentials and use them to move throughout enterprise networks undetected. These challenges are driving CISOs to put identity security at the top of their priority list.
Traditional Identity Solutions Still Leave Room for Attacks
Traditional identity security solutions topping the list include Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA). These tools ensure the right users have appropriate access and employ continuous verification, guiding principles of the zero-trust security model.
However, Identity and Access Management – focusing solely on provisioning, connecting, and controlling identity access – is just the starting point to identity security. Coverage must extend beyond the initial authentication and access control to other identity aspects such as credentials, privileges, entitlements, and the systems that manage them, from visibility to exposures to attack detection.
From an attack vector perspective, Active Directory (AD) is an obvious asset. AD is where identity and its key elements naturally exist, which is why it is in an attacker’s crosshairs and a top security concern. In addition, as cloud migration continues at a rapid pace, additional security challenges arise as IT teams move quickly to provision across their environments.
When AD vulnerabilities combine with the cloud’s tendency toward misconfiguration, the need for an additional layer of protection beyond provisioning and access management becomes much clearer.
Identity Security with a New Twist
Modern, innovative identity security solutions provide essential visibility into credentials stored on endpoints, Active Directory (AD) misconfigurations, and cloud entitlement sprawl. Identity Attack Surface Management (ID ASM) and Identity Threat Detection and Response (ITDR) are new security categories designed to protect identities and the systems that manage them.
These solutions complement and operate in conjunction with Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Network Detection and Response (NDR), and other similar solutions.
ID ASM looks to reduce the identity attack surface to limit the exposures attackers can exploit. The fewer exposures, the smaller the identity attack surface. For most enterprises, this means Active Directory, whether on-premises or in Azure.
While EDR is a robust solution that looks for attacks on endpoints and collects data for analysis, ITDR solutions look for attacks targeting identities. Once an ITDR solution detects an attack, it adds a layer of defense by providing fake data that redirects the attacker to an authentic-looking decoy and automatically isolates the compromised system conducting the query.
ITDR solutions also provide incident response assistance by collecting forensic data and gathering telemetry on the processes used during the attack. The complementary nature of EDR and ITDR fit perfectly together to achieve a common goal – thwarting an attacker’s efforts.
ID ASM and ITDR solutions provide detection of credential misuse, privilege escalation, and other tactics that attackers exploit or engage in within the network. They close critical gaps between identity access management and endpoint security solutions, stopping cybercriminal attempts to exploit vulnerable credentials to move through networks undetected.
Identity Threat Security Solutions
SentinelOne has leveraged its deep experience in privilege escalation and lateral movement detection and offers a best-of-breed solution in the Identity Threat Detection and Response and ID ASM spaces. The company has secured its leadership position based on its broad ITDR and ID ASM solutions portfolio.
Identity Security Products:
- Singularity Identity Posture Management for continuous assessment of Active Directory exposures and activities that would indicate an attack
- Singularity Identity Threat Detection and Response (ITDR) for detection of unauthorized activity and attacks on Active Directory, protection against credential theft and misuse, prevention of Active Directory exploitation, attack path visibility, attack surface reduction, and lateral movement detection
Singularity™ Identity
Detect and respond to attacks in real-time with holistic solutions for Active Directory and Entra ID.
Get a DemoIt’s Time for a New Identity Security Approach
With identity-based attacks on the rise, today’s businesses require the ability to detect when attackers exploit, misuse, or steal enterprise identities. This need is particularly true as organizations race to adopt the public cloud, and both human and non-human identities continue to increase exponentially.
Given the penchant for attackers to misuse credentials, leverage Active Directory (AD), and target identities through cloud entitlement, it is critical to detect identity-based activity with modern ID ASM and ITDR solutions.
Learn more about SentinelOne’s Singularity Identity Posture Management and Singularity Identity solutions.
Identity Based Attacks FAQs
Identity attacks are Information security incidents where an attacker attempts to access systems illegitimately by targeting user credentials like usernames, passwords, or auth tokens. Attackers are interested in stealing, manipulating, or misusing identity-related data instead of technical vulnerability attacks.
These are attacks using identity and access management vulnerabilities to impersonate legitimate users or wander persistently laterally in networks. Attackers easily bypass traditional security once they obtain legitimate credentials because they appear as legitimate users, making it virtually hard to detect them.
Common examples include phishing emails that trick users into revealing login credentials, credential stuffing attacks that use stolen passwords across multiple sites, and password spraying attacks that try common passwords against many accounts. Social engineering techniques manipulate employees into divulging confidential information, while man-in-the-middle attacks intercept communications to steal data.
Brute force attacks use automated tools to guess passwords, and golden ticket attacks exploit Active Directory weaknesses for domain access.
Identity-based approaches focus on “who you want to become” while outcome-based approaches target “what you want to achieve”. In security contexts, identity-based attacks target the person’s digital identity and credentials to gain unauthorized access, while outcome-based attacks focus on achieving specific results like data theft or system disruption.
Identity-based methods create lasting behavioral changes because they align with personal identity, whereas outcome-based methods can lose effectiveness once the goal is reached. Organizations need both approaches – identity-focused security controls and outcome-focused incident response procedures.
You can prevent these attacks by implementing multi-factor authentication, which requires additional verification beyond passwords. Strong password policies using passphrases rather than complex passwords make systems harder to breach. Employee training helps staff identify phishing attempts and social engineering tactics before falling victim.
Regular security audits identify vulnerabilities, while single sign-on solutions reduce the number of credentials attackers can target. Monitor user behavior for unusual activity and implement zero-trust security models that verify every access request.
Major identity attack types include credential stuffing using stolen login pairs across multiple sites, password spraying with common passwords against many accounts, and phishing emails designed to steal credentials. Social engineering manipulates victims into revealing information, while brute force attacks guess passwords using automation tools.
Man-in-the-middle attacks intercept communications, Kerberoasting targets service account passwords, and golden ticket attacks exploit Active Directory weaknesses. Session hijacking takes over active user sessions, and privileged account compromises target high-access administrative credentials.
MFA introduces one more security layer that bars unauthorized entry even if passwords are compromised. It demands users to display more than one authentication method like passwords, mobile codes, or biometric data before it grants entry. Even if hackers get your password through phishing or data breaches, they also need the second method for entry.
MFA significantly decreases breach risk because hackers must break more than one independent credential compared to one password. MFA-enabled organizations are significantly less vulnerable to successful identity-based attacks because it introduces more barriers which many hackers are incapable of breaching easily.
