The Need for Speed: How Identity Compromise Accelerates Attacks

By Narendran Vaideeswaran, Director, Product Marketing, Identity and Zero Trust

Adversaries’ changing tactics enable them to stay ahead. In the past, many have relied on brute force to break down defenses and infiltrate organizations, or exploited vulnerabilities in perimeter firewalls, software, and hardware to gain a foothold in their desired target environment.

This kind of attack chain may progress from initial access, to discovery, to privilege escalation, to credential access, to lateral movement before the adversary achieves an impact. Because this type of infiltration and attack progression involves several steps, it may take a while to complete and as a result, give defenders more time to learn about, and respond to, the threat.

Today’s adversaries have evolved their tactics and techniques to accelerate their attacks. They now focus on using identities to infiltrate targets and facilitate attack progression through lateral movement and privilege escalation. This eliminates several steps in the attack chain because an intruder who already has legitimate credentials can skip straight to lateral movement and more quickly have an impact without alerting the victim to their malicious activity. It takes far longer to detect and respond to identity-based attacks than it does to discover more traditional malware-based attacks.

Attackers are increasingly attempting to accomplish their goals with legitimate credentials and built-in tools — an approach known as “living off the land” — in an effort to evade detection by legacy antivirus tools. This trend is growing more popular: the 2022 CrowdStrike Global Threat Report found out of all detections indexed by the CrowdStrike Security Cloud in the fourth quarter of 2021, 62% were malware-free, another sign adversaries are trying to succeed without writing malware to the endpoint.

This reliance on credentials has led to the rise of access brokers as key components of the eCrime threat landscape. Adversaries are increasingly communicating with one another and selling “access”, or username/password pairs, to one another in order to facilitate criminal activity. The CrowdStrike Intelligence team has analyzed access brokers’ advertisements and found they sell entries to organizations from at least 30 different sectors, demonstrating any industry can be a target.

Breakout time is one metric that reflects how attackers are moving with greater speed and purpose. This metric refers to the amount of time it takes an adversary to move laterally from an initially compromised host to another host in the victim environment. CrowdStrike’s analysis of hands-on eCrime intrusion activity in 2021 revealed the average breakout time is only 1 hour and 38 minutes — a very short window for defenders to respond.

Last year’s noPac exploit exemplifies how modern attacks are accelerating. In mid-December 2021, a public exploit that combined two critical Microsoft Active Directory design flaws was released. This exploit allowed the escalation of privileges of a regular domain user to domain admin, which enables a malicious actor to launch multiple attacks, such as domain takeover or a ransomware campaign. Around the time noPac was disclosed, Researchers at Secureworks demonstrated how to exploit these flaws to gain domain privileges in just 16 seconds.

 Defending Against Swift and Subtle Attacks

These identity-centric attacks have become a core component of today’s breaches, including several high-profile attacks. Not only does this technique allow adversaries to move quickly; it also lowers the cost of their operations — obtaining legitimate credentials is significantly cheaper than buying zero-day exploits or launching a custom supply-chain attack.

Identity attacks are extremely hard to detect. When valid employee credentials have been compromised and an adversary is acting as that user, it’s often very tough to differentiate between the typical behavior of the employee, and that of the attacker, if you’re using traditional security tools and practices.

Even a well-designed IT environment can fall victim to the weaknesses of relying on credentials without strong identity protection. Any account, whether it belongs to an IT admin, employee, third-party vendor, or a customer, can provide an attack path. As more employees have fully transitioned to remote work, the attack surface of many organizations has expanded and driven the need for a strong and flexible identity security solution.

Identity is one component within a broader security platform. To create the strongest level of protection, organizations must create a strategy that encompasses endpoint security, IT security, cloud workload protection and container security, in addition to identity protection. An identity security solution must also integrate with existing identity and access management (IAM) tools and processes, as well as a Zero Trust architecture.

A comprehensive identity security strategy will improve an organization’s visibility of credentials in a hybrid environment and allow them greater insight into their behavior, risk, and deviations. It will also enhance detection and defense of lateral movement, and strengthen the security of privileged users to protect against actions like privilege escalation and account takeover.

Speed often dictates success or failure — especially in cybersecurity, where stealthy attacks can unfold in a matter of hours and have devastating consequences. Security teams of all sizes and industries must invest in agility for their strategic decision-making by automating prevention, detection, investigation, and response workflows with integrated cyber threat intelligence.