via VentureBeat
While 99% of businesses plan to invest more in security, only 52% have fully implemented multi-factor authentication (MFA), and only 41% adhere to the principle of least privilege in access management.
Adversaries, including nation-states, state-funded attackers and cybercrime gangs, continue to sharpen their tradecraft using generative AI, machine learning (ML) and a growing AI arsenal to launch increasingly sophisticated identity attacks. Deepfakes, tightly orchestrated social engineering, AI-based identity attacks, synthetic fraud, living-off-the-land (LOTL) attacks and many other technologies and tactics signal that security teams are in danger of losing the war against adversarial AI.
“Identity remains one of the hairiest areas of security—in really basic terms: you need authorization (authZ: the right to access) and authentication (authN: the means to access). In computer security, we work really hard to marry authZ and authN,” Merritt Baer, CISO at Reco.ai, told VentureBeat in a recent interview.
“What we have to do is make sure that we use AI natively for defenses because you cannot go out and fight those AI weaponization attacks from adversaries at a human scale. You have to do it at machine scale,” Jeetu Patel, Cisco’s executive vice president and chief product officer, told VentureBeat in an interview earlier this year.
The bottom line is that identities continue to be under siege, and adversaries' continued efforts to improve AI-based tradecraft targeting weak identity security are a fast-growing threat. The Identity Defined Security Alliance's (IDSA) recent report, 2024 Trends in Securing Digital Identities, reflects how vulnerable identities are and how quickly adversaries are devising new attack strategies to exploit them.
The siege on identities is real, and growing.
“Cloud, identity and remote management tools and legitimate credentials are where the adversary has been moving because it’s too hard to operate unconstrained on the endpoint. Why try to bypass and deal with a sophisticated platform like CrowdStrike on the endpoint when you could log in as an admin user?” Elia Zaitsev, CTO of CrowdStrike, told VentureBeat during a recent interview.
The overwhelming majority of businesses, 90%, have experienced at least one identity-related intrusion and breach attempt in the last twelve months. The IDSA also found that 84% of companies suffered a direct business impact this year, up from 68% in 2023.
“The future will not be televised; it will be contextual. It’s rare that a bad actor is burning a 0-day (new) exploit to get access—why use something special when you can use the front door? They are almost always working with valid credentials,” Baer says.
“80% of the attacks that we see have an identity-based element to the tradecraft that the adversary uses; it’s a key element,” Michael Sentonas, president of CrowdStrike, told the audience at Fal.Con 2024 this year. Sentonas continued, saying, “Sophisticated groups like Scattered Spider, like Cozy Bear, show us how adversaries exploit identity. They use password spray, they use phishing, and they use MTM frameworks. They steal legitimate creds and register their own devices.”
Why identity-based attacks are proliferating
Identity-based attacks are surging: CrowdStrike's 2023 Threat Hunting Report recorded a 160% rise in attempts to collect credentials via cloud instance metadata APIs and a 583% spike in Kerberoasting attacks.
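Kerberoasting leaves a trace that a defender can hunt for: one account requests Kerberos service tickets (Windows Security event 4769) for many SPN-bearing accounts in a short burst, and it usually asks for RC4-HMAC (TicketEncryptionType 0x17) because those tickets crack fastest offline. The detector below is an added example for this article, not code from the article, CrowdStrike or Microsoft. The 4769 records are constructed; the field names follow the 4769 event schema, and the five-minute window and five-SPN threshold are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example for this article; not code from the article, CrowdStrike or
Microsoft. The log lines are constructed; field names follow the 4769
event schema, the window and threshold are assumptions to tune locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one 4769 (Kerberos service ticket requested) event per
# line, flattened to key=value pairs. Values are invented for illustration.
SAMPLE_LOG = """\
2024-11-05T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.1.20
2024-11-05T09:00:15 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=10.0.1.21
2024-11-05T09:01:00 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.5.77
2024-11-05T09:01:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.5.77
2024-11-05T09:01:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.5.77
2024-11-05T09:01:03 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=10.0.5.77
2024-11-05T09:01:04 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_exchange TicketEncryptionType=0x17 IpAddress=10.0.5.77
2024-11-05T09:01:05 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.5.77
2024-11-05T09:30:00 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.1.30
2024-11-05T09:31:00 EventID=4769 TargetUserName=DC01$@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.5
"""

RC4_HMAC = "0x17"               # etype 23; roasting tools request it because RC4 tickets crack fastest
WINDOW = timedelta(minutes=5)   # assumption: burst window, tune per environment
MIN_DISTINCT_SPNS = 5           # assumption: distinct services in one burst before alerting


def parse_events(text):
    """Parse the flattened 4769 lines into dicts; other event IDs are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("EventID") != "4769":
            continue
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": kv["TargetUserName"].split("@", 1)[0],
            "service": kv["ServiceName"],
            "etype": kv["TicketEncryptionType"].lower(),
            "ip": kv["IpAddress"],
        })
    return events


def detect_kerberoasting(events, window=WINDOW, min_spns=MIN_DISTINCT_SPNS):
    """Flag accounts that requested RC4 service tickets for >= min_spns distinct
    services inside `window`. Computer accounts (trailing $) are skipped because
    they legitimately request many tickets; a lone RC4 request (a legacy app)
    is not enough on its own. Returns {account: {"services": [...], "sources": [...]}}."""
    per_user = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and not e["user"].endswith("$"):
            per_user[e["user"]].append(e)

    hits = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            services = {e["service"] for e in burst}
            if len(services) >= min_spns:
                hits[user] = {
                    "services": sorted(services),
                    "sources": sorted({e["ip"] for e in burst}),
                }
                break
    return hits


if __name__ == "__main__":
    for user, info in detect_kerberoasting(parse_events(SAMPLE_LOG)).items():
        print(f"possible Kerberoasting by {user} from {info['sources']}: {info['services']}")
```

On the sample, only jdoe trips the rule: six distinct services requested with RC4 inside five seconds from one source address, while carol's single RC4 request and the domain controller's AES ticket traffic are left alone. Detection is the second line of defence; the first is to leave nothing worth roasting, which means service accounts with SPNs get AES-only encryption types and long random passwords, or are replaced by group managed service accounts.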
The all-out attacks on identities emphasize the need for a more adaptive, identity-first security strategy that reduces risk and moves beyond legacy perimeter-based approaches:
Unchecked human and machine identity sprawl is rapidly expanding threat surfaces. IDSA found that 81% of IT and security leaders say their organizations’ number of identities has doubled over the last decade, further multiplying the number of potential attack surfaces. Over half the executives interviewed, 57%, consider managing identity sprawl a primary focus going into 2025, and 93% are taking steps to get in control of it. With machine identities continuing to increase, security teams need to have a strategy in place for managing them as well. The typical organization has 45 times more machine identities than human ones, and many organizations do not even know exactly how many they have. What makes managing machine identities challenging is factoring in the diverse needs of DevOps, cybersecurity, IT, IAM and CIO teams.
Growing incidence of adversarial AI-driven attacks launched with deepfake and impersonation-based phishing techniques. Deepfakes typify the cutting edge of adversarial AI, with incidents up 3,000% last year alone, and deepfake incidents are projected to grow a further 50% to 60% in 2024, to 140,000-150,000 cases globally. Adversarial AI is creating attack vectors no one sees coming and a more complex, nuanced threatscape in which identity-driven attacks dominate. Ivanti's latest research finds that 30% of enterprises have no plan for how they will identify and defend against adversarial AI attacks, while 74% of enterprises surveyed already see evidence of AI-powered threats, and 60% of the CISOs, CIOs and IT leaders participating in the study say they fear their enterprises are not prepared to defend against AI-powered threats and attacks.
More active targeting of identity platforms, starting with Microsoft Active Directory (AD). Every adversary knows that the quicker they can take control of AD, the faster they control an entire company. From granting themselves admin rights to deleting every other admin account so that no one can evict them mid-attack, adversaries know that locking down AD locks down a business. Once AD is under their control, adversaries move laterally across the network, deploy ransomware, exfiltrate valuable data and have been known to reprogram ACH payment details so that outbound payments go to shadow accounts they control.
Over-reliance on single-factor authentication for remote and hybrid workers, and failure to enforce multi-factor authentication down to the application level company-wide. Recent research on authentication trends finds that 73% of users reuse passwords across multiple accounts, and password sharing is rampant across enterprises today. Add to that the fact that privileged account credentials for remote workers are not monitored, and the conditions are set for privileged account misuse, the cause of 74% of identity-based intrusions this year.
The Telesign Trust Index shows that when it comes to getting cyber hygiene right, there is valid cause for concern. Their study found that 99% of successful digital intrusions start when accounts have multi-factor authentication (MFA) turned off. “The emergence of AI over the past year has brought the importance of trust in the digital world to the forefront,” Christophe Van de Weyer, CEO of Telesign, told VentureBeat during a recent interview. “As AI continues to advance and become more accessible, it is crucial that we prioritize trust and security to protect the integrity of personal and institutional data. At Telesign, we are committed to leveraging AI and ML technologies to combat digital fraud, ensuring a more secure and trustworthy digital environment for all.”
A well-executed MFA plan requires the user to present at least two of three distinct factor types: something they know (a password or PIN), something they have (a hardware key or authenticator app) or something they are (a biometric). One of the primary reasons so many Snowflake customers were breached is that MFA was not enabled by default. CISA provides a helpful fact sheet on MFA that explains why it matters and how it works.
Ransomware is being initiated more often using stolen credentials, fueling a ransomware-as-a-service boom. VentureBeat continues to see ransomware attacks growing at an exponential rate across healthcare and manufacturing businesses as adversaries know that interrupting their services leads to larger ransomware payout multiples. Deloitte’s 2024 Cyber Threat Trends Report found that 44.7% of all breaches involve stolen credentials as the initial attack vector. Credential-based ransomware attacks are notorious for creating operational chaos and, consequently, significant financial losses. Ransomware-as-a-Service (RaaS) attacks continue to increase, as adversaries are actively phishing target companies to get their privileged access credentials.
Practical steps security leaders can take now for small teams
Security teams and the leaders supporting them need to start with the assumption that their companies have already been breached or are about to be. That’s an essential first step to begin defending identities and the attack surface adversaries target to get to them.
“I started a company because this is a pain point. It’s really hard to manage access permissions at scale. And you can’t afford to get it wrong with high-privileged users (execs) who are, by the way, the same folks who ‘need access to their email immediately!’ on a business trip in a foreign country,” says Kevin Jackson, CEO of Level 6 Cybersecurity.
The following are practical steps any security leader can take to protect identities across their business:
- Audit and revoke any access privileges for former employees, contractors and admins. Security teams need to get into the practice of regularly auditing all access privileges, especially those of administrators, to confirm they are still valid and that the person is still with the company. It is the best muscle memory a security team can build, because it is proven to stop breaches. Hunt for zombie accounts and credentials regularly, and consider using genAI to draft the scripts that automate the process. Insider attacks are a nightmare for security teams and the CISOs leading them.
Add to that the fact that 92% of security leaders say internal attacks are as complex as or more challenging to identify than external attacks, and the need to get in control of access privileges becomes clear. Nearly all IAM providers have automated anomaly detection tools that can help enforce a thorough identity and access privilege clean-up. VentureBeat has learned that approximately 60% of companies are paying for this feature in their cybersecurity suites and are not using it.
- Make MFA the standard with no exceptions, and consider layering biometrics and passwordless authentication onto the personas and roles that hold admin rights or access to sensitive data. Security teams will need to lean on their vendors to get this right: the Snowflake customer breaches happened where MFA was not enforced, and Okta recently disclosed that, under certain conditions, logins with user names of 52 characters or more could be granted a session without the password being checked.
Gartner projects that by next year, 50% of the workforce will use passwordless authentication. Leading passwordless authentication providers include Microsoft Azure Active Directory (Azure AD, now Microsoft Entra ID), OneLogin Workforce Identity, Thales SafeNet Trusted Access and Windows Hello for Business. Ivanti's Zero Sign-On (ZSO), integrated into its UEM platform, combines FIDO2 passwordless authentication with biometrics, including Apple's Face ID, as a secondary authentication factor.
- Get just-in-time (JIT) provisioning right as a core part of providing least privileged access. JIT provisioning is a key element of zero-trust architectures, designed to reduce access risk by granting permissions only for a specific duration and role. By scoping JIT sessions by role, workload and data classification, organizations gain finer control over sensitive assets.
The recently launched Ivanti Neurons for App Control complements JIT measures by strengthening endpoint security through application control. The solution blocks unauthorized applications by verifying file ownership and applying granular privilege management, helping to prevent malware and zero-day attacks.
- Prevent adversaries and potential insider threats from assuming machine roles in AWS by configuring its IAM for least privileged access. VentureBeat has learned that cyberattacks on AWS instances are increasing, with attackers taking on the identities of machine roles. Avoid mixing human and machine roles across DevOps, engineering, production and AWS contractors: a role that both a CI pipeline and an engineer can assume gives an attacker who compromises either one the permissions of both.
If role assignments contain errors, a rogue employee or contractor can steal confidential data from an AWS instance without anyone knowing, and this has happened. Audit role assumptions (CloudTrail records every AssumeRole call) and enforce least privileged access to prevent this type of intrusion; AWS Identity and Access Management provides the configuration options to do so.
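The audit-and-revoke step above is mechanical enough to script. What follows is an added example for this article, not the article's own code or any IAM vendor's: it reconciles a constructed directory export (the kind Get-ADUser | Export-Csv produces) against a constructed HR roster and returns a disable/revoke list with privileged accounts first. The column names, the 90-day idle threshold and the privileged-group list are assumptions to adapt to the local directory.

```python
"""Zombie-account hunt: reconcile a directory export with the HR roster.

Added example for this article; not code from the article or any IAM vendor.
Both CSVs are constructed, and the column names, 90-day threshold and
privileged-group list are assumptions to adapt to the local directory.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed directory export (think: Get-ADUser piped to Export-Csv).
DIRECTORY_EXPORT = """\
sAMAccountName,enabled,lastLogon,memberOf,accountType
alice,true,2024-11-04,Domain Users,user
bob,true,2024-05-02,Domain Admins;Domain Users,user
svc_backup,true,2024-11-01,Backup Operators,service
contractor_raj,true,2024-10-30,Domain Users,user
tmartin,true,2024-08-12,Domain Admins;Domain Users,user
old_admin,false,2023-01-15,Domain Admins,user
"""

# Constructed HR roster: the system of record for who still works here.
HR_ROSTER = """\
username,status,type
alice,active,employee
bob,active,employee
contractor_raj,terminated,contractor
tmartin,terminated,employee
"""

AS_OF = datetime(2024, 11, 5)
STALE_AFTER = timedelta(days=90)                                   # assumption
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Backup Operators"}          # assumption


def audit_accounts(directory_csv, hr_csv, as_of=AS_OF, stale_after=STALE_AFTER):
    """Return findings, privileged accounts first, each with a recommended action.

    Rules: a user account with no HR record or a non-active HR status must be
    disabled; any enabled account idle longer than `stale_after` must be
    disabled; a disabled account must not keep privileged group memberships.
    Service accounts are not matched against HR but are still checked for
    staleness."""
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        name = acct["sAMAccountName"]
        enabled = acct["enabled"].lower() == "true"
        groups = set(acct["memberOf"].split(";"))
        privileged = bool(groups & PRIVILEGED_GROUPS)
        idle = as_of - datetime.fromisoformat(acct["lastLogon"])

        reasons = []
        if acct["accountType"] == "user":
            person = roster.get(name)
            if person is None:
                reasons.append("no HR record")
            elif person["status"] != "active":
                reasons.append(f"HR status is {person['status']}")
        if idle > stale_after:
            reasons.append(f"no logon for {idle.days} days")

        if enabled and reasons:
            action = "disable"
        elif not enabled and privileged:
            action = "remove from privileged groups"
            reasons.append("disabled account still holds privileged membership")
        else:
            continue
        findings.append({"account": name, "privileged": privileged,
                         "action": action, "reasons": reasons})
    findings.sort(key=lambda f: (not f["privileged"], f["account"]))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(DIRECTORY_EXPORT, HR_ROSTER):
        flag = "PRIVILEGED " if f["privileged"] else ""
        print(f"{flag}{f['account']}: {f['action']} ({'; '.join(f['reasons'])})")
```

On the sample data the script catches the three cases that matter most in practice: a terminated employee who is still a Domain Admin (tmartin), an admin account nobody has used in six months (bob), and a disabled account that still sits in Domain Admins and would regain full rights the moment someone re-enables it (old_admin). Run it on a schedule, feed the output to the ticketing system, and the "regular audit" stops depending on someone remembering to do it.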
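For the JIT and AWS machine-role points above, the following added example (not the article's code, and not AWS's) shows both halves in working form. jit_policy() emits a permissions policy that is only valid inside a time window, using the real aws:CurrentTime global condition key with DateGreaterThan and DateLessThan, and lint_role() checks a role definition for the mistakes the article warns about: wildcard actions or resources, a trust policy that lets both people and workloads assume the same role, and human-assumable roles without an expiry. The three role documents and the account ID are constructed, and the human/machine classification of trust-policy principals is a heuristic.

```python
"""Least-privilege and just-in-time (JIT) checks for AWS IAM role definitions.

Added example for this article; not code from the article or from AWS. The role
documents are constructed, the human/machine classification is a heuristic, and
jit_policy() uses the real aws:CurrentTime condition key (DateGreaterThan /
DateLessThan) to time-box a permission inside the policy itself.
"""
from datetime import datetime, timedelta, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"
ACCOUNT = "123456789012"  # placeholder account ID


def jit_policy(actions, resources, start, minutes):
    """Permissions policy that is only valid for `minutes` after `start` (UTC)."""
    end = start + timedelta(minutes=minutes)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(actions), "Resource": list(resources),
        "Condition": {"DateGreaterThan": {"aws:CurrentTime": start.strftime(ISO)},
                      "DateLessThan": {"aws:CurrentTime": end.strftime(ISO)}}}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_kinds(principal):
    """Heuristic (assumption): Federated (SAML/OIDC) and IAM users are people;
    AWS services and other roles are workloads; '*' or an account root is both."""
    human = machine = False
    if principal == "*":
        return True, True
    for arn in _as_list(principal.get("AWS", [])):
        if arn == "*" or arn.endswith(":root"):
            human = machine = True
        elif ":user/" in arn:
            human = True
        elif ":role/" in arn:
            machine = True
    human = human or bool(principal.get("Federated"))
    machine = machine or bool(principal.get("Service"))
    return human, machine


def lint_role(role):
    """Return findings for one role definition; an empty list means it passes."""
    findings, human, machine = [], False, False
    for st in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or "*" in _as_list(principal.get("AWS", [])):
            findings.append("trust policy lets any principal assume the role")
        h, m = _principal_kinds(principal)
        human, machine = human or h, machine or m
    if human and machine:
        findings.append("trust policy mixes human and machine principals")

    time_boxed = False
    for st in _as_list(role["PermissionsPolicy"]["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append("wildcard resource")
        if "aws:CurrentTime" in st.get("Condition", {}).get("DateLessThan", {}):
            time_boxed = True
    if human and not time_boxed:
        findings.append("human-assumable role has no expiry condition (not JIT)")
    if human and role.get("MaxSessionDuration", 3600) > 3600:
        findings.append("session duration exceeds one hour")
    return findings


START = datetime(2024, 11, 5, 14, 0, tzinfo=timezone.utc)
SAML_IDP = f"arn:aws:iam::{ACCOUNT}:saml-provider/corp-idp"

ROLES = [
    {   # Anti-pattern: one broad role shared by CI (a service) and engineers (SAML).
        "RoleName": "deploy-shared", "MaxSessionDuration": 43200,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "codebuild.amazonaws.com"}},
            {"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
             "Principal": {"Federated": SAML_IDP}}]},
        "PermissionsPolicy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
    {   # Human break-glass role: SAML only, one-hour session, time-boxed permissions.
        "RoleName": "oncall-rds-restart", "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
             "Principal": {"Federated": SAML_IDP}}]},
        "PermissionsPolicy": jit_policy(
            ["rds:DescribeDBInstances", "rds:RebootDBInstance"],
            [f"arn:aws:rds:us-east-1:{ACCOUNT}:db:orders-prod"], START, 60),
    },
    {   # Machine role: EC2 instance profile scoped to one bucket, no expiry needed.
        "RoleName": "orders-api-instance",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ec2.amazonaws.com"}}]},
        "PermissionsPolicy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::orders-config-{ACCOUNT}/*"}]},
    },
]

if __name__ == "__main__":
    for role in ROLES:
        print(role["RoleName"], "->", lint_role(role) or "OK")
```

The shared deploy role collects five findings; the break-glass role and the instance role pass. In a real account the human role's trust policy would also carry conditions (for instance requiring MFA through aws:MultiFactorAuthPresent), the JIT policy would be attached when the request is approved and detached when the window closes, and CloudTrail's AssumeRole and AssumeRoleWithSAML events are where to audit who actually used it.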
Predicting the future of identity management in 2025
Every security team needs to assume an identity-driven breach has happened or is about to if they are going to be ready for the challenges of 2025. Enforcing least privileged access, a core component of zero trust and a proven strategy for containing a breach, needs to be a priority. Enforcing JIT provisioning is also table stakes.
More security teams and their leaders need to take vendors to task and hold them accountable for their platforms and apps supporting MFA and advanced authentication techniques.
There is no excuse for shipping a cybersecurity product in 2025 without MFA supported and enabled by default. Complex cloud database platforms like Snowflake show why this has to be the new normal. Okta's recent oversight, which under certain conditions let logins with user names of 52 characters or more bypass the password check, shows that these companies need to work harder and more diligently to connect their engineering, quality and internal red-teaming functions so they do not put customers and their businesses at risk.