Unmasking cyber criminals: The power of privileged identities
Identity theft is a growing threat in today’s digital landscape. Threat actors now realise it’s more effective, faster, and cheaper to steal credentials and log in than to hack through technical controls.
Once they have siphoned access details from just one employee, they move laterally, stealing even more credentials, escalating privilege, compromising servers and endpoints, and downloading sensitive organisational data – it’s now far too easy for an attacker to turn one compromised identity into an organisation-wide ransomware incident or data breach.
Privileged identities represent the keys to the kingdom, which attackers exploit to steal the crown jewels. Unfortunately, due to the hard-to-detect nature of these attacks, most organisations are unaware of this risk.
Security teams need to consider the detective tools they have in place to spot compromised users and lateral movements across environments before too much damage is done.
Email remains the key entry point
Threat actors understand that people hold access to an organisation’s most critical data and that the majority can be relatively easily tricked into taking action that could put the security of your organisation in jeopardy. And most of these attacks start with a simple email.
Email-based attacks continue to dominate the threat landscape globally, and in Australia, Proofpoint’s 2023 State of the Phish report revealed that among the Australian organisations that experienced an attempted phishing attack in 2022, 94% experienced a successful one. Of these successful attacks, 50% resulted in credential theft and/or account compromise, where employees inadvertently expose their credentials, giving threat actors access to sensitive data and their business accounts.
Many of today’s attacks rely on such compromised identities, including ransomware. Proofpoint data shows that 86% of Australian organisations experienced an attempted email-based ransomware attack in the past year, with 58% suffering a successful infection. In addition, 78% of Australian organisations reported they have experienced data loss due to an insider’s action in 2022.
It is clear that email security is critical. Through a technical combination of email gateway rules, advanced threat analysis, email authentication, and visibility into cloud applications, organisations can block the majority of targeted attacks before they reach employees.
However, we must look at the entire attack chain as part of an effective threat protection strategy, covering the threats your people and their identities continuously face.
Breaking the attack chain
Attackers will continue to rely on the same technique: targeting employees with an email in an attempt to gain a foothold in an organisation and move laterally, doing as much damage as they can. They depend on this technique because, put simply, it works, and it will continue to work unless organisations consider how they can break the links in the attack chain.
When we look at opportunities for organisations to break the attack chain, the first step is to stop the initial compromise in the first place. This is where a robust email security strategy is crucial. Whether through Business Email Compromise (BEC) attacks, cloud account takeovers, or cyber criminals abusing a trusted third party to reach the organisation through its supplier, a single initial email can lead to compromise. After the initial compromise, attackers have access to your domain, giving them access to email accounts and the ability to commit fraud.
Worryingly, compromised accounts can often go undetected, leaving no indicators of compromise or evidence of malware. And despite the deployment of privileged account management (PAM) and multifactor authentication (MFA), these attacks are still on the rise. If they go undetected, organisations are faced with an even bigger problem – privilege escalation and lateral movement within the network.
To combat this, organisations need to implement technology to identify and respond to compromised users and remove what attackers need to complete their crime: privileged account access. A unique approach to identity threat detection and response (ITDR) will help organisations remediate privileged identity risks and understand the potential ramifications of compromise, such as access to critical data and intellectual property.
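As an added illustration of the behavioural detection the paragraphs above call for (example code, not Proofpoint’s or the article’s own): a small Python detector over constructed logon events that flags an account reaching many distinct hosts within a short window, with a lower bar for accounts on an assumed privileged watch-list; the account names, thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real data), one successful logon per
# line: "timestamp,user,src_host,dst_host". svc-backup fans out to five servers
# in under a minute, the pattern a stolen account shows when moving laterally.
SAMPLE_EVENTS = """\
2023-09-04T09:01:12,jsmith,WS-101,FS-01
2023-09-04T09:03:40,jsmith,WS-101,FS-01
2023-09-04T10:15:02,svc-backup,WS-101,SRV-DB01
2023-09-04T10:15:09,svc-backup,WS-101,SRV-DB02
2023-09-04T10:15:21,svc-backup,WS-101,SRV-FILE03
2023-09-04T10:15:33,svc-backup,WS-101,SRV-APP04
2023-09-04T10:15:51,svc-backup,WS-101,DC-01
2023-09-04T14:20:00,admin-ops,JUMP-01,SRV-APP04
"""

# Assumed watch-list of privileged accounts (hypothetical names).
PRIVILEGED_ACCOUNTS = {"svc-backup", "admin-ops"}

def parse_events(text):
    """Parse the CSV-style lines into (timestamp, user, src, dst), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst = line.split(",")
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)

def detect_lateral_movement(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: sorted distinct destination hosts} for every account that
    reached at least `threshold` distinct hosts inside one sliding `window`.
    Privileged accounts alert at half the threshold: they have the most reach
    if stolen, and their normal access pattern should be the most predictable."""
    hops = defaultdict(list)
    for ts, user, _src, dst in events:
        hops[user].append((ts, dst))
    alerts = {}
    for user, seq in hops.items():
        limit = max(2, threshold // 2) if user in PRIVILEGED_ACCOUNTS else threshold
        best, start = set(), 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:   # slide the window forward
                start += 1
            hosts = {dst for _, dst in seq[start:end + 1]}
            if len(hosts) >= limit and len(hosts) > len(best):
                best = hosts                               # keep the widest fan-out seen
        if best:
            alerts[user] = sorted(best)
    return alerts
```

Calling `detect_lateral_movement(parse_events(SAMPLE_EVENTS))` on the constructed data returns only `svc-backup` with its five destination hosts; `jsmith` (one host) and `admin-ops` (one host) stay quiet.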
By implementing such robust technical controls, organisations are able to prevent initial identity theft and compromise. However, as with all threats, a combination of people, processes and technology is crucial.
Security is a shared responsibility. We must empower people at all levels within our organisations to understand security and the risky behaviours that can lead to breaches. Training and awareness programs are crucial, but one size does not fit all. Make sure your program is from the perspective of the user – make it relevant to their work and personal lives.
Organisations in Australia still have more to do in this regard. As per Proofpoint’s 2023 State of the Phish report, just 67% of Australian organisations with a security awareness program train their entire workforce. Although this is higher than the global average of 56%, just 37% of Australian organisations conduct phishing simulations, meaning a critical component to building an effective security awareness program is being missed.
According to the latest Data Breach Investigations Report (DBIR), 74% of breaches involve the human element. When your people are that vital to an attack, they need to be a vital part of your defence. Cyber criminals spend day and night trying to penetrate your networks, systems, and data. The least we can do is make them work a little harder.