From Credentials To Identity: Understanding Digital Identity & Access

To better understand the problems of online identity theft, we need to consider what we mean by ‘digital identity’. At the start of its guidelines, the National Institute of Standards and Technology (NIST) defines digital identity as the "online persona of a subject," recognising that there isn’t yet a single, widely accepted definition. For the purposes of this article, digital identity can simply be taken to mean the representation of a person in online transactions.

Access to digital infrastructure traditionally relies on information associated with this digital identity. In most cases, to access a digital service, a person (or "subject") needs to know a “secret,” which acts as a credential - such as a password, PIN, or API key. When they provide this secret, the system assumes the person is who they claim to be. But if this credential is stolen, malicious actors can use it to impersonate that person - effectively committing identity theft.

To more reliably verify a person’s true identity, security systems often combine multiple factors - credentials - such as:

  • Something they know: a secret, like a password or PIN.
  • Something they have: a physical device, such as a security token or trusted platform module (TPM).
  • Something they are: a biometric, such as a fingerprint or facial recognition.

This layered approach strengthens digital identity verification, helping ensure a person’s identity is accurately represented in online transactions. It’s clear that the theft of a credential equals identity theft.

Credential Misuse Is Rising

According to the 2024 Verizon Data Breach Investigations Report, human involvement in data breaches remains significant. The report indicates that 68% of breaches involved a (non-malicious) human element, such as individuals falling victim to social engineering attacks or making errors. 

The report notes that over the past decade, stolen credential incidents have appeared in almost one-third (31%) of all breaches, highlighting the persistent risk associated with credential-based attacks.

Verizon observes a significant increase in attacks involving the exploitation of vulnerabilities, which nearly tripled from the previous year, accounting for 14% of all breaches. This surge underscores the evolving tactics of threat actors and the importance of robust security measures.

Data gathered by the US Cybersecurity and Infrastructure Security Agency (CISA) in its Risk and Vulnerability Assessment (RVA) analyses revealed that Valid Accounts [T1078] was the most common successful attack technique, responsible for 41% of successful attempts.

Meanwhile, the 2024 Microsoft Digital Defense Report highlights a significant rise in credential misuse and identity theft, emphasising the evolving tactics of cybercriminals and the necessity for robust security measures. Key findings note that cybercriminals are increasingly targeting user credentials to gain unauthorised access to systems and data. This surge underscores the critical need for organisations to implement strong authentication protocols and monitor for suspicious activities.

Microsoft also reports a notable increase in sophisticated phishing campaigns designed to deceive individuals into revealing sensitive information. These attacks often exploit human psychology, making them particularly effective and challenging to detect.

The report advocates for the widespread implementation of MFA as a fundamental defence against credential theft. MFA adds an additional layer of security, making it more difficult for attackers to compromise accounts even if credentials are obtained.

And it stresses the need to adopt a ‘Zero Trust’ approach, which assumes that threats could be both external and internal. This model requires continuous verification of user identities and device health, reducing the risk of unauthorised access.

These insights underscore the importance of proactive security strategies, continuous monitoring, and user education to combat the growing threat of credential misuse and identity theft.

Bypassing MFA?

Multi-factor authentication (MFA) prevents access to the system unless all required factors are verified, ensuring the user’s identity is confirmed. A typical MFA setup, for example, asks users to enter a One-Time Password (OTP) sent via SMS in addition to their username and password.

While adding more factors strengthens security, the system can still be compromised if it is improperly configured or if there are vulnerabilities in the software or hardware components.
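The two-factor check described above, shown as an added example that is not part of the original article or of any vendor's product: the "something you know" factor is a salted PBKDF2 password hash, and the "something you have" factor is a TOTP code (RFC 6238, built on RFC 4226 HOTP) of the kind an authenticator app or token produces. It also covers the misconfiguration point: a code is accepted only once, so a one-time password that an attacker captures cannot be replayed, and both factors are always evaluated so the response time does not reveal which one failed. The user name, password and secret are constructed test values; the secret is the RFC 6238 reference secret so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import os
import struct
import time

OTP_DIGITS = 6          # code length the user types
OTP_STEP = 30           # TOTP time step in seconds (RFC 6238 default)
OTP_SKEW_STEPS = 1      # tolerate one step of clock drift either way
PBKDF2_ITERATIONS = 200_000

# RFC 6238 reference secret (ASCII "12345678901234567890"); used only so the
# example's results can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hash_password(password, salt=None):
    """Something you know: store a salted PBKDF2 hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def hotp(secret, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_counter(now, step=OTP_STEP):
    """Something you have: the authenticator derives its code from this counter."""
    return int(now) // step


def make_store():
    return {}


def enrol(store, username, password, totp_secret):
    store[username] = {
        "password": hash_password(password),
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest OTP counter already consumed (replay guard)
    }


def _match_otp(user, otp, now):
    """Return the counter whose code matches, or None. Counters at or below
    last_counter are never accepted again, so a captured OTP cannot be replayed."""
    counter = totp_counter(now)
    for c in range(counter - OTP_SKEW_STEPS, counter + OTP_SKEW_STEPS + 1):
        if c <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], c), otp):
            return c
    return None


def verify_login(store, username, password, otp, now=None):
    """Grant access only when both factors verify. Both checks always run,
    so the response time does not reveal which factor failed."""
    now = time.time() if now is None else now
    user = store.get(username)
    if user is None:
        hash_password(password)   # same work for unknown users: no timing leak
        return False
    password_ok = verify_password(user["password"], password)
    matched = _match_otp(user, otp, now)
    if password_ok and matched is not None:
        user["last_counter"] = matched   # consume the code only on full success
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    enrol(store, "alice", "correct horse battery staple", RFC_TEST_SECRET)
    print(verify_login(store, "alice", "correct horse battery staple", "287082", now=59))  # True
    print(verify_login(store, "alice", "correct horse battery staple", "287082", now=59))  # False: replay
```

At Unix time 59 the counter is 1, for which the RFC vectors give the code 287082; the second call with the same code is refused because that counter has been consumed. Codes for a counter already used are skipped even when they fall inside the clock-skew window, which is the detail an "improperly configured" OTP check most often gets wrong.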

An example of credential theft is a phishing email from a compromised business partner containing a Google link redirect chain leading to an M365 phishing page. These types of phishing links are hard to detect because the email sender has previously been observed communicating with the recipient and the mails pass DMARC, DKIM, and SPF checks. These checks would normally prevent users from receiving such a link, but were bypassed using this technique. The next stage involves a Man-in-the-Middle attack: the user’s login session was hijacked and a secondary MFA option was registered by the perpetrator to gain persistent access to the account. Fortunately, there are preventive measures available to mitigate the threat in the initial access phase.

Additional Recommendations To Prevent Identity Theft

To further safeguard against identity theft, implementing Restrictive Conditional-Access Policies can provide an additional layer of security by ensuring that only trusted users and devices can access sensitive systems. For organisations managing devices, requiring enrolment into Microsoft Intune for management enhances oversight and control, though it’s important to note that Bring Your Own Device (BYOD) policies may pose challenges in these cases.

Switching to Windows Hello for Business on devices equipped with Trusted Platform Modules (TPM) is another effective alternative. This approach leverages advanced authentication methods, such as biometrics or PINs, to improve resistance against phishing attacks while enhancing the overall security posture of endpoints. These measures, when integrated into a robust cybersecurity framework, can significantly mitigate the risk of identity theft.

CSIS strongly recommends establishing a phishing-resistant multifactor policy, incorporating security devices like YubiKey - a hardware-based security key that provides strong two-factor, multi-factor, and passwordless authentication - or similar. Implementing such measures not only enhances protection, but also makes it impossible to fall victim to malicious activities such as session stealing.

Managing Digital Identities

There are several ways to better manage organisational security online and help staff avoid the issues surrounding identity attacks, including, but not limited to:

Implementing Proper Access Control
Implementing robust access control mechanisms is essential to ensure only authorised users can access specific data and systems, reducing the risk of unauthorised access. This includes setting up role-based access controls (RBAC) and applying the principle of least privilege, which limits user permissions to only what is necessary for their role. 

Monitoring Infrastructure - Audit Logs
Regular monitoring of audit logs is crucial for detecting unusual activity early on, providing insights into who accessed what, when, and from where. Analyzing these logs can reveal signs of unauthorised access, privilege escalation, or attempted credential misuse, enabling swift intervention. 
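An added example of the audit-log analysis this section calls for, applied to the session-hijack scenario described earlier (a sign-in from an address the user has never used, followed minutes later by the registration of a new MFA method). This is illustrative code, not part of the original article or of CSIS's monitoring service; the event field names, the JSON-lines log shape and the per-user baseline of known addresses are assumptions, and the log lines themselves are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). Field names are assumptions;
# real sign-in and security-info logs carry equivalent fields under other names.
SAMPLE_EVENTS = """
{"ts": "2024-11-04T08:01:10Z", "user": "alice@example.com", "event": "SignIn", "ip": "203.0.113.10", "result": "Success"}
{"ts": "2024-11-04T08:03:42Z", "user": "alice@example.com", "event": "SignIn", "ip": "198.51.100.77", "result": "Success"}
{"ts": "2024-11-04T08:05:01Z", "user": "alice@example.com", "event": "SecurityInfoRegistered", "ip": "198.51.100.77", "method": "AuthenticatorApp"}
{"ts": "2024-11-04T09:30:00Z", "user": "bob@example.com", "event": "SignIn", "ip": "203.0.113.22", "result": "Success"}
{"ts": "2024-11-05T10:12:00Z", "user": "bob@example.com", "event": "SecurityInfoRegistered", "ip": "203.0.113.22", "method": "AuthenticatorApp"}
"""

# Constructed baseline: addresses each user has signed in from historically.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22"},
}

# A new MFA method registered this soon after a sign-in from an unknown address
# is the persistence step of the hijack scenario, so it is escalated.
MFA_CHANGE_WINDOW = timedelta(minutes=60)


def parse_events(text):
    """Parse JSON-lines audit records and return them in time order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_ips):
    """Answer 'who, from where, and what changed afterwards' for each user."""
    alerts = []
    recent_new_ip = {}   # user -> time of the latest sign-in from an unknown address
    seen = {user: set(ips) for user, ips in known_ips.items()}
    for e in events:
        user, ip = e["user"], e["ip"]
        user_ips = seen.setdefault(user, set())
        if e["event"] == "SignIn" and e.get("result") == "Success":
            if ip not in user_ips:
                alerts.append({"rule": "new_ip_signin", "user": user, "ip": ip, "ts": e["ts"]})
                recent_new_ip[user] = e["ts"]
                user_ips.add(ip)
        elif e["event"] == "SecurityInfoRegistered":
            since = recent_new_ip.get(user)
            if since is not None and e["ts"] - since <= MFA_CHANGE_WINDOW:
                alerts.append({"rule": "mfa_registered_after_new_ip", "user": user, "ip": ip,
                               "ts": e["ts"], "method": e.get("method")})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS), KNOWN_IPS):
        print(alert["rule"], alert["user"], alert["ip"], alert["ts"].isoformat())
```

Run against the sample, the detector raises two alerts, both for alice: a sign-in from the unknown address 198.51.100.77, then an authenticator registration 79 seconds later from the same address. Bob's registration a day later from his usual address raises nothing, which is the point of keeping a per-user baseline rather than alerting on every MFA change.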

Monitoring Compromised Credentials
Understanding the types of compromised credentials related to your organisation that are being bought and sold on the dark web and other criminal markets is critical to ensuring you do not allow an attacker to gain an initial access foothold in your network using a valid account.

CSIS Compromised Credentials service provides continuous real-time monitoring of stolen credential data which may be used against your organisation. During 2024, CSIS has observed approximately 24 billion credential combinations (i.e., usernames along with associated passwords and URLs) from Q1-Q3, or an average of 3 billion credential combinations per month.
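An added example of what an organisation does with a feed of "credential combinations" in the username, password and URL shape described above. It is illustrative code written for this article, not CSIS's service or its data format: it filters a feed for records tied to the organisation's domains (by email domain or by the URL's host), checks each matching record against the directory's current password hash to learn whether the leaked password is still in use, and recommends an action, without ever echoing a plaintext password. The feed lines, the domain list, the directory entries and the static salt are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse

ORG_DOMAINS = {"example.com"}   # assumption: the organisation's mail and web domains

# Constructed sample feed in an email:password:url shape (not real leaked records).
# Passwords in this sample contain no ':'; a real parser would use the feed's own framing.
LEAK_FEED = """\
alice@example.com:Summer2024!:https://portal.example.com/login
alice@example.com:oldpass123:https://shop.example.net/account
carol@other.org:hunter2:https://mail.other.org
bob@example.com:Welcome1:https://vpn.example.com
dave@gmail.com:pass:https://intranet.example.com/
"""

SALT = b"constructed-static-salt"   # assumption; a real directory keeps a per-user salt


def directory_hash(password):
    """Hash in the same way the directory does, so leaked values can be compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed directory: current password hashes for the organisation's accounts.
DIRECTORY = {
    "alice@example.com": directory_hash("Summer2024!"),      # leaked password still in use
    "bob@example.com": directory_hash("N3w-Password-2024"),  # already rotated since the leak
}


def parse_feed(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        email, password, url = line.split(":", 2)   # the URL keeps its own "https:" intact
        records.append({"email": email.strip().lower(), "password": password, "url": url.strip()})
    return records


def relates_to_org(record, org_domains):
    """Match on the account's mail domain or on the service the credential is for."""
    email_domain = record["email"].rsplit("@", 1)[-1]
    host = (urlparse(record["url"]).hostname or "").lower()
    return email_domain in org_domains or any(
        host == d or host.endswith("." + d) for d in org_domains)


def assess(feed_text, org_domains, directory):
    findings = []
    for record in parse_feed(feed_text):
        if not relates_to_org(record, org_domains):
            continue
        current = directory.get(record["email"])
        still_valid = current is not None and hmac.compare_digest(
            directory_hash(record["password"]), current)
        findings.append({
            "email": record["email"],
            "url": record["url"],
            "still_valid": still_valid,
            "action": "force reset and revoke sessions" if still_valid else "notify and watch",
        })
    return findings


if __name__ == "__main__":
    for finding in assess(LEAK_FEED, ORG_DOMAINS, DIRECTORY):
        print(finding["email"], finding["url"], finding["still_valid"], finding["action"])
```

On the sample feed, four of the five records relate to the organisation (carol's does not); only alice's portal credential still matches her current hash and is escalated to a forced reset, while dave's external identity used on an internal host is flagged for follow-up even though the directory has no entry for it.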

Develop & Maintain A Cyber Incident Response Plan
Developing and maintaining a cyber incident response plan provides a clear roadmap for identifying, containing and resolving security incidents, helping to reduce damage and recovery time. Regularly updating and testing the plan ensures it remains effective against evolving threats. CSIS provides Emergency Response Consulting services to assist organisations in preparing for and responding to cyber incidents.

Have an Emergency Response Partner
Partnering with an external emergency response team ensures access to specialised expertise in the event of a breach. These professionals can assist with containment, investigation and remediation efforts, helping restore operations quickly and securely. CSIS, a member of FIRST, the global forum for incident response and security teams, and NCSC Assured in Incident Response, offers Emergency Response Retainers, guaranteeing immediate and round-the-clock access to world-class emergency incident response.

Through implementing multi-factor authentication, strengthening access controls, and establishing proactive monitoring and incident response measures, organisations can reduce the risk of unauthorised access and protect against identity theft. 

By using professional solutions, including continuous monitoring, access control assessments and dedicated emergency response services, companies are better equipped to defend their digital infrastructure against sophisticated attacks.

A strong commitment to a robust, well-rounded security strategy is essential for any organisation to thrive in today’s digital landscape.

Ford Merrill is Senior Director of the Cyber Intelligence Business Unit at CSIS Security Group A/S

Image: Mohamed Hassan
