7 Critical Identity-Related Attack Types

In the face of increasing identity-based attacks, bolstering Identity and Access Management (IAM) security is crucial, yet nearly half of organizations lack the necessary resources and skilled personnel to modernize these efforts. 

Bolstering Identity and Access Management (IAM) security has become ever more urgent in the wake of a growing number of identity-based attacks in recent years. Security teams are not prepared to combat this threat: almost 50% of organizations are not adequately staffed or funded for new IAM projects or IAM modernization efforts, mostly due to a lack of skilled IAM personnel (Gartner).

In 2024 alone, there have been a couple of notable identity-based breaches. UnitedHealth experienced an attack, due to a lack of Multi-Factor Authentication (MFA), and was forced to release a $22M payment to the criminals. The breach has already cost them $900M, not including the ransom paid. Snowflake experienced a massive breach due to stolen account credentials. The full extent of data exfiltration may never be known, but there are huge financial losses and reputational damage to some of Snowflake’s high-profile customers, including AT&T, Ticketmaster, and Neiman Marcus. AT&T alone has 242M customers for its U.S. wireless mobility services. It is said the hackers gained access to records of subscribers’ calls and text messages over a six-month period.

Let's explore 7 common attack methodologies: 

1. Phishing

Phishing is a type of cyber attack used to steal user data, in which an attacker pretends to be a trusted entity. What seems like an innocent or simple request for email confirmation or a password reset could give a bad actor the ability to move right into your network. For example, an executive at your company is sent an unexpected DocuSign request for review. It looks and feels real, but the hyperlink on the “Sign” button actually leads to a malicious website.

Mitigation

  • Regular employee education on phishing attempts
  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)
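SPF and DMARC only help when the published records actually reject spoofed mail. The checker below is an added example (not from the original post or Twine's product) that flags the weak settings most often seen in practice, such as SPF ending in "+all" or DMARC set to "p=none"; the records and the domain company.test are constructed placeholders.

```python
def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: missing or malformed v=spf1 record"]
    # The qualifier on the final 'all' mechanism decides what happens to unlisted senders.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are not rejected")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("SPF: '+all' authorizes every host on the internet to send as this domain")
    elif all_terms[-1] == "?all":
        findings.append("SPF: '?all' is neutral; spoofed mail passes")
    elif all_terms[-1] == "~all":
        findings.append("SPF: '~all' is softfail only; use '-all' once DMARC alignment is confirmed")
    return findings

def check_dmarc(record):
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing or malformed record"]
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports to review")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings

def assess(spf_record, dmarc_record):
    """All findings for a domain's SPF and DMARC TXT records; empty list means hardened."""
    return check_spf(spf_record) + check_dmarc(dmarc_record)

# Constructed records (company.test and mail.provider.test are placeholders, not real domains).
WEAK = ("v=spf1 include:mail.provider.test +all",
        "v=DMARC1; p=none; rua=mailto:dmarc@company.test")
HARDENED = ("v=spf1 include:mail.provider.test -all",
            "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@company.test")
```

Feed the function the TXT records pulled from DNS for the apex domain and the `_dmarc` subdomain; DKIM is not covered here because its check requires a signed message, not just a record.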

2. Insider Threats 

A former or disgruntled employee can become a security nightmare, as they may share critical information that exposes your network to outsiders. For example, an employee at your company is unhappy and has been looking to move companies. Once they accept a job at a direct competitor, they download deal information and databases and take them with them on their way out the door.

Mitigation

  • Enforce IAM for immediate or planned termination
  • Prevent data exfiltration
  • Eliminate idle accounts
  • Map your exposure

3. Credential Stuffing

Credential stuffing is a type of cyberattack in which hackers use stolen login information from one platform to try to access unrelated accounts on different platforms. For example, a hacker purchases a list of 100,000 email and password combinations from a dark web marketplace (originally stolen from a social media platform). They then configure a botnet of compromised computers to distribute login attempts against company systems, avoiding detection. After several thousand combinations per minute, the botnet successfully accesses a few accounts, gaining access to sensitive company systems and data.

Mitigation:

  • Enforce strong password policies
  • Implement Multi-Factor Authentication (MFA)
  • Monitor for unusual login patterns 
  • Limit login attempts

4. Golden Ticket Attack 

A golden ticket attack aims to secure extensive access to an organization's domain by leveraging user information stored in Microsoft Active Directory (AD). This type of attack abuses the Kerberos authentication protocol that AD relies on, enabling the attacker to circumvent standard authentication processes.

An attacker tricks an employee into downloading malware through a phishing email. This malware opens a backdoor on their computer, allowing the hacker to access the company’s network. The hacker then increases their access rights to become a domain administrator. They extract the KRBTGT hash, enabling them to create a "Golden Ticket," which gives them access to all resources in the network, like file servers, databases, and applications.

Mitigation:

  • Limit privileges 
  • Implement strong authentication policies
  • Conduct regular security audits

5. Kerberoasting

Kerberoasting is a technique hackers use to crack service account passwords in Active Directory. After gaining access to a regular user account, the hacker uses PowerShell to list service accounts. They find the SQL database service account and request a service ticket for it. Then, they extract the ticket's hash and save it. Using a password cracking tool, they crack the password offline, gaining access to the SQL service account. This elevated access may allow them to explore other areas of the network if the account has extra permissions.

Mitigation

  • Use strong service account passwords
  • Limit service account permissions
  • Monitor Kerberos ticket requests
  • Implement account lockout policies
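"Monitor Kerberos ticket requests" in practice means watching Windows Security event 4769 on domain controllers: a single account requesting RC4-encrypted (encryption type 0x17) service tickets for several different service accounts in a short window is the signature of the enumeration step described above. The detector below is an added example (not from the original post or Twine's product) run over constructed 4769-style events; the account names, hosts and IPs are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption type 0x17 (RC4-HMAC) in event 4769 means the ticket was encrypted with a key
# derived from the service account's NT hash, which is what offline cracking targets.
RC4_HMAC = "0x17"

def detect_kerberoasting(events, min_services=3, window_minutes=5):
    """Return {requester: [service accounts]} for requesters that obtained RC4 service
    tickets for >= min_services distinct non-machine service accounts within the window.
    Each event is a dict with time (ISO 8601), user, service, etype and ip."""
    by_user = defaultdict(list)
    for e in events:
        svc = e["service"]
        # Machine accounts ($) and krbtgt are not Kerberoasting targets; AES tickets are skipped.
        if e["etype"] != RC4_HMAC or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            end = start + timedelta(minutes=window_minutes)
            services = {svc for t, svc in reqs[i:] if t <= end}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits

# Constructed 4769-style events (no real hosts or accounts); in a real environment they
# would be read from the Security log of the domain controllers.
EVENTS = [
    {"time": "2024-06-03T09:00:01", "user": "jdoe", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2024-06-03T09:00:02", "user": "jdoe", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2024-06-03T09:00:02", "user": "jdoe", "service": "FILESRV01$", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2024-06-03T09:00:04", "user": "jdoe", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2024-06-03T09:05:00", "user": "asmith", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.9"},
    {"time": "2024-06-03T09:10:00", "user": "bwong", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.7"},
    {"time": "2024-06-03T09:40:00", "user": "bwong", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.7"},
]

if __name__ == "__main__":
    print(detect_kerberoasting(EVENTS))
```

The complementary mitigation is to make the hit worthless: AES-only service accounts and long random or managed (gMSA) passwords leave nothing crackable even when a ticket is requested.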

6. Password Spraying

A password spraying attack is a brute force method where a hacker employs a single, commonly used password against multiple accounts.

Initially, an attacker obtains a list of email addresses for employees by scraping the company's website, searching LinkedIn profiles, and purchasing a leaked database from the dark web. They use this to compile a list of 1,000 potential usernames in the format firstname.lastname@company.com. Then, they create a list of commonly used passwords and use an automated tool to attempt to log into the company VPN with each password against all 1,000 usernames. To avoid detection, they even wait 5 minutes between each attempt and rotate through different IP addresses. Eventually, they gain access to a few user accounts, and can access sensitive company data, send phishing emails from legitimate addresses, escalate privileges, and plant malware on the company’s systems.

Mitigation

  • Enforce strong password policies
  • Implement Multi-Factor Authentication (MFA)
  • Limit login attempts 
  • Use rate limiting

7. Silver Ticket Attack

A silver ticket is a forged service ticket created by attackers once they have a service account's password hash. After getting into a company computer via a phishing email, the attacker gathers domain details and extracts the NTLM hash of the SQL server's service account. They use this to forge a silver ticket, allowing them to connect to the SQL server and pull out sensitive information. They can also explore more of the network or escalate their privileges to control even more.

Mitigation

  • Secure service account credentials 
  • Monitor service account usage
  • Regularly audit service accounts
  • Limit ticket lifetimes

Ready to Remove the IAM Weight Off of Your Security Team’s Back? 

Introducing Alex, Twine’s first digital cybersecurity employee, who takes away the burden of identity management tasks - proactively completing your organization’s cyber objectives. Let Alex learn, understand and provide end-to-end execution and automation for your cyber team’s critical identity and access management (IAM) tasks.

The problem with today’s identity and access management (IAM) tools is that they generate a lot more work than initially expected: setup, deployment, as well as ongoing upkeep. Legacy systems are excessively complicated, require highly skilled operators, and do not ensure thorough deprovisioning. This results in residual traces, orphaned accounts, and over-privileged accounts.

Before Alex, no technology had been able to fully replicate human capabilities in the IAM cybersecurity vertical - until now. With Alex, cybersecurity teams are finally equipped with a high-performing digital employee who joins the team and autonomously executes IAM tasks as directed, from A to Z. Onboard Alex to maximize cyber efficiency and get the most out of your existing identity toolset.
