In this four-part series, Systal’s SOC Analyst Abbey Adegbola delves into the adversary trends affecting the ever-evolving cybersecurity landscape. Part three discusses the ‘Persistent Threat of Identity Compromise and Credential Acquisition’.
As most organisations continue to focus on the unrelenting evolution of generative AI, there are other critical adversarial trends that will continue to shape the threat landscape. In my time within cybersecurity, I have never seen any technology or trend explode like generative AI, especially with the frontier models such as ChatGPT, but there are other prevalent and critical issues in cybersecurity as threat actors continue to advance in technique and complexity.
In the ever-evolving landscape of cybersecurity, threat actors continue to exploit various weaknesses in enterprise security. However, one trend stands out prominently: the relentless pursuit of compromising identities and acquiring credentials. In this article, we explore the methods, risks, and mitigation strategies related to this persistent threat.
The Persistent Threat: Identity Compromise and Credential Acquisition
Identity remains a major target for threat actors and a gateway to highly destructive breaches. Credential stuffing, phishing campaigns, Kerberoasting, brute force attacks, Adversary in the Middle (AiTM) and malware are all common methods adversaries use to compromise identities, and they consistently refine and vary these methods. Breached credentials unlock access to sensitive systems, escalate attacks, and facilitate lateral movement – making identity theft a persistent and significant threat. In most cases, compromising identities now serves as a precursor to highly destructive activities such as data exfiltration and ransomware.
According to the IBM X-Force Threat Intelligence Index 2024, the largest shift the IBM X-Force team noticed in 2023 was a pronounced surge in cyberthreats targeting identities. It was noted that adversaries have historically tended to take the route of least resistance to achieve their objectives. Nowadays, the emphasis is more on “logging in rather than hacking in”, underscoring the relative ease of obtaining credentials as opposed to exploiting vulnerabilities or carrying out phishing campaigns. In addition to stealing account credentials, CrowdStrike Counter Adversary Operations (CAO) observed adversaries targeting API keys and secrets, session cookies and tokens, one-time passwords (OTPs) and Kerberos tickets throughout 2023, and this is certain to continue. Some months ago, Midnight Blizzard (APT29) used secrets found in stolen data to gain access to some of Microsoft’s internal systems and source code repositories, while Forest Blizzard (APT28) is also known to conduct regular credential collection campaigns against some Microsoft products and other services. To maintain access to cloud services and workloads, adversaries often achieve persistence at the identity level. Systal’s own Global SOC team has also noted an uptick in phishing campaigns, brute force attacks, AiTM and other malicious techniques targeting users with the goal of acquiring credentials, while the CSIRT team has been engaged in identity-related incidents (such as Kerberoasting) in client environments.
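Two of the techniques named above, Kerberoasting and brute force (here in its password-spray form), leave recognisable patterns in Windows Security logs that a SOC can alert on. The detector below is an added example written for this article, not Systal’s own tooling; it runs over a constructed sample of event records (Event ID 4769 service-ticket requests and 4625 failed logons) and assumes the field names shown, which will differ in a real SIEM.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # 4769 TicketEncryptionType for RC4; AES tickets (0x12) are far harder to crack offline


def _parse(ts):
    return datetime.fromisoformat(ts)


def _burst(events, group_key, distinct_key, min_distinct, window):
    """Return group values that touch >= min_distinct distinct values inside any time window."""
    groups = {}
    for e in events:
        groups.setdefault(e[group_key], []).append(e)
    flagged = set()
    for g, evs in groups.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for i, start in enumerate(evs):
            limit = _parse(start["ts"]) + window
            seen = {e[distinct_key] for e in evs[i:] if _parse(e["ts"]) <= limit}
            if len(seen) >= min_distinct:
                flagged.add(g)
                break
    return flagged


def detect_kerberoasting(events, min_spns=3, window=timedelta(minutes=5)):
    """One account requesting RC4-encrypted service tickets for many SPNs in a short burst."""
    tgs = [e for e in events if e["id"] == 4769 and e.get("enc") == RC4_HMAC]
    return _burst(tgs, "user", "spn", min_spns, window)


def detect_password_spray(events, min_accounts=3, window=timedelta(minutes=10)):
    """One source failing logons against many distinct accounts (few tries each, many users)."""
    fails = [e for e in events if e["id"] == 4625]
    return _burst(fails, "src", "user", min_accounts, window)


def _ev(ts, eid, user, src, spn=None, enc=None):
    return {"ts": ts, "id": eid, "user": user, "src": src, "spn": spn, "enc": enc}


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    _ev("2024-05-01T09:00:01", 4769, "jsmith", "10.0.0.5", "MSSQLSvc/db01", "0x17"),
    _ev("2024-05-01T09:00:02", 4769, "jsmith", "10.0.0.5", "HTTP/web01", "0x17"),
    _ev("2024-05-01T09:00:03", 4769, "jsmith", "10.0.0.5", "CIFS/file01", "0x17"),
    _ev("2024-05-01T09:10:00", 4769, "alice", "10.0.0.9", "CIFS/file01", "0x12"),  # AES, normal use
    _ev("2024-05-01T10:00:00", 4625, "alice", "203.0.113.7"),
    _ev("2024-05-01T10:00:20", 4625, "bob", "203.0.113.7"),
    _ev("2024-05-01T10:00:40", 4625, "carol", "203.0.113.7"),
    _ev("2024-05-01T11:00:00", 4625, "dave", "10.0.0.9"),  # single failure, benign
]

if __name__ == "__main__":
    print("Kerberoasting suspects:", detect_kerberoasting(SAMPLE_EVENTS))
    print("Spray sources:", detect_password_spray(SAMPLE_EVENTS))
```

Thresholds and windows are tuning knobs: service accounts that legitimately request many tickets should be baselined, and a real rule should also suppress hosts that still have RC4 enabled by policy rather than by attacker choice.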
As threat actors persistently target identities and credentials, organisations must prioritise identity-centric security and adopt proactive measures. By enforcing phishing-resistant MFA to fortify identity verification, maintaining good credential hygiene, ensuring the use of XDR tools, providing regular education and awareness for users, and enforcing security best practices, we can combat the threat and mitigate the risks posed by this ongoing trend.
Systal’s Capabilities to Protect Organisations
It is essential for organisations of any size to have in place a robust and effective cybersecurity program that encompasses the fundamental security practices. However, many organisations find it difficult to create and maintain a robust cybersecurity program and a healthy cybersecurity culture that can keep pace with the threat landscape. Systal offers a broad range of cybersecurity services, from security operations, digital forensics and incident response to professional services that fully manage a customer’s security and protect their digital assets and environment. Our strong capabilities in continuous monitoring and managed detection and response can help organisations protect themselves against ever-evolving and sophisticated cyber threats.
Systal Operational Services offer a comprehensive framework to protect your organisation’s digital health and resilience using cutting-edge technology. With a dedicated global SOC and a proven Cyber Security Incident Response Team (CSIRT), our services are meticulously designed to proactively monitor, manage, detect, respond to, and remediate potential cyber threats. For more information on how Systal can help solve your cybersecurity challenges, contact our experts.
Next in the series, we will be examining supply chain attacks as a medium used by threat actors to carry out massive breaches, impacting a wider network.
Abbey Adegbola is an experienced Security Engineer working with Systal Technology Solutions. Abbey brings over seven years of IT support experience and SOC analyst experience into the Security team within Systal, providing security engineering support and L3 SOC analysis services to Systal’s customers and internal Security Team. Abbey is also a skilled malware analyst and reverse engineer who works to support the capabilities of Systal’s Cyber Security and Incident Response Teams.