By Ford Merrill, Senior Director of the Cyber Intelligence Business Unit, CSIS Security Group A/S
To better understand the problems of online identity theft, we need to
consider what we mean by 'digital identity'. At the start of its guidelines,
the National Institute of Standards and Technology (NIST) defines digital
identity as the "online persona of a subject," recognising that there
isn't yet a single, widely accepted definition. But here, we can view digital
identity simply to represent a person in online transactions.
Access to digital infrastructure traditionally relies on information
associated with this digital identity. In most cases, to access a digital
service, a person (or "subject") needs to know a "secret," which acts
as a credential, such as a password, PIN, or API key. When they provide this
secret, the system assumes the person is who they claim to be. But if this
credential is stolen, malicious actors can use it to impersonate that person -
effectively committing identity theft.
To more reliably verify a person's true identity,
security systems often combine multiple factors - credentials - such as:
- Something they know: a secret, like a password or PIN.
- Something they have: a physical device, such as a security token or
trusted platform module (TPM).
- Something they are: biometrics, like a fingerprint or facial
recognition.
This layered approach strengthens digital identity verification, helping
ensure a person's identity is accurately represented in online transactions.
It's clear that the theft of a credential equals identity theft.
Credential Misuse is rising
According to the 2024 Verizon Data Breach
Investigations Report, human involvement in data
breaches remains significant. The report indicates that 68% of breaches
involved a (non-malicious) human element, such as individuals falling victim to
social engineering attacks or making errors.
The report notes that over the past decade, stolen
credential incidents have appeared in almost one-third (31%) of all breaches,
highlighting the persistent risk associated with credential-based attacks.
Verizon observes a significant increase in attacks
involving the exploitation of vulnerabilities, which nearly tripled from the
previous year, accounting for 14% of all breaches. This surge underscores the
evolving tactics of threat actors and the importance of robust security
measures.
According to Risk and Vulnerability Assessment (RVA) analyses gathered by the
US Cybersecurity and Infrastructure Security Agency (CISA), Valid Accounts
[T1078] was the most common successful attack technique, responsible for 41%
of successful attempts.
Meanwhile, the 2024 Microsoft
Digital Defense Report highlights a significant
rise in credential misuse and identity theft, emphasising the evolving tactics
of cybercriminals and the necessity for robust security measures. Key findings
note that cybercriminals are increasingly targeting user credentials to gain
unauthorised access to systems and data. This surge underscores the critical
need for organisations to implement strong authentication protocols and monitor
for suspicious activities.
Microsoft also reports a notable increase in
sophisticated phishing campaigns designed to deceive individuals into revealing
sensitive information. These attacks often exploit human psychology, making
them particularly effective and challenging to detect.
The report advocates for the widespread
implementation of MFA as a fundamental defence against credential theft. MFA
adds an additional layer of security, making it more difficult for attackers to
compromise accounts even if credentials are obtained.
And it stresses the need to adopt a 'Zero Trust'
approach, which assumes that threats could be both external and internal. This
model requires continuous verification of user identities and device health,
reducing the risk of unauthorised access.
These insights underscore the importance of
proactive security strategies, continuous monitoring, and user education to
combat the growing threat of credential misuse and identity theft.
Bypassing MFA?
Multi-factor authentication (MFA) prevents access to the system unless
all required factors are verified, ensuring the user's identity is confirmed. A
typical MFA setup, for example, asks users to enter a One-Time Password (OTP)
sent via SMS in addition to their username and password.
While adding more factors strengthens security, the system can still be
compromised if it is improperly configured or if there are vulnerabilities in
the software or hardware components.
One example of an incident relating to credential theft involved a customer
under the protection of our Managed Detection and Response services receiving
a phishing email from a compromised business partner.
The email contained a Google link redirect chain leading to an M365 phishing
page. These types of phishing links are much harder to detect because the
sender had previously been observed communicating with the recipient and the
mails passed DMARC, DKIM, and SPF checks. These checks normally prevent users
from receiving such a link, but they were bypassed using this technique.
As a result, few defences remained, and only the email security solution
raised an alert for CSIS to take action on.
The next stage involved a
Man-in-the-Middle attack - the user's
login session was hijacked and a secondary MFA option was registered by the
perpetrator, to gain persistent access to the account.
Fortunately, CSIS was able
to stop the attack and take preventive measures to mitigate the threat in the
initial access phase - leaving the perpetrator empty-handed.
Additional Recommendations to Prevent Identity Theft
To further safeguard against
identity theft, implementing Restrictive Conditional-Access Policies can
provide an additional layer of security by ensuring that only trusted users and
devices can access sensitive systems. For organisations managing devices,
requiring enrolment into Microsoft Intune for management enhances oversight and control,
though it's important to note that Bring Your Own Device (BYOD) policies may
pose challenges in these cases.
Switching to Windows Hello for Business on devices equipped with
Trusted Platform Modules (TPM) is another effective alternative. This approach
leverages advanced authentication methods, such as biometrics or PINs, to
improve resistance against phishing attacks while enhancing the overall security
posture of endpoints. These measures, when integrated into a robust
cybersecurity framework, can significantly mitigate the risk of identity theft.
CSIS strongly recommends establishing a phishing-resistant multi-factor
authentication policy, incorporating security devices like YubiKey - a
hardware-based security key that provides strong two-factor, multi-factor, and
passwordless authentication - or similar. Implementing such measures not only
enhances protection, but also makes it impossible to fall victim to malicious
activities such as session stealing.
Managing digital identities
There are several ways to better manage organisational security online,
and help staff avoid the issues surrounding identity attack, including, but not
limited to:
Implementing proper Access Control
Implementing robust access control mechanisms is
essential to ensure only authorised users can access specific data and systems,
reducing the risk of unauthorised access. This includes setting up role-based
access controls (RBAC) and applying the principle of least privilege, which
limits user permissions to only what is necessary for their role. CSIS offers
services such as Active
Directory (AD) Security Assessments to
help organisations identify and remediate complex risks and threats within
their access control systems.
Monitoring infrastructure - audit logs
Regular monitoring of audit logs is crucial for
detecting unusual activity early on, providing insights into who accessed what,
when, and from where. Analysing these logs can reveal signs of unauthorised
access, privilege escalation, or attempted credential misuse, enabling swift
intervention. CSIS Managed Detection and Response (MDR) services offer 24/7 monitoring and analysis of security events,
ensuring prompt detection and response to potential threats.
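Detection logic for the pattern described in the incident under "Bypassing MFA?" (a secondary MFA method registered shortly after a session was hijacked) and for the audit-log monitoring this section calls for, as an added example that is not CSIS code. The sign-in and audit records, the per-user IP baseline and the simplified field names are constructed; "User registered security info" is the Entra ID audit activity name for MFA-method registration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), shaped loosely after Entra ID
# sign-in and audit log fields. In an adversary-in-the-middle phish the session is
# established from the attacker's proxy, so the sign-in IP is unfamiliar to the
# user, and the MFA-method registration that follows comes from that same place.
SIGN_INS = [
    {"time": "2024-10-02T08:01:10Z", "user": "alice@example.com", "ip": "203.0.113.10", "status": "success"},
    {"time": "2024-10-02T08:14:32Z", "user": "alice@example.com", "ip": "198.51.100.77", "status": "success"},
    {"time": "2024-10-02T09:30:00Z", "user": "bob@example.com", "ip": "203.0.113.22", "status": "success"},
]
AUDIT_EVENTS = [
    {"time": "2024-10-02T08:19:05Z", "user": "alice@example.com", "ip": "198.51.100.77", "activity": "User registered security info"},
    {"time": "2024-10-02T08:20:00Z", "user": "alice@example.com", "ip": "198.51.100.77", "activity": "Update user"},
    {"time": "2024-10-02T09:35:00Z", "user": "bob@example.com", "ip": "203.0.113.22", "activity": "User registered security info"},
]
# Baseline of IPs each user has signed in from historically (constructed).
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.22"}}
MFA_REGISTRATION = "User registered security info"  # Entra ID audit activity name

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_mfa_registrations(sign_ins, audit_events, known_ips, window_minutes=60):
    """Alert when a new MFA method is registered within window_minutes of a successful
    sign-in from an IP the user has never used before (the post-hijack persistence step)."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ev in audit_events:
        if ev["activity"] != MFA_REGISTRATION:
            continue  # other audit activity, not an MFA-method change
        t_reg = parse_time(ev["time"])
        for s in sign_ins:
            if s["user"] != ev["user"] or s["status"] != "success":
                continue
            age = t_reg - parse_time(s["time"])
            if not (timedelta(0) <= age <= window):
                continue  # sign-in too old, or after the registration
            if s["ip"] not in known_ips.get(s["user"], set()):
                alerts.append({"user": ev["user"], "sign_in_ip": s["ip"],
                               "registration_ip": ev["ip"], "minutes_between": round(age.total_seconds() / 60, 1)})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_mfa_registrations(SIGN_INS, AUDIT_EVENTS, KNOWN_IPS):
        print("ALERT", a)
```

With the constructed data, only alice's registration is flagged: it follows a sign-in from 198.51.100.77, an address absent from her baseline, while bob's registration from a known IP is ignored.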
Monitoring compromised credentials
Understanding the types of compromised credentials related to your
organisation that are being bought and sold on the dark web and other
criminal markets is critical to ensuring you do not allow an attacker to gain
an initial foothold in your network using a valid account.
CSIS Compromised Credentials service provides
continuous real-time monitoring of stolen credential data which may be used
against your organisation. During 2024, CSIS has observed approximately 24
billion credential combinations (i.e., usernames along with associated
passwords and URLs) from Q1-Q3, or an average of 3 billion credential
combinations per month.
Develop and maintain a cyber incident response plan
Developing and maintaining a cyber incident
response plan provides a clear roadmap for identifying, containing and
resolving security incidents, helping to reduce damage and recovery time.
Regularly updating and testing the plan ensures it remains effective against
evolving threats. CSIS provides Emergency
Response Consulting services to assist
organisations in preparing for and responding to cyber incidents.
Have an Emergency Response partner
Partnering with an external emergency response team ensures access to
specialised expertise in the event of a breach. These professionals can assist
with containment, investigation and remediation efforts, helping restore
operations quickly and securely. CSIS, a member of FIRST, the global forum for
incident response and security teams, and NCSC Assured in Incident Response,
offers Emergency Response Retainers, guaranteeing immediate and
round-the-clock access to world-class emergency incident response.
Through implementing multi-factor authentication, strengthening access
controls, and establishing proactive monitoring and incident response measures,
organisations can reduce the risk of unauthorised access and protect against
identity theft.
Using solutions like those provided by CSIS, including continuous
monitoring, access control assessments and dedicated emergency response
services, companies are better equipped to defend their digital infrastructure
against sophisticated attacks. A strong commitment to a robust, well-rounded
security strategy is essential for any organisation to thrive in today's
digital landscape.
ABOUT THE AUTHOR
With a
foundational career spanning over a decade as a Senior Architect securing Linux
and BSD systems within datacenter and hosting environments, Ford contributed
notably to the defense of the American Financial sector during 'Operation
Ababil' between 2012-2013. His efforts in disseminating live attack data and
insights greatly benefited the security community and culminated in a pivotal
presentation at ISOI 11 in Burbank.
In 2014, Ford embraced a move from Texas to pursue a dedicated cybersecurity
research role at CSIS Security Group in Copenhagen, Denmark, continuing deeper
research into DDoS actors, malware, brand infringement, phishing, and
conducting incident response activities. Notably, Ford was the principal
developer behind the technology stack that powers the CSIS Anti-Phishing
service, phishdb. In addition, he has also presented at CCCC on DDoS Botnets
such as Mirai.
Now in upper management, Ford oversees Cyber Intelligence Services at CSIS,
where he is leading a comprehensive portfolio realignment focused on evolving
the group's offering. He is an experienced public speaker, regularly presenting
on areas of expertise to various audience profiles. With a profound
understanding of cybercrime's changing dynamics, Ford stands out as a strategic
thought leader, ready to share his unique insights.