Did you know that 80% of all breaches use compromised identities and can take up to 250 days to identify?
Unfortunately, identity-driven attacks are extremely hard to detect. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, traditional security measures and tools often cannot distinguish the user’s typical behavior from that of the attacker.
To better understand the identity threat landscape, let’s explore seven common identity-based attacks and how they work.
Types of Identity-Based Attacks
1. Credential Stuffing
Credential stuffing is a cyberattack where cybercriminals use stolen login credentials from one system to attempt to access an unrelated system.
Credential stuffing attacks follow a relatively simple attack path. First, the attacker leverages stolen account credentials or buys breached credentials via the dark web. With the credentials in hand, the attacker then sets up a botnet or other automation tool to attempt to log into multiple unrelated accounts simultaneously. The bot then checks to see if access was granted to any secondary services or accounts. In the event the login attempt was successful, the attacker will gather additional information, such as personal data, stored credit card information or bank details.
2. Golden Ticket Attack
A golden ticket attack is an attempt to gain almost unlimited access to an organization’s domain by accessing user data stored in Microsoft Active Directory (AD). This attack exploits weaknesses in the Kerberos identity authentication protocol, which is used to access the AD, allowing an attacker to bypass normal authentication.
To carry out a golden ticket attack, the attacker needs the fully qualified domain name, the security identifier (SID) of the domain, the KRBTGT account’s password hash and the username of the account they are going to impersonate.
3. Kerberoasting
Kerberoasting is a post-exploitation attack technique that attempts to crack the password of a service account within AD.
In such an attack, an adversary authenticated as any domain user requests a Kerberos service ticket for an account that has a service principal name (SPN); that ticket is encrypted with a key derived from the service account’s password. (An SPN is an attribute that ties a service to a user account within AD.) The adversary then works offline to crack the password from the ticket, often using brute force techniques.
Once the plaintext credentials of the service account are exposed, the adversary possesses user credentials that they can use to impersonate the account owner.
4. Man-in-the-Middle (MITM) Attack
A man-in-the-middle attack is a type of cyberattack in which an attacker eavesdrops on a conversation between two people, two systems, or a person and a system.
The goal of a MITM attack is to collect personal data, passwords or banking details, and/or to convince the victim to take an action such as changing login credentials, completing a transaction or initiating a transfer of funds.
5. Pass-the-Hash Attack
Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network.
The attacker typically gains initial access to the network through a social engineering technique. Once the attacker controls a user’s session, they use various tools and techniques that scrape active memory to extract the stored password hashes.
Armed with one or more valid password hashes, the attacker gains full system access, enabling lateral movement across the network. As the attacker impersonates the user from one application to the next, they often engage in hash harvesting — accumulating additional hashes throughout the system which can be used to access more areas of the network, add account privileges, target a privileged account, and set up backdoors and other gateways to enable future access.
6. Password Spraying
A password spraying attack is a brute force technique that involves a hacker using a single common password against multiple accounts.
First, the attacker acquires a list of usernames, then attempts logins across all usernames using the same password. The attacker repeats the process with new passwords until the attack breaches the target authentication system to gain account and systems access.
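Both credential stuffing (section 1) and password spraying (this section) leave the same wide-and-shallow footprint in authentication logs: one source failing against many distinct accounts, each only once or twice, which is exactly the shape that per-account lockout thresholds miss. The detector below is an added example (not CrowdStrike’s code); the log lines are constructed, and the field layout, window and thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs), loosely modelled on
# logon-audit fields: (timestamp, source IP, username, outcome).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "203.0.113.7", "alice", "fail"),
    ("2024-05-01T09:00:03", "203.0.113.7", "bob", "fail"),
    ("2024-05-01T09:00:05", "203.0.113.7", "carol", "fail"),
    ("2024-05-01T09:00:07", "203.0.113.7", "dave", "fail"),
    ("2024-05-01T09:00:09", "203.0.113.7", "erin", "fail"),
    ("2024-05-01T09:00:11", "203.0.113.7", "frank", "success"),
    ("2024-05-01T09:05:00", "198.51.100.2", "alice", "fail"),
    ("2024-05-01T09:05:10", "198.51.100.2", "alice", "fail"),
    ("2024-05-01T09:05:30", "198.51.100.2", "alice", "success"),
]


def detect_spraying(events, window=timedelta(minutes=60), min_users=5, max_per_user=2):
    """Return {source: {"users": n, "successes": [...]}} for every source whose
    failed logons inside a sliding `window` touch at least `min_users` distinct
    accounts with no single account failing more than `max_per_user` times.
    A user failing repeatedly from one source (a typo, or classic brute force)
    does not match; it is deep, not wide.  Successful logons from a flagged
    source are recorded because they are the accounts the attacker now holds."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in sorted(events):  # ISO timestamps sort lexically
        by_src[src].append((datetime.fromisoformat(ts), user, outcome))

    alerts = {}
    for src, evs in by_src.items():
        recent = []  # (time, user) failures still inside the window
        for t, user, outcome in evs:
            if outcome == "success":
                if src in alerts:  # a hit after a spray is the top-priority lead
                    alerts[src]["successes"].append(user)
                continue
            recent = [(rt, ru) for rt, ru in recent if t - rt <= window]
            recent.append((t, user))
            per_user = defaultdict(int)
            for _, ru in recent:
                per_user[ru] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                entry = alerts.setdefault(src, {"users": 0, "successes": []})
                entry["users"] = max(entry["users"], len(per_user))
    return alerts
```

Feeding real events in means mapping your log format onto the four fields; everything else, including the lockout-avoiding low-and-slow case, is handled by widening `window`.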
7. Silver Ticket Attack
A silver ticket is a forged authentication ticket, typically created after an attacker steals a service account’s password or password hash. Silver ticket attacks use that stolen credential to forge ticket-granting service (TGS) tickets. A forged service ticket is encrypted with the service account’s key and grants access to resources of the specific service targeted by the silver ticket attack.
Once the attacker obtains the forged silver ticket, they can run code as the targeted local system. They can then elevate their privileges on the local host and start moving laterally within the compromised environment or even create a golden ticket. This gives them access to more than the originally targeted service and is a tactic for avoiding cybersecurity prevention measures.
CrowdStrike Identity Protection
CrowdStrike Falcon® Identity Threat Protection (ITP) enables hyper-accurate threat detection and real-time prevention of identity-based attacks, combining the power of advanced AI, behavioral analytics and a flexible policy engine to enforce risk-based conditional access.
Falcon ITP can enforce consistent risk-based policies to automatically block, allow, audit or step up authentication for every identity, at the same time ensuring a frictionless login experience for genuine users.