Identity theft: The keys to the kingdom in the hands of hackers


Identity theft is the latest growing trend in the digital threat landscape. Cybercriminals have realized that it is more efficient, more effective and cheaper to steal user IDs and passwords than to try to penetrate technical security controls.

Once they have siphoned the access credentials of a single employee, they move laterally, stealing further credentials, escalating privileges, and compromising servers and endpoints to exfiltrate sensitive organizational data. This opens the door for an attacker to turn one compromised identity into an organization-wide data breach or ransomware incident.

Privileged identities are the keys to the kingdom, which attackers exploit to steal a business's most valuable assets. Unfortunately, because these attacks are so hard to detect, most organizations are unaware of their actual level of risk.

Security teams need to re-evaluate the detection tools they currently use to spot compromised users and lateral movement across their environments before extensive damage is done.

Emails as the key

Threat actors recognize that many staff have access to their organization's most critical data, and that it is relatively easy to trick them into taking an action that jeopardizes the security of that information. Most of these attacks start with a simple email.

Email-based attacks continue to dominate the threat landscape, both globally and in the UK. Proofpoint's 2023 State of the Phish report revealed that 91% of UK organizations experienced an attempted phishing attack in 2022, some of which succeeded in some form. Of these successful attacks, 43% resulted in credential theft and/or account compromise, where employees inadvertently exposed their credentials, giving threat actors access to sensitive data and business accounts.

Many of today’s attacks count on compromised identities, including ransomware. Proofpoint data shows that 82% of UK organizations experienced an attempted email-based ransomware attack in the past year, with 62% suffering a successful infection. Additionally, 85% of UK organizations reported they have experienced data loss due to an insider’s action in 2022.

Email security is clearly critical. Through a technical combination of email gateway rules, advanced threat analysis, email authentication and visibility into cloud applications, organizations can block the majority of targeted attacks before they reach employees. Even so, an effective threat protection strategy has to look at the entire attack chain, covering the threats that people and their identities continuously face.


Locking the door on attacks

Threat actors tend to rely on the same technique: targeting employees with an email to gain a foothold in an organization, then moving laterally to obtain as much access as possible. They rely on this technique because it works, and it will continue to work unless organizations consider how to break the links in the attack chain.

When considering how organizations can break attack chains, the first step is to halt the initial compromise in the first place. This is where a robust email security strategy is vital.

Whether through Business Email Compromise (BEC), cloud account takeover, or a trusted third party such as a supplier being used to reach the organization, an initial email can lead to extensive security compromise. After the initial compromise, attackers will have access to the domain, giving them access to email accounts and the ability to commit extensive fraud from that point.

Worryingly, compromised accounts often go undetected, leaving none of the traditional indicators of compromise and no evidence of malware. And despite the deployment of privileged access management (PAM) and multifactor authentication (MFA), these attacks continue to increase.

If the compromise goes undetected, organizations face an even bigger problem: privilege escalation and rapid lateral movement within their networks.

To combat this, organizations need to implement the technology to identify and respond to compromised users, and to remove the element attackers need to complete their crime: privileged account access. An identity threat detection and response (ITDR) approach helps organizations remediate privileged identity risks and understand the potential ramifications of a compromise, such as access to critical data and intellectual property.
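As an added illustration of what "identifying compromised users" can mean in practice (this is example code, not Proofpoint's product logic or anything from the original article), the block below runs two simple detections over a constructed set of authentication events: a credential used from a source host that account has never used before, and one account fanning out to an unusual number of destination hosts within a short window, which is the pattern stolen credentials produce during lateral movement. The event schema, host names, thresholds and the baseline cutoff are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified network-logon events (not real telemetry).
# Fields: timestamp, account, source host, destination host, logon type.
SAMPLE_EVENTS = [
    ("2023-06-01T09:00:00", "alice", "WS-ALICE", "FILESRV01", "network"),
    ("2023-06-01T09:05:00", "alice", "WS-ALICE", "MAIL01", "network"),
    ("2023-06-01T09:40:00", "bob", "WS-BOB", "FILESRV01", "network"),
    # Afternoon burst: bob's credentials used from alice's workstation to
    # reach five different hosts in about two minutes (assumed attacker activity).
    ("2023-06-01T13:02:00", "bob", "WS-ALICE", "FILESRV01", "network"),
    ("2023-06-01T13:02:30", "bob", "WS-ALICE", "DC01", "network"),
    ("2023-06-01T13:03:10", "bob", "WS-ALICE", "SQL01", "network"),
    ("2023-06-01T13:03:45", "bob", "WS-ALICE", "WS-CAROL", "network"),
    ("2023-06-01T13:04:20", "bob", "WS-ALICE", "APP01", "network"),
    ("2023-06-01T15:00:00", "carol", "WS-CAROL", "MAIL01", "network"),
]

# Assumed baseline cutoff: everything before it is treated as known-good behaviour.
BASELINE_CUTOFF = datetime.fromisoformat("2023-06-01T12:00:00")


def parse(events):
    """Convert the string timestamps into datetime objects, keeping only network logons."""
    return [
        (datetime.fromisoformat(ts), user, src, dst)
        for ts, user, src, dst, logon_type in events
        if logon_type == "network"
    ]


def detect_new_source(events, cutoff=BASELINE_CUTOFF):
    """Flag the first logon after the cutoff from a source host the account never used before it.

    Accounts with no baseline activity are skipped to avoid flagging every new joiner.
    """
    baseline = defaultdict(set)
    for ts, user, src, _dst in parse(events):
        if ts < cutoff:
            baseline[user].add(src)

    alerts, already = [], set()
    for ts, user, src, _dst in sorted(parse(events)):
        if ts < cutoff or user not in baseline or src in baseline[user]:
            continue
        if (user, src) not in already:
            already.add((user, src))
            alerts.append({"user": user, "source": src, "first_seen": ts.isoformat()})
    return alerts


def detect_fanout(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag (account, source host) pairs reaching more than max_hosts distinct hosts within window."""
    by_key = defaultdict(list)
    for ts, user, src, dst in parse(events):
        by_key[(user, src)].append((ts, dst))

    alerts = []
    for (user, src), recs in by_key.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            reached = {dst for ts, dst in recs[i:] if ts - start <= window}
            if len(reached) > max_hosts:
                alerts.append({"user": user, "source": src,
                               "hosts": sorted(reached), "start": start.isoformat()})
                break  # one alert per (account, source) is enough for triage
    return alerts


def correlate(events):
    """Return (account, source) pairs that trip both detections: a strong lateral-movement signal."""
    new_src = {(a["user"], a["source"]) for a in detect_new_source(events)}
    fanout = {(a["user"], a["source"]) for a in detect_fanout(events)}
    return new_src & fanout


if __name__ == "__main__":
    for alert in detect_new_source(SAMPLE_EVENTS):
        print("new source:", alert)
    for alert in detect_fanout(SAMPLE_EVENTS):
        print("fan-out:", alert)
    print("correlated:", correlate(SAMPLE_EVENTS))
```

Neither rule alone is conclusive: a new laptop trips the first and a sysadmin's patch run trips the second. The point of correlating them per account and source host is that stolen credentials typically show both at once, on a machine that is not the account owner's, without any malware artefact on the destination hosts.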

By installing these robust technical controls, organizations can prevent initial identity theft and compromise. However, as with all threats, a combination of people, process and technology is vital.

Shared responsibility

Security should be a shared responsibility. People at all levels of an organization must be empowered to understand the security controls in place and the risky behaviors that can lead to breaches. Training and awareness programs are vital, but one size does not fit all. You need to ensure that your program is robust from the user's perspective, making it relevant to their work and personal lives.

Organizations in the UK stand out in this respect - as highlighted in Proofpoint’s 2023 State of the Phish report, 67% of UK organizations train employees on security topics that explicitly target their organization, and 58% of UK organizations train ALL their employees.

According to Proofpoint data, over 99% of cyber threats require human interaction to be successful. When your people are that vital to an attack, they need to be a vital part of your defence. Cybercriminals spend day and night trying to penetrate networks, systems, and data. The least we can do is make them work a little harder.


Matt Cooke is Cybersecurity Strategist for EMEA at Proofpoint, with more than 20 years of experience. He provides expertise on key regional cybersecurity strategies such as people-centric security, security awareness, risk management and insider threats.