While 99% of companies plan to invest more in security, only 52% have fully implemented multi-factor authentication (MFA), and only 41% adhere to the principle of least privilege in access management.
Adversaries, including nation-states, state-funded attackers and cybercrime gangs, continue to sharpen their tradecraft using generative AI, machine learning (ML) and a growing AI arsenal to launch increasingly sophisticated identity attacks. Deepfakes, tightly orchestrated social engineering and AI-based identity attacks, synthetic fraud, living-off-the-land (LOTL) attacks and many other technologies and tactics signal that security teams are at risk of losing the war against adversarial AI.
“Identity remains one of the hairiest areas of security—in really basic terms: you need authorization (authZ: the right to access) and authentication (authN: the means to access). In computer security, we work really hard to marry authZ and authN,” Merritt Baer, CISO at Reco.ai, told EnterpriseBeat in a recent interview.
“What we have to do is make certain that we use AI natively for defenses, because you cannot go out and fight those AI weaponization attacks from adversaries at a human scale. You need to do it at machine scale,” Jeetu Patel, Cisco’s executive VP and chief product officer, told EnterpriseBeat in an interview earlier this year.
The bottom line is that identities continue to be under siege, and adversaries’ continued efforts to improve AI-based tradecraft targeting weak identity security are a fast-growing threat. The Identity Defined Security Alliance (IDSA) recent report, 2024 Trends in Securing Digital Identities, reflects how vulnerable identities are and how quickly adversaries are creating new attack strategies to exploit them.
The siege on identities is real, and growing.
“Cloud, identity and remote management tools and bona fide credentials are where the adversary has been moving, since it’s too hard to operate unconstrained on the endpoint. Why try to bypass and deal with a complicated platform like CrowdStrike on the endpoint when you could log in as an admin user?” Elia Zaitsev, CTO of CrowdStrike, told EnterpriseBeat during a recent interview.
The overwhelming majority of companies, 90%, have experienced at least one identity-related intrusion or breach attempt in the last twelve months. The IDSA also found that 84% of companies suffered a direct business impact this year, up from 68% in 2023.
“The future is not going to be televised; it’ll be contextual. It’s rare that a bad actor is burning a 0-day (new) exploit to get access—why use something special when you can use the front door? They are almost always working with valid credentials,” Baer says.
“80% of the attacks that we see have an identity-based element to the tradecraft that the adversary uses; it’s a key element,” Michael Sentonas, president of CrowdStrike, told the audience at Fal.Con 2024 this year. Sentonas continued: “Sophisticated groups like Scattered Spider, like Cozy Bear, show us how adversaries exploit identity. They use password spray, they use phishing, and they use MITM frameworks. They steal legitimate creds and register their own devices.”
Why identity-based attacks are proliferating
Identity-based attacks are surging this year, with a 160% rise in attempts to gather credentials via cloud instance metadata APIs and a 583% spike in Kerberoasting attacks, according to CrowdStrike’s 2023 Threat Hunting Report.
The all-out attacks on identities underscore the need for a more adaptive, identity-first security strategy that reduces risk and moves beyond legacy perimeter-based approaches:
Unchecked human and machine identity sprawl is rapidly expanding threat surfaces. IDSA found that 81% of IT and security leaders say their organizations’ number of identities has doubled over the last decade, further multiplying the number of potential attack surfaces. Over half the executives interviewed, 57%, consider managing identity sprawl a primary focus going into 2025, and 93% are taking steps to get control of it. With machine identities continuing to increase, security teams must have a strategy in place for managing them as well. The average organization has 45 times more machine identities than human ones, and many organizations don’t even know exactly how many they have. What makes managing machine identities difficult is factoring in the differing needs of DevOps, cybersecurity, IT, IAM and CIO teams.
Growing incidence of adversarial AI-driven attacks launched with deepfake and impersonation-based phishing techniques. Deepfakes typify the cutting edge of adversarial AI attacks, with a 3,000% increase last year alone. Deepfake incidents are projected to rise by 50% to 60% in 2024, with 140,000 to 150,000 cases globally predicted this year. Adversarial AI is creating new attack vectors nobody sees coming and a new, more complex and nuanced threatscape that prioritizes identity-driven attacks. Ivanti’s latest research finds that 30% of enterprises have no plans in place for how they will identify and defend against adversarial AI attacks, while 74% of enterprises surveyed already see evidence of AI-powered threats. Of the CISOs, CIOs and IT leaders participating in the study, 60% say they are afraid their enterprises are not prepared to defend against AI-powered threats and attacks.
More active targeting of identity platforms, starting with Microsoft Active Directory (AD). Every adversary knows that the faster they take control of AD, the faster they control an entire company. From giving themselves admin rights to deleting all other admin accounts to further insulate themselves during an attack, adversaries know that locking down AD locks down a business. Once AD is under their control, adversaries move laterally across networks, install ransomware, exfiltrate valuable data and have been known to reprogram ACH accounts so that outbound payments go to shadow accounts the attackers control.
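As an added example (not from the article, CrowdStrike or any vendor), the detection below looks for the AD takeover sequence just described in Windows Security event logs: an account is added to a privileged group and, within a short window, that same account deletes or disables other users. An escalated account that was itself freshly created is reported with its creator, since that is the stronger indicator of an attacker-made persona. The event records are constructed, the 30-minute window is a hypothetical tuning value, and real SIEM field names differ (the group-add event's MemberName is mapped to `target` here).

```python
"""Detect the AD takeover pattern: privileged-group grant followed by deletion or disabling of
other accounts. Added example, not the article's or any vendor's code; the event records
are constructed and the correlation window is a hypothetical tuning value."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs (well-known values).
USER_CREATED, USER_DISABLED, USER_DELETED = 4720, 4725, 4726
GROUP_ADD_IDS = {4728, 4732, 4756}   # member added to a global / local / universal security group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
WINDOW = timedelta(minutes=30)       # hypothetical: how long after escalation removals count

# Field mapping used here: "subject" is who performed the action (SubjectUserName) and
# "target" is the account acted on (TargetUserName, or MemberName for group-add events).
# Constructed sample: a compromised service account creates a user, makes it a Domain Admin,
# and that user then removes the real admins. The last event is benign.
SAMPLE_EVENTS = [
    {"time": "2024-11-15 02:01:10", "id": USER_CREATED, "subject": "svc-backup", "target": "helpdesk2"},
    {"time": "2024-11-15 02:01:42", "id": 4728, "subject": "svc-backup", "target": "helpdesk2", "group": "Domain Admins"},
    {"time": "2024-11-15 02:09:05", "id": USER_DELETED, "subject": "helpdesk2", "target": "adm-jsmith"},
    {"time": "2024-11-15 02:09:30", "id": USER_DISABLED, "subject": "helpdesk2", "target": "adm-mlee"},
    {"time": "2024-11-15 09:15:00", "id": 4728, "subject": "adm-hr", "target": "jdoe", "group": "Finance"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_takeover(events, window=WINDOW):
    """Return one alert per account that removed other accounts within `window` of being
    added to a privileged group. Events are processed in time order, so a removal that
    precedes the escalation is not counted."""
    created = {}                 # username -> creator
    escalated = {}               # username -> time it entered a privileged group
    removed = defaultdict(list)  # escalated username -> accounts it deleted or disabled
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        t = _ts(e["time"])
        if e["id"] == USER_CREATED:
            created[e["target"]] = e["subject"]
        elif e["id"] in GROUP_ADD_IDS and e.get("group") in PRIVILEGED_GROUPS:
            escalated.setdefault(e["target"], t)   # keep the first escalation time
        elif e["id"] in (USER_DELETED, USER_DISABLED):
            actor = e["subject"]
            if actor in escalated and t - escalated[actor] <= window:
                removed[actor].append(e["target"])
    return [{
        "account": actor,
        "escalated_at": escalated[actor].strftime("%Y-%m-%d %H:%M:%S"),
        "removed_accounts": victims,
        "created_by": created.get(actor),   # None if the account predates the log window
    } for actor, victims in removed.items()]


if __name__ == "__main__":
    for alert in detect_takeover(SAMPLE_EVENTS):
        print(alert)
```

In production the same rule would be fed from the domain controllers' Security logs via a SIEM; the window and the privileged-group list are the knobs to tune, and a grant into a privileged group from a service account (as in the sample) deserves its own alert regardless of what follows.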
Over-reliance on single-factor authentication for remote and hybrid workforces, and not enforcing multi-factor authentication down to the app level company-wide. Recent research on authentication trends finds that 73% of users reuse passwords across multiple accounts, and password sharing is rampant across enterprises today. Add to that the fact that privileged account credentials for remote workers are not monitored, and the conditions are created for privileged account misuse, the cause of 74% of identity-based intrusions this year.
The Telesign Trust Index shows that when it comes to getting cyber hygiene right, there’s valid cause for concern. Their study found that 99% of successful digital intrusions start when accounts have multi-factor authentication (MFA) turned off. “The emergence of AI over the past year has brought the importance of trust in the digital world to the forefront,” Christophe Van de Weyer, CEO of Telesign, told EnterpriseBeat during a recent interview. “As AI continues to advance and become more accessible, it’s crucial that we prioritize trust and security to protect the integrity of personal and institutional data. At Telesign, we’re committed to leveraging AI and ML technologies to combat digital fraud, ensuring a safer and trustworthy digital environment for all.”
A well-executed MFA plan requires the user to present two or more distinct factors: something they know (a password or PIN), something they have (a hardware key or authenticator device) or something they are (a biometric). One of the primary reasons so many Snowflake customers were breached is that MFA was not enabled by default, leaving accounts protected by a password alone. CISA provides a helpful fact sheet on MFA that explains why it’s essential and how it works.
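One way to turn “MFA everywhere, no exceptions” into a recurring check, as an added example that is not from the article or any IAM vendor: the script below audits a directory export and flags accounts with no MFA (weighted by privilege), enabled accounts whose owner has already left, and privileged accounts nobody has used recently, then turns each finding into a revocation action. The record layout, the sample accounts and the 90-day staleness threshold are constructed assumptions.

```python
"""Identity hygiene audit: MFA coverage, departed-but-enabled accounts and stale admins.
Added example, not code from the article or any IAM vendor. The Account layout, the
sample directory export and the staleness threshold below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Fixed clock so the audit is deterministic; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 11, 15, tzinfo=timezone.utc)
STALE_PRIVILEGED_DAYS = 90   # hypothetical policy: unused admin rights older than this are removed


@dataclass(frozen=True)
class Account:
    username: str
    kind: str                           # "employee", "contractor" or "service"
    enabled: bool
    mfa_enrolled: bool
    privileged: bool                    # holds admin rights on at least one system
    last_login: Optional[datetime]
    employment_end: Optional[datetime]  # HR termination or contract end date, if any


# Constructed sample export (hypothetical people and dates).
DIRECTORY = [
    Account("alice", "employee", True, True, True, NOW - timedelta(days=1), None),
    Account("bob", "employee", True, False, True, NOW - timedelta(days=2), None),                         # admin without MFA
    Account("carol", "contractor", True, True, False, NOW - timedelta(days=3), NOW - timedelta(days=20)),  # contract ended
    Account("dave", "employee", True, True, False, NOW - timedelta(days=5), NOW - timedelta(days=10)),     # terminated, still enabled
    Account("eve-admin", "employee", True, True, True, NOW - timedelta(days=200), None),                  # unused admin account
    Account("ci-deploy", "service", True, False, True, NOW - timedelta(hours=1), None),                   # service account: MFA not applicable
    Account("frank", "employee", False, False, False, None, NOW - timedelta(days=400)),                   # already disabled: nothing to do
    Account("gina", "contractor", True, False, True, None, NOW - timedelta(days=1)),                      # everything wrong at once
]

# Lower number = handle first.
SEVERITY = {"departed-but-enabled": 0, "privileged-no-mfa": 1, "stale-privileged": 2, "no-mfa": 3}
ACTIONS = {
    "departed-but-enabled": "disable account and revoke sessions and tokens",
    "privileged-no-mfa": "block admin role until MFA is enrolled",
    "stale-privileged": "remove admin role; re-request through JIT",
    "no-mfa": "enforce MFA enrollment at next login",
}


def audit(accounts: List[Account], now: datetime = NOW) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs ordered by severity, then by name."""
    findings = []
    stale_after = timedelta(days=STALE_PRIVILEGED_DAYS)
    for a in accounts:
        if not a.enabled:
            continue                                    # access already revoked
        if a.employment_end is not None and a.employment_end < now:
            findings.append((a.username, "departed-but-enabled"))
        if a.kind != "service" and not a.mfa_enrolled:  # service accounts use keys/roles, not MFA
            findings.append((a.username, "privileged-no-mfa" if a.privileged else "no-mfa"))
        if a.privileged and (a.last_login is None or now - a.last_login > stale_after):
            findings.append((a.username, "stale-privileged"))
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))


def revocation_plan(findings: List[Tuple[str, str]]) -> dict:
    """One action per account: the most severe finding wins, since findings arrive severity-ordered."""
    plan = {}
    for user, kind in findings:
        plan.setdefault(user, ACTIONS[kind])
    return plan


if __name__ == "__main__":
    for user, action in revocation_plan(audit(DIRECTORY)).items():
        print(f"{user:10s} -> {action}")
```

The point of keying severity on privilege is that an admin without MFA is a different class of problem from a standard user without it; the same export, run on a schedule, is also the “go looking for zombie accounts” habit the article recommends, with the HR end date as the authoritative signal rather than last-login alone.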
Ransomware is more often being initiated using stolen credentials, fueling a ransomware-as-a-service boom. EnterpriseBeat continues to see ransomware attacks growing rapidly across healthcare and manufacturing businesses, as adversaries know that interrupting their services results in larger ransom payout multiples. Deloitte’s 2024 Cyber Threat Trends Report found that 44.7% of all breaches involve stolen credentials as the initial attack vector. Credential-based ransomware attacks are notorious for creating operational chaos and, consequently, significant financial losses. Ransomware-as-a-Service (RaaS) attacks continue to increase, as adversaries actively phish target companies to obtain their privileged access credentials.
Practical steps security leaders can take now for small teams
Security teams and the leaders supporting them need to start with the assumption that their companies have already been breached or are about to be. That’s a necessary first step to begin defending identities and the attack surface adversaries target to reach them.
“I started a company because it is a pain point. It’s really hard to manage access permissions at scale. And you can’t afford to get it wrong with high-privileged users (execs) who are, by the way, the same folks who ‘need access to their email immediately!’ on a business trip in another country,” says Kevin Jackson, CEO of Level 6 Communications.
The following are practical steps any security leader can take to protect identities across their business:
- Audit and revoke access privileges for former employees, contractors and admins. Security teams must get in the practice of regularly auditing all access privileges, especially those of administrators, to see if they’re still valid and if the person is still with the company. It’s one of the best habits for any security team to build, because it’s proven to prevent breaches. Go looking for zombie accounts and credentials regularly, and consider how genAI could be used to create scripts to automate this process. Insider attacks are a nightmare for security teams and the CISOs leading them.
Add to that the fact that 92% of security leaders say internal attacks are as complex as or harder to identify than external attacks, and the need to get control of access privileges becomes clear. Nearly all IAM providers have automated anomaly detection tools that can help implement a thorough identity and access privilege clean-up. EnterpriseBeat has learned that roughly 60% of companies are paying for this feature in their cybersecurity suites and are not using it.
- Make MFA the standard with no exceptions, and consider how user personas and roles with access to admin rights and sensitive data may need biometrics and passwordless authentication layered in. Security teams will need to lean on their vendors to get this right: the Snowflake breaches, and now Okta’s disclosure that logins with 52-character user names were being allowed session access without a password, show that a vendor’s defaults cannot be taken on trust.
Gartner projects that by next year, 50% of the workforce will use passwordless authentication. Leading passwordless authentication providers include Microsoft Azure Active Directory (Azure AD, now Microsoft Entra ID), OneLogin Workforce Identity, Thales SafeNet Trusted Access and Windows Hello for Business. Ivanti’s Zero Sign-On (ZSO), integrated into its UEM platform, combines passwordless authentication with FIDO2 protocols and supports biometrics, including Apple’s Face ID, as a secondary authentication factor.
- Get just-in-time (JIT) provisioning right as a core part of providing least privileged access. JIT provisioning is a key element of zero-trust architectures, designed to reduce access risk by limiting resource permissions to specific durations and roles. By configuring JIT sessions based on role, workload and data classification, organizations can further control and protect sensitive assets.
The recently launched Ivanti Neurons for App Control complements JIT security measures by strengthening endpoint security through application control. The solution blocks unauthorized applications by verifying file ownership and applying granular privilege management, helping to prevent malware and zero-day attacks.
- Prevent adversaries and potential insider threats from assuming machine roles in AWS by configuring AWS Identity and Access Management (IAM) for least privileged access. EnterpriseBeat has learned that cyberattacks on AWS instances are increasing, and attackers are taking over the identities of machine roles. Be sure to avoid mixing human and machine roles across DevOps, engineering, production and AWS contractors.
If role assignments have errors in them, a rogue worker or contractor can, and has, stolen confidential data from an AWS instance without anyone knowing. Audit transactions and enforce least privileged access to prevent this type of intrusion. AWS IAM has configurable options, including role trust policies and permission boundaries, to provide this level of protection.
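The two items above, JIT sessions bounded by role and data classification, and keeping humans out of AWS machine roles, as one added example that is not from the article, AWS or any vendor. `issue_grant` caps a session by the target's classification and refuses a request with no justification; `session_policy` emits an IAM session policy (the `Policy` parameter of `sts:AssumeRole`) that narrows the role to the grant's actions on one resource and carries a `DateLessThan` condition on the real `aws:CurrentTime` condition key, so the session's permissions lapse at the grant's expiry even if the STS token outlives it; and `trust_policy_findings` lints a role's trust policy for IAM users, whole accounts or wildcards that could assume a machine role. Role names, TTL caps, ARNs and the two sample trust policies are constructed.

```python
"""JIT, least-privilege access to AWS roles plus a trust-policy lint for machine roles.
Added example, not code from the article, AWS or any vendor; role names, TTL caps,
ARNs and the sample trust policies are constructed assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Longest JIT session allowed, by data classification of the target (hypothetical policy).
MAX_TTL_MINUTES = {"public": 480, "internal": 240, "confidential": 60, "restricted": 15}

# Actions each JIT-eligible role may perform (hypothetical role names, real IAM action names).
ROLE_ACTIONS = {
    "db-reader": ["rds:DescribeDBInstances", "rds-db:connect"],
    "log-analyst": ["logs:FilterLogEvents", "logs:GetLogEvents"],
}

SAMPLE_NOW = datetime(2024, 11, 15, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def issue_grant(user, role, classification, requested_minutes, justification, now):
    """Approve a JIT request; the duration is capped by the data classification, never extended."""
    if role not in ROLE_ACTIONS:
        raise ValueError(f"unknown JIT role {role!r}")
    if not justification.strip():
        raise ValueError("a justification is required for every JIT grant")
    minutes = min(requested_minutes, MAX_TTL_MINUTES[classification])
    return {"user": user, "role": role, "classification": classification,
            "issued": now, "expires": now + timedelta(minutes=minutes),
            "justification": justification}


def is_active(grant, now):
    """A grant is honoured only inside its window; no standing access remains afterwards."""
    return grant["issued"] <= now < grant["expires"]


def session_policy(grant, resource_arn):
    """Session policy for the Policy parameter of sts:AssumeRole: it narrows the role to the
    grant's actions on one resource, and the aws:CurrentTime condition makes the session's
    permissions lapse at expiry even if the STS token itself outlives the grant."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ROLE_ACTIONS[grant["role"]],
        "Resource": resource_arn,
        "Condition": {"DateLessThan": {
            "aws:CurrentTime": grant["expires"].strftime("%Y-%m-%dT%H:%M:%SZ")}},
    }]}


def trust_policy_findings(trust_doc):
    """Flag trust-policy statements that let humans, a whole account or anyone assume a machine role."""
    findings = []
    for st in trust_doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("any principal may assume this role")
            continue
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        for arn in aws:
            if arn == "*":
                findings.append("any AWS principal may assume this role")
            elif ":user/" in arn:
                findings.append(f"IAM user may assume a machine role directly: {arn}")
            elif arn.endswith(":root"):
                findings.append(f"every principal in the account may assume this role: {arn}")
        if "Service" in principal and aws:
            findings.append("service principal and IAM principals mixed in one statement")
    return findings


# Constructed trust policies for an EC2 machine role: the first is correct, the second mixes
# a contractor's IAM user and the whole account into a role meant only for instances.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com",
                   "AWS": ["arn:aws:iam::123456789012:user/contractor-bob",
                           "arn:aws:iam::123456789012:root"]},
     "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    grant = issue_grant("alice", "db-reader", "confidential", 240, "INC-1234: inspect read replica", SAMPLE_NOW)
    print(json.dumps(session_policy(grant, "arn:aws:rds-db:us-east-1:123456789012:dbuser:db-ABCDEFGHIJKL/readonly"), indent=2))
    print("GOOD_TRUST:", trust_policy_findings(GOOD_TRUST))
    print("BAD_TRUST:", trust_policy_findings(BAD_TRUST))
```

Pair the session policy with a `DurationSeconds` on `AssumeRole` no longer than the classification's cap, and log every grant with its justification. A session policy can only narrow the role's own permissions, never widen them, so the role's attached policy still has to be least-privilege in its own right; the trust-policy lint is what keeps a machine role from quietly becoming a human back door.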
Predicting the future of identity management in 2025
Every security team must assume an identity-driven breach has happened or is about to if they’re going to be ready for the challenges of 2025. Enforcing least privileged access, a core component of zero trust and a proven strategy for shutting down a breach, must be a priority. Enforcing JIT provisioning is also table stakes.
More security teams and their leaders must take vendors to task and hold them accountable for their platforms and apps supporting MFA and advanced authentication techniques.
There’s no excuse for shipping a cybersecurity product in 2025 without MFA installed and enabled by default. Complex cloud database platforms like Snowflake show why this must be the new normal. Okta’s recent oversight of allowing 52-character user names to bypass the need for a password just shows that these companies must work harder and more diligently to connect their engineering, quality and red-teaming functions internally so they don’t put customers and their businesses at risk.