What’s behind the recent rise in identity-based attacks? [Q&A]


Cybercriminals are increasingly using sophisticated identity-based attacks (phishing, social engineering, leveraging compromised credentials) to gain access as trusted users and move laterally across systems undetected.
We spoke to Cristian Rodriguez, field CTO, Americas at CrowdStrike, about the company's recent research into these attacks and how organizations can defend against them.
BN: Why are identity-based attacks a growing threat to organizations?
CR: Identity is the lowest hanging fruit for adversaries to exploit as cyber defenses evolve and advance. Instead of picking the lock of the heavily guarded side door, they take the path of least resistance: stealing -- or buying -- legitimate credentials to gain access as a legitimate user. This essentially enables them to walk through the front door with the keys to the house. You set off a lot fewer alarms this way, and this trusted access enables adversaries to move laterally undetected in the direction of high value targets once inside with hands-on keyboard activities.
The data tells the story -- last year, 79 percent of all attacks to gain initial access were malware free while access broker advertisements surged 50 percent YoY. Additionally, five of the top ten MITRE ATT&CK tactics observed this past year were identity-based. From phishing to social engineering to buying valid credentials off the dark web, these techniques make it much faster and easier for adversaries to gain access to their victim’s networks and achieve their objectives.
BN: What adversaries are you tracking that are known for identity-based attacks?
CR: A handful of adversaries stand out as notorious identity-based attackers:
FAMOUS CHOLLIMA, a North Korea nexus adversary, specializes in financially motivated operations, including cryptocurrency theft, credit card fraud and highly sophisticated insider threat campaigns. They infiltrate companies by posing as remote software developers, using forged identities and AI-generated LinkedIn profiles to secure jobs at major firms. Once hired, operatives redirect company-issued laptops to third-party handlers running laptop farms in the US, where teams access sensitive systems, deploy malware and exfiltrate data. CrowdStrike uncovered 304 FAMOUS CHOLLIMA incidents in 2024 -- 40 percent being insider jobs.
COZY BEAR, associated with Russia’s Foreign Intelligence Service, conducts persistent and precise spear-phishing campaigns to target government entities, NGOs, defense contractors and academic institutions in North America and Europe, stealing sensitive data for intelligence-gathering objectives.
SCATTERED SPIDER, a financially motivated eCrime group, utilizes sophisticated social engineering tactics -- smishing (SMS phishing), vishing (voice phishing), SIM-swapping and even direct phone calls -- to manipulate IT help desk agents into resetting passwords and providing them unauthorized access to targeted accounts. SCATTERED SPIDER then deploys ransomware and extortion procedures for significant financial gain at the expense of their victim.
BN: What are the main challenges companies face with identity security?
CR: The surge in identity-based attacks highlights a critical weakness in organizations that treat identity security as a box to check for compliance. Many businesses rely on patchwork tools that address only isolated aspects of the identity challenge, leading to visibility gaps and operational inefficiencies.
This siloed approach also fosters a dangerous disconnect between security teams. For instance, the separation between identity and access management (IAM) teams and security operations (SecOps) teams introduces blind spots that adversaries can exploit across on-premises, cloud and SaaS domains. To counter these increasingly sophisticated threats, organizations must adopt a more integrated and comprehensive approach to identity security. Identity must be a fundamental pillar of security strategy.
BN: What is the recipe for success for defending against identity-based attacks?
CR: Success in defending against identity-based attacks starts with a unified strategy that spans the full identity attack lifecycle -- from initial access to lateral movement.
Organizations need to move beyond siloed tools and adopt an approach that combines real-time prevention, advanced identity threat detection and response (ITDR) and risk-based access controls across on-premises, cloud and SaaS environments.
Critical to this is integrating signals from identity systems and endpoints, enabling security teams to detect and respond to malicious activity in real time. AI and automation can enhance this effort by helping prioritize threats and enforce dynamic access policies.
Ultimately, defending against identity-based attacks requires visibility, speed and coordination -- achieved through tightly integrated technologies and proactive security operations.
BN: What are the specific tactics companies can start employing today to stay ahead of identity-based threats?
CR: Companies can adopt these five best practices to immediately strengthen their identity security:
- Enforce Conditional, Identity-Based Access Controls
  Implement risk-based access policies that adjust permissions dynamically based on user behavior, location, device security and other contextual factors. This ensures only legitimate users gain access while reducing the risk of unauthorized entry.
- Continuously Monitor for Anomalous Identity Activity
  Detect potential credential misuse, lateral movement and unauthorized access attempts by monitoring behavior across identities. Leverage identity threat detection and response (ITDR) to flag suspicious activity and intervene before a breach occurs.
- Strengthen Password and Credential Security
  Enforce strong password policies, including periodic resets, disallowing duplicate passwords and requiring high complexity. Use threat intelligence feeds to monitor the dark web for stolen credentials and automate forced password resets for compromised accounts.
- Secure SaaS and Cloud Configurations to Minimize Risk
  Use SaaS Security Posture Management (SSPM) to harden configurations, mitigate weak default settings and prevent misconfigurations that could be exploited. Regularly review and remediate security gaps across SaaS applications and cloud environments.
- Automate Threat Response and Identity Lifecycle Management
  Integrate identity protection with endpoint security to automatically revoke access for compromised identities, restrict lateral movement and remove stale accounts. Leverage automation to proactively respond to threats, reducing exposure and response time.
With these best practices and a modern, unified approach to proactive identity security, companies can stay one step ahead of the surge of identity-based attacks.
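As an added illustration of the first two best practices above (risk-based conditional access and monitoring sign-ins for anomalous identity activity), the following is example code written for this article, not CrowdStrike's product or the interviewee's own code. The per-user baseline, the risk weights and the sample sign-in events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed per-user baseline of "normal" context (a real system learns this from history).
BASELINE = {"alice": {"devices": {"laptop-0481"}, "countries": {"US"}, "hours": range(7, 20)}}

@dataclass
class SignIn:
    user: str
    device_id: str
    device_compliant: bool               # endpoint posture signal, e.g. from an EDR agent
    country: str
    ts: datetime
    prev_country: Optional[str] = None   # context of the user's previous sign-in
    prev_ts: Optional[datetime] = None

def risk_score(ev: SignIn):
    """Add up weighted risk signals; return (score, reasons) so the decision is explainable."""
    base = BASELINE.get(ev.user, {"devices": set(), "countries": set(), "hours": range(24)})
    score, reasons = 0, []
    if ev.device_id not in base["devices"]:
        score += 30; reasons.append("unknown device")
    if not ev.device_compliant:
        score += 30; reasons.append("non-compliant device")
    if ev.country not in base["countries"]:
        score += 25; reasons.append("unusual country")
    if ev.ts.hour not in base["hours"]:
        score += 10; reasons.append("off-hours")
    # Impossible travel: a different country less than an hour after the previous sign-in.
    if ev.prev_country and ev.prev_ts and ev.prev_country != ev.country \
            and ev.ts - ev.prev_ts < timedelta(hours=1):
        score += 40; reasons.append("impossible travel")
    return score, reasons

def decide(ev: SignIn) -> str:
    """Map risk to an access outcome: allow, step up to MFA, or block (and alert SecOps)."""
    score, _ = risk_score(ev)
    if score >= 60:
        return "block"
    if score >= 25:
        return "require_mfa"
    return "allow"

def sample_events():
    """Constructed sample sign-ins: normal, new device, and a suspicious cross-border hop."""
    t = datetime(2025, 3, 3, 10, 0)
    return [SignIn("alice", "laptop-0481", True, "US", t),
            SignIn("alice", "phone-7731", True, "US", t),
            SignIn("alice", "laptop-0481", True, "RO", t + timedelta(minutes=30), "US", t)]

if __name__ == "__main__":
    for ev in sample_events():
        print(ev.device_id, ev.country, decide(ev), risk_score(ev)[1])
```

The third event shows why identity and endpoint signals should be correlated: the device is known and compliant, yet the sign-in is still blocked because the identity context (country change within 30 minutes) is anomalous.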
Image credit: Milkos/depositphotos.com