Hackers Don’t Break In, They Log In

Erik Gustavson, Co-Founder and Chief Product Officer, SGNL
August 1, 2024
People continue to think of hackers as people with the technical know-how to break into systems using obscure loopholes or flaws in the technology. Yet that outdated image of hackers forcing their way in through sophisticated exploits bears little resemblance to the increasingly typical pattern: attackers simply log in using stolen credentials. This shift underscores a critical point for security practitioners—identity is at the core of your security strategy.

The New Norm: Credential-Based Attacks

According to the 2024 Verizon Data Breach Report, “Over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches.” Hackers obtain these credentials through phishing, social engineering, and plain old brute force. As long as systems continue to rely on passwords without phishing-resistant MFA, this attack vector will remain a problem.

The Snowflake breach, possibly one of the largest data breaches in history, is an eye-opening example of how expansive a single credential-based breach can be. According to reports on the breadth and depth of the breach, as many as 165 organizations may have been exposed. Ticketmaster, Santander Bank, Advance Auto Parts, AT&T, and others have all reported data breaches linked to Snowflake. The accounts breached did not use MFA.

These examples are not anomalies; they represent a growing trend in which attackers leverage existing credentials, often obtained through phishing, social engineering, or purchase from dark web marketplaces. RockYou2024 exposed over 10 billion credentials, and it is a fair bet that too many of the associated accounts don’t use MFA. Attackers no longer need to find and exploit zero-day vulnerabilities; they can simply walk through the front door.

The Supply Chain Challenge

In last year’s breach of Okta, a key player in identity and access management, supply chain vulnerabilities were exploited, demonstrating that even the gatekeepers of digital identities are not immune. The entirety of Okta’s customer service accounts had their data exposed, including session tokens and cookies, as a result of stolen credentials.

The Okta incident particularly underscores the complexity of modern security environments. When your suppliers and partners are part of your security ecosystem, their vulnerabilities become your vulnerabilities. This interconnectedness requires a holistic approach to identity management that extends beyond your organization.

Session Hijacking

After a user authenticates (even with strong authentication), they are identified in subsequent interactions by a session token, typically stored in a browser cookie or held by a mobile or desktop app that communicates with the app’s backend. Identity providers use similar tokens. If an attacker is able to obtain this token (in the Okta breach, for example, the attackers retrieved tokens from crash dump files stored in the customer service application), they can assume the user’s identity, negating even the strongest authentication the user may have used.

Identity: The Keystone of Security

For security practitioners, there must be a greater understanding that robust identity management is no longer optional—it’s essential. Identity and access management (IAM) is not just about compliance or user convenience; it’s a fundamental pillar of your security posture.

  1. Comprehensive Authentication Strategies: Implement multi-factor authentication (MFA) to add an extra layer of security. It’s not foolproof, but it significantly reduces the risk of unauthorized access.
  2. Continuous Monitoring: Employ advanced analytics to continuously monitor user behavior. Anomalies in login patterns can be early indicators of compromised credentials.
  3. Zero Trust Architecture: Adopt a zero-trust approach where no user or system is trusted by default. Every access request is verified, regardless of its origin. There is no “trusted network perimeter”.
  4. Zero Standing Access / Zero Standing Privilege: Ensure that no one has access rights to any system by default. Access to specific resources (e.g. a particular customer’s data) is granted dynamically based on the user’s current tasks and organizational roles (e.g. to an on-duty customer service representative working on a case that relates to that specific customer).
  5. Communicate changes using SSF/CAEP: If any component or service in your organization detects a change in a user’s properties (e.g. the user’s behavior is now abnormal), that change must be communicated to every service and system that shares the same user in order to prevent damage. Open standards such as SSF and CAEP can propagate such changes instantaneously.
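As an added example (not SGNL’s code or any product’s implementation), here is a minimal transmitter/receiver pair for the CAEP session-revoked event mentioned in item 5: the transmitter builds a Security Event Token and the receiver verifies it and kills every live session belonging to the subject, which is what stops a hijacked cookie or token from working. Assumptions: the issuer and audience URLs, the session table and the HS256 shared secret are constructed placeholders; a real SSF deployment signs SETs with the transmitter’s asymmetric key published via JWKS and delivers them over the SSF push or poll transport.

```python
import base64, hashlib, hmac, json

# Constructed for this example: a secret shared by transmitter and receiver.
SHARED_SECRET = b"example-transmitter-secret"
TRANSMITTER = "https://idp.example.com"  # assumed issuer
RECEIVER = "https://crm.example.com"     # assumed audience
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_set(email: str, reason: str, now: int) -> str:
    """Transmitter: build a CAEP session-revoked SET (RFC 8417 claims, RFC 9493 sub_id), signed as compact HS256 JWS."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    claims = {
        "iss": TRANSMITTER, "aud": RECEIVER, "iat": now,
        "jti": hashlib.sha256(f"{email}:{now}".encode()).hexdigest()[:16],
        "sub_id": {"format": "email", "email": email},
        "events": {SESSION_REVOKED: {"event_timestamp": now,
                                     "reason_admin": {"en": reason}}},
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def process_set(token: str, sessions: dict, seen_jti: set, now: int) -> list:
    """Receiver: verify the SET, then revoke every live session owned by the subject.
    Returns revoked session ids; rejects bad signature, wrong iss/aud, future iat, replayed jti."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(SHARED_SECRET, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(unb64url(head_b64)) != {"alg": "HS256", "typ": "secevent+jwt"}:
        raise ValueError("unexpected header")  # never trust an alg chosen by the token
    claims = json.loads(unb64url(claims_b64))
    if claims.get("iss") != TRANSMITTER or claims.get("aud") != RECEIVER:
        raise ValueError("wrong issuer or audience")
    if claims["iat"] > now + 60 or claims["jti"] in seen_jti:
        raise ValueError("future-dated or replayed SET")
    seen_jti.add(claims["jti"])
    if SESSION_REVOKED not in claims.get("events", {}):
        return []  # an event type this receiver does not act on
    email = claims["sub_id"]["email"]
    revoked = [sid for sid, owner in sessions.items() if owner == email]
    for sid in revoked:
        del sessions[sid]  # a stolen cookie or token for this session stops working here
    return revoked
```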

Conclusion

Hackers logging in instead of breaking in is a fundamental change in the threat landscape. Security practitioners must integrate identity as a core component of their strategy and use a multifaceted approach to protect against credential-based attacks. This approach must include strong authentication measures, continuous monitoring, a zero-trust mindset, and proper SSF/CAEP signaling mechanisms. Additionally, minimizing the blast radius of a security breach through zero standing privilege is crucial—we must ensure that users only have access when necessary and for the shortest duration possible. With zero standing privilege, an identity compromise is reduced to an incident for your SOC team to handle, rather than a calamitous event in which your finance, legal, PR and leadership teams have to get involved.

By understanding and adapting to this new reality, organizations can better protect their assets and ensure that they remain resilient against the evolving tactics of modern cyber adversaries.