From credentials to identity: Understanding digital identity and access


Ford Merrill, Senior Director of the Cyber Intelligence Business Unit, CSIS Security Group A/S explores the understanding of digital identity and access.

To better understand the problems of online identity theft, we need to consider what we mean by ‘digital identity’.

At the start of its guidelines, the National Institute of Standards and Technology (NIST) defines digital identity as the ‘online persona of a subject’, recognising that there isn’t yet a single, widely accepted definition.

For the purposes of this article, we can view digital identity simply as whatever represents a person in online transactions.

Access to digital infrastructure traditionally relies on information associated with this digital identity.

In most cases, to access a digital service, a person (or “subject”) needs to know a “secret” which acts as a credential, like a password, PIN or API key.

When they provide this secret, the system assumes the person is who they claim to be.

If this credential is stolen, malicious actors can use it to impersonate the user, effectively committing identity theft.

Verifying identity

To reliably verify a person’s true identity, security systems often combine credentials from multiple factors, such as:

  • Something they know: A secret, like a password or PIN
  • Something they have: A physical device, such as a security token or trusted platform module (TPM)
  • Something they are: Biometrics (a fingerprint or facial recognition)

This layered approach strengthens digital identity verification, helping ensure a person’s identity is accurately represented in online transactions.

It’s clear that the theft of a credential equals identity theft.

Reports

Verizon report

  • Credential misuse is rising. According to the 2024 Verizon Data Breach Investigations Report, human involvement in data breaches remains significant
  • The report indicates that 68% of breaches involved a (non-malicious) human element, such as individuals falling victim to social engineering attacks or making errors
  • The report notes that over the past decade, stolen credential incidents have appeared in almost one-third (31%) of all breaches, highlighting the persistent risk associated with credential-based attacks
  • Verizon observes a significant increase in attacks involving the exploitation of vulnerabilities, which nearly tripled from the previous year, accounting for 14% of all breaches
  • This surge underscores the evolving tactics of threat actors and the importance of robust security measures

CISA report

  • Data gathered by the US Cybersecurity and Infrastructure Security Agency (CISA) through its Risk and Vulnerability Assessments (RVA) revealed that Valid Accounts [T1078] was the most common successful attack technique, responsible for 41% of successful attempts

2024 Microsoft Digital Defense report

  • The 2024 Microsoft Digital Defense report highlights a significant rise in credential misuse and identity theft, emphasising the evolving tactics of cyber-criminals and the necessity for robust security measures
  • Key findings note that cyber-criminals are increasingly targeting user credentials to gain unauthorised access to systems and data
  • This surge underscores the critical need for organisations to implement strong authentication protocols and monitor for suspicious activities
  • Microsoft also reports a notable increase in sophisticated phishing campaigns designed to deceive individuals into revealing sensitive information
  • These attacks often exploit human psychology, making them particularly effective and challenging to detect

Introduction to multifactor authentication (MFA)

The Microsoft report advocates the widespread implementation of MFA as a fundamental defence against credential theft.

MFA adds an additional layer of security, making it more difficult for attackers to compromise accounts even if credentials are obtained.

It also stresses the need to adopt a ‘Zero Trust’ approach, which assumes that threats could be both external and internal.

This model requires continuous verification of user identities and device health, reducing the risk of unauthorised access.

These insights underscore the importance of proactive security strategies, continuous monitoring and user education to combat the growing threat of credential misuse and identity theft.

Implementing MFA

Multi-factor authentication (MFA) prevents access to the system unless all required factors are verified, ensuring the user’s identity is confirmed.

A typical MFA setup asks users to enter a One-Time Password (OTP) sent via SMS in addition to their username and password.

While adding more factors strengthens security, the system can still be compromised if the MFA step is improperly configured (for example, if a one-time code is not bound to the user and session, can be replayed, or can be guessed without limit) or if there are vulnerabilities in the software or hardware components.
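The page describes an SMS one-time password as the typical second factor; the added example below (written for this article, not CSIS code) uses an app-generated RFC 6238 TOTP instead so it can run offline, and shows the server-side checks a properly configured MFA step needs: the code is bound to a named user, compared in constant time, rejected once its time step has been used (replay), and locked out after repeated failures. The `OtpVerifier` class, the in-memory state and the user name are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


class OtpVerifier:
    """Server-side second-factor check (RFC 6238 TOTP, 30-second steps).

    Assumption for illustration: per-user shared secrets and verifier state are
    held in memory; a real deployment keeps them in a protected store.
    """

    def __init__(self, secrets, step=30, window=1, max_failures=5):
        self.secrets = secrets            # user -> base32 shared secret
        self.step, self.window = step, window
        self.max_failures = max_failures
        self.last_counter = {}            # user -> last time step accepted
        self.failures = {}                # user -> consecutive failed attempts

    def _code(self, secret_b32, counter):
        # HOTP (RFC 4226) over the TOTP time counter, truncated to six digits
        key = base64.b32decode(secret_b32, casefold=True)
        digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{value % 1_000_000:06d}"

    def verify(self, user, code, now=None):
        """Return True only if `code` is valid for `user` right now and unused."""
        now = time.time() if now is None else now
        if user not in self.secrets:
            return False                  # code must be bound to a known user
        if self.failures.get(user, 0) >= self.max_failures:
            return False                  # locked out: stops online guessing
        counter = int(now // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter.get(user, -1):
                continue                  # already consumed: a captured OTP cannot be replayed
            if hmac.compare_digest(self._code(self.secrets[user], c), code):
                self.last_counter[user] = c
                self.failures[user] = 0
                return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False
```

The secret used in the test is the RFC 6238 reference key, so the expected codes can be checked against the RFC's own test vectors.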

Credential threat incident

One example of an incident involving credential theft is a customer under the protection of our Managed Detection and Response services receiving a phishing email from a compromised business partner.

The email contained a Google link redirect chain leading to an M365 phishing page.

These types of phishing links are much harder to detect because the sender had previously been observed communicating with the recipient and the mails passed DMARC, DKIM and SPF checks.

These checks would normally prevent users from receiving such a link, but they were bypassed because the mail genuinely came from the partner’s compromised account.

As a result, few defences remain and only the email security solution raised an alert for CSIS to take action on.

The next stage involved a Man-in-the-Middle attack: the user’s login session was hijacked and a secondary MFA option was registered by the perpetrator to gain persistent access to the account.

Fortunately, CSIS was able to stop the attack and take preventive measures to mitigate the threat in the initial access phase – leaving the perpetrator empty-handed.
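The two signals in the incident above, a login session reused from a second IP address shortly after it was issued and a new MFA method registered soon after a sign-in from an unfamiliar address, can be correlated from sign-in and audit logs. The detection below is an added example written for this article, not CSIS detection content; the events are constructed and only loosely modelled on Entra ID sign-in and audit log fields, and the per-user baseline of known IP addresses is assumed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "session" stands for the
# session identifier a sign-in log carries; the audit activity name is the one
# Entra ID uses when a user adds an authentication method.
EVENTS = [
    {"ts": "2024-09-10T08:01:00", "type": "SignIn", "user": "j.doe", "ip": "203.0.113.10", "session": "s1"},
    {"ts": "2024-09-10T08:01:40", "type": "SignIn", "user": "j.doe", "ip": "198.51.100.77", "session": "s1"},
    {"ts": "2024-09-10T08:05:00", "type": "Audit", "user": "j.doe", "ip": "198.51.100.77",
     "activity": "User registered security info"},
    {"ts": "2024-09-10T09:00:00", "type": "SignIn", "user": "a.smith", "ip": "203.0.113.20", "session": "s2"},
    {"ts": "2024-09-10T17:30:00", "type": "Audit", "user": "a.smith", "ip": "203.0.113.20",
     "activity": "User registered security info"},
]
# Assumed baseline: addresses each user has signed in from before (constructed).
KNOWN_IPS = {"j.doe": {"203.0.113.10"}, "a.smith": {"203.0.113.20"}}


def detect(events, known_ips, reuse_window=timedelta(minutes=15), reg_window=timedelta(minutes=30)):
    """Return alerts for session reuse from a new IP and for MFA registration after an unfamiliar sign-in."""
    alerts = []
    session_first = {}        # session id -> (ip, time) of its first sign-in
    unfamiliar_signins = {}   # user -> [(time, ip)] from addresses not in the baseline
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "SignIn":
            first_ip, first_ts = session_first.setdefault(e["session"], (e["ip"], ts))
            # Same session token presented from a different address soon after issue:
            # consistent with a relayed (Man-in-the-Middle) login being replayed.
            if first_ip != e["ip"] and ts - first_ts <= reuse_window:
                alerts.append({"rule": "session_reuse_from_new_ip", "user": e["user"],
                               "session": e["session"], "first_ip": first_ip, "new_ip": e["ip"]})
            if e["ip"] not in known_ips.get(e["user"], set()):
                unfamiliar_signins.setdefault(e["user"], []).append((ts, e["ip"]))
        elif e["type"] == "Audit" and e["activity"] == "User registered security info":
            # A new authentication method shortly after an unfamiliar sign-in is the
            # persistence step seen in the incident: raise it for analyst review.
            for s_ts, s_ip in unfamiliar_signins.get(e["user"], []):
                if timedelta(0) <= ts - s_ts <= reg_window:
                    alerts.append({"rule": "mfa_registered_after_unfamiliar_signin",
                                   "user": e["user"], "signin_ip": s_ip, "registered_at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS):
        print(alert)
```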

Additional safety recommendations

To further safeguard against identity theft, implementing ‘Restrictive Conditional-Access Policies’ can provide an additional layer of security by ensuring that only trusted users and devices can access sensitive systems.

For organisations managing devices, requiring enrolment into Microsoft Intune for management enhances oversight and control, though it’s important to note that Bring Your Own Device (BYOD) policies may pose challenges in these cases.

Switching to Windows Hello for Business on devices equipped with Trusted Platform Modules (TPM) is another effective alternative.

This approach leverages advanced authentication methods such as biometrics or PINs, to improve resistance against phishing attacks while enhancing the overall security posture of endpoints.

These measures, when integrated into a robust cybersecurity framework, can significantly mitigate the risk of identity theft.

CSIS strongly recommends establishing a phishing-resistant multifactor policy that incorporates security devices such as YubiKey (a hardware-based security key that provides strong two-factor, multi-factor and passwordless authentication) or similar.

Implementing such measures not only enhances protection but also makes it impossible to fall victim to malicious activities such as session stealing.

Managing digital identities

There are several ways to better manage organisational security online and help staff avoid the issues surrounding identity attacks, including, but not limited to:

  • Implementing proper Access Control

Implementing robust access control mechanisms is essential to ensure only authorised users can access specific data and systems, reducing the risk of unauthorised access.

This includes setting up role-based access controls (RBAC) and applying the principle of least privilege, which limits user permissions to only what is necessary for their role.

CSIS offers services such as Active Directory (AD) Security Assessments to help organisations identify and remediate complex risks and threats within their access control systems.

  • Audit logs

Regular monitoring of audit logs is crucial for detecting unusual activity early on, providing insights into who accessed what, when and from where.

Analysing these logs can reveal signs of unauthorised access, privilege escalation or attempted credential misuse, enabling swift intervention.

CSIS Managed Detection and Response (MDR) services offer 24/7 monitoring and analysis of security events, ensuring prompt detection and response to potential threats.

  • Compromised credentials

Understanding which types of compromised credentials relating to your organisation are being bought and sold on the dark web and other criminal markets is critical to ensuring an attacker cannot gain an initial foothold in your network using a valid account.

CSIS Compromised Credentials service provides continuous real-time monitoring of stolen credential data which may be used against your organisation.

During 2024, CSIS has observed approximately 24 billion credential combinations (i.e., usernames along with associated passwords and URLs) from Q1-Q3, or an average of three billion credential combinations per month.

Cyber incident response plan

Developing and maintaining a cyber incident response plan provides a clear roadmap for identifying, containing and resolving security incidents, helping to reduce damage and recovery time.

Regularly updating and testing the plan ensures it remains effective against evolving threats.

CSIS provides Emergency Response Consulting services to assist organisations in preparing for and responding to cyber incidents.

Benefits of an emergency response partner

Partnering with an external emergency response team ensures access to specialised expertise in the event of a breach.

These professionals can assist with containment, investigation and remediation efforts that will help restore operations quickly and securely.

FIRST – Emergency incident response

CSIS is a member of FIRST, the global forum for incident response and security teams, and is NCSC Assured in Incident Response. It offers Emergency Response Retainers, guaranteeing immediate and round-the-clock access to world-class emergency incident response.

Through implementing multi-factor authentication, strengthening access controls and establishing proactive monitoring and incident response measures, organisations can reduce the risk of unauthorised access and protect against identity theft.

Using solutions like those provided by CSIS, including continuous monitoring, access control assessments and dedicated emergency response services, companies are better equipped to defend their digital infrastructure against sophisticated attacks.

A strong commitment to a robust, well-rounded security strategy is essential for any organisation to thrive in today’s digital landscape.
