The rise of cloud and remote working led to the concept of ‘no-perimeter’ IT, and companies struggled to find a border to protect. The difficulty is the perimeter is no longer a ‘thing’ with a physical presence but a concept. That concept is the identity – for whatever and from wherever.
Identity has always been the key to security. But the industry became sidetracked into concentrating more on the content of traffic than on the source of the traffic. If we have authorized identities, and can authenticate authorized identities, we can block everyone and everything else. The bad guys just cannot get in – well, that’s the theory.
But in recent years, the volume of identities has burgeoned. Estimates that users have around 100 identities are common. Expansion within the cloud, increasing business transformation and the explosion of IoT all require identities. But only the volume has changed. The identity remains the key for access into the network, and for movement within the network.
“Identity security will become all the more vital as the ‘metaverse’ gains traction,” warns Larry Chinski, VP of global IAM strategy at One Identity. “Ninety-five percent of businesses report challenges managing the number of identities that currently fall under their organization’s umbrella (human, digital, RPA, etc.). As adoption of the metaverse increases, identity security and management issues will only become more profound – and a bigger threat to business resiliency.”
There is no greater certainty than that attacks on and with identities will increase in 2022.
Digital identity fraud
Fraud is the single most common identity-based attack. There are many sub-categories of fraud, but all require the misuse of someone’s identity. Fraud will continue to grow in 2022 because of the growing number of identities to misuse, the huge pool of stolen credentials on the dark web, the increasing use of bot automation (for credential stuffing and more), and the adoption of AI techniques by criminals.
Account takeover, account opening and BEC scams are three sub-categories to watch in 2022.
Account takeover occurs when the attacker has access to the legitimate user’s credentials. These are obtained through credential stuffing, now delivered through sophisticated bots; through direct phishing attacks (increasingly delivered by phishing-as-a-service – see Cyber Insights 2022: The Good Versus the Bad); through malware such as information stealers; and through session hijacking. Account takeovers can lead to financial fraud against the individual, or access to the user’s corporate network.
Account opening occurs when the criminal already has detailed knowledge of the target – usually through stolen PII. With that data, the criminal can open new accounts and use the services that come with the account.
BEC scams will undoubtedly increase. These occur when the attacker impersonates a corporate identity and requests or instructs a colleague to transfer funds to an account controlled by the attacker. There are suggestions that criminals are increasingly exploring the possibilities of using AI-based deepfake technology as part of the impersonation process (see Cyber Insights 2022: Adversarial AI for more information). The amounts involved in BEC scams means that they will inevitably increase in 2022.
Nikolay Gaubitch, director of research at Pindrop, expects to see a growth in call center fraud in 2022. In 2021, because of the pandemic, “We saw a large increase in remote working and reduced face-to-face interactions. This naturally resulted in increased traffic into call centers and for a long while it led to long call waiting times. One surprising effect of this was the reduction in fraudulent calls,” he explains.
“However, it seems that fraudsters are starting to return to normal working habits just like the rest of us. The last couple of months have shown a steady increase in fraudulent calls. Based on this observation and experience, in 2022 we can expect fraudsters to return to targeting call centers.”
But it won’t just be call centers in 2022 – it will be across the board. “We would expect that attacks against digital identity would continue to increase in 2022, both in volume and sophistication, for two primary reasons. Firstly, there are so many commercially viable targets available through account creation and account takeover automation, through which financial gain can be had,” says David Stewart, CEO at Approov. “Secondly, end users are not likely to stop reusing passwords across services any time soon, resulting in a data breach in one organization becoming a problem for every other organization as credential stuffing attacks are now highly weaponized via credential resale on the dark web.”
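The credential stuffing described above (stolen username/password pairs replayed at scale by bots, where password reuse turns one breach into a takeover elsewhere) has a recognizable shape in authentication logs: one source trying many distinct accounts in a short window, mostly failing, occasionally succeeding. The following detector is an added example, not code from SecurityWeek or any of the vendors quoted; the log format, the sample lines, the five-minute window and the five-account threshold are all constructed assumptions. It separates stuffing (many accounts, one source) from ordinary failed logins and reports any account that succeeded inside the burst, since those are the takeover candidates an analyst should act on first.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a stuffing burst from 203.0.113.7 (six accounts from one
# source in a few seconds, one of them succeeding) plus ordinary traffic from
# 198.51.100.4. The line format is an assumption made for this example.
SAMPLE_LOG = """\
2022-01-10T09:14:03Z login user=alice src=198.51.100.4 result=ok
2022-01-10T09:14:05Z login user=alice src=198.51.100.4 result=fail
2022-01-10T09:15:00Z login user=bob src=203.0.113.7 result=fail
2022-01-10T09:15:01Z login user=carol src=203.0.113.7 result=fail
2022-01-10T09:15:01Z login user=dave src=203.0.113.7 result=fail
2022-01-10T09:15:02Z login user=erin src=203.0.113.7 result=ok
2022-01-10T09:15:03Z login user=frank src=203.0.113.7 result=fail
2022-01-10T09:15:04Z login user=grace src=203.0.113.7 result=fail
2022-01-10T09:20:00Z login user=bob src=198.51.100.4 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse(log_text):
    """Parse log lines into (timestamp, user, source, result) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that tried at least `min_users` distinct accounts within `window`.

    Returns {src: {"users": n, "fails": n, "hits": [accounts that succeeded]}}.
    A single account with many failures (brute force) is deliberately not flagged;
    the stuffing signature is breadth of accounts, not depth of attempts.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp so the window slides forward
        by_src[ev[2]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1             # drop events that fell out of the window
            win = evs[start:end + 1]
            users = {e[1] for e in win}
            if len(users) >= min_users and (best is None or len(users) > best["users"]):
                best = {
                    "users": len(users),
                    "fails": sum(1 for e in win if e[3] == "fail"),
                    "hits": sorted({e[1] for e in win if e[3] == "ok"}),
                }
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, info in find_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['users']} accounts, {info['fails']} failures, "
              f"successful logins to {info['hits'] or 'none'}")
```

On the sample above only 203.0.113.7 is reported (six accounts, five failures, a successful login to `erin`); the two failed and successful attempts from 198.51.100.4 never cross the account threshold. In production the thresholds would be tuned against real baseline traffic, and the `hits` list is the part worth wiring to an alert, because those sessions are the account takeovers in progress.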
Non-human identities, collectively known as machine identities, generally outnumber the human identities within an organization. These include devices, services and workloads – and are usually ‘privileged’ accounts. Their growth is still accelerating in line with both business transformation and automation, and they have not traditionally been given as much security concern as human identities. This growing identity sprawl will prove challenging through 2022.
“The growth of machine identities will create an even larger identity sprawl challenge for organizations,” says Larry Chinski. “Due to the convergence of AI innovation, digitization, and the asynchronous workforce accelerated by the pandemic, enterprises are increasingly deploying solutions like RPA [robotic process automation] to automate tasks, boost productivity, and enhance customer service.”
But, he continued, “There’s one big issue that’s commonly overlooked when it comes to AI innovation – security. Today, 94% of organizations who have deployed bots or RPA report challenges securing them. What’s causing this challenge is that security professionals don’t realize that bots have identities just like humans.”
Since RPA bots require access to data, they ultimately need to be secured just like their human counterparts. “So as enterprises exponentially deploy AI solutions like RPA,” he added, “we should expect to see a string of bot-based breaches because security professionals aren’t equipped to handle the identity sprawl linked to the growth of machines.”
Identity-based attacks against the cloud
Cloud misconfigurations remain a serious issue. Databases, sometimes containing sensitive and personal information, are too often left exposed on the internet with no identity-based access control at all. Such databases are frequently discovered and disclosed by researchers.
It should be noted, however, that the tools used by researchers to find these misconfigurations are often the same tools used by cybercriminals. By the time a researcher has found the misconfiguration, researched and discovered the owner, and disclosed the fault to that owner, criminals will certainly have also found and accessed the database.
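One common form of the exposure described above is a cloud storage bucket whose resource policy grants access to an anonymous principal, so no identity is ever checked. The check below is an added example, not code from SecurityWeek or from AWS; the two policies are constructed, and the evaluator is a deliberate simplification of the real AWS policy engine (it ignores explicit Deny statements elsewhere in the account, NotPrincipal/NotAction, ACLs and account-level Block Public Access settings, so a clean result here is a necessary condition, not a proof of safety). It reports unconditional anonymous grants separately from conditional ones, because a condition such as `aws:SecureTransport` still leaves the data world-readable.

```python
"""Flag bucket policy statements that grant access with no identity at all (added example)."""
import fnmatch
import json

# Constructed weak policy: anyone on the internet can read every object.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::customer-exports/*"
  }]
}""")

# Constructed corrected policy: only a named role may read, and only over TLS.
# The account id and role name are placeholders for this example.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReaderRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::customer-exports/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}""")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (and any other key mapping to "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_public_access(policy, action="s3:GetObject"):
    """Return {"public": [Sids], "conditional": [Sids]} for Allow statements that let an
    unauthenticated caller perform `action`. "public" means no Condition at all;
    "conditional" statements still grant anonymous access and need manual review."""
    result = {"public": [], "conditional": []}
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not _anonymous_principal(st.get("Principal")):
            continue
        if not any(_action_matches(p, action) for p in _as_list(st.get("Action"))):
            continue
        bucket = "conditional" if st.get("Condition") else "public"
        result[bucket].append(st.get("Sid", f"statement[{idx}]"))
    return result


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_public_access(policy))
```

The same function can be run over every bucket policy returned by the cloud API of your choice; a non-empty `public` list is the "no identity-based access control at all" situation the researchers keep finding, and anything in `conditional` should be read by a human before it is accepted.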
It can be hoped, without great conviction, that increasing awareness of the issue will lead to fewer misconfigurations in 2022. But “In 2022, we will see cybercriminals take advantage of misconfigured SaaS APIs to exploit private data at an unprecedented scale,” warns Josh Rickard, security solutions architect at Swimlane. “This will lead to a large distribution of core software code becoming compromised and impacting thousands of organizations across the globe.”
Misconfigurations are not, however, a reliable attack option for cybercriminals – all they can do is take their pick from the misconfigurations they find. The more important and attractive targets will almost certainly be better protected. For this reason alone, we can expect an increase in cloud attacks via Active Directory.
“On-premises Active Directory (AD), Windows’ directory service, remains a wide-open weak spot in most companies,” warns Guido Grillenmeier, chief technologist at Semperis. “As the core of the Windows operating systems, AD manages user permissions and holds the key to numerous business-critical processes and services – but its default configuration makes it an easy target.”
While businesses are increasingly shifting workloads from on premises to the cloud, AD remains a foundational piece of infrastructure for both environments for most organizations.
“Cybercriminals know this,” he continued, “and are increasingly using AD weaknesses as an inroad for attacks against data and applications in the cloud, thus bypassing classic cloud protection systems.”
But however the criminals obtain usable credentials, the quantity and severity of cloud attacks will increase. “Cloud breaches will become more common, with attackers compromising credentials to access essential data on public clouds,” comments Boaz Gorodissky, CTO and co-founder at XM Cyber.
Cloud identity systems
Grillenmeier also believes that attackers will increasingly target identity systems. “As the recent Facebook outage showed, when core identity providers go down, those applications that depend on them for user authentication are affected too.”
The more users rely on shared infrastructure, the more severe such outages will become. “This makes large identity providers a perfect target for hackers,” he continued. “For the fast-growing number of businesses around the world that depend on the Microsoft Azure cloud, Azure AD acts as a major identity provider, authenticating countless users every minute. Hackers compromising Azure AD could therefore take out several apps at once and do damage on a large scale.”
“Identity is the new perimeter and access is the new security,” says Joseph Carson, chief security scientist at ThycoticCentrify (consider the buzz around zero trust). “The paradigm shift to working remotely has been accelerating, making the traditional enterprise perimeter almost entirely redundant. In their bid to secure the new perimeter, organizations have had to first wrestle with the challenge of correctly defining it. Factors such as cloud computing, home office networks, endpoints, mobile apps, and legacy on-premise systems have exacerbated this issue. Some organizations have attempted to enforce multiple edge perimeter points, but this in turn becomes a major challenge to manage and secure.”
The key is the touch point across the organization, both internally and with external entities; and the common factor is identity. “This means access has become the new security control for the organization’s perimeter,” he continued. “In 2022, businesses must get back in control by making Identity and Access Security a top priority. Privileged access has become the digital polygraph test to verify that identities are authentic before enabling authorization to resources.”
Failure to do so in 2022 will lead to a growing number of breaches at the confluence of massive identity sprawl, increasing sophistication and professionalism among the attackers, and the arrival of adversarial AI assistance.
About SecurityWeek Cyber Insights 2022
Cyber Insights 2022 is a series of articles examining the potential evolution of threats over the new year and beyond. Six primary threat areas are discussed:
• Improving Criminal Sophistication
Although the subjects have been separated, the attacks will rarely occur in isolation. Nation state and supply chain attacks will often be linked ‒ as will supply chain and ransomware. Adversarial AI will likely be seen primarily in attacks against identity; at least in the short term. And underlying everything is the growing sophistication and professionalism of the cybercriminal.
SecurityWeek spoke with dozens of security experts and received almost a hundred suggestions for the series.