CrowdStrike’s findings show that 80% of all breaches use compromised identities and can take up to 250 days to identify.
Identity-driven attacks are extremely hard to detect. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, it is often very difficult, using traditional security measures and tools, to differentiate between the user’s typical behavior and that of the attacker.
Some of the most common identity-based attacks include:
| Type | Description |
|---|---|
| Kerberoasting | Kerberoasting is a post-exploitation attack technique that attempts to crack the password of a service account within Active Directory (AD). An adversary masquerading as an account user requests a Kerberos service ticket for a service principal name (SPN); the ticket contains material encrypted with the service account’s password, which the adversary then attempts to crack. |
| Man-in-the-Middle (MITM) Attack | A man-in-the-middle attack is a type of cyberattack in which an attacker eavesdrops on a conversation between two targets with the goal of collecting personal data, passwords or banking details, and/or to convince the victim to take an action such as changing login credentials, completing a transaction or initiating a transfer of funds. |
| Pass-the-Hash Attack | Pass the hash (PtH) is a type of attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. It does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session. |
| Golden Ticket Attack | In a golden ticket attack, adversaries attempt to gain unlimited access to an organization’s domain by exploiting weaknesses in the Kerberos identity authentication protocol to access user data stored in Microsoft Active Directory (AD). This allows adversaries to bypass authentication methods. |
| Silver Ticket Attack | A silver ticket is a forged authentication ticket often created when an attacker steals an account password. A forged service ticket is encrypted and enables access to resources for the specific service targeted by the silver ticket attack. |
| Credential Harvesting | In credential harvesting, cybercriminals gather user credentials — such as user IDs, email addresses, passwords, and other login information — en masse, then use them to access systems, gather sensitive data, or sell it on the dark web. |
| Credential Stuffing | Credential stuffing attacks work on the premise that people often use the same user ID and password across multiple accounts. Therefore, possessing the credentials for one account may grant access to other, unrelated accounts. |
| Password Spraying | The basics of a password spraying attack involve a threat actor using a single common password against multiple accounts on the same application. This avoids the account lockouts that typically occur when an attacker uses a brute force attack on a single account by trying many passwords. |
| Brute Force Attacks | A brute force attack uses a trial-and-error approach to systematically guess login info, credentials, and encryption keys. The attacker submits combinations of usernames and passwords until they finally guess correctly. |
| Downgrade Attacks | A downgrade attack is a cyberattack in which adversaries take advantage of a system’s backward compatibility to force it into less secure modes of operation, such as forcing a user onto an HTTP version of a website instead of HTTPS. |
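The password spraying and brute force rows above differ only in the shape of the failed-login pattern: one password across many accounts versus many passwords against one account. The following Python detector, written as an added example for this page (it is not CrowdStrike code and not a tool the page describes), classifies that shape per source IP over a constructed sample authentication log. The log format, the thresholds, and the function names are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page).
# Each line: <ISO timestamp> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 alice FAIL
2024-05-01T10:00:02 203.0.113.5 bob FAIL
2024-05-01T10:00:03 203.0.113.5 carol FAIL
2024-05-01T10:00:04 203.0.113.5 dave FAIL
2024-05-01T10:00:05 203.0.113.5 erin FAIL
2024-05-01T10:00:06 203.0.113.5 frank SUCCESS
2024-05-01T10:05:00 198.51.100.7 alice FAIL
2024-05-01T10:05:01 198.51.100.7 alice FAIL
2024-05-01T10:05:02 198.51.100.7 alice FAIL
2024-05-01T10:05:03 198.51.100.7 alice FAIL
2024-05-01T10:05:04 198.51.100.7 alice FAIL
2024-05-01T10:05:05 198.51.100.7 alice FAIL
2024-05-01T11:00:00 192.0.2.9 alice FAIL
2024-05-01T11:00:30 192.0.2.9 alice SUCCESS
"""


def parse_log(text):
    """Parse the assumed space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "user": user, "ok": result == "SUCCESS"})
    return events


def detect_auth_abuse(events, window=timedelta(minutes=10),
                      spray_min_accounts=5, brute_min_failures=5):
    """Classify each source IP's failures within any window-long span.

    password_spraying: failures spread across >= spray_min_accounts distinct
        accounts with no account hit more than twice (one or two guesses per
        account is what keeps spraying under lockout thresholds).
    brute_force: >= brute_min_failures failures against a single account.
    Thresholds are example values, not vendor recommendations.
    """
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ev in events:
        if ev["ok"]:
            successes[ev["src"]].add(ev["user"])
        else:
            failures[ev["src"]].append(ev)

    findings = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs)):
            # Expand j to cover every failure within `window` of failure i.
            j = i
            while j + 1 < len(evs) and evs[j + 1]["time"] - evs[i]["time"] <= window:
                j += 1
            per_user = Counter(e["user"] for e in evs[i:j + 1])
            if len(per_user) >= spray_min_accounts and max(per_user.values()) <= 2:
                pattern = "password_spraying"
            elif max(per_user.values()) >= brute_min_failures:
                pattern = "brute_force"
            else:
                continue
            findings[src] = {
                "pattern": pattern,
                "accounts": len(per_user),
                "failures": sum(per_user.values()),
                # A success from the same source is the high-priority signal:
                # the guessing may have worked and the identity is now in use.
                "followed_by_success": bool(successes.get(src)),
            }
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, finding in detect_auth_abuse(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

Two caveats for anyone adapting this: a credential stuffing run also surfaces as one or two failures across many accounts, because the log does not show which password was tried, so the "password_spraying" finding really means "spraying or stuffing" and needs the source's request profile to separate them; and a source that rotates IPs (a proxy pool) defeats per-source grouping, so the same counting should also be run per target application over all sources.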