
Secure Identities: Current trends


The turn of the year is just a few weeks away – a good time to look back on an eventful 2024.

The recent months have been characterized by numerous reports that have brought the topic of cybercrime to the attention of the general public. In its latest report on the IT security situation, which is based on data from the AV-TEST Institute (member of the SITS Group), the German Federal Office for Information Security (BSI) once again identified an increased threat situation for Germany. Ransomware attacks are considered the most significant operational threat to IT security. Increasing global networking and dependencies in supply chains are also significantly increasing the attack surface. These observations are in line with the cyber security trends analyzed in the Microsoft Digital Defense Report 2024. The report published in October provides some impressive figures that should give every decision-maker in the field of IT security food for thought:

  • Password-based attacks: According to the Digital Defense Report, more than 99 % of identity attacks target passwords. These attacks often take advantage of predictable human behavior, such as easy-to-guess passwords and reusing them on multiple websites.
  • Phishing and social engineering: These methods are often used to steal login credentials. Attackers use fake emails or websites to trick users into revealing their credentials.
  • Ransomware attacks: Germany was one of the countries most affected by ransomware in 2024. Critical infrastructures were particularly targeted, especially companies in the IT services, finance and insurance, healthcare and energy sectors.
  • DDoS attacks: Germany recorded a high number of DDoS attacks, making it the second most affected country, just behind the USA. These attacks aim to disrupt the availability of services and therefore business continuity by overloading networks with a flood of requests.

Cyber threats are real – but manageable

In the digital age, cyber attacks are one of the many challenges that companies in the private and public sectors have to deal with. That is exactly what we have to consider them to be: a business challenge that we address in a targeted manner.

The fact is that criminal actors are highly creative and innovative. Therefore, the response of security officers and defense teams must be well thought out and strategic, and every company needs an active monitoring and defense strategy that includes all employees, all devices, systems and applications used and the entire company network.

Let’s take ransomware attacks as an example: The threat is real, and such attacks make headlines due to their broad impact – such as high ransom payments or severe business disruption. It is important to know: In most cases, ransomware attacks are already the second phase resulting from a compromise of digital identities. So if you look for the common denominator in the many attention-grabbing headlines, you’ll find that identities are the number one gateway in most cyber attack techniques. This shows how important it is to keep up with sophisticated technical security measures when it comes to user identities.

Attacks on the Identity Infrastructure: a metaphorical wave model

Identity attacks can be visualized well using waves. Imagine the different types of attack as individual ocean waves that become stronger and stronger in the surf and can build up into a “monster wave”.

In the following, we outline the relevant components and their characteristics for each wave. It should also be noted that, in addition to the right technology, it also depends on its “navigators” – the admins and users – as well as their agility. Only with a truly flexible approach can organizations cope with the next “monster wave”.

We hope that this framing is a good starting point for you to develop a common strategic approach to address critical identity issues, prepare for new threats and establish a suitable solution for securing and defending your user identities. We will be happy to assist you at any time!

We recommend Microsoft Entra as a platform for modern identity and access management. Work with our experts to design a forward-looking solution to gain that crucial extra security in today's digital world!

Password attacks

Simple password attacks are widespread. The three dominant types of attack are:

  • Phishing: Phishing methods and tricks are becoming increasingly sophisticated, so that even enlightened users are tempted to submit their login details on a fake website or in response to a text message or e-mail.
  • Breach Replay: Attackers use stolen credentials (username and password) from previous data leaks to log in to other services. This is possible because many users use the same login credentials on multiple websites.
  • Password Spray: With this method – guessing common passwords – it is easy for malicious actors to hijack many accounts.

These attacks are highly scalable. In Microsoft cloud services alone, more than 7,000 password attacks are blocked every second worldwide. What is striking is that over 99.9% of compromised accounts did not have multi-factor authentication (MFA) enabled. Today, MFA is considered one of the most basic defenses against identity attacks. It is part of Microsoft Entra ID (formerly Azure Active Directory) and accordingly easy to deploy – but many organizations lack awareness of how big (and indispensable!) the contribution of MFA to an effective security strategy actually is. The correspondingly low coverage opens the door to attackers.
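The scale described above is also what makes a spray detectable: one source trying a few guesses against many accounts looks different from classic brute force against a single account. The following is an added example (not code from the SITS post or from Microsoft Entra) that applies that distinction to a constructed list of failed sign-ins; the field layout and thresholds are assumptions for illustration.

```python
"""Password-spray vs. brute-force triage over constructed sign-in failures.

Added example, not from the original post. A spray shows up as ONE source
making FEW guesses against MANY distinct accounts; brute force is MANY
guesses against ONE account. The tuple layout below is constructed for the
example and is not a real Entra ID sign-in log export.
"""
from collections import defaultdict

# Constructed sample events: (source_ip, user, outcome)
SIGN_IN_FAILURES = [
    ("203.0.113.7", "alice", "bad_password"),
    ("203.0.113.7", "bob", "bad_password"),
    ("203.0.113.7", "carol", "bad_password"),
    ("203.0.113.7", "dave", "bad_password"),
    ("203.0.113.7", "erin", "bad_password"),
    ("203.0.113.7", "frank", "bad_password"),
    ("198.51.100.9", "alice", "bad_password"),
    ("198.51.100.9", "alice", "bad_password"),
    ("198.51.100.9", "alice", "bad_password"),
    ("198.51.100.9", "alice", "bad_password"),
    ("198.51.100.9", "alice", "bad_password"),
    ("198.51.100.9", "alice", "bad_password"),
    ("192.0.2.33", "grace", "bad_password"),   # a single typo, not an attack
]


def classify_sources(events, min_users=5, max_per_user=2, min_attempts=5):
    """Return {source_ip: label} for sources whose failure pattern is suspicious.

    spray       : >= min_users distinct accounts, <= max_per_user tries each
    brute_force : >= min_attempts tries concentrated on a single account
    Sources below both thresholds (ordinary mistyped passwords) are omitted.
    Thresholds are example values, not Microsoft recommendations.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for src, user, outcome in events:
        if outcome == "bad_password":
            per_source[src][user] += 1
    verdicts = {}
    for src, per_user in per_source.items():
        attempts = sum(per_user.values())
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            verdicts[src] = "spray"
        elif len(per_user) == 1 and attempts >= min_attempts:
            verdicts[src] = "brute_force"
    return verdicts


if __name__ == "__main__":
    for src, label in classify_sources(SIGN_IN_FAILURES).items():
        print(f"{src}: {label}")
```

Real sprays rotate source addresses, so a production rule should also look at the tenant-wide count of distinct accounts failing within a short window, not only at one IP.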

This poor acceptance rate is also an example of a central problem: in most companies, budgets and resources are limited and security teams are overstretched, meaning that basic measures for better cyber hygiene repeatedly fizzle out in an uncoordinated way. Yet modern multi-factor authentication using apps or tokens is easier than ever before – and is frictionless or even “invisible” for users. With Microsoft Entra ID, MFA is included in all licenses, deeply integrated into the directory solution and can be used without additional administrative effort.

MFA attacks

What is described above does not apply to you because you have already activated multi-factor authentication? Perfect, you have already effectively put a stop to the most common identity attacks. But cyber criminals are inventive – and they also shoot at targets that lie behind the MFA barrier. And they are attacking multi-factor authentication itself.

Some examples:

  • SIM jacking and other phone-based attacks (which is why our tip is to hang up immediately if you receive a call with an alleged MFA verification).
  • MFA fatigue through hammering or flooding – a constant sending of authentication requests to frustrate or confuse the user (which is why our tip is not to use simple authorization procedures).
  • Adversary in the Middle attacks, where users are tricked into interacting with multi-factor authentication. That’s why phishing-resistant authentication is critical, especially for critical resources in your organization.

Such attacks naturally require more effort and investment on the part of the attackers, so their number is currently still significantly lower than classic password attacks. However, you should be aware that all of these types of attack are on the increase. The further MFA penetration progresses, the more frequently attacks at this security level will occur. To fend them off, it is crucial to use not just multi-factor authentication, but the right one. We recommend a combination of an authenticator app, Windows Hello and FIDO (Fast IDentity Online). This is easy to set up and maintain via the Microsoft Entra platform and provides users with a consistent user experience that does not affect productivity.

Attacks after authentication

Sophisticated attackers also use malware to steal tokens from devices. For example, a validated user may perform correct multi-factor authentication on an approved device, but then credential stealers are used to steal cookies and tokens and use them elsewhere. This method has become increasingly common over the last three years or so and has been used in the recent past, particularly in attacks on high-profile targets. Tokens can also be stolen if they are mis-logged or intercepted by a compromised routing infrastructure, but by far the most common mechanism is malware on a device.

When a user logs on to a computer as an administrator, they are effectively just one click away from token theft. Essential Zero Trust principles such as effective endpoint protection, device management and, most importantly, using the least privileged access possible (such as logging in as a standard user rather than an administrator on your computers) are highly effective defenses. Watch out for signals that indicate token theft and request re-authentication for critical scenarios – for example, when enrolling new devices in a network.

Another attack that is similarly indirect is OAuth Consent Phishing. In this method, criminals trick an existing user into granting access authorization to an application in their name. Attackers send a link asking for consent (“consent phishing”), and if the user falls for the attack, the application can consequently access the user’s data at any time. Like other attacks in this category, they are rare but on the rise. We strongly recommend reviewing what application usage your employees consent to and limiting consent to applications from verified vendors.

Tip: Raise your staff's awareness of security risks with security awareness training!

Compromise of infrastructure

The more effectively you use identity management to protect your organization and implement your own Zero Trust policies, the more likely attackers are to focus their energy on the identity infrastructure itself. Their main levers are outdated, unpatched or otherwise vulnerable systems in local networks. This allows them to gain access to internal information and trade secrets, compromise network servers or otherwise undermine the infrastructure an organization relies on. This mechanism is insidious, as attackers often use that access to cover their tracks. If you lose control of your identity and access management, it becomes incredibly difficult to evict an actor from your network.

Smashing the “monster wave”

Our SITS team of experts helps companies design and deploy a modern identity infrastructure. One of the most common problems we see is the increasing volume and intensity of attacks, both on-premises and in the cloud. Here, as so often, technology is proving to be a lever that effectively complements human skill and expertise. Invest wisely and benefit in the long term.

The Microsoft Entra platform combines an impressive breadth and depth of security signals and is also constantly being expanded with new detection and protection mechanisms for hybrid and multi-cloud environments. This is another reason why we recommend it – as a future-proof and scalable solution.

Another tip is to move away from older on-premises deployments in the future. These are much more difficult to protect against malware, lateral movement and new threats than cloud-based deployments.

Last but not least, you should work closely with your security team to ensure that privileged user accounts (such as administrators) and local servers are subject to particularly close monitoring. You should also focus on non-human identities (such as devices and sensors) and the entire infrastructure where digital identities are stored and managed to close any potential gaps in your security chain.

Good New Year's resolutions for 2025 and beyond

Whether you are an administrator in a large company or just starting a start-up from your garage: Securing user identities is crucial. If you know who is accessing your resources and for what purpose, you create a security foundation on which everything else can be built.

How about a few good New Year’s resolutions for your identity security initiative?

  1. Secure all your users with multi-factor authentication – always. For example, with an authenticator app, Windows Hello and Fast IDentity Online (FIDO).
  2. Apply conditional access rules to your applications to secure against application-based attacks.
  3. Use Mobile Device Management and Endpoint Protection policies, especially to prevent running as administrator on devices to prevent token theft attacks.
  4. Strengthen collaboration within your security team so that everyone is pulling in the same direction to secure your identity infrastructure.
  5. Focus on agility – with a cloud-first approach, adaptive authentication and automation so you can be more responsive in times of crisis.

Each of these recommendations has value on its own, but taken together they form the picture of a true Defense in Depth approach. Our experts are here to help you build multiple layers of defense and prevent compromises of your user identities by optimizing your identity and access management and, if needed, adding further building blocks such as endpoint protection, automated incident response and posture agility.

And why SITS?

SITS not only supports you with the implementation of Microsoft Entra, but also provides tailored consulting, end-to-end modernization strategies and comprehensive managed services to ensure your identity management systems are operating optimally in terms of security, efficiency and compliance.

Our 24/7 managed service includes:

  • Consulting approach: We are with you every step of the way, from strategy to implementation, ensuring lightning-fast transitions from legacy systems such as SAP IdM.
  • 360° Managed Services: Our team continuously monitors, maintains and optimizes your identity management system and provides 24/7 support.
  • Proven expertise: With many years of experience in identity governance, SITS ensures integration with your existing systems and offers future-proof solutions in line with industry standards.

The post Secure Identities: Current trends first appeared on SITS.
