Full Report
Cisco Talos observed identity-based attacks in 60% of the incidents it responded to last year. The post Identity lapses ensnared organizations at scale in 2024 appeared first on CyberScoop.
Analysis Summary
# Incident Report: Dominance of Identity-Based Attacks in 2024
## Executive Summary
In 2024, identity-based attacks became the primary intrusion vector, accounting for 60% of the incidents Cisco Talos responded to. Attackers exploited weaknesses in identity controls, using stolen credentials, session cookies, and API keys to gain initial access, escalate privileges, and move laterally, often leading directly to ransomware operations. The critical failures identified were widespread misconfiguration and insufficient protection of Active Directory, and the pervasive absence, or incomplete enforcement, of Multifactor Authentication (MFA).
## Incident Details
- **Discovery Date:** Not specified (Annual report covering 2024 incidents)
- **Incident Date:** Throughout 2024
- **Affected Organization:** Multiple organizations globally (Based on Cisco Talos IR data)
- **Sector:** Various (Implied broad enterprise impact)
- **Geography:** Global (Based on data from 46 million devices globally)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2024
- **Vector:** Valid compromised accounts (legitimate credentials, session cookies, API keys). This was the main way attackers gained entry for the second consecutive year.
- **Details:** Attackers found that logging in with stolen credentials was easier, and less likely to be detected, than developing or deploying exploits.
### Lateral Movement
- **Date/Time:** Post-initial access
- **Vector:** Use of legitimate credentials.
- **Details:** Attackers used compromised accounts and credentials to move laterally within the network and escalate privileges.
### Data Exfiltration/Impact
- **Date/Time:** Post-lateral movement
- **Vector:** Ransomware execution or data theft.
- **Details:** 50% of identity-based attacks led directly to ransomware or pre-ransomware execution. 10% of cases involved data theft for future espionage, and 8% targeted financial fraud.
### Detection & Response
- **Date/Time:** Upon incident response engagement by Talos.
- **Vector:** Traditional detection mechanisms were often bypassed because the activity originated from genuinely authenticated accounts rather than from malware or exploit traffic.
- **Response actions taken:** Actions were taken by organizations under Cisco Talos' guidance, though specific details of containment/eradication are not provided in this summary.
## Attack Methodology
- **Initial Access:** Valid accounts (stolen credentials, session cookies, API keys).
- **Persistence:** Not explicitly detailed, but implied via maintained access through valid accounts.
- **Privilege Escalation:** Use of compromised legitimate accounts to achieve higher privileges.
- **Defense Evasion:** Traffic originating from legitimate accounts provides inherent evasion against standard perimeter defenses.
- **Credential Access:** Theft of credentials, including credentials harvested for sale on illicit markets, observed in nearly 30% of incidents.
- **Discovery:** Targeting Active Directory (44% of identity-based attacks).
- **Lateral Movement:** Use of stolen credentials/cookies across systems.
- **Collection:** Data gathering observed in 10% of incidents for espionage.
- **Exfiltration:** Occurred as a follow-on activity, most often in the ransomware cases and in the 10% of incidents involving data theft.
- **Impact:** Primarily ransomware deployment (50% of identity attacks) and financial fraud (8%).
## Impact Assessment
- **Financial:** Financial gain was the motivation in 69% of the ransomware attacks Talos observed.
- **Data Breach:** Data theft for espionage/malicious activity observed in 10% of cases.
- **Operational:** Significant disruption due to ransomware activity.
- **Reputational:** Implied negative impact due to widespread ransomware and data compromise.
## Indicators of Compromise
*Note: The source material focuses on methodology and systemic failures; specific indicators (IPs, hashes) were not published in this summary.*
- **Network indicators:** N/A (Focus on TTPs, not IOCs)
- **File indicators:** N/A
- **Behavioral indicators:** Use of stolen valid credentials, session activity, and lateral movement patterns originating from legitimate user accounts.
## Response Actions
*Note: Specific organizational IR actions are not detailed in the high-level summary, but inferred general steps based on investigation findings:*
- **Containment measures:** Likely centered on immediate disabling or revocation of compromised credentials, session tokens, and API keys, and isolation of affected systems.
- **Eradication steps:** Remediation of Active Directory security misconfigurations and policy deficiencies.
- **Recovery actions:** Re-enrollment and enforcement of MFA across all services.
## Lessons Learned
- Attackers overwhelmingly prefer leveraging existing, valid credentials over complex technical exploits due to lower risk and higher success rates.
- Active Directory remains a primary, weakly defended target (44% of attacks).
- Excessive or incorrect user privileges significantly aid attacker progression.
- Widespread MFA failure remains the single greatest deficiency enabling successful identity attacks (MFA not enrolled in 24% of cases, not fully enabled in 22%, and missing on VPN access in 19%).
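The three lessons above (weakly defended Active Directory, excessive privilege, and MFA gaps) are things a defender can check for mechanically. The following is an added example, not tooling from Cisco Talos or the report: it audits a constructed directory export for the classic AD weaknesses (blank passwords permitted, Kerberos pre-authentication disabled, unconstrained delegation, Kerberoastable or never-expiring privileged accounts) and joins it against an assumed per-account MFA and VPN-access flag from an IdP export. The `userAccountControl` bit values are the documented AD constants; the sample accounts, group list, and 180-day password-age threshold are assumptions for illustration.

```python
"""Audit a directory export for the identity gaps highlighted in the report:
weak AD account settings, excessive privilege, and missing MFA.
Added example on constructed data; not Cisco Talos tooling."""
from __future__ import annotations
from dataclasses import dataclass, field

# userAccountControl bit flags (documented Active Directory values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_TRUSTED_FOR_DELEGATION = 0x80000
UAC_DONT_REQ_PREAUTH = 0x400000

# Assumed set of groups treated as privileged for this audit.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Account Operators"}
MAX_PRIV_PWD_AGE_DAYS = 180  # assumed policy threshold


@dataclass
class Account:
    sam: str
    uac: int
    member_of: set[str] = field(default_factory=set)
    spns: list[str] = field(default_factory=list)
    pwd_age_days: int = 0
    mfa_enrolled: bool = False  # assumed to come from the IdP export, joined on sam
    vpn_access: bool = False    # assumed to come from the VPN/RADIUS policy


def is_privileged(a: Account) -> bool:
    return bool(a.member_of & PRIVILEGED_GROUPS)


def audit_account(a: Account) -> list[str]:
    """Return a list of finding strings for one account (empty if clean)."""
    findings: list[str] = []
    if a.uac & UAC_ACCOUNTDISABLE:
        # A disabled account is not an entry point, but leftover admin
        # membership is a privilege-hygiene failure worth flagging.
        if is_privileged(a):
            findings.append("disabled account retains privileged group membership")
        return findings
    if a.uac & UAC_PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD set: blank password permitted")
    if a.uac & UAC_DONT_REQ_PREAUTH:
        findings.append("Kerberos pre-auth not required: AS-REP roastable")
    if a.uac & UAC_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation enabled")
    if is_privileged(a):
        if a.spns:
            findings.append("privileged account has SPN: Kerberoastable")
        if a.uac & UAC_DONT_EXPIRE_PASSWORD:
            findings.append("privileged account password never expires")
        if a.pwd_age_days > MAX_PRIV_PWD_AGE_DAYS:
            findings.append(f"privileged password older than {MAX_PRIV_PWD_AGE_DAYS} days")
        if not a.mfa_enrolled:
            findings.append("privileged account not enrolled in MFA")
    if a.vpn_access and not a.mfa_enrolled:
        findings.append("VPN access without MFA")
    return findings


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Map each account with at least one finding to its findings."""
    return {a.sam: f for a in accounts if (f := audit_account(a))}


# Constructed sample export (not real data). 0x200 = NORMAL_ACCOUNT.
SAMPLE = [
    Account("jdoe", 0x200, {"Domain Users"}, mfa_enrolled=True, vpn_access=True),
    Account("svc_sql", 0x10200, {"Domain Admins"},
            spns=["MSSQLSvc/db01.corp.example:1433"], pwd_age_days=900),
    Account("it_helpdesk", 0x400200, {"Account Operators"}, pwd_age_days=30,
            mfa_enrolled=False, vpn_access=True),
    Account("old_admin", 0x202, {"Domain Admins"}),
    Account("contractor", 0x220, {"Domain Users"}, vpn_access=True),
]

if __name__ == "__main__":
    for sam, findings in audit(SAMPLE).items():
        for f in findings:
            print(f"{sam}: {f}")
```

In a real run the `Account` records would be built from an LDAP export (`userAccountControl`, `memberOf`, `servicePrincipalName`, `pwdLastSet`) joined with the IdP's MFA registration report; the join on `sAMAccountName` is where unenrolled and partially enrolled users, the 24% and 22% cases in the findings, become visible as concrete account names rather than a percentage.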
## Recommendations
- Implement and strictly enforce Multifactor Authentication (MFA) across all services, especially user accounts, administrative access, and VPN connections.
- Audit and reduce excessive or incorrect privilege assignments for user and service accounts.
- Strengthen Active Directory security posture through rigorous configuration checks and adherence to security policies.
- Implement monitoring specifically designed to detect and flag abnormal behavior originating from valid user sessions, since activity from authenticated accounts is trusted by default and will not trip signature-based or perimeter controls.
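The behavioral indicators listed under Indicators of Compromise and the last recommendation above both come down to the same thing: the account is real, so detection has to key on how the session behaves rather than on what it presents. The following is an added example, not part of the report or of any Talos tooling, that runs three such checks over constructed JSON-lines authentication events: a session identifier reused from a second source IP (a replayed session cookie), a login from a country outside the user's known baseline, and two successful logins from different countries inside an impossible-travel window. The log lines, the baseline table, and the 60-minute window are assumptions for illustration.

```python
"""Flag anomalous activity from authenticated (valid-account) sessions.
Added example over constructed log lines; not Cisco Talos tooling."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(minutes=60)  # assumed tuning value

# Constructed JSON-lines auth log (sample data, not from any real system).
LOG = """
{"ts":"2024-05-06T08:02:11Z","user":"jdoe","event":"login","result":"success","src_ip":"203.0.113.10","country":"US","session":"s1"}
{"ts":"2024-05-06T08:05:40Z","user":"jdoe","event":"api","result":"success","src_ip":"203.0.113.10","country":"US","session":"s1"}
{"ts":"2024-05-06T08:31:02Z","user":"jdoe","event":"api","result":"success","src_ip":"198.51.100.77","country":"RO","session":"s1"}
{"ts":"2024-05-06T09:10:00Z","user":"asmith","event":"login","result":"success","src_ip":"192.0.2.5","country":"DE","session":"s2"}
{"ts":"2024-05-06T09:40:00Z","user":"asmith","event":"login","result":"success","src_ip":"198.51.100.9","country":"BR","session":"s3"}
{"ts":"2024-05-06T10:00:00Z","user":"svc_backup","event":"login","result":"success","src_ip":"192.0.2.50","country":"DE","session":"s4"}
"""

# Per-user baseline of known-good source countries. In production this is
# learned from prior weeks of logs; here it is hard-coded (assumption).
BASELINE = {"jdoe": {"US"}, "asmith": {"DE"}, "svc_backup": {"DE"}}


def parse(log: str) -> list[dict]:
    """Parse JSON lines into event dicts with timezone-aware timestamps, sorted by time."""
    events = [json.loads(line) for line in log.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict], baseline: dict[str, set[str]]) -> list[tuple]:
    """Return (rule, user, detail) tuples for anomalous valid-session activity."""
    alerts: list[tuple] = []
    ips_per_session: dict[str, set[str]] = defaultdict(set)
    flagged_sessions: set[str] = set()
    last_login: dict[str, dict] = {}

    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are a different detection problem
        user, sess = e["user"], e["session"]

        # 1. Session cookie replay: one session id observed from more than one IP.
        ips_per_session[sess].add(e["src_ip"])
        if len(ips_per_session[sess]) > 1 and sess not in flagged_sessions:
            flagged_sessions.add(sess)
            alerts.append(("session_reuse", user, sess))

        # 2. Source country outside the user's baseline (unknown users have none).
        if e["country"] not in baseline.get(user, set()):
            alerts.append(("novel_country", user, e["country"]))

        # 3. Impossible travel: successive logins from different countries
        #    closer together than a plausible journey.
        if e["event"] == "login":
            prev = last_login.get(user)
            if (prev and prev["country"] != e["country"]
                    and e["ts"] - prev["ts"] < IMPOSSIBLE_TRAVEL_WINDOW):
                alerts.append(("impossible_travel", user,
                               f"{prev['country']}->{e['country']}"))
            last_login[user] = e
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse(LOG), BASELINE):
        print(f"{rule:18} {user:12} {detail}")
```

The session-reuse rule is the one that catches the stolen-cookie case the report calls out, because a replayed cookie passes authentication and MFA checks outright; the other two rules need a per-user baseline and a geolocation feed, and both produce false positives for mobile carriers and corporate VPN egress, so they belong in a scored alert rather than an automatic lockout.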