Source: CyberScoop, "Identity lapses ensnared organizations at scale in 2024". Cisco Talos observed identity-based attacks in 60% of the incidents it responded to last year.
# Incident Report: Pervasive Identity-Based Attacks in 2024
## Executive Summary
In 2024, identity-based attacks became the dominant intrusion vector, featuring in 60% of the incidents responded to by Cisco Talos. Cybercriminals successfully leveraged legitimate credentials, session cookies, and API keys to bypass defenses, leading frequently to ransomware deployment. Organizations suffered from systemic weaknesses in identity management, particularly concerning Active Directory security and widespread Multifactor Authentication (MFA) deficiencies.
## Incident Details
- Discovery Date: Throughout 2024 (figures reported in Cisco Talos's annual review)
- Incident Date: Primarily throughout 2024
- Affected Organization: Multiple organizations worldwide (cases to which Cisco Talos responded)
- Sector: Not specified in the source; the cases include organizations running enterprise infrastructure and targeted by ransomware.
- Geography: Global (analysis drawn from over 46 million devices)
## Timeline of Events
### Initial Access
- Date/Time: Throughout 2024
- Vector: Valid accounts, legitimate credentials, session cookies, and API keys.
- Details: Attackers found it easier and lower-risk to simply log in with stolen legitimate credentials than to build complex exploit chains.
### Lateral Movement
- Date/Time: Post-Initial Access
- Vector: Use of stolen valid credentials, session cookies, and API keys.
- Details: Attackers used these legitimate artifacts to move through the network and escalate privileges.
### Data Exfiltration/Impact
- Date/Time: Varied
- Vector: Compromised legitimate accounts.
- Details: 50% of identity-based attacks resulted in ransomware or pre-ransomware operations. Other goals included credential theft for sale (nearly 33%), espionage/future malicious activity (10%), and financial fraud (8%).
### Detection & Response
- Date/Time: Varied
- Vector: Cisco Talos incident response engagements.
- Details: Response involved addressing environments with misconfigured security products or insufficient policies, particularly surrounding Active Directory environments.
## Attack Methodology
- Initial Access: Valid accounts (Using stolen credentials, session cookies, API keys).
- Persistence: Implied through the continued use of valid accounts/session tokens.
- Privilege Escalation: Achieved using compromised account privileges.
- Defense Evasion: Highly effective because activity originates from legitimate accounts, blends with normal traffic, and meets minimal resistance or detection.
- Credential Access: Directly involved obtaining legitimate credentials.
- Discovery: Implicit in reconnaissance activities following initial access.
- Lateral Movement: Achieved using valid credentials and tokens.
- Collection: Data theft observed in 10% of cases.
- Exfiltration: Part of the goal in 10% of the cases.
- Impact: Predominantly ransomware deployment (50% of identity attacks).
## Impact Assessment
- Financial: High likelihood due to ransomware deployment and credential sales revenue generation.
- Data Breach: Espionage/future malicious use (10%) and financial fraud (8%) together account for 18% of identity attacks.
- Operational: Significant disruption implied by the high prevalence of ransomware activity.
- Reputational: Organizations recovering from major identity breaches face reputational damage.
## Indicators of Compromise
Specific IOCs were not detailed in this summary, which focuses on methodology instead.
- Network indicators: Traffic appearing to originate from legitimate user sessions/API calls.
- File indicators: Not specifically mentioned.
- Behavioral indicators: Use of valid credentials to pivot and escalate privileges within Active Directory environments.
## Response Actions
- Containment measures: Focused on managing compromised identities and systems affected by ransomware.
- Eradication steps: Required remediation of misconfigured security products and inadequate security policies, especially around Active Directory.
- Recovery actions: Restoring operations following ransomware incidents (where applicable).
## Lessons Learned
- Identity is the primary entry point: Cybercriminals find leveraging stolen identity far easier than complex vulnerability exploitation.
- Widespread MFA failure: A significant share of organizations lacked MFA enrollment (24%), full enablement (22%), or, critically, MFA on VPN services (19%).
- Active Directory weakness: Organizations fail to adequately secure AD, which was targeted in 44% of identity-based attacks.
## Recommendations
- Enforce complete MFA coverage: Ensure 100% enrollment and enforcement across all user accounts, especially for remote access/VPN services.
- Harden Active Directory: Audit and correct excessive or incorrect privileges, enforce strong password policies, and secure AD infrastructure against targeted access.
- Review authentication mechanisms: Regularly audit legitimate access artifacts (session cookies, API keys) to ensure they are securely issued, expired, and revoked.