Commissioned by CrowdStrike
1 Executive Summary
Cyberattacks continue to grow more sophisticated. Malicious actors seek to exploit known and unknown software vulnerabilities, infrastructure and application misconfigurations, and weak implementations of security measures. As expected, malware is commonly used in attacks. The types of malware deployed by adversaries are multifarious: ransomware, spyware, crypto-jackers, mobile overlays, keyloggers/rootkits, etc. Ransomware is a leading threat and garners much attention in the technical press. The prevalence and severity of ransomware attacks have risen dramatically in the last few years. Ransomware perpetrators have hit companies of all sizes and in all industries. Government agencies across national, state, and local levels have been attacked. Public utilities are ransomware targets. The stakes are high for defenders: statistics show that ransomware demands and payouts are increasing year over year, with $1.79M being a recent average.
The Colonial Pipeline ransomware incident in May 2021 disrupted fuel supplies in the eastern US, though only IT systems, and not the industrial control systems, were reportedly affected. This resulted in canceled flights, caused fuel prices to temporarily increase, and led to rationing in some areas. The entry point for the attack was a VPN that relied on password-based authentication; the compromised password was found on the dark web.
Industrial control systems were targeted in the 2021 Oldsmar, FL water treatment plant incident. A guessed password on a remote-control application, out-of-support endpoints, and no firewalls allowed an attacker to gain access to critical infrastructure. Fortunately, plant personnel noticed and were able to prevent damage.
Keyloggers and rootkits are malware types that are designed to surreptitiously take over a system for the purpose of collecting usernames, passwords, other credentials, and user data. In consumer cases, keyloggers can be used to get bank account information for financial fraud. In enterprise cases, the captured usernames, passwords, or other credentials can be used by fraudsters, hacktivists, and Advanced Persistent Threat (APT) actors to move laterally from one compromised machine to another for a variety of nefarious activities: fraud, doxxing, reputation damage, sabotage, and intellectual property theft / corporate espionage.
Other high-profile and high-consequence attacks have been predicated upon compromising computing assets of key vendors in the software supply chain. The initial vectors in these attacks have varied, including watering hole tactics, spear phishing, social engineering, and brute-force password guessing against improperly secured systems. Attackers are now using Machine Learning algorithms to aid reconnaissance, discover weaknesses in targets' identity and security architectures, and plan attack paths. Attackers increasingly understand how common security tools and authentication services work and develop techniques to bypass those measures. The goal of these attacks has been to introduce malware into the upstream supply chain in order to compromise customer systems.
A common thread running through these diverse attacks is the utilization of compromised credentials.
This paper will consider how cybersecurity threat detection and response techniques and technologies can be applied to IAM systems to discover and mitigate suspicious and malicious activities more effectively. It will also explore how CrowdStrike's Identity Threat Detection and Protection offerings aim to improve security by monitoring, detecting, and remediating cyberattacks involving digital identities.