Defenders Think in Resources, Attackers Think in Identities
In the 2024 Verizon DBIR report, Use of Stolen Credentials is again the top action variety in breaches. One way to understand this trend is by examining how each side thinks about security: defenders typically think in terms of resources, while attackers think in terms of identities. This difference in approach reveals the current state of cyber security.
Defenders Think in Resources
For defenders, the focus is primarily on securing resources. Resources include physical and virtual assets such as virtual machines, storage, databases, and network infrastructure. This desire to build walls around the resources that matter is human nature. Several key elements characterize this approach:
- Resource Protection: Defenders focus on protecting individual resources from various attacks. This involves applying security best practices to each cloud resource and periodically checking its configuration for violations. This approach protects resources against known vulnerabilities and attack vectors.
- Resource Isolation: Enterprises often segment their resources into physical or virtual networks or cloud accounts and projects to enhance security. This separation limits the potential impact of a breach by isolating critical production systems and data from less sensitive ones, such as sandbox or development environments.
- Resource Management & Response: Effective resource management involves maintaining an inventory of physical and virtual assets, regularly patching systems, and monitoring for unusual activity.
- Incident Response: Defenders follow pre-defined playbooks to respond to incidents when a resource is compromised. This often involves isolating affected resources, conducting forensic analysis, and restoring them to a secure state.
Attackers Think in Identities
On the other hand, adversaries realize that the walls built around resources are much easier to get around than to break through. Their approach revolves around exploiting identities, both human and non-human. This makes perfect sense, because identity as an attack surface is by nature a pathway around resource defenses. Given that all operations are performed using identities, exploiting them gives attackers unfettered access to customers’ cloud infrastructure. Using identity as an attack surface also gives attackers the ability to conceal their activity and cover their tracks. This identity-centric perspective includes:
- Identity Exploitation: Attackers often seek to compromise both human and non-human identities to gain unauthorized access to infrastructure and data. Techniques such as phishing, credential stuffing, and social engineering are used to steal login credentials, keys, tokens, service accounts, and other sensitive information.
- Privilege Escalation: Once attackers have compromised an identity, they attempt to escalate their privileges to gain higher levels of access using the initial access as a stepping stone. By leveraging stolen credentials, attackers can gain control over more critical systems, cloud accounts, and sensitive customer data.
- Identity Mapping: We already know that attackers think in graphs. Using graph techniques, attackers map out the relationships among identities and how those human and non-human identities interact with each other and with the rest of the infrastructure. By identifying key employees or service accounts, attackers can target them more effectively.
- Evasion Techniques: To avoid detection and maintain persistent access, attackers often use techniques to hide their identities and activities. This might involve creating new identities or removing system logs.
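The same graph view serves defenders. As an added illustration (not code from the article), the constructed Python example below builds an identity graph from "who can act as whom" edges and reports which human and service identities effectively reach a critical resource through chained role assumptions; every name in it is hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample identity graph (hypothetical names, not from the article).
# An edge (src, dst) means "src can act as dst" (assume a role, use a stored key),
# or, when dst is a resource, "src can access dst".
SAMPLE_EDGES = [
    ("alice@corp", "role:ci-deploy"),
    ("svc:build-bot", "role:ci-deploy"),       # a non-human identity
    ("role:ci-deploy", "role:prod-admin"),     # the escalation step worth auditing
    ("role:prod-admin", "db:customer-prod"),
    ("bob@corp", "role:readonly"),
    ("role:readonly", "bucket:public-assets"),
]

RESOURCE_PREFIXES = ("role:", "db:", "bucket:")  # nodes that are not principals


def build_graph(edges):
    """Adjacency list: node -> set of nodes it can act as or access."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def shortest_path(graph, start, target):
    """BFS from start; returns the node list of the shortest path, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def effective_access(edges, resource):
    """Map each principal (human or service identity) that can reach `resource`,
    directly or via chained roles, to the shortest chain it would use."""
    graph = build_graph(edges)
    principals = [n for n in list(graph) if not n.startswith(RESOURCE_PREFIXES)]
    result = {}
    for principal in principals:
        path = shortest_path(graph, principal, resource)
        if path:
            result[principal] = path
    return result
```

Running `effective_access(SAMPLE_EDGES, "db:customer-prod")` shows that both the human alice@corp and the build service account reach the production database through the CI role, a chain that is invisible when each role is reviewed on its own.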
The Attack Surface of Identities is Getting Bigger
Two factors are making the identity attack surface larger and harder to defend. The first is the exponential increase in the number of non-human identities that require access and permissions. Most organizations did not have the ability to put controls in place ahead of time and, as a result, had to retrofit a security plan. The second is that the steady proliferation of roles and identities has left most enterprises with a problem so large in scope that it is difficult to know where to begin.
Embracing the attacker mindset is the first step toward building and maintaining a viable defense. In the next article, we will discuss some practical ways to bridge the gap between the traditional, resource-based defenses and the forward-looking, identity-based methodology. More importantly, we will see how real-time identity telemetry and behavior anomaly detection can allow defenders to counter attackers’ advantages.
Stay tuned!