Abuse of valid accounts by threat actors hits a high, says IBM

For years, cybersecurity experts have been warning organizations of the importance of identity and access management processes — including password management and protection against compromise of multifactor authentication — to secure IT assets.

A new report from IBM, released Wednesday, suggests failure to do that is increasingly costing firms badly.

Abusing valid accounts was in a three-way tie as the most common way threat actors entered organizations’ IT environments in incidents that IBM’s X-Force intelligence service investigated in 2023.

Graphic from IBM X-Force 2024 report
Source: IBM

Abuse of valid accounts represented 30 per cent of initial entry vectors for incidents studied, tying with phishing. Exploiting public-facing applications was right up there, with 29 per cent of incidents.

The position of abusing valid accounts is even more notable because it was quite a jump over 2022’s report, when it was the initial access vector of 16 per cent of incidents looked at that year.

Attackers have a historical inclination to choose the path of least resistance in pursuit of their objectives, says the report.

“In this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns,” it noted.

“As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials is an easier route to achieving their goals, considering the alarming volume of compromised yet valid credentials available—and easily accessible—on the dark web.”

Researchers found that cloud account credentials alone make up 90 per cent of cloud assets for sale on the dark web. That, the report says, makes it easy for threat actors to take over legitimate user identities to establish access into IT environments. Attacker use of valid accounts as an initial access vector appears to have a significant impact on the required response efforts as well, the report adds.

Another related significant finding: A 100 per cent increase in “Kerberoasting.” It’s a technique focused on compromising Microsoft Windows Active Directory credentials through Kerberos tickets. This indicates a technique shift in how attackers are acquiring identities to carry out their operations, the report notes.

Perhaps not coincidentally, researchers saw a 266 per cent increase in the use of information stealers — which steal credentials as well as other computer information — by threat actors last year.

In nearly 85 per cent of incidents on critical infrastructure that X-Force responded to, the initial access vector could have been mitigated with best practices and security fundamentals, such as asset and patch management, credential hardening, and the principle of least privilege.

Among Canadian data pulled from the numbers gathered by IBM, half of attacks in Canada were against the government sector. Compared to other countries, Canada had the most security incidents involving government entities that X-Force responded to.

The IBM X-Force Threat Intelligence Index 2024 report is available here. Registration is required.

Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
