How to protect your organization from identity-based attacks

A significant and increasing number of attacks are identity-based, targeting your organization's users, such as employees, customers, and partners. This article will outline the most common identity-based attacks and the necessary steps to protect your organization.

Cybercriminals are more frequently targeting human behavior to breach systems. Instead of relying solely on technical vulnerabilities, they exploit weaknesses like stolen credentials and privilege misuse, or use social engineering tactics such as phishing. Unlike traditional attacks that focus on infrastructure, these threats are designed to manipulate people rather than technology.

The human factor in cybersecurity

According to Verizon's 2023 Data Breach Investigations Report, three-quarters of data breaches can be traced back to human error, negligence, or manipulation. This problem isn't isolated to any particular group of users. It's a widespread issue because everyone who connects to your organization's resources—employees, customers, and partners—can be a target for cyberattacks.

One of the biggest challenges is securing the human element, as people naturally prioritize convenience over security. Unfortunately, this often leads to behaviors that put the organization at risk.

Take password management, for example:

  • How many times have you reused passwords across multiple accounts?
  • Are your passwords often simple or based on patterns, like Winter2024?

While common, these habits make organizations vulnerable. Attackers know that humans are often the weakest link in the security chain, and they use this knowledge to their advantage.

Five common identity-based attacks

Here are the five most common identity-based attacks and how they exploit human weaknesses.

1. Password spraying
In this attack, cybercriminals try a small number of common passwords against many accounts within an organization. Password spraying is a form of brute-force attack that operates gradually and discreetly to evade detection: because each account sees only a few attempts, per-account lockouts rarely trigger, increasing the likelihood of success without raising alerts.

Why it works: Many users choose simple passwords or fail to change default ones, leaving accounts vulnerable.

2. Credential stuffing
Credential stuffing is similar to password spraying but uses previously stolen username-password pairs from data breaches. Attackers try these on new services, exploiting the fact that many people reuse passwords across different platforms.

Why it works: Since many users reuse the same credentials, breaches in unrelated services can be used to access other accounts.

3. Phishing
Phishing is a common social engineering tactic where users are tricked into giving away sensitive information, such as login information or financial details. These attempts can come via email, SMS, or phone calls and are often disguised as legitimate messages. Targeted versions include spear phishing, aimed at specific individuals, and whaling, which targets high-profile executives.

Why it works: Phishing preys on emotions like fear, urgency, or trust, making users more likely to click malicious links or reveal sensitive information.

4. MFA fatigue attack
Multi-factor authentication (MFA) is a great defense, but it’s not perfect. Attackers exploit MFA fatigue by sending users repeated push notifications until they approve a login out of frustration or confusion.

Why it works: In a typical MFA setup, users may approve a login they didn’t initiate just to stop the constant notifications.

5. Session hijacking
Session hijacking happens when an attacker steals a user's session token, allowing them to act as that user without needing to log in again. This can happen through malicious code on a website (cross-site scripting) that steals the session token, or through malware that captures the token or performs actions the user never authorized. Once they take over the session, attackers can move laterally through the system and escalate their access.

Why it works: Even with MFA, once the session is active, attackers can bypass additional checks and continue their attack.
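Two of the attacks above leave a recognizable pattern in sign-in logs. The detection logic below is an added illustration, not code from the article or from Okta: it runs over a constructed log and flags a single source IP failing against many distinct accounts (password spraying) and a burst of push challenges to one user (MFA fatigue). The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the article): timestamp, user, source IP, event.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 203.0.113.7 LOGIN_FAIL
2024-03-01T09:00:05 bob 203.0.113.7 LOGIN_FAIL
2024-03-01T09:00:09 carol 203.0.113.7 LOGIN_FAIL
2024-03-01T09:00:14 dave 203.0.113.7 LOGIN_FAIL
2024-03-01T09:01:00 alice 198.51.100.2 LOGIN_OK
2024-03-01T09:02:00 bob 198.51.100.9 MFA_PUSH_SENT
2024-03-01T09:02:20 bob 198.51.100.9 MFA_PUSH_SENT
2024-03-01T09:02:45 bob 198.51.100.9 MFA_PUSH_SENT
2024-03-01T09:03:05 bob 198.51.100.9 MFA_PUSH_SENT
2024-03-01T09:10:00 frank 192.0.2.4 LOGIN_FAIL
2024-03-01T09:10:30 frank 192.0.2.4 LOGIN_FAIL
"""

def parse_log(text):
    """Return (timestamp, user, ip, event) tuples in time order."""
    rows = [line.split() for line in text.splitlines()]
    return sorted((datetime.fromisoformat(t), u, ip, e) for t, u, ip, e in rows)

def detect_password_spraying(events, window=timedelta(minutes=5), min_users=4):
    """Flag a source IP whose failed logins hit many distinct accounts in one window.
    Per-account lockout never fires because each account sees only a try or two."""
    fails = defaultdict(list)
    for ts, user, ip, event in events:
        if event == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    alerts = {}
    for ip, rows in fails.items():          # rows are already time-ordered
        for i, (start, _) in enumerate(rows):
            users = {u for t, u in rows[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts

def detect_mfa_fatigue(events, window=timedelta(minutes=2), min_pushes=4):
    """Flag a user who receives a burst of push challenges in a short window."""
    pushes = defaultdict(list)
    for ts, user, ip, event in events:
        if event == "MFA_PUSH_SENT":
            pushes[user].append(ts)
    return sorted(u for u, times in pushes.items()
                  if max(sum(1 for t in times[i:] if t - s <= window)
                         for i, s in enumerate(times)) >= min_pushes)
```

Frank's two failures against his own account do not trip the spraying rule, which is the point: the signal is breadth across accounts from one source, not depth against one account.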

The cost and motivations behind identity-based attacks

Most identity-based attacks, like other cyberattacks, are driven by financial motives. In fact, 95% of breaches aim to make money through ransom, credit card theft, or selling identities on the dark web. Some attacks focus on espionage, while others are simply launched by disgruntled employees or customers to cause disruption.

These attacks are costly for organizations. IBM's 2023 report puts the average breach at $5.5 million, with identity-related breaches costing $4.62 million for stolen credentials and $4.75 million for phishing. Beyond financial losses, organizations also face disruption, fines, and damage to their reputation, which can harm customer trust.

How to protect your organization

Defending against identity-based attacks requires a combination of technical controls and user education. Both are essential for reducing risk and stopping attacks before they cause harm.

Key technical defenses:

  • Single Sign-On (SSO): Centralizes authentication and enforces strong password policies, reducing the number of passwords users need to manage.
  • Phishing-resistant MFA: Go beyond traditional MFA and implement phishing-resistant options that use strong cryptographic protections. This makes it difficult for attackers to hijack sessions, even if they have a user's credentials.
  • Threat intelligence: Leverage AI and machine learning to detect suspicious activity in real time, such as unusual login locations or behaviors.
  • Automated response: Use workflows that automatically lock accounts, reset passwords, or alert security teams when threats are detected.

User education:

Technology alone can't prevent human error. Training users to recognize and avoid threats is essential. Here are some key strategies:

  • Password hygiene: Promote long, unique passphrases that are changed only when necessary.
  • Passwordless authentication: Remove passwords entirely by adopting methods like biometrics or hardware tokens to eliminate password risks.
  • Recognizing phishing attacks: Teach employees to spot phishing across all communication channels, and ensure they know how to report it.

Staying one step ahead of attackers

Cybersecurity is not just about prevention; it's also about detection and response. By using signals based on who is trying to access systems, companies can spot and deal with threats early on, before they become big problems.

A key way to do this is through dynamic authentication, which adjusts security requirements in real time based on the level of risk. For example, if someone tries to log in from a new place or device, they might need to go through extra steps to prove who they are.

Monitoring user activity after login is also an important step. This includes tools that collect signals from different sources to find and stop attacks early, in some cases before the login step is even reached. By automating threat responses, organizations can react to unusual activity immediately, for example by terminating a session or locking an account. Acting this quickly limits the damage an attacker can do.
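The dynamic authentication and automated response described above can be expressed as a small risk policy. This is an added example, not Okta's policy engine or the article's code: it scores a sign-in from signals the article mentions (unknown device, new location, IP reputation, recent failures) and returns the action plus the automated responses to run. The `SignInContext` fields, the baseline and the point values are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SignInContext:
    """Signals available at sign-in time. Field names are assumptions, not an Okta API."""
    user: str
    device_id: str
    country: str
    ip_reputation: str    # "clean", "suspicious" or "known_bad"
    recent_failures: int  # failed logins against this account in the last hour

# Constructed baseline of each user's usual devices and countries.
BASELINE = {
    "alice": {"devices": {"laptop-a1"}, "countries": {"US"}},
    "bob": {"devices": {"phone-b7"}, "countries": {"US", "CA"}},
}

IP_RISK = {"clean": 0, "suspicious": 30, "known_bad": 70}

def risk_signals(ctx, baseline=BASELINE):
    """Return (score, reasons). Each signal adds risk points; reasons feed the SOC alert."""
    profile = baseline.get(ctx.user, {"devices": set(), "countries": set()})
    score, reasons = 0, []
    if ctx.device_id not in profile["devices"]:
        score += 30
        reasons.append("unknown device")
    if ctx.country not in profile["countries"]:
        score += 30
        reasons.append("new location")
    ip_points = IP_RISK.get(ctx.ip_reputation, 30)  # unknown reputation counts as suspicious
    if ip_points:
        score += ip_points
        reasons.append(f"ip {ctx.ip_reputation}")
    if ctx.recent_failures >= 3:
        score += 20
        reasons.append("recent failed logins")
    return score, reasons

def decide(ctx, baseline=BASELINE):
    """Dynamic authentication: the riskier the sign-in, the stronger the proof demanded.
    Returns (action, automated responses, reasons) so a workflow can act without a human."""
    score, reasons = risk_signals(ctx, baseline)
    if score >= 80:
        return "DENY", ["lock account", "revoke sessions", "alert security team"], reasons
    if score >= 30:
        return "STEP_UP", ["require phishing-resistant MFA"], reasons
    return "ALLOW", [], reasons
```

A familiar sign-in passes silently, a new device in a new country is challenged with phishing-resistant MFA, and a known-bad source that has already been failing against the account is denied and locked before a password guess can succeed.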

Want to learn more about protecting your organization from identity-based attacks?

Watch our full webinar to dive deeper into the tactics used by cybercriminals and how to defend against them with Okta.
