The Numbers Are In: Identity-Based Attacks (Still) Reign Supreme in 2022

By Greg Notch, CISO, Expel

The list of challenges security professionals face will not let up, as new threats emerge on a weekly—even daily—basis. Security teams need to stay informed if they want to effectively protect themselves and their organizations, so they’re constantly asking themselves a stream of questions: How are attackers behaving? Are certain attack types becoming more prevalent? What vulnerabilities are attackers exploiting, and how can organizations fight back?

Today’s businesses can’t afford to wait–they need information they can act on right away. That’s why Expel recently released its first Quarterly Threat Report (QTR), highlighting cybersecurity trends from the first quarter of 2022 that provide insight into what organizations can expect as the year continues. It won’t come as a shock to learn that identity-based attacks loom large and should be considered public enemy number one.

Attackers Continue to Exploit Poor Identity Security

Identity-based attacks accounted for 65% of all incidents observed by Expel during Q1, with business email compromise (BEC) and business application compromise (BAC) accounting for 63% on their own. The remaining 2% were identity-based attacks within cloud environments like Amazon Web Services (AWS) and Google Cloud Platform (GCP). This is in keeping with the broader trend: attackers are leveraging stolen credentials and other vulnerabilities to exploit poor identity security and gain access to networks. The 2022 Verizon Data Breach Investigations Report underscores these findings, noting that stolen credentials led to nearly 50% of all attacks in 2021—an increase of nearly 30% in the past five years alone.

BEC is particularly widespread. Of the incidents observed by Expel, 57% were BEC attempts in Microsoft Office 365 (O365), and 24% of customers reported experiencing at least one BEC attempt within O365. Expel findings showed that 2% of those attacks even managed to bypass multi-factor authentication (MFA) using OAuth applications. What’s more, 7% of BAC attempts in Okta successfully satisfied MFA requirements by continuously sending Duo push notifications to the victim until they accepted—sometimes known as MFA fatigue or “prompt bombing.” Security and IT teams need to be prepared to remove malicious OAuth applications and permissions in addition to resetting passwords and MFA tokens. As MFA becomes more common, attackers will also become more adept at bypassing it—which means defenders must be ready.
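A detection for the push-notification pattern described above, as an added example that is not from Expel's report or tooling: it flags an approved push that follows a burst of denied or timed-out pushes for the same user. The event tuple format, the result values, and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not a real product's log schema):
# (ISO timestamp, user, push result)
SAMPLE_EVENTS = [
    ("2022-03-01T09:00:05", "alice", "approved"),  # normal single-prompt login
    ("2022-03-01T02:10:00", "bob", "denied"),
    ("2022-03-01T02:10:40", "bob", "timeout"),
    ("2022-03-01T02:11:15", "bob", "denied"),
    ("2022-03-01T02:11:50", "bob", "timeout"),
    ("2022-03-01T02:12:30", "bob", "approved"),    # accepts after repeated prompts
    ("2022-03-01T14:00:00", "carol", "denied"),
    ("2022-03-01T16:30:00", "carol", "approved"),  # hours apart: not a burst
]


def find_prompt_bombing(events, window=timedelta(minutes=10), min_rejected=3):
    """Return one alert per approval that follows at least `min_rejected`
    denied or timed-out pushes for the same user inside `window`."""
    recent = defaultdict(deque)  # user -> timestamps of recent rejected pushes
    alerts = []
    # Same-format ISO timestamps sort chronologically as strings.
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        rejected = recent[user]
        # Drop rejected pushes that have aged out of the window.
        while rejected and now - rejected[0] > window:
            rejected.popleft()
        if result in ("denied", "timeout"):
            rejected.append(now)
        elif result == "approved":
            if len(rejected) >= min_rejected:
                alerts.append({"user": user, "approved_at": ts,
                               "rejected_before": len(rejected)})
            rejected.clear()  # a new session starts a new count
    return alerts


if __name__ == "__main__":
    for alert in find_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

An alert here marks a session to treat as compromised until reviewed, which is the point at which the resets and OAuth permission review mentioned above apply.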

One interesting note was the uptick in BEC attempts during the week of Valentine’s Day. It’s not uncommon for phishing scammers and other attackers to attempt to tug the heartstrings of their victims to trick them into a risky click. The FBI issued warnings regarding the potential for BEC scams around the holidays, but it’s notable that this extends beyond holidays like Christmas and Thanksgiving. Organizations should train their employees to be wary of the potential for BEC scams, year-round.

Ransomware Isn’t Going Anywhere

It should come as little surprise that ransomware attacks persist in 2022, given the number of headlines already this year. Attackers are targeting hospitals, municipalities, tech companies, and anyone else they suspect might be worth the time and effort. During Q1, 5% of incidents observed by Expel were attributed to pre-ransomware activity where an attacker looked to gain a foothold within the network to launch an attack. If left undetected, those incidents could have led to potentially costly attacks.

This year, we have observed ransomware attackers shifting their tactics, with macro-enabled Word documents and zipped JavaScript files serving as the initial attack vector in 82% of all pre-ransomware incidents. What’s more, commodity malware and known malware families linked to pre-ransomware activity accounted for 26% of incidents. What does this mean? Using commodity malware, attackers can target organizations of all sizes with relatively little cost to themselves. It isn’t just the big dogs that need to worry about ransomware anymore—small and mid-sized businesses should have strategies in place to defend themselves.

The big takeaway? Having a plan can make all the difference. Knowing what to do when an attacker is detected and keeping the time between initial detection and eventual remediation low are both critical components. That means knowing who to turn to—whether it’s an in-house security leader or a managed security provider. The faster the security team can begin implementing recommendations, the less time the attacker has to gain a foothold and branch out from the initial point of entry. Organizations should track this data—if the time between detection and remediation is too long, they should consider serious changes to their security setup.

Using Current Data to Project Future Trends

Understanding the current cybersecurity landscape is critical, and organizations must have a plan in place to address today’s most pressing threats. Annual threat reports, such as those produced by Expel and other security experts, can provide valuable insight into the way these threats evolve over time, while more frequent Quarterly Threat Reports can highlight new changes and trends as they emerge. BEC, ransomware, and other attack tactics are not new, but understanding the ways in which today’s attackers are leveraging them can provide organizations with the knowledge they need to more effectively combat them.


About the Author

Greg Notch is the Chief Information Security Officer (CISO) at Expel. As CISO (pronunciations may vary), he is responsible for ensuring the security of our systems, as well as keeping customers educated on the threat landscape and latest techniques for mitigating risk in their environments.

He’s been doing the security and tech thing for over 20 years – helping companies large and small through all three dot-com booms to build high-performing engineering teams, and improve their technology, process, and security.

Before Expel, Greg spent 15 years as the CISO and Senior Vice President of Technology at the National Hockey League (NHL), where he led their information security program. He also led the league’s technology strategy, digital transformation, and cloud initiatives.

Prior to the NHL, Greg worked on infrastructure, security, and software systems for Apple, Yahoo Search, eMusic, and several other NYC-based tech startups.

November 18, 2022
