To better understand the problems of online identity theft, we need to consider what we mean by ‘digital identity’. At the start of its guidelines, the National Institute of Standards and Technology (NIST) defines digital identity as the “online persona of a subject,” recognising that there isn’t yet a single, widely accepted definition. But here, we can view digital identity simply to represent a person in online transactions.
Access to digital infrastructure traditionally relies on information associated with this digital identity. In most cases, to access a digital service, a person (or “subject”) needs to know a “secret,” which acts as a credential—such as a password, PIN, or API key. When they provide this secret, the system assumes the person is who they claim to be. But if this credential is stolen, malicious actors can use it to impersonate that person — effectively committing identity theft.
To more reliably verify a person’s true identity, security systems often combine multiple factors — credentials — such as:
- Something they know: A secret, like a password or PIN.
- Something they have: like a physical device, such as a security token or trusted platform module (TPM).
- Something they are: such as biometrics, like a fingerprint or facial recognition.
This layered approach strengthens digital identity verification, helping ensure a person’s identity is accurately represented in online transactions. It’s clear that the theft of a credential equals identity theft.
Credential Misuse is rising
According to the 2024 Verizon Data Breach Investigations Report , human involvement in data breaches remains significant. The report indicates that 68% of breaches involved a (non-malicious) human element, such as individuals falling victim to social engineering attacks or making errors.
The report notes that over the past decade, stolen credential incidents have appeared in almost one-third (31%) of all breaches, highlighting the persistent risk associated with credential-based attacks.
Verizon observes a significant increase in attacks involving the exploitation of vulnerabilities, which nearly tripled from the previous year, accounting for 14% of all breaches. This surge underscores the evolving tactics of threat actors and the importance of robust security measures.
According to data gathered by the US Cybersecurity and Infrastructure Security Agency (CISA) Risk and Vulnerability Assessment (RVA) analyses revealed that Valid Accounts [T1078] were the most common successful attack technique, responsible for 41% of successful attempts.”
Meanwhile, the 2024 Microsoft Digital Defense Report highlights a significant rise in credential misuse and identity theft, emphasising the evolving tactics of cybercriminals and the necessity for robust security measures. Key findings note that cybercriminals are increasingly targeting user credentials to gain unauthorised access to systems and data. This surge underscores the critical need for organisations to implement strong authentication protocols and monitor for suspicious activities.
Microsoft also reports a notable increase in sophisticated phishing campaigns designed to deceive individuals into revealing sensitive information. These attacks often exploit human psychology, making them particularly effective and challenging to detect.
The report advocates for the widespread implementation of MFA as a fundamental defence against credential theft. MFA adds an additional layer of security, making it more difficult for attackers to compromise accounts even if credentials are obtained.
And it stresses the need to adopt a ‘Zero Trust’ approach, which assumes that threats could be both external and internal. This model requires continuous verification of user identities and device health, reducing the risk of unauthorised access.
These insights underscore the importance of proactive security strategies, continuous monitoring, and user education to combat the growing threat of credential misuse and identity theft.
Bypassing MFA?
Multi-factor authentication (MFA) prevents access to the system unless all required factors are verified, ensuring the user’s identity is confirmed. A typical MFA setup, for example, asks users to enter a One-Time Password (OTP) sent via SMS in addition to their username and password.
While adding more factors strengthens security, the system can still be compromised if it is improperly configured or if there are vulnerabilities in the software or hardware components.
One example of an incident in relation to credential theft, is a customer under the protection of our Managed Detection and Response services receiving a phishing email from a compromised business partner.
The email contained a Google link redirect chain leading to a M365 phishing page. These types of phishing links are much harder to detect due to the email sender being observed previously communicating with the recipient and the mails passing DMARK, DKIM, and SPF checks. These checks normally prevent users from receiving such a link , but that was bypassed using this technique
As a result, few defenses remain, and only the email security solution raised an alert for CSIS to take action on.
The next stage involved a Man-in-the-Middle attack – the user’s login session was hijacked and a secondary MFA option was registered by the perpetrator, to gain persistent access to the account.
Fortunately, CSIS was able to stop the attack and take preventive measures to mitigate the threat in the initial access phase – leaving the perpetrator empty-handed.
To further safeguard against identity theft, implementing Restrictive Conditional-Access Policies can provide an additional layer of security by ensuring that only trusted users and devices can access sensitive systems. For organisations managing devices, requiring enrolment into Microsoft Intune for management enhances oversight and control, though it’s important to note that Bring Your Own Device (BYOD) policies may pose challenges in these cases.
Switching to Windows Hello for Business on devices equipped with Trusted Platform Modules (TPM) is another effective alternative. This approach leverages advanced authentication methods, such as biometrics or PINs, to improve resistance against phishing attacks while enhancing the overall security posture of endpoints. These measures, when integrated into a robust cybersecurity framework, can significantly mitigate the risk of identity theft.
CSIS strongly recommends establishing a phishing-resistant multifactor policy, incorporating security devices like YubiKey — a hardware-based security key that provides strong two-factor, multi-factor, and passwordless authentication — or similar. Implementing such measures not only enhances protection, but also makes it impossible to fall victim to malicious activities such as session stealing.
Managing digital identities
There are several ways to better manage organisational security online, and help staff avoid the issues surrounding identity attack, including, but not limited to:
Implementing proper Access Control
Implementing robust access control mechanisms is essential to ensure only authorised users can access specific data and systems, reducing the risk of unauthorised access. This includes setting up role-based access controls (RBAC) and applying the principle of least privilege, which limits user permissions to only what is necessary for their role. CSIS offers services such as Active Directory (AD) Security Assessments to help organisations identify and remediate complex risks and threats within their access control systems.
Monitoring infrastructure – audit logs
Regular monitoring of audit logs is crucial for detecting unusual activity early on, providing insights into who accessed what, when, and from where. Analyzing these logs can reveal signs of unauthorised access, privilege escalation, or attempted credential misuse, enabling swift intervention. CSIS Managed Detection and Response (MDR) services offer 24/7 monitoring and analysis of security events, ensuring prompt detection and response to potential threats.
CSIS Compromised Credentials service provides continuous real-time monitoring of stolen credential data which may be used against your organisation. During 2024, CSIS has observed approximately 24 billion credential combinations (i.e., usernames along with associated passwords and URLs) from Q1-Q3, or an average of 3 billion credential combinations per month.
Develop and maintain a cyber incident response plan
Developing and maintaining a cyber incident response plan provides a clear roadmap for identifying, containing and resolving security incidents, helping to reduce damage and recovery time. Regularly updating and testing the plan ensures it remains effective against evolving threats. CSIS provides Emergency Response Consulting services to assist organisations in preparing for and responding to cyber incidents.
Have an Emergency Response partner
Partnering with an external emergency response team ensures access to specialised expertise in the event of a breach. These professionals can assist with containment, investigation and remediation efforts, helping restore operations quickly and securely. CSIS is a member of FIRST, the global forum for incident response and security teams, and NCSC Assured in Incident Response, offers Emergency Response Retainers, guaranteeing immediate and round-the-clock access to world-class emergency incident response.
Through implementing multi-factor authentication, strengthening access controls, and establishing proactive monitoring and incident response measures, organisations can reduce the risk of unauthorised access and protect against identity theft.
Using solutions like those provided by CSIS, including continuous monitoring, access control assessments and dedicated emergency response services, companies are better equipped to defend their digital infrastructure against sophisticated attacks. A strong commitment to a robust, well-rounded security strategy is essential for any organisation to thrive in today’s digital landscape.
