TheJakartaPost


The rise of identity attacks and how to defend against them

Adversaries are evolving their tradecraft, building custom tooling and leveraging more than usernames and passwords to breach your environments.

Fabio Fratucello
Sydney, Australia
Tue, October 17, 2023

Illustration of cybersecurity (Shutterstock/Andrii Yalanskyi)

As the largest economy in Southeast Asia, Indonesia has seen the value of its digital industry grow significantly from US$41 billion in 2019 to US$77 billion in 2022. While this growth has fuelled economic opportunity for the country, the sheer volume of personal and business data has made Indonesia a prime target for cyberattacks.

Even more worrisome is that, according to our 2023 Threat Hunting Report, the top 5 verticals in order of intrusion frequency in Asia Pacific and Japan were the technology, telecommunications, retail, financial and manufacturing sectors. Many of these have access to consumer data, so the risk extends beyond the business to the general public.

In fact, CrowdStrike observed a 40 percent year-over-year increase in interactive intrusions globally, with an increase of over 80 percent in activity against the financial sector.

Perhaps more concerning is that 71 percent of interactive intrusions were malware-free, making it even more challenging for defenders to protect their businesses against attack and adding credence to the need for a proactive approach to cybersecurity.

So how are adversaries finding so much success? They’re typically leveraging legitimate access to companies’ infrastructure as an entry point to then conduct more malicious activities, including data theft and ransomware attacks.

According to our 2023 Threat Hunting Report, there has been an alarming 583 percent year-over-year increase in Kerberoasting attacks — a form of identity-based threat — and a 147 percent increase in access broker advertisements on the dark web.


Let’s examine two of the most prevalent identity-related attack trends from 2023 thus far.

Trend number 1: 583 percent increase in Kerberoasting attacks.

Kerberoasting is a technique adversaries use to obtain valid credentials for Microsoft Active Directory (AD) service accounts. These accounts are hot targets because they often provide higher privileges and allow attackers to lurk undetected for longer stretches of time.

Kerberoasting attacks are also notoriously difficult to detect amid everyday telemetry, further increasing their popularity among cyber criminals.
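One way to hunt for this activity in domain controller logs, as an added example that is not from the article or from CrowdStrike: Windows Security event 4769 records each Kerberos service ticket request, and one account requesting RC4-encrypted (type 0x17) tickets for several user-backed services in a short window stands out from everyday traffic. The event rows, account names, time window and threshold below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # Ticket Encryption Type value for RC4-HMAC in event 4769
WINDOW = timedelta(minutes=5)   # assumed hunting window; tune to your environment
MIN_DISTINCT_SERVICES = 3       # assumed threshold; tune to your baseline

# Constructed sample rows shaped like fields of Windows Security event 4769.
FIELDS = ("time", "event_id", "account", "service", "etype")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2023-10-17T09:00:01", 4769, "alice@CORP.EXAMPLE", "FILESRV01$", "0x12"),
    ("2023-10-17T09:01:40", 4769, "alice@CORP.EXAMPLE", "svc_legacy", "0x17"),
    ("2023-10-17T09:02:10", 4769, "bob@CORP.EXAMPLE", "svc_sql", "0x17"),
    ("2023-10-17T09:02:12", 4769, "bob@CORP.EXAMPLE", "svc_web", "0x17"),
    ("2023-10-17T09:02:15", 4769, "bob@CORP.EXAMPLE", "svc_backup", "0x17"),
    ("2023-10-17T09:02:30", 4769, "bob@CORP.EXAMPLE", "svc_hr", "0x17"),
    ("2023-10-17T10:00:00", 4769, "carol@CORP.EXAMPLE", "svc_sql", "0x17"),
    ("2023-10-17T10:30:00", 4769, "carol@CORP.EXAMPLE", "svc_web", "0x17"),
    ("2023-10-17T11:00:00", 4769, "carol@CORP.EXAMPLE", "svc_hr", "0x17"),
]]

def hunt_kerberoasting(events):
    """Map each suspicious account to the services it requested RC4 tickets for."""
    per_account = defaultdict(list)
    for e in events:
        if e["event_id"] != 4769 or e["etype"].lower() != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and krbtgt are routine noise for this hunt
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), svc))

    findings = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the window so it never spans more than WINDOW.
            while reqs[end][0] - reqs[start][0] > WINDOW:
                start += 1
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= MIN_DISTINCT_SERVICES:
                findings[account] = sorted(set(findings.get(account, [])) | services)
    return findings

if __name__ == "__main__":
    for account, services in hunt_kerberoasting(EVENTS).items():
        print(f"review {account}: RC4 tickets for {', '.join(services)}")
```

A single RC4 request (alice) or the same requests spread over an hour (carol) stay below the threshold; only the burst from bob is reported.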

There is also the sheer popularity of AD: 90 percent of Fortune 1000 companies use AD. The abuse of AD mechanisms to gain access, escalate privileges and persist in target environments undetected is a common theme among today’s more advanced cyberattacks.

Even organizations with mature cybersecurity programs and intimate knowledge of AD and its related technologies can still be breached, heightening the need to hunt for identity threats.

According to the 2023 Threat Hunting Report, a closer look at the techniques involved in identity-based attacks reveals an interesting duality between old and new. Kerberoasting is an old and well-understood technique; however, our experts also observed the abuse of network provider dynamic link libraries (DLLs) as a means to harvest valid credentials. A network provider DLL enables the Windows operating system to communicate with other types of networks by supporting different networking protocols.

This newly documented sub-technique sees adversaries operate without the need to interact with services that are often highly monitored by security tools, including the Local Security Authority Subsystem Service. It provides an evasive way for them to access valid account data.
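A defender can audit which network providers a host has registered and where their DLLs live, shown here as an added example that is not from the article or from CrowdStrike. Windows lists providers in the `ProviderOrder` registry value and stores each DLL location in that provider's `ProviderPath` value; the snapshot, the `logincache` entry, the baseline set and the `C:\Windows` system root are constructed assumptions.

```python
import ntpath

# Assumed baseline of providers shipped with Windows; extend with ones you deploy.
BASELINE = {"rdpnp", "lanmanworkstation", "webclient"}
SYSTEM32 = r"c:\windows\system32"   # assumes %SystemRoot% is C:\Windows

# Constructed registry snapshot, e.g. exported by an inventory agent.
# ProviderOrder: HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
# ProviderPath:  HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider
SNAPSHOT = {
    "ProviderOrder": "RDPNP,LanmanWorkstation,webclient,logincache",
    "ProviderPath": {
        "RDPNP": r"%SystemRoot%\System32\drprov.dll",
        "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
        "webclient": r"%SystemRoot%\System32\davclnt.dll",
        "logincache": r"C:\ProgramData\cache\lc.dll",   # hypothetical entry
    },
}

def audit_network_providers(snapshot, baseline=BASELINE):
    """Return [(provider, [reasons])] for registered providers that need review."""
    paths = {k.lower(): v for k, v in snapshot["ProviderPath"].items()}
    findings = []
    for name in (n.strip() for n in snapshot["ProviderOrder"].split(",")):
        if not name:
            continue
        reasons = []
        if name.lower() not in baseline:
            reasons.append("not in baseline")
        path = paths.get(name.lower())
        if path is None:
            reasons.append("no ProviderPath")
        else:
            # Expand %SystemRoot% and compare the DLL's directory to System32.
            norm = ntpath.normpath(path).lower().replace("%systemroot%", r"c:\windows")
            if ntpath.dirname(norm) != SYSTEM32:
                reasons.append("DLL outside System32")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit_network_providers(SNAPSHOT):
        print(f"review provider {name}: {'; '.join(reasons)}")
```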

Trend number 2: 147 percent increase in access broker advertisements on the dark web.

In the past year, CrowdStrike’s threat hunters have observed a 147 percent increase in access broker advertisements in criminal or underground communities, a notable jump from the 112 percent increase reported in the 2023 Global Threat Report.

This growing supply of compromised credentials indicates a demand among adversaries looking to buy valid credentials for follow-on activity. By purchasing valid credentials, adversaries don’t need to leverage traditional vulnerability exploits to breach organizations. Instead, they can simply log in to victim environments and then move laterally toward their objectives.

Given how easy initial access has become, it’s no wonder that 62 percent of all interactive intrusions involve the abuse of valid accounts, with 34 percent of intrusions specifically involving the use of domain accounts or default accounts, according to the 2023 Threat Hunting Report.

The onslaught of identity-related attacks requires new defensive countermeasures. Identity threat hunting is a practice that uses identity telemetry to identify potential intrusions and safeguard an organization's network and systems.

By continuously monitoring user behaviors, access controls and authentication mechanisms, organizations can detect and mitigate threats that specifically target user credentials.

Here are some of the capabilities you should consider.

First, supplementing endpoint telemetry with identity telemetry empowers organizations to monitor and detect compromised user accounts. By analyzing user identity data, login patterns and authentication data, we can promptly identify signs of compromised credentials, such as brute-force attacks, account takeover, privilege escalation or suspicious login activities from unfamiliar locations or devices. This early detection allows us to take immediate action to mitigate the impact of unauthorized access in customer environments.

Second, lost or stolen credentials on the deep dark web (DDW) pose a significant risk as adversaries exploit this information for unauthorized access. We leverage Falcon Intelligence to identify compromised credentials on the DDW and use them as leads for Identity Threat Hunting, a proactive methodology that leverages identity telemetry to identify potential intrusions and safeguard an organization's network and systems. By continuously monitoring user behaviors, access controls, and authentication mechanisms, organizations can detect and mitigate threats that specifically target user credentials.

Identity threat protection is critical for businesses in Indonesia and across Southeast Asia to protect themselves against credential and identity-based attacks. This attack vector isn’t going away and is in fact becoming a growing concern, so businesses in the region need to prepare their security approach to manage such attacks or risk their reputation, financial security and overall productivity.

In today’s cyber threat landscape, identity threat protection is a must-have, not a nice-to-have.

 ***

The writer is chief technology officer international at CrowdStrike.
