Tuebora Blog

Vectors to the Nearest Data Breach

Identity Attack Vectors (Methods and Tactics)

Identity attack vectors extend the attack surface beyond the open ports, database vulnerabilities, and insecure protocols that malicious intruders often seek to exploit. The purpose of an identity attack is to compromise an identity on a network and then impersonate it for a nefarious purpose. This article describes identity attack vectors by focusing on the methods and tactics used to take over identities on a corporate network. 

Key Identity Attack Methods

Identity attack methods typically depend on exploiting user accounts in some way. The method used can either be physical or electronic. These methods, when successful, can wreak havoc and lead to costly data breaches. 

Social Engineering

Social engineering attacks typically involve outsiders manipulating people into revealing sensitive information. In the context of identity attacks, this information is typically a username-password pair for accessing a resource on your network. An extremely common way to socially engineer user identity information is to send seemingly legitimate phishing emails to employees and get them to disclose their passwords. 

In one of the most high-profile instances of an identity attack in history, Edward Snowden convinced dozens of NSA employees to disclose their usernames and passwords to him under the guise of completing system administration tasks. If social engineering is deceiving people into revealing confidential information, Snowden’s actions were a case in point of social engineering from within. 

Orphaned Accounts

User accounts that don’t have a valid owner within your organization are termed orphaned accounts, and they represent a significant security risk. In fact, both Avast and NordVPN experienced months-long network intrusions resulting from orphaned accounts.

Malicious insiders or outside hackers can both exploit orphaned accounts. Such accounts often persist on a network due to a lack of visibility over user accounts or reliance on manual de-provisioning. 


Privilege Escalation

Whether due to poorly configured or inadequate access controls, privilege escalation is a method favored by many attackers to get elevated rights on a network. The attack typically involves compromising a standard user account and vertically increasing its privileges to higher levels of access, such as those of a system administrator. With higher privileges comes more access to the type of sensitive information that intruders can exfiltrate from your network or demand hefty ransoms to return.

Biometric Spoofing

In a world where multifactor authentication is becoming normalized, systems can request biometric information as a second piece of evidence to verify user identities. The latest trends show that half of organizations use biometrics, such as fingerprints and facial recognition technology, for granting access to privileged accounts. 

While requesting biometrics does enhance security, there is a risk of biometric spoofing. At organizations holding extremely valuable data, it’s not far-fetched to imagine a scenario in which a malicious insider copies a privileged user’s fingerprint and uses that to access the privileged account. Another example could be showing a photograph of a user to a facial recognition scanner in an attempt to gain access. 

Tactics for Attacking Identities

All of the methods used for identity attacks depend upon the use of various tactics. Getting usernames and passwords doesn’t happen by magic, and the determined cybercriminal has a large array of tactics to assist with account compromise. The tactics for gaining access to accounts range from non-technical to extremely technical.  

Trading Stolen Credentials

The dark web acts as a veritable marketplace for the trading of stolen credentials. When successful data breaches occur, the perpetrators often list the credentials they steal for sale on the dark web. Other hackers, hoping they can use this information for their own gain, can pay for stolen credentials and attempt to log in to different systems or networks with those same credentials. 

Brute Force

The password portion of stolen credentials may be rendered useless because compromised users typically receive a breach disclosure and a warning to change their password. However, there are automated ways to guess passwords tens of thousands of times in an attempt to gain access by brute force. The hope is that by going through every possible combination, the attacker eventually gets access. 

Manual Informed Guessing

Often powered by information gleaned during social engineering, manual guessing simply means that the intruder into a network attempts to guess a user’s password by finding out details about who they are. For example, an employee’s Twitter account may reference the name of their pet, which they happen to also use as the password to log in to a corporate resource. 

Over The Shoulder

The statistics show that more than 34% of businesses around the globe are affected by insider threats every year. While negligence rather than malice is the primary cause, malicious insiders still make a sizable contribution to this threat. One old-school way to steal privileged access credentials is to peer over an employee’s shoulder as they type their password into a system. 

Keyloggers

Keyloggers are a type of malicious software that records keystrokes made by a user. If an attacker can trick a user into installing a keylogger, for example, by getting them to download an email attachment, the attacker can use information collected by the keylogger to capture access credentials. 

Combatting Identity Attacks

With identity attacks continuing to grow in frequency and sophistication, there are some tools and methods to combat such threats, including:

  • Least Privilege—only give users the access they strictly need to perform their work.
  • Multifactor Authentication—require users to provide evidence from two distinct factors before authenticating access to resources on your network. 
  • Behavioral Analysis—use statistical analysis to determine behavioral anomalies in terms of the times people request access, the devices used, and the location. For example, infrequently used access that becomes much more frequent can indicate account compromise. 
  • Automated Provisioning/De-Provisioning—incorporate automation into provisioning and de-provisioning so that you avoid orphaned accounts persisting on your network. 
  • Time-Restricted Access—grant time-restricted access for contractors and other temporary users. 
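As an added illustration of the behavioral-analysis item above (this is not code from the article or from Tuebora's product), the following compares each account's recent logins against a baseline period and flags a jump in login frequency as well as sign-ins from a device or country never seen in the baseline. The log format, user names, and the 3x rate threshold are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login log (not from the article): timestamp, user, device id, country.
SAMPLE_LOG = """\
2024-03-01T09:02:00 alice laptop-01 US
2024-03-02T09:10:00 alice laptop-01 US
2024-03-04T08:58:00 alice laptop-01 US
2024-03-06T09:05:00 alice laptop-01 US
2024-03-09T09:00:00 alice laptop-01 US
2024-03-03T14:00:00 bob desktop-07 US
2024-03-09T03:12:00 bob desktop-07 US
2024-03-09T03:15:00 bob desktop-07 US
2024-03-09T03:30:00 bob unknown-99 RO
"""

def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, user, device, country) tuples."""
    return [(datetime.fromisoformat(ts), user, dev, cc)
            for ts, user, dev, cc in (line.split() for line in text.strip().splitlines())]

def build_profiles(events):
    """Per-user summary: login count plus the set of devices and countries seen."""
    profiles = defaultdict(lambda: {"logins": 0, "devices": set(), "countries": set()})
    for _, user, device, country in events:
        profiles[user]["logins"] += 1
        profiles[user]["devices"].add(device)
        profiles[user]["countries"].add(country)
    return profiles

def detect_anomalies(events, baseline_start, baseline_end, window_end, rate_factor=3.0):
    """Flag users whose recent login rate exceeds rate_factor x their baseline rate, or who
    log in from a device or country absent from the baseline (unknown users trip both)."""
    baseline_start, baseline_end, window_end = map(datetime.fromisoformat, (baseline_start, baseline_end, window_end))
    baseline = build_profiles([e for e in events if baseline_start <= e[0] < baseline_end])
    recent = build_profiles([e for e in events if baseline_end <= e[0] < window_end])
    base_days = (baseline_end - baseline_start).days
    recent_days = (window_end - baseline_end).days
    findings = {}
    for user, r in recent.items():
        b = baseline.get(user, {"logins": 0, "devices": set(), "countries": set()})  # no baseline: compare against zero
        base_rate, recent_rate = b["logins"] / base_days, r["logins"] / recent_days
        reasons = []
        if recent_rate > rate_factor * base_rate:
            reasons.append(f"login rate {recent_rate:.2f}/day vs baseline {base_rate:.2f}/day")
        reasons += [f"new device {d}" for d in sorted(r["devices"] - b["devices"])]
        reasons += [f"new country {c}" for c in sorted(r["countries"] - b["countries"])]
        if reasons:
            findings[user] = reasons
    return findings
```

On the sample, alice's steady once-every-other-day pattern is not flagged, while bob's burst of night-time logins plus an unseen device and country produces three findings.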

How Tuebora Helps

The methods for combatting identity attacks depend on having a robust identity and access management strategy and solution in place. Tuebora’s self-service IAM solution comes with machine learning capabilities to discover unused access and analyze provisioning behaviors. You can also monitor, detect, and remediate access violations to corporate files and folders. 

Get your demo here.  
