This article was written by Chris Henderson, chief information security officer at Huntress.
Cybercriminals aren’t wasting time breaking into networks anymore—they’re logging in. As traditional endpoint defenses improve, attackers have shifted their focus to targeting identities. With tactics like credential theft, phishing, and session hijacking, threat actors are gaining access to systems and data. And the worst part? It’s working.
Huntress observed that identity-based attacks accounted for 67% of all critical incidents in 2024, emphasizing their rapidly growing threat. High-profile breaches, such as the Caesars Entertainment and MGM cyberattacks in 2023, showcase how threat actors are finding success in launching such attacks.
These attacks bypass endpoint protection and exploit weak multifactor authentication (MFA), often without raising alarms. As these types of attacks continue to make headlines, clients will increasingly rely on MSPs to guide them in adopting effective identity security strategies.
The Rise of Identity-based Attacks
Many identity-based attacks still rely on tried-and-true methods, like credential stuffing or password spraying. However, threat actors are also becoming more innovative in how they launch identity-based attacks.
Recent attacks have targeted corporate workflows that aren’t necessarily part of companies’ threat models. For example, the rise in bring your own device (BYOD) policies has enabled threat actors to compromise victims’ personal devices or accounts, and pivot from there into corporate environments. Another example is business process outsourcing (BPO), which many companies are leveraging as a cost-effective way to manage their operations. Threat actors are taking advantage of this by targeting BPO workflows, like third-party help desks, with identity-centric techniques.
Threat actors are also skirting around existing identity security measures. For example, attackers have used SIM swapping attacks to intercept SMS-based two-factor authentication (2FA). They have also used MFA fatigue attacks to flood end users with MFA requests, in hopes that they will approve a malicious login attempt.
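The MFA fatigue pattern described above, a burst of unapproved push prompts followed by an approval, can be flagged from authentication logs. The Python below is an added example, not code from this article or from Huntress; the event fields, the 10-minute window, and the five-prompt threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO timestamp, user, push result.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "approved"),  # ordinary single prompt
    ("2024-05-01T02:10:00", "bob", "denied"),
    ("2024-05-01T02:10:40", "bob", "timeout"),
    ("2024-05-01T02:11:15", "bob", "denied"),
    ("2024-05-01T02:12:05", "bob", "denied"),
    ("2024-05-01T02:12:50", "bob", "timeout"),
    ("2024-05-01T02:13:30", "bob", "approved"),    # approval right after a burst
    ("2024-05-01T14:00:00", "carol", "denied"),
    ("2024-05-01T18:30:00", "carol", "denied"),    # hours apart, not a burst
    ("2024-05-01T18:31:00", "carol", "approved"),
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive >= threshold unapproved pushes inside the window.

    Severity is "medium" for the burst alone and "high" when an approval
    arrives while the burst is still inside the window (the user may have
    given in). Window and threshold are assumed values to tune per tenant.
    """
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    alerts = {}
    for ts, user, result in sorted(events):  # ISO strings sort chronologically
        now = datetime.fromisoformat(ts)
        failed = recent[user]
        while failed and now - failed[0] > window:
            failed.popleft()  # drop prompts that fell out of the window
        if result in ("denied", "timeout"):
            failed.append(now)
            already_high = alerts.get(user, {}).get("severity") == "high"
            if len(failed) >= threshold and not already_high:
                alerts[user] = {"severity": "medium",
                                "failed_prompts": len(failed), "at": ts}
        elif result == "approved":
            if len(failed) >= threshold:
                alerts[user] = {"severity": "high",
                                "failed_prompts": len(failed), "at": ts}
            failed.clear()  # a new burst starts counting from zero
    return alerts

if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(user, alert)
```

A "high" alert is a candidate for revoking the user's sessions and resetting credentials, since the approval may have been the attacker's login.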
Scattered Spider and Lapsus$: Attacks in the Wild
Threat groups like Scattered Spider and Lapsus$ have made headlines through their brazen identity-centric techniques. They have used these tactics to gain initial access or bypass security protections in place at targeted organizations.
Scattered Spider, which was behind major hacks like the Caesars Entertainment and MGM cyberattacks in 2023, used social engineering methods to carry out SIM swapping attacks and perform account takeovers. Scattered Spider’s targeting of IT help desk personnel was particularly troubling. The group used employees’ personally identifiable information (PII) to convince help desk workers to reset passwords or MFA tokens. This then allowed them to take over the accounts of users across their single sign-on (SSO) environments.
Lapsus$ similarly targeted third-party IT help desks in their hacking spree against major tech firms in 2023. The threat group used SIM swapping, MFA fatigue attacks, and in some cases even impersonated help desk personnel to convince employees to approve MFA prompts.
There are several reasons why identity-based attacks work well for these groups. As the Cyber Safety Review Board has outlined, the attacks aren’t in line with organizations’ traditional threat models. Many techniques extend beyond the traditional security perimeter for companies, targeting third-party, outsourced IT help desks, for example. These attacks are also notoriously difficult for defenders to detect. Once attackers take over an account, their behavior can blend in with the normal behavior of the compromised user.
Best Identity Security Practices
There are several ways you can help protect your clients against identity-based attacks.
MFA is a solid safeguard against many of the attacks we know of today, like credential stuffing. However, many of the attacks we’ve seen have targeted weaknesses in certain forms of MFA, like SMS-based 2FA. Phishing-resistant MFA, like FIDO2 security keys, is currently considered the best MFA implementation.
Here are some other security measures you can arm your clients with:
1. Educate employees with security awareness training.
Security awareness training is an effective way to help identify and prevent social engineering attacks, especially as threat actors get more creative with their attacks. Employees who have a solid understanding of the threat landscape and know when and where to report potential incidents can help improve security.
2. Apply the principle of least privilege.
Limit privileges so that users have the lowest level of access needed to carry out their tasks. This minimizes the impact of a successful identity attack by limiting the access the attacker gains.
3. Implement an identity threat detection and response (ITDR) solution.
ITDR can help teams detect and respond to threats like credential theft or rogue apps in real time. Unlike IAM (identity and access management) or PAM (privileged access management), which center on access control, ITDR focuses on detecting and responding to misuse of that access.
4. Implement password best practices—or reduce reliance on passwords overall.
Businesses should use password managers and ensure employees use strong, unique passwords. The very best practice for companies with the appropriate resources is to shift to passwordless authentication, using biometrics or hardware security keys.
The Future of Identity-based Attacks
As more companies implement security measures to protect digital identities, threat actors continue to find new ways to target those protections or move outside of traditional threat models.
Recent security incidents like the one at MGM show us that identity-based attacks aren’t going anywhere, and businesses need to stay one step ahead. You can play a critical role in helping your clients navigate the most effective ways to protect against identity-based attacks.