The State of Identity Security for 2022: Identity-Based Threats, Breaches, & Security Best Practices

There is one important truth that organizations need to face right now: the number and nature of identities is changing, and these changes are posing a direct risk to enterprise IT security.

According the recently published 2022 Trends in Securing Digital Identities report from the Identity Defined Security Alliance (IDSA), 84% of organizations experienced at least one identity-related breach in the past year. This represents a 6.3% increase YoY (79% of organizations reported an identity-related breach in both 2020 and 2021). Moreover, 78% of the organizations that incurred an Identity-based breach over the past year suffered a direct business impact as a result. Impacts can range anywhere from the high costs of recovery to damages from tarnishing of the business’s reputation.

It is not a coincidence that the rise in number and complexity of identities has coincided with a rise in identity-related breaches. Identities are increasing both in type and number, and this changes the dynamic of identity management.

The new IDSA report also revealed some intriguing stats related to how organizations are (and should be) responding identity-based threats and the changing landscape. This blog will break down the key findings from this year’s report to help you determine:

• The source of highest identity-based risk for organizations
• Core impacts of an identity-related breach
• Details on the identity security implementation trends across organizations
• Proven key strategies to help with identity-related threat prevention.

Breach Breakdown: This Year’s Reported Breach Findings

This year’s IDSA report findings painted a jarring picture of the growing complexity of identity management and its impact on organizations. Here’s a more detailed breakdown of the key factors contributing to this trend, as outlined in the 2022 Trends in Securing Digital Identities report.

More identities

According to the report, 98% of identity and security professionals say the number of machine and human identities in their organizations is increasing, citing such factors as the adoption of more cloud applications (52%); an increase in third-party relationships (46%); and a spike in bots, Internet-of-Things devices, and other machine identities (43%). What these figures reveal is that there is a direct relationship between the number of technologies required for businesses to operate and the number of identities (accounts) any single user in an organization may have. Each user needs access to multiple accounts, devices, etc., and each of those access points creates a new identity attack vector

Growth of cloud adoption

Most organizations today have either multiple IaaS, SaaS, or PaaS cloud services or operate a hybrid cloud and on-prem model. These cloud environments create a proliferation of permissions, entitlements, and privileged identities—many of which are ephemeral, yet still need to be managed and secured. Ultimately, this makes for a complex security framework that tends to have gaps in both security and visibility.

An increasingly perimeterless IT world

The normalization of the work-from-anywhere (WFA) environment has increased the number of employees who are remotely accessing network resources, and the number of unsecured remote locations from where they may be accessing those network resources. Organizations are experiencing a similar increase in the number of contractors, third-party resources, vendors, partners, etc. who need to access certain network resources.

In other words, this year’s increase in identity-related breaches points to a proliferating attack surface that continues to offer threat actors an exponentially growing number of opportunities for exploitation.

Top Identity-Based Breaches of 2022

Now that we’ve peeked at what’s driving up the numbers on identity-related breaches, let’s take a closer look at the specific types of breaches most often reported by organizations in 2022, along with the best ways to defend your organization against them.

Phishing (broad-based campaigns and targeted spear phishing attacks)

As the figure above illustrates, phishing (59%) was the number one cited cause of identity-related breach in 2022. This isn’t a coincidence. According to the APWG’s Phishing Activity Trends Report, phishing reached an all-time high in the first quarter of 2022, with 1,025,968 total phishing attacks over the course of the three months, and with a record-breaking 384,291 attacks occurring in March 2022. This follows the 600% YoY increase in phishing attacks that was reported leading into 2021 (2021 Malware Threat Report, BeyondTrust Labs).

What are Phishing attacks and their risks?

Phishing attacks are perennially a top entry point for threat actors. These attacks succeed in the initial compromise of an environment, usually with a malicious link or attachment, and then commonly perform information gathering, which can be used later to exploit a weakness that presents itself.

What are the top ways to mitigate the risk of phishing attacks?

• Enforce frequent installation of updates company-wide to ensure the latest security patches are in place
• Implement least privilege access and removal of admin rights
• Deploy SPAM filters and firewalls to intercept malicious emails before they reach a user’s inbox
• Provide regular training to all employees so they can better identify and report phishing attempts.

Inadequate Management of Privileges / Privileged Identities

In the 2022 APWG report, 36% of the organizations surveyed by the IDSA reported that inadequately managed privileges resulted in a breach. A further 21% reported excessive privileges leading to an insider attack, and another 23% confirmed a compromised privileged identity to be the source of breach.

The combined increase in identities, the growth of cloud environments, and erosion of the network perimeter have all contributed to the explosion of unmanaged privileged identities, access, and sessions, and wherever unmanaged privileges reside exists a high risk of exploitation.

What are the top risks associated with unmanaged privileges?

The consequences of a privileged identity breach to an organization are also quite high. Breaching an organization’s network via a privileged account gives an attacker fast-tracked access to sensitive data a standard user would not have access to. It also becomes easier for an attacker to execute lateral movement, escalate privileges, and even hijack other accounts.

Top ways to mitigate the risk of privilege attacks

The best ways to mitigate the risk of a cyberattacker breaching your organization through a privileged account are to:

• Remove admin privileges
• And enforce least privilege and just-in-time access (both of these are considered critical to a zero trust security posture)
• Closely monitor privileged sessions and other privileged analytics

Removing admin rights and applying least privilege provides proactive protection—even against many zero day vulnerabilities and exploits. Based on 2015-2020 findings listed in the BeyondTrust 2021 Microsoft Vulnerabilities Report, and corroborated again in the 2022 Microsoft Vulnerabilities Report, as many as 75% of critical vulnerabilities can be eliminated simply by removing admin privileges.

Poor password hygiene

The IDSA report identified passwords as another critical point when it comes to identity security. Stolen credentials (33%) came in second from the top on the list of identity-related breaches experienced by organizations this year. Another 27% of the organizations surveyed reported social engineered passwords as a source of breach they’ve encountered in 2022, and 23% experienced a brute force attack, including credential stuffing and password spraying attacks. And when it comes to credentials, privileged credentials provide the most sensitive and broadest access, so their compromise or misuse causes the biggest impact. This helps corroborate Forrester Research’s estimate that 80% of breaches involve compromised or abused privileged credentials.

What are the top credential-based risks?

Passwords are one of the weak links when it comes to enterprise cybersecurity. Compound this with poor password management policies, the surge of technology devices and applications being used by each employee, and the fact that threat actors are becoming increasingly more sophisticated, and you have a perfect storm railing against your cybersecurity infrastructure. A breach of credentials can have serious implications for an organization, including:

• Enabling lateral movement of threats within the network
• The compromise of multiple systems, accounts, and users
• The launch of ransomware and other malware attacks
• Threat actors gaining access to funds, sensitive data, intellectual property, customer information
• Data breaches

As an example of how much damage can be inflicted upon an organization through one compromised set of credentials, just look at the 2021 attack on Colonial Pipeline. On May 7, 2021, hackers infiltrated Colonial Pipeline’s network through a compromised set of credentials and then launched a brutal ransomware attack forcing the company to shut down its systems. This ultimately led to the shutdown of access to 45% of the fuel supplied to the U.S. East Coast region, creating fuel outages, fuel shortages across the U.S., and consumer panic.

What are the top mistakes organizations make when it comes to passwords?

• Common and reused passwords
• Embedded credentials
• Default credentials
• Shared credentials
• Reused security questions
• Lack of automated password managers

Top ways to reduce the risk of password attacks

Since it may not be possible to go fully passwordless yet, here are the best practices for mitigating the risk of password attacks:

• Use password managers and vaults
• Discover and onboard all passwords
• Create long, random, unique passphrases (NIST recommends up to 64 characters, including spaces)
• Enforce the prevention of password reuse or credential sharing
• Implement multi-factor authentication (MFA)
• Implement password rotation (only for privileged credentials or standard user credentials that are compromised or at risk)

Third-Party or Supply Chain Attack

Breaches originating from suppliers, often referred to as supply chain attacks, are becoming more widespread and have been occurring more frequently over the past five years. In 2021, Gartner issued a release predicting 45% of organizations worldwide will incur attacks on their software supply chains by 2025. This would represent a three-fold increase from 2021, which already topped the scales in number of attacks.

What are the top risks associated with a supply chain attack?

Supply chain attacks are cyberattacks that target a third-party vendor or contractor who offers services or software that are vital to the supply chain in order to infiltrate an organization. These third parties may present a weak link due to an inadequately hardened system, an overprivileged user, an unmonitored machine identity, an unsecured port, or a VPN vulnerability. Once inside, the threat actor will compromise a trusted piece of software (by injecting malicious code into an application) or hardware (by compromising a physical component) to infiltrate many more victims. For instance, with the Solar Winds and Kaseya breaches, attackers infiltrated a piece of software that was being used by thousands of customers.

Software supply chains tend to be more vulnerable because software is seldom written from scratch and often involves third-party APIs, open source code, proprietary code from software vendors, and numerous dependencies, meaning the number of points of entry are increased and the number of victims can be exponentially high.

Top ways to mitigate the risk of supply chain attacks

• Deploy security solutions that offer behavior-based threat detection
• Leverage threat analysis and threat intelligence to stay ahead of threats
• Remove admin privileges and enforce Just-in-time access to minimize points of entry

Man in the Middle Attack

This year, 15% of the organizations surveyed by the IDSA reported experiencing a Man in the Middle (MitM) attack. This is a type of cyberattack where a perpetrator positions themselves between communicating parties, or secretly intercepts and relays messages between two parties who think they are communicating with each other. Once intercepted, the attacker can then control or manipulate the conversation or data involved. Commonly, a MitM attacker will introduce malware through a phishing email so they can infiltrate and steal or tamper with information.

What are the top risks associated with a MitM attack?

• The capture and manipulation of personal information in real time
• The compromise of sensitive information as it is being shared between endpoints
• One or multiple communicating parties being tricked into sharing sensitive data
• Threat to the integrity of servers
• Content injection or alteration

Top ways to mitigate the risk of MITM attacks

• Endpoint protection
• Encryption
• User behavioral monitoring and alerting
• Continual authentication and verification of identities (a key tenet of zero trust security principles)
• Routinely rotate system credentials

What were the biggest impacts of an identity-based breach on organizations in 2022?

According to the 78% of organizations in the IDSA survey who recorded an identity-related breach in 2022, the top impacts were:

• Cost of recovery (44%), which can be compounded by the need to purchase additional equipment
• Distraction from core business (42%), due to the time it takes to recover from damages and disruption, implement repairs, and provide employees with any required additional training
• Reputation loss (35%), which can include a loss of confidence from stakeholders
• Customer attrition (16%)
• Loss of revenue (29%)
• Disruption of operations, including any periods where IT systems were rendered unavailable or degraded (28%), or where products, services, or solutions delivered by the organization were compromised (21%).
• Malicious attacks on applications or systems (32%)

What types of identities are organizations most concerned about in 2022?

1) Employee identities

Employee identities are still perceived to be the biggest threat to organizations in 2022, with 70% of the organizations surveyed suggesting employee identities are the most likely to be breached, and with 58% concerned that an employee-based breach would have the most significant direct business impact. Factors influencing this perception may include the fact employees tend to have more privileges and more access to sensitive data than other users.

Furthermore, the normalization of the work-from-anywhere environment has driven an increase in shadow IT and BYOD (Bring Your Own Device), which pose challenges to network security teams while unsecured remote access is escalating. Add to the mix of these dramatically increasing threat vectors, ransomware—which in many cases directly targets employees on both their professional and personal accounts—has been listed as the top threat vector for 2022 by the Allianz Risk Barometer and you have a recipe for vulnerability.

2) Vendor Identities (third parties)

Vendors ranked second from the top in terms of perceived risk (35%) and third from the top in terms of perceived business impact (25%). Vendor identities surrounded B2B business customer identities, which had 25% of respondents mark as a perceived risk and 31% claim to have the highest business impact.

While third-party partners will more than likely have less (or at least more controlled) access to sensitive data, allowing it to represent a slightly smaller perceived risk of impact, the main risk stemming from a third party is the fact that their security protocols are completely outside of your organization’s hands. Improper security hygiene practices, weak and shared credentials, reused and stale passwords, and orphaned accounts that you are unaware of are all common third-party risks. These risks are compounded when that third party is given privileged access.

How are organizations responding to these threats? What are the latest identity security trends?

With government mandates, like zero trust, encouraging more organizations to put identity first, and with situations like the Russia/Ukraine crisis giving identity security more visibility, this year’s report indicates a clear upward trend in the prioritization of identity security strategies.

In 2022, 64% of the identity and security professionals surveyed reported managing and securing identities to be in their top three priorities, and 94% reported that their identity program was a strategic component of other security initiatives, including cloud (62%), Zero Trust (51%), vendor management (25%), digital transformation (42%), and cyber insurance (31%) initiatives.

In addition, 96% of survey respondents acknowledged that implementing a security outcome could have prevented or minimized a breach.

The IDSA survey respondents identified the following three security strategies as being most likely to have prevented their experienced breaches:

• Multifactor authentication (MFA) (43%),
• Timely reviews of privileged access (41%)
• Continuous discovery of user privileges (34%)

It is worth calling out here that most of the preventative measures indicated by the respondents point to a single solution: privilege management. More timely reviews of privileged access (41%), continuous discovery of all user access rights (34%), revoked access upon detection of high risk event associated with that identity (32%), granting privileged access according to the Principle of Least Privilege (31%), continuously discovering all privileged access rights (30%), and more timely reviews of sensitive data (29%) can all be performed through privilege management and the removal of admin privileges. Some of these preventative security strategies (continuous discovery of privileges and the removal of privileges in response to high-risk events) can even be automated with the right Privileged Access Management (PAM) solution.

What this report also revealed is that the strategies observed to effective at preventing identity-based breaches and mitigating identity attack vectors are not in all cases the ones organizations are now trending towards adopting. Implementation of MFA ranked highest for both perceived breach prevention and future investment (30%). Continuous discovery of all user access rights and more timely reviews of access to sensitive data were ranked second and third for perceived breach prevention and tied for second in future investment (28%). Despite being ranked the fourth highest in breach prevention, revoked access upon detection of a high-risk event lands towards the bottom of the investment list, with only 20% of respondents planning investment for the coming year.