Digital identity is the foundation of computing in the modern age. In the words of Cloudflare, digital identity represents “the recorded set of measurable characteristics by which a computer can identify an external entity.” These characteristics, which include things like passwords, voice frequencies, IP address, and media access control (MAC) addresses, assist in the identification of humans (i.e., “users”) and machine identities. As you’ll recall, the human identities are protected by usernames and passwords, whereas machine identities rely on keys and certificates for security.
Human identities are being phished…
Malicious actors can compromise an identity and misuse its trust within the organization to target employees, partners, and/or contractors. Attackers resort to such activity more often than not in their campaigns. Indeed, Verizon Enterprise wrote in its Data Breach Investigations Report (DBIR) 2021 that credentials—both for human and machine identities—constituted the top variety type in 60% of analyzed breaches for the year.
This explains the rise in phishing attacks targeting users. According to Help Net Security, the Anti-Phishing Working Group (APWG) detected 260,642 phishing attacks in July 2021. That’s the highest volume of attempts spotted in a single month since APWG first initiated its reporting program back in 2004.
Not only that, but phishers also expanded their number of targeted brands during that period. APWG found that email attackers were targeting just over 400 brands in early 2021. But by the end of Q3, that number had nearly doubled to 700.
The issue is that users can’t always spot a phishing attempt. In fact, 22% of employees are likely to fall for a phishing attack, per a report covered by BetaNews. Of those employees who opened a phishing message, more than half (53%) were likely to click on an embedded link, while 23% were prone to enter their account credentials on a fake login site. These tendencies enable digital attackers to assume control of an email account or another human identity, access which they can then use to conduct follow-up attacks such as vendor fraud or W-2 fraud.
…But machine identities are a bigger concern
Notwithstanding the risks discussed above, human identities still pose less of a concern than machine identities. Part of the reason why is that machine identities are increasing in volume more quickly than are human identities. Forbes reported that machine identities are going twice as fast as human identities on corporate networks, for instance, with software bots used in finance, accounting, business, and IT outpacing other types of devices. What’s more, machine identities are now worth more than human identities on the dark web, which gives digital attackers even more of an incentive to compromise them.
Yet there’s a disconnect. Every year, organizations spend billions of dollars on protecting human identities, yet many still misunderstand and neglect their responsibility to manage their machine identities. Hence why machine identity attacks are so prevalent. In 2018 and 2019, for instance, the volume of reported digital attacks related to machine identities grew by over 400%. Broaden the view out to 2015-2020, and that figure rises to 700%. Vulnerabilities, commodity malware, and advanced persistent threats involving machine identities all experienced triple-digit growth during that period, as well.
How can organizations protect their human and machine identities?
It goes without saying that organizations need to continue to protect their human identities. They can do that by leveraging security awareness training to augment their familiarity with phishing attacks and other social engineering techniques. They can also complement those human controls with technical email security measures designed to flag messages from disallowed domains or those containing known malicious attachments.
With that in mind, organizations need to pay equal attention to machine identities.
“We have seen machine use skyrocket in organizations over the last five years, but many businesses still focus their security controls primarily on human identity management,” explained Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, as quoted by BetaNews. “Digital transformation initiatives are in jeopardy because attackers are able to exploit wide gaps in machine identity management strategies. The COVID-19 pandemic is driving faster adoption of cloud, hybrid and microservices architectures, but protecting machine identities for these projects are often an afterthought.”
To meet those demands, organizations need to create comprehensive machine identity management programs comprehensive machine identity management programs that receive equal emphasis as employee security awareness training and email security programs. They can then combine all those initiatives into an identity-centric approach to zero trust where they validate identities and other resources on an ongoing basis.