Each year, the total number of cyberattacks and cost of ransomware-related damage increases globally. Microsoft recently reported that attempted password attacks have soared “from around 3 billion per month to over 30 billion.” Clearly, a proactive approach to mitigating identity-based attacks is a good New Year’s resolution.

To help you get the most out of your identity threat detection and response (ITDR) planning this year, our identity security experts have noted three trends that we expect to gain speed in 2024:

  • Threat actors will ramp up cyberattacks on critical infrastructure, including energy, healthcare, and education.
  • Evolving threat tactics, techniques and procedures (TTPs) will make layered identity security more important than ever.
  • Identity-first security will continue to be a primary factor in operational security and resilience.

Here’s what you need to know about these trends.

Trend 1: Identity-based attacks on critical infrastructure

Remember when cyberattackers claimed to steer clear of hospitals and other critical agencies and organizations? Those days are gone.

Consider the BlackCat/ALPHV ransomware group’s retaliation for the FBI’s disruption of its operation late last year. The group notified affiliates of its ransomware-as-a-service (RaaS) program: “[You] can now block hospitals, nuclear power plants, anything, anywhere.”

What’s driving the trend?

Rising geopolitical tensions and simple greed have put infrastructure in the crosshairs of identity-based attacks.

When it comes to the public sector—a category that includes police, emergency medical services (EMS), and Level 1 trauma centers, water, power, airports, ports, and other “always-on” critical infrastructure—“the stakes aren’t just tabulated in terms of dollars and Bitcoins. Human lives hang in the balance,” says Jeff Pitts, Semperis Public Sector Director.

Federal and state, local, and education (SLED) organizations in the US and around the world are sounding the alarm.

The UK’s National Cyber Security Center (NCSC) Annual Review 2023 highlighted “state-aligned actors as a new and emerging cyber threat to critical national infrastructure,” noting that the “challenge is global and systemic.” Of particular concern:

  • China state-sponsored hackers targeting US infrastructure
  • Russian-aligned DDoS and wiper attacks against Ukraine
  • Spear-phishing campaigns against governmental and education targets of “interest” to Iran
  • “Prolific” North Korean cyberattacks, including against government organizations

The Five Eyes intelligence sharing network—comprising intelligence officials from the US, Britain, Canada, Australia, and New Zealand—also warned that a state-sponsored Chinese group known as “Volt Typhoon” was targeting critical infrastructure, including telecommunications, transportation, and education.

“With critical infrastructure operators in the crosshairs of nation-state sponsored groups, attacks that could impact an entire nation or even the developed world are coming,” says Gil Kirkpatrick, Chief Architect at Semperis.

“Organizations must prepare for potential cyber-related attacks on governments and the critical infrastructure operators of nuclear power plants, electricity grids, telecommunications networks, wastewater treatment plants, and more.”

Nation states could use cyberattacks to supplement on-the-ground warfare, by disrupting critical infrastructures or finance systems…

Simon Hodgkinson, Semperis Strategic Advisor

Simon Hodgkinson, former CISO of bp and a Semperis Strategic Advisor, agrees. “Nation states could use cyberattacks to supplement on-the-ground warfare, by disrupting critical infrastructures or finance systems, for example.”

Furthermore, he warns, sanctioned “nations and organizations may turn to cybercrime to fund their activities—attacking businesses who will pay ransoms or stealing cryptocurrencies.”

What you can do

Fortunately, says Kirkpatrick, “the public and private sector are becoming increasingly resilient” to identity-based attacks. A growing focus on ITDR is key.

For example, Active Directory, which manages access to virtually every user and system in environments that include it, is involved in the majority of cyberattacks. Securing Active Directory, then, is key to identifying and stopping attackers before they can cause damage.

“[Critical infrastructure] services are vulnerable to identity—typically Active Directory—vectored cyberattacks,” explains Pitts.

Active Directory domain-joined critical infrastructure systems, especially SCADA systems, must include a purpose-built platform to manage threats to Active Directory.

Jeff Pitts, Public Sector Director, Semperis

“Active Directory domain-joined critical infrastructure systems, especially SCADA systems, must include a purpose-built platform to manage threats to Active Directory”, Pitts says. “And operators of such systems must be able to recover Active Directory in hours—not days—in the event of a crippling cyberattack.”

Trend 2: Evolving identity-based attack TTPs

Most organizations recognize the need for endpoint protection, multifactor authentication (MFA), and user training. After all, attackers favor phishing and social engineering as ways to gain entry to victims’ environments.

But threat actors are nothing if not inventive. As more organizations employ MFA or refuse to pay ransom, attackers are developing new ways to evade defenses and wreak havoc through identity-based attacks.

For example, the BlackCat group recently filed a complaint about one of its alleged victims with the Securities and Exchange commission (SEC), claiming that the company had been breached—and then using the complaint to either apply additional pressure for payment or as a warning shot to future targets.

What’s driving the trend?

This behavior “isn’t surprising in the ever-evolving ransomware economy,” says Semperis Principal Technologist and Hybrid Identity Protection (HIP) Podcast host Sean Deuby. MFA fatigue attacks, for example, have skyrocketed as more organizations deploy MFA. Deuby expects to see more “creative” behavior from attackers in 2024.

Even users with a high level of security awareness can now get caught out by such incredibly well-engineered phishing attempts.

Guido Grillenmeier, Principal Technologist, Semperis

“To predict what cybercriminals will come up with next, just follow this simple recipe,” advises Deuby. “Maximize profit while minimizing time and effort, remove all morality, and add a dash of avoidance of government scrutiny.”

New technology has also influenced the evolution of attackers’ initial entry methods, says Guido Grillenmeier, Principal Technologist at Semperis.

“Artificial intelligence is enabling cybercriminals to create ever more sophisticated and convincing phishing campaigns that play tricks with users’ emotions. Even users with a high level of security awareness can now get caught out by such incredibly well-engineered phishing attempts.”

What you can do

To fight back against evolving TTPs, our experts have a simple piece of advice: Get back to basics.

“The core weak spots that attackers use haven’t changed over the years and are still exploited successfully,” notes Grillenmeier. “Take Active Directory, Microsoft’s core identity service. Attackers use Active Directory to gain user privileges and penetrate deeper into their victim’s network.”

Grillenmeier is looking forward to the upcoming Windows Server 2025 release, which promises to introduce additional security features in Active Directory. “It is good to see that there is a bigger focus being placed on identity protection,” he says.

Attackers use Active Directory to gain user privileges and penetrate deeper into their victim’s network.

Guido Grillenmeier, Principal Technologist, Semperis

In the meantime, identity-first security doesn’t need to be onerous. Organizations can begin by downloading a free Active Directory auditing tool like Purple Knight, which quickly scans the hybrid Active Directory environment (including Entra ID and Okta) and provides an easy-to-understand list of potential vulnerabilities and indicators of compromise (IOCs).

Trend 3: Operational resilience and identity-first security

Our third trend stems from the first two. With increasing cyberattack sophistication and a growing desire to target infrastructure, threat actors that were once confined to IT threats are turning their attention to operational technology (OT) and supply chains. The goal: to fly under the radar long enough to disrupt operations.

What’s driving the trend?

Traditionally, IT and OT teams have had separate goals and areas of focus.

“IT cybersecurity professionals focus on IT security first,” Hodgkinson recently told Cyber Magazine. “They want to protect information from theft, prevent unauthorized access to IT systems, and stop phishing attacks on their users. OT engineers however are less concerned with these things. Instead, their focus is on controllers and sensors that affect physical processes and systems.

“As such, they’re preoccupied with operational uptime, physical security and safety. [One] obstacle for security practitioners is to bridge the cultural chasm with OT engineers.”

The infamous Colonial Pipeline attack of 2021 is an early example of the type of cross-over attack that experts expect to see increasing in 2024. (It was also an early indicator of attackers’ shift toward critical infrastructure.)

What you can do

“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems,” NCSC Director Paul Chichester noted last year.

The first step, says Deuby, is to “identify your critical systems—including infrastructure such as Active Directory—before attacks occur, and build resiliency into those systems.”

Identify your critical systems—including infrastructure such as Active Directory—before attacks occur.

Sean Deuby, Principal Technologist, Semperis

Network segmentation and administrative tiering are also important steps. Deuby recommends isolating IT and authentication systems from process control systems, as well as ensuring that these two groups of systems each use unique credentials.

Semperis CEO Mickey Bresman points out that identity infrastructure resilience is the key to overall operational resilience. After all, attackers almost always attempt to invade the identity infrastructure in an effort to escalate privileges and gain elevate access.

“What is the difference between a company that bounces back in a relatively short amount of time after an identity-related attack versus a company whose recovery drags on for days or weeks, incurring huge costs to the organization? From my firsthand experience, I’ve concluded that the biggest difference is the organization’s ability to orchestrate, automate, and test the recovery process.”

Knowledge is power

Insight into cybersecurity trends and attacker behavior and motivation can help you develop a strong cyber and operational defense strategy to fend off identity-based attacks. Planning for the worst isn’t paranoia; it’s a smart—and necessary—move.

Need help building your strategy? Our Breach Preparedness & Response Services team can help.