Light Dark
April 17, 2024 By John Velisaris 3 min read
Risk Management
Security Services

The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.

In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.

The report identified six action items:

  1. Remove identity silos
  2. Reduce the risk of credential harvesting
  3. Know your dark web exposure
  4. Establish secure AI and models
  5. Implement a DevSecOps approach to planning and testing
  6. Reduce the impact of an incident

I’m going to focus on the first three. Why? Because the last three are things you should be doing now irrespective of the results of the 2024 Threat Intelligence Index report and are much larger than the SOC. While the first three action items involve more than just the SOC, the call to action for the SOC is clear: focus on identity risk.

Remove identity silos

The report notes that 30% of all observed entry points to incidents in 2023 used valid credentials. The use of valid credentials is more damaging when accounts do not use enterprise identity systems with built-in controls. We need to make sure our insider risk capabilities are up to date. The SOC checklist includes:

  • Centralized monitoring: Ensure the SOC continuously monitors user activities and access controls through a centralized identity management system. For high-risk systems off the enterprise identity platform, capture authentication activity. Ensure user and entity behavior analytics are in place with the appropriate use cases in the SOC detection platforms. Validate your identity visibility in the cloud, where abuse of permissions and privileges is more prevalent.
  • Incident response: Establish protocols and playbooks for rapid response to incidents related to suspected insider risk, unauthorized access or compromised identities.
  • Threat intelligence integration: Integrate threat intelligence sources into SOC workflows for threats targeting identity silos.
  • Identity threat detection and response: If your organization doesn’t have identity threat detection and response (ITDR) capabilities, 2024 would be a great time to implement this additional control. The SOC should have telemetry, use cases, analytics and response playbooks in place for ITDR.
Read the Threat Intelligence Index report

Reduce the risk of credential harvesting

The best way to prevent attackers from using valid credentials for malicious activities is to prevent those credentials from being compromised in the first place. The SOC checklist includes:

  • Authentication failures: The Identity and Access Management team should have controls in place to limit login attempts and even lockout accounts that repeatedly fail authentication. The SOC needs to have visibility into account status and logs and/or alerts noting accounts being disabled for failed authentication attempts. Ideally, those accounts are placed on SOC temporary watch lists even after accounts have been re-enabled.
  • Multifactor authentication: The SOC needs visibility into multifactor authentication (MFA) failures. Additionally, the SOC should have the ability to force users to re-authenticate as part of response playbooks and/or the ability to invalidate sessions.
  • Privileged access management: SOC visibility to privileged identity activity is key, especially changes of account entitlements to move from standard user access to privileged user status. This is especially important for systems not connected to Privileged Account Management (PAM) tools. Revisit your lateral movement use cases.
  • Phishing incident response: Develop and conduct regular training exercises for SOC analysts to identify and respond to phishing attempts effectively.

Know your dark web exposure

SOC analysts aren’t going to spend time poking around the dark web. Their threat intelligence counterparts, however, are on the dark web and what they find can be invaluable for the SOC team.  The SOC checklist here includes:

  • Dark web monitoring: Intelligence on compromised credentials, session keys and leaked sensitive information needs to be incorporated into the appropriate watch lists. If the incident in which the account information was stolen is not evident, an immediate post-incident analysis should be launched, including threat hunting, digital forensics and other analysis to identify when and how the account data was compromised.  Once the tactics, techniques and procedures (TTPs) used in the compromise are identified, detection analytics need to be updated to enhance future threat detection.
  • Executive digital identity protection: Executive accounts, as well as accounts directly supporting executives, need to be on account lists used in high-risk identity use cases. Specific response playbooks for these accounts need to be in place.

The fact that valid credential misuse tied with phishing as the initial point of access to incidents in 2023 is a call to action for SOC teams to revisit their detection and response capabilities related to identities and insider risk. If the checklist in this blog puts some items on your to-do list, we have resources that can help.

To implement any of the actions above, you can request a no-cost threat management workshop for your organization.

If you’d like to get more details on these insights, check out the full 2024 Threat Intelligence Index report.

For help preparing for when, not if, a cyberattack occurs, learn more about our X-Force Cyber Range immersive simulations.

If you’re already in a great place for each of the checklist items, even better!

 |  |  |  | 
John Velisaris
Associate Partner, IBM Cyber Threat Management Services

More from Risk Management
July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

July 10, 2024

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature