Digital identities have emerged as a cybersecurity battleground in 2024, with a significant portion of authentication requests originating from malicious automated systems, according to research by F5 Labs.
The 2023 Identity Threat Report: The Unpatchables provides insights into digital identity security analysing 320 billion data transactions occurring within the systems of 159 organisations from March 2022 to April 2023.
One of the key findings of the research reveals that when no mitigations were in place, 19.4 per cent of authentication requests were driven by automated systems, a strong indicator of credential stuffing attacks. Credential stuffing attacks involve malicious actors exploiting stolen usernames and passwords from one system to breach others, leveraging automated tools to maximise their attempts.
This underscores the critical importance of cybersecurity measures in safeguarding digital identities. As attackers increasingly target digital identities, the need for effective mitigation strategies becomes paramount.
Mitigations, when introduced proactively, led to a substantial reduction in malicious automation, decreasing the rate to six per cent. This data highlights the effectiveness of security measures in discouraging attackers and driving them to seek easier targets.
Sander Vinberg, threat research evangelist at F5 Labs, said: “Our research shows the extent to which digital identities are under attack, and the importance of effective mitigation. Significantly, we found a consistent pattern in which the use of malicious automation immediately declined to a lower level when protections are in place, with attackers tending to give up in search of easier targets.”
Evolving tactics
The study also explored the impact of mitigations on various aspects of credential stuffing attacks, shedding light on the evolving tactics employed by attackers:
- Attacks exhibited higher prevalence on mobile endpoints than on web endpoints, but the introduction of mitigations resulted in a more significant reduction in mobile attacks, subsequently shifting the focus towards web endpoints.
- The sophistication of attacks also saw significant shifts. Basic attacks, characterised by minimal efforts to emulate human behaviour or circumvent bot protection, decreased from 64.5 per cent to 44 per cent following the implementation of mitigations. In contrast, intermediate attacks, making some attempts to manipulate anti-bot solutions, increased from 12 per cent to 27 per cent post-mitigation. Advanced attacks, which closely emulate human browsing behaviour, including mouse movement and keystrokes, rose from 20 per cent to 23 per cent.
Moreover, the research examined the supply chain of compromised credentials, revealing that defenders had less visibility than anticipated. Seventy-five per cent of credentials submitted during attacks were previously unknown as compromised.
The study also highlighted the adaptive nature of attackers, who employed tactics such as using ‘canary’ accounts to manipulate authentication success rates and evading detection through techniques like AntiRed, a Javascript tool designed to bypass browser-based phishing analysis.
“Attackers that continue to target a system with mitigations in place are clearly more determined and sophisticated, harnessing tools that allow them to closely replicate human behaviour or work harder to conceal their activities,” Vinberg also said.
The increasing sophistication and decreasing costs of AI are expected to lead attackers to employ automated AI-driven phishing calls more frequently, creating new challenges for defenders.
Taking action
To counter identity-based attacks and protect digital identities, organisations should proactively implement anti-bot solutions to mitigate malicious automation, especially when dealing with unsophisticated credential stuffing attacks. Additionally, cryptography-based multi-factor authentication (MFA) solutions, such as those based on the WebAuthn or FIDO2 protocols, can enhance defence mechanisms.
Ultimately, the F5 Labs report underscores the dynamic and ever-shifting nature of identity-based attacks, emphasising the need for continuous monitoring, detection as well as adaptation to mitigate the inherent vulnerabilities in systems where users must authenticate their identities.
