The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in, and among them is the finding that a global identity crisis is emerging: X-Force observed a 71% year-over-year increase in attacks using valid credentials.

In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.

The report identified six action items:

  1. Remove identity silos
  2. Reduce the risk of credential harvesting
  3. Know your dark web exposure
  4. Establish secure AI and models
  5. Implement a DevSecOps approach to planning and testing
  6. Reduce the impact of an incident

I’m going to focus on the first three. Why? Because the last three are things you should be doing now irrespective of the results of the 2024 Threat Intelligence Index report and are much larger than the SOC. While the first three action items involve more than just the SOC, the call to action for the SOC is clear: focus on identity risk.

Remove identity silos

The report notes that 30% of all observed entry points to incidents in 2023 used valid credentials. The use of valid credentials is more damaging when accounts do not use enterprise identity systems with built-in controls. We need to make sure our insider risk capabilities are up to date. The SOC checklist includes:

  • Centralized monitoring: Ensure the SOC continuously monitors user activities and access controls through a centralized identity management system. For high-risk systems off the enterprise identity platform, capture authentication activity. Ensure user and entity behavior analytics are in place with the appropriate use cases in the SOC detection platforms. Validate your identity visibility in the cloud, where abuse of permissions and privileges is more prevalent.
  • Incident response: Establish protocols and playbooks for rapid response to incidents related to suspected insider risk, unauthorized access or compromised identities.
  • Threat intelligence integration: Integrate threat intelligence sources into SOC workflows for threats targeting identity silos.
  • Identity threat detection and response: If your organization doesn’t have identity threat detection and response (ITDR) capabilities, 2024 would be a great time to implement this additional control. The SOC should have telemetry, use cases, analytics and response playbooks in place for ITDR.

Reduce the risk of credential harvesting

The best way to prevent attackers from using valid credentials for malicious activities is to prevent those credentials from being compromised in the first place. The SOC checklist includes:

  • Authentication failures: The Identity and Access Management team should have controls in place to limit login attempts and even lockout accounts that repeatedly fail authentication. The SOC needs to have visibility into account status and logs and/or alerts noting accounts being disabled for failed authentication attempts. Ideally, those accounts are placed on SOC temporary watch lists even after accounts have been re-enabled.
  • Multifactor authentication: The SOC needs visibility into multifactor authentication (MFA) failures. Additionally, the SOC should have the ability to force users to re-authenticate as part of response playbooks and/or the ability to invalidate sessions.
  • Privileged access management: SOC visibility to privileged identity activity is key, especially changes of account entitlements to move from standard user access to privileged user status. This is especially important for systems not connected to Privileged Account Management (PAM) tools. Revisit your lateral movement use cases.
  • Phishing incident response: Develop and conduct regular training exercises for SOC analysts to identify and respond to phishing attempts effectively.
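The authentication-failure and MFA items above describe a concrete detection flow: see repeated failures, see the IAM lockout, keep the account on a temporary SOC watch list even after it is re-enabled, and surface MFA failures. The following is an added example (not code from the report or from IBM) that runs that flow over constructed sample events; the event shape, the lockout threshold and the 72-hour watch window are assumptions to be replaced with your own IAM policy and SIEM schema.

```python
"""Identity watch-list detection over constructed auth events (added example, not IBM/X-Force code).
Assumes events as (ISO timestamp, user, event type); adapt to your SIEM's field names."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                # assumed IAM policy: failures before lockout fires
WATCH_WINDOW = timedelta(hours=72)   # assumed: how long a locked account stays on the SOC watch list

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "jdoe", "login_failure"),
    ("2024-03-01T09:00:05", "jdoe", "login_failure"),
    ("2024-03-01T09:00:10", "jdoe", "login_failure"),
    ("2024-03-01T09:00:15", "jdoe", "login_failure"),
    ("2024-03-01T09:00:20", "jdoe", "login_failure"),
    ("2024-03-01T09:00:21", "jdoe", "account_locked"),
    ("2024-03-01T10:30:00", "jdoe", "account_unlocked"),
    ("2024-03-02T02:14:00", "jdoe", "login_success"),   # success after re-enable, still inside watch window
    ("2024-03-01T11:00:00", "asmith", "login_success"),
    ("2024-03-01T11:01:00", "asmith", "mfa_failure"),
]

def analyze(events):
    """Return (alerts, watch_list): alerts as (user, reason) tuples, watch_list as user -> expiry."""
    events = sorted(events, key=lambda e: e[0])
    failures = defaultdict(int)
    watch = {}
    alerts = []
    for ts_str, user, kind in events:
        ts = datetime.fromisoformat(ts_str)
        if kind == "login_failure":
            failures[user] += 1
            if failures[user] == LOCKOUT_THRESHOLD:
                alerts.append((user, "repeated_auth_failures"))
        elif kind == "account_locked":
            # The IAM lockout fired: give the SOC visibility and start the temporary watch period.
            watch[user] = ts + WATCH_WINDOW
            alerts.append((user, "lockout_observed"))
        elif kind == "login_success":
            failures[user] = 0
            # An unlock does not clear the watch list: activity on a watched account is still flagged.
            if user in watch and ts <= watch[user]:
                alerts.append((user, "success_on_watchlisted_account"))
        elif kind == "mfa_failure":
            # MFA failures are surfaced on their own so playbooks can force re-authentication.
            alerts.append((user, "mfa_failure"))
        # "account_unlocked" is deliberately ignored: re-enabling does not end the watch window.
    return alerts, watch
```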

Know your dark web exposure

SOC analysts aren’t going to spend time poking around the dark web. Their threat intelligence counterparts, however, are on the dark web and what they find can be invaluable for the SOC team. The SOC checklist here includes:

  • Dark web monitoring: Intelligence on compromised credentials, session keys and leaked sensitive information needs to be incorporated into the appropriate watch lists. If the incident in which the account information was stolen is not evident, an immediate post-incident analysis should be launched, including threat hunting, digital forensics and other analysis to identify when and how the account data was compromised. Once the tactics, techniques and procedures (TTPs) used in the compromise are identified, detection analytics need to be updated to enhance future threat detection.
  • Executive digital identity protection: Executive accounts, as well as accounts directly supporting executives, need to be on account lists used in high-risk identity use cases. Specific response playbooks for these accounts need to be in place.

The fact that valid credential misuse tied with phishing as the initial point of access to incidents in 2023 is a call to action for SOC teams to revisit their detection and response capabilities related to identities and insider risk. If the checklist in this blog puts some items on your to-do list, we have resources that can help.

To implement any of the actions above, you can request a no-cost threat management workshop for your organization.

If you’d like to get more details on these insights, check out the full 2024 Threat Intelligence Index report.

For help preparing for when, not if, a cyberattack occurs, learn more about our X-Force Cyber Range immersive simulations.

If you’re already in a great place for each of the checklist items, even better!
