The technology landscape is ever-changing, and businesses must adopt new technologies to stay ahead. According to recent research from F5 Labs, digital identities have evolved into a battleground for cybersecurity, where one-fifth of authentication requests originate from malicious automated systems.
The 2023 Identity Threat Report: The Unpatchables examined 320 billion data transactions within the systems of 159 organisations from March 2022 to April 2023. In cases where no protective measures were implemented, the average automation rate, a key indicator of credential stuffing attacks, stood at 19.4%. However, this figure dropped significantly to 6% when proactive measures were put in place.
Credential stuffing attacks involve malicious actors using stolen usernames and passwords from one system to infiltrate others, with automated tools playing a central role in enabling attackers to maximise their attack attempts.
Sander Vinberg, Threat Research Evangelist at F5 Labs, says: “Digital identities have long been a priority for attackers, and the threat is growing as the prevalence of non-human identities increases.
“Our research shows the extent to which digital identities are under attack and the importance of effective mitigation. Significantly, we found a consistent pattern in which the use of malicious automation immediately declined to a lower level when protections are in place, with attackers tending to give up in search of easier targets.”
The growing problem of credential stuffing
Credential stuffing is a rising threat for two main reasons. Firstly, it's due to the widespread accessibility of extensive databases containing breached credentials, such as "Collection #1-5," which openly disclosed 22 billion username and password combinations in plaintext to the hacker community.
Secondly, nowadays there are more sophisticated bots that are capable of conducting simultaneous login attempts, seemingly originating from various IP addresses. These sophisticated bots can often bypass rudimentary security safeguards, like blocking IP addresses with excessive failed login attempts.
The benefits of effective mitigation on credential stuffing attacks
One of the main points of the study delved into the influence of security measures on mitigating credential stuffing attacks. These measures had the effect of altering attacker behaviour, leading to a decrease in the use of malicious automation. F5 Labs discovered that in the absence of security mitigations, attacks were more frequent on mobile endpoints than on web endpoints.
However, although it seemed that the introduction of mitigations led to a substantial reduction in mobile attacks, there was a subsequent increase in attacks being directed at web endpoints. As well as this, the application of mitigations seemed to play a role in the sophistication of attacks.
“Our analysis shows that many attackers simply move on when protections are implemented,” said Vinberg. “Attackers that continue to target a system with mitigations in place are clearly more determined and sophisticated, harnessing tools that allow them to closely replicate human behaviour or work harder to conceal their activities.
“For example, we observed one attack that emulated 513,000 unique user interactions across 516,000 requests – recycling identifiable features in less than 1% of instances. With the most sophisticated attacks, manual observation is sometimes required to identify malicious behaviour and create a new signature.”
A wave of new threats are emerging
Alongside the ever-evolving landscape of cybersecurity, F5 Labs also noted the emergence of a fresh wave of threats. For example, in August 2022, an advertisement surfaced on the Dark Web showcasing a voice phishing system that would employ artificial intelligence to automate phishing calls, therefore with the increasing sophistication and declining costs of AI, means that such approaches are set to become more routine and effective over time.
“Looking ahead, Identity providers should employ an anti-bot solution to mitigate malicious automation such as credential stuffing. Even simple anti-bot solutions can mitigate the bulk of unsophisticated credential stuffing,” Vinberg added.
“Organisations can further strengthen their defences through the use of cryptography-based MFA solutions, such as those based on the WebAUthn or FIDO2 protocols. Ultimately, there is no silver bullet for combating identity-based attacks. Defenders must monitor and detect attacks, quantify the error rate of their detection, and adapt accordingly.
“The more we study these attacks and their constantly shifting nature, the better we can manage the risk of vulnerabilities that are inherent in any system which users must prove their identity to access.”
Please also check out our upcoming event - Cloud and 5G LIVE on October 11 and 12 2023.
BizClik is a global provider of B2B digital media platforms that cover Executive Communities for CEOs, CFOs, CMOs, Sustainability leaders, Procurement & Supply Chain leaders, Technology & AI leaders, Cyber leaders, FinTech & InsurTech leaders as well as covering industries such as Manufacturing, Mining, Energy, EV, Construction, Healthcare and Food.
BizClik – based in London, Dubai, and New York – offers services such as content creation, advertising & sponsorship solutions, webinars & events.