The top identity-based attacks and how to stop them: Part 2
Part two of this two-part article series examines phishing and third-party account attacks, techniques and tools for mitigation, and tried and true best practices for reducing overall identity-based attack risk.
In part one of this series, we discussed some of the top identity-based attacks, including password spray, credential stuffing and machine-in-the-middle attacks. To recap: in a password spray attack, a threat actor tries a few commonly known passwords across many accounts, hoping that at least one user has set one of those passwords as their login credential. Enforcing specific password requirements during the initial account creation process, so that such passwords cannot be chosen in the first place, can defend against this attack.
In a credential stuffing attack, a subset of the brute force attack category, the threat actor "stuffs" credentials (often username and password pairs harvested from an online data dump) into as many different sites and portals as possible, hoping that at least one login succeeds. Mitigating such an attack involves the use of Adaptive Multi-Factor Authentication.
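The two defensive measures the recap names for password spray, a registration-time password policy and detection of the spray pattern in authentication logs, are shown below as an added example. This is illustration code written for this article page, not code from the original article or from any vendor product. The common-password blocklist, the thresholds, and the failed-login events (using documentation IP ranges) are all constructed sample data; a real deployment would load a large breached-password corpus and feed the detector from its identity provider's sign-in logs.

```python
"""Added example: defensive checks for password spray.

1. password_policy_ok(): a registration-time policy that rejects the
   commonly known passwords a spray attack relies on (the mitigation
   the article recap describes).
2. detect_password_spray(): flags the spray signature in a failed-login
   log, i.e. one source touching many distinct accounts with only a
   failure or two per account inside a short window, as opposed to
   single-account brute force (many failures on one account).

All data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed blocklist (hypothetical). A real policy would compare against a
# large breached-password corpus, ideally by hash rather than plaintext.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty",
                    "welcome1", "summer2023", "letmein"}


def password_policy_ok(password: str, min_len: int = 12) -> bool:
    """Return True if the password passes the account-creation policy."""
    if len(password) < min_len:
        return False
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return False
    # Also reject a common password with trailing digits/symbols appended,
    # the most frequent way users dodge a naive blocklist.
    if lowered.rstrip("0123456789!@#$%") in COMMON_PASSWORDS:
        return False
    return True


# Constructed failed-login events: (ISO timestamp, source IP, username).
FAILED_LOGINS = [
    # Source A: six accounts, one failure each, within two minutes (spray).
    ("2024-05-01T09:00:01", "203.0.113.7", "alice"),
    ("2024-05-01T09:00:12", "203.0.113.7", "bob"),
    ("2024-05-01T09:00:25", "203.0.113.7", "carol"),
    ("2024-05-01T09:00:40", "203.0.113.7", "dave"),
    ("2024-05-01T09:01:02", "203.0.113.7", "erin"),
    ("2024-05-01T09:01:30", "203.0.113.7", "frank"),
    # Source B: one account hammered repeatedly (brute force, not spray).
    ("2024-05-01T09:00:05", "198.51.100.9", "alice"),
    ("2024-05-01T09:00:06", "198.51.100.9", "alice"),
    ("2024-05-01T09:00:07", "198.51.100.9", "alice"),
    ("2024-05-01T09:00:08", "198.51.100.9", "alice"),
    ("2024-05-01T09:00:09", "198.51.100.9", "alice"),
    ("2024-05-01T09:00:10", "198.51.100.9", "alice"),
    # Source C: an ordinary user mistyping twice (benign).
    ("2024-05-01T09:05:00", "192.0.2.44", "grace"),
    ("2024-05-01T09:05:20", "192.0.2.44", "grace"),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted usernames} for sources whose failures inside
    any `window` hit at least `min_accounts` distinct accounts while no single
    account exceeds `max_per_account` failures. Thresholds are illustrative."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for src, items in by_source.items():
        items.sort()  # chronological order per source
        # Slide a window starting at each failure; stop at the first match.
        for i, (start, _) in enumerate(items):
            counts = defaultdict(int)
            for t, user in items[i:]:
                if t - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = sorted(counts)
                break
    return flagged


if __name__ == "__main__":
    for candidate in ("Password123!", "Tr0ub4dor&3xyzABC"):
        print(candidate, "accepted" if password_policy_ok(candidate) else "rejected")
    for src, users in detect_password_spray(FAILED_LOGINS).items():
        print(f"possible password spray from {src} against {len(users)} accounts: {users}")
```

The detector deliberately keys on the distinct-account count rather than the raw failure count: a per-account lockout threshold never fires during a spray, because each account sees only one or two failures, so the alert has to be built on the source side. Tuning the window and thresholds to the organisation's normal failed-login baseline is what keeps this from paging on a shared NAT gateway where many legitimate users mistype at once.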