Identity is the new perimeter

As was briefly explained in Chapter 1, Security Posture, the protection surrounding identity must be enhanced, and that's why the industry is in broad agreement that identity is the new perimeter. The reason is that, most of the time a new credential is created, it consists of nothing more than a username and password. While multifactor authentication is gaining popularity, it is still not the default method used to authenticate users. On top of that, many legacy systems rely purely on usernames and passwords in order to work properly.

Credential theft is a growing trend in different scenarios, such as:

  • Enterprise users: hackers who are trying to gain access to a corporate network and want to infiltrate it without making any noise. One of the best ways to do that is to authenticate with valid credentials and become part of the network.
  • Home users: many banking Trojans, such as the Dridex family, are still actively in use because they target users' bank credentials, and that's where the money is.

The problem with this current identity threat landscape is that home users are also corporate users, and they bring their own devices to consume corporate data. Now you have a scenario where a user's identity for his personal applications resides on the same device that holds his corporate credentials, which are used to access corporate data.

The problem with users handling multiple credentials for different tasks is that they might use the same password for these different services.

For example, a user who uses the same password for his cloud-based email service and his corporate domain account helps hackers because they only need to identify the username: once one password is cracked, all the others are the same. Nowadays, browsers are the main platform through which users consume applications, and browser vulnerabilities can be exploited to steal a user's credentials. Such a scenario happened in May 2017, when a vulnerability was discovered in Google Chrome.
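The password reuse described above can be checked for directly when a breach dump from an external service surfaces: hash each leaked plaintext with the corporate account's own salt and compare it with the stored hash. The following is an added Python example, not code from the book; it assumes a constructed directory in which each account stores a per-user random salt and a PBKDF2-HMAC-SHA256 hash (a Windows domain stores NT hashes instead, and the comparison would be done against those), and the account names, e-mail addresses and leaked passwords are made up for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed corporate accounts (plaintext only so the example can build the
# directory itself; a real directory never holds plaintext).
CORPORATE_ACCOUNTS: Dict[str, str] = {
    "alice": "Summer2017!",
    "bob": "correct horse battery staple",
    "carol": "P@ssw0rd",
}

# Constructed mapping from the personal e-mail address seen in the breach
# to the corporate username (in practice this comes from HR data or the
# recovery address registered on the corporate account).
EMAIL_TO_USER: Dict[str, str] = {
    "alice.personal@mail.example": "alice",
    "bob.home@mail.example": "bob",
    "carol77@mail.example": "carol",
    "dave@mail.example": "dave",  # not a corporate user
}

# Constructed breach dump from a cloud e-mail provider: (address, plaintext).
BREACH_DUMP: List[Tuple[str, str]] = [
    ("alice.personal@mail.example", "Summer2017!"),
    ("bob.home@mail.example", "bob-mail-2016"),
    ("carol77@mail.example", "P@ssw0rd"),
    ("dave@mail.example", "whatever"),
]

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_directory(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Return {username: (salt, hash)} for the constructed corporate accounts."""
    directory: Dict[str, Tuple[bytes, bytes]] = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        directory[user] = (salt, hash_password(password, salt))
    return directory


def find_reused_passwords(
    directory: Dict[str, Tuple[bytes, bytes]],
    breach_dump: List[Tuple[str, str]],
    email_to_user: Dict[str, str],
) -> List[str]:
    """Return the corporate usernames whose domain password equals the
    plaintext leaked for that person's external account.

    Because the leak is plaintext, it is rehashed with the user's own salt and
    compared in constant time against the stored hash; the salt only stops an
    attacker from precomputing hashes, it does nothing against reuse.
    """
    flagged: List[str] = []
    for address, leaked in breach_dump:
        user = email_to_user.get(address)
        if user is None or user not in directory:
            continue  # leaked account does not map to a corporate user
        salt, stored = directory[user]
        if hmac.compare_digest(hash_password(leaked, salt), stored):
            flagged.append(user)
    return flagged


def run_example() -> List[str]:
    """Build the constructed directory and screen it against the constructed dump."""
    return find_reused_passwords(build_directory(CORPORATE_ACCOUNTS), BREACH_DUMP, EMAIL_TO_USER)


if __name__ == "__main__":
    for user in run_example():
        print(f"{user}: corporate password matches a leaked external password, force a reset")
```

Accounts that come back flagged are exactly the ones where cracking (or simply reading) the external password also yields the corporate one; the appropriate response is a forced reset rather than a warning, since the attacker already has a working credential.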

Although the issue seems to be confined to end users and enterprises, the reality is that no one is safe and anyone can be targeted, even someone in politics. In an attack revealed in June 2017 by The Times, it was reported that the email addresses and passwords of Justine Greening (the education secretary) and Greg Clark (the business secretary) of the UK government were among the tens of thousands of government officials' credentials that were stolen and later sold on the darknet. The problem with stolen credentials is not only that they can be used to access privileged information, but also that they can be used to start a targeted spear-phishing campaign. The following diagram shows an example of how stolen credentials can be used:

An interesting part of the workflow shown in the previous diagram is that the hacker doesn't really need to prepare the entire infrastructure to launch the attack. Nowadays, they can just rent bots that belong to someone else. This strategy was used in 2016 during the IoT DDoS attack, and according to ZingBox, "the price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10-minute cooldown time is approximately $3,000 to $4,000 per 2 weeks."

As cloud computing grows, the number of Software as a Service (SaaS) apps that use the cloud provider's identity management system also grows, which means more Google accounts, more Microsoft Azure accounts, and so on. These cloud vendors usually offer two-factor authentication to add an extra layer of protection. However, the weakest link is still the user, which means this is not a bulletproof system. While it is correct to say that two-factor authentication enhances the security of the authentication process, it has been proven that it is possible to subvert this process.

One famous example of broken two-factor authentication involved the activist DeRay Mckesson. Hackers called Verizon and, using social engineering, pretended to be Mckesson and convinced the support staff that his phone had a problem. They persuaded the Verizon technician to reset his SIM card, activated the new SIM on a phone in their possession, and when the text message with the verification code arrived they were able to read it, and it was game over.
