According to Verizon's 2017 Data Breach Investigations Report (9), the association between threat actor (or just actor), their motives and their modus operandi vary according to the industry. However, the report states that stolen credentials is the preferred attack vector for financial motivation or organized crime. This data is very important, because it shows that threat actors are going after user's credentials, which leads to the conclusion that companies must focus specifically on authentication and authorization of users and their access rights.

The industry agreed that a user's identity is the new perimeter. This requires security controls specifically designed to authenticate and authorize individuals based on their job and need for specific data within the network. Credential theft could be just the first step to enable cybercriminals to have access to your system. Having a valid user account in the network will enable them to move laterally (pivot), and at some point find the right opportunity to escalate privilege to a domain administrator account. For this reason, applying the old concept of defense in depth is still a good strategy to protect a user's identity, as shown in the following diagram:

Here, there are multiple layers of protection, starting with the regular security policy enforcement for accounts, which follow industry best practices such as strong password requirements, a policy requiring frequent password changes, and password strength. Another growing trend to protect user identities is to enforce MFA. One method that is having increased adoption is the callback feature, where the user initially authenticates using his/her credentials (username and password), and receives a call to enter their pin. If both authentication factors succeed, they are authorized to access the system or network. We are going to explore this topic in greater detail in Chapter 6, Chasing User's Identity.