In this Help Net Security interview, Adam Bateman, CEO of Push Security, talks about the rise in identity-based attacks, how they’re becoming more sophisticated each year, and how AI and ML are both fueling these threats and helping to defend against them.
Bateman also discusses the role of employee training and how businesses can balance strong security with user-friendly experiences.
What is the scale of identity-based attacks today?
Identity-based attacks are becoming a bigger problem each year. In 2023, there were over 22 billion credential-stuffing attacks worldwide. By 2024, nearly 80% of cyber incidents were tied to stolen or compromised credentials — even though multi-factor authentication has been around for some time.
Not only are they becoming more widespread, the techniques and tools that attackers use are becoming more sophisticated. Phishing attacks are now reliably bypassing MFA when it is in place, and attackers are leveraging session-stealing infostealers on an industrial scale.
The watershed moment for identity attacks in 2024 was the attacks on Snowflake customers, targeting 165 organizations worldwide using credentials stolen in infostealer infections dating back to 2020. In total, 9 public victims were named following the breach, collectively impacting hundreds of millions of their respective customers. This wasn’t just the biggest breach of the year, it was possibly one of the biggest ever.
To raise awareness of this changing landscape, our research team created an open-source matrix that talks about the latest identity-based techniques, particularly those targeting cloud identities and related SaaS services. The fact that so many of these breaches involve high-profile companies shows just how serious the scale of identity-based attacks has become.
What role do emerging technologies, such as AI and machine learning, play in both the advancement of identity attacks and the development of defenses?
AI and ML are a double-edged sword in cybersecurity. On one hand, cybercriminals are using these technologies to make their attacks faster and wiser. They can create highly convincing phishing emails, generate deepfake content, and even find ways to bypass traditional security measures. For example, generative AI can craft emails or videos that look almost real, tricking people into falling for scams.
On the flip side, AI and ML are also helping defenders. These technologies allow security systems to quickly analyze vast amounts of data, spotting unusual behavior that might indicate compromised credentials. Adaptive authentication, which uses ML, can even adjust security measures based on the level of risk. So, logging in from a trusted device will be easy, but if you’re using a new device, extra security steps can be triggered to keep you safe.
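To make the adaptive-authentication idea concrete, here is a small risk-scoring decision added for illustration; it is not Push Security's code or from the original interview. The signals (unknown device, unusual country, impossible travel, a flagged IP) and the score thresholds are assumptions chosen for the example.

```python
"""Risk-based (adaptive) authentication: score a login, then allow, step up, or deny."""
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    device_id: str              # e.g. a device fingerprint bound to the session
    country: str
    minutes_since_last_login: float
    km_from_last_login: float
    ip_flagged: bool = False    # hypothetical threat-intel flag on the source IP


@dataclass
class UserHistory:
    trusted_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


def risk_score(attempt: LoginAttempt, history: UserHistory) -> int:
    """Sum weighted risk signals; weights are assumptions for this example."""
    score = 0
    if attempt.device_id not in history.trusted_devices:
        score += 3                      # unknown device is the main signal
    if attempt.country not in history.usual_countries:
        score += 2
    # "Impossible travel": implied speed above ~900 km/h since the last login.
    hours = max(attempt.minutes_since_last_login, 1) / 60
    if attempt.km_from_last_login / hours > 900:
        score += 4
    if attempt.ip_flagged:
        score += 3
    return score


def decide(attempt: LoginAttempt, history: UserHistory) -> str:
    """Map the score to an action: trusted context stays frictionless,
    unusual context triggers extra verification, clearly hostile context is refused."""
    score = risk_score(attempt, history)
    if score >= 6:
        return "deny"
    if score >= 2:
        return "step_up"                # e.g. require phishing-resistant MFA
    return "allow"


if __name__ == "__main__":
    # Constructed sample history for one user.
    hist = UserHistory(trusted_devices={"dev-a"}, usual_countries={"GB"})
    print(decide(LoginAttempt("alice", "dev-a", "GB", 60, 10), hist))
    print(decide(LoginAttempt("alice", "dev-new", "BR", 30, 9000), hist))
```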
How critical is employee training in preventing social engineering and identity-based attacks, and what best practices should organizations adopt?
Human error is a big problem: you can have the best security systems in place, but if employees aren’t trained, you’re still at risk. Verizon’s 2024 DBIR found that 69% of breaches involved a human element.
Targeted security training can be useful, but generally you want to reduce the human dependency as much as possible. This is why controls that meet a user where they are are critical. If you can deliver point-in-time guidance, or straight up technically prevent something like a user entering their password into a phishing site, it significantly reduces the dependency on the human to make the right decision unassisted every time. When you consider how hard it can be for even security professionals to spot the more sophisticated phishing sites, it’s essential that we help people out as much as possible with technical controls.
People inevitably make mistakes even with all the training in the world — the amount of password reuse we see, for example, really highlights this. Even the most sensitive IdP creds, used for single sign-on (SSO) across multiple services, aren’t safe from password reuse. This is where employee education and technology can go hand-in-hand. Employees can be trained to stop reusing passwords, but security teams must have tools in place to guide them — like by forcing automatic password resets or MFA deployment, or intervening when they do try to enter their creds into a phishing site.
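The two technical controls described in this answer, stopping the IdP password from being entered on a site other than the IdP's own login page and flagging reuse of one password across apps, can be illustrated with keyed password fingerprints. This is an added example, not Push Security's product code; the app names, approved domains and the per-device key are constructed assumptions.

```python
"""Flag IdP-password entry on unapproved domains and cross-app password reuse."""
import hashlib
import hmac

IDP_APP = "okta"                       # hypothetical identity provider
# Approved login domains per app (constructed sample data).
APPROVED_DOMAINS = {
    "okta": {"login.example-corp.okta.com"},
    "crm": {"crm.example-corp.com"},
}


def fingerprint(password: str, key: bytes) -> str:
    """Keyed hash of the password so reuse can be compared without storing plaintext
    and without a reusable unsalted hash leaving the device."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


class CredentialMonitor:
    def __init__(self, key: bytes):
        self.key = key                 # per-device secret; constructed in the example
        self.known = {}                # fingerprint -> set of apps it was used for

    def record(self, app: str, password: str) -> None:
        """Remember that this password was used on a legitimate login page for `app`."""
        self.known.setdefault(fingerprint(password, self.key), set()).add(app)

    def check(self, domain: str, password: str) -> list:
        """Findings for a password about to be submitted to `domain`."""
        apps = self.known.get(fingerprint(password, self.key), set())
        target = next((a for a, d in APPROVED_DOMAINS.items() if domain in d), None)
        if IDP_APP in apps and target != IDP_APP:
            # The SSO password is leaving the IdP's own login page: block the submit.
            return ["block:idp_password_on_unapproved_domain"]
        if apps - {target}:
            # Same password already seen on another app: prompt a reset.
            return ["warn:password_reused_across_apps"]
        return []


if __name__ == "__main__":
    monitor = CredentialMonitor(b"constructed-per-device-key")
    monitor.record("okta", "Summer2024!")
    monitor.record("crm", "Summer2024!")  # same password reused on a second app
    print(monitor.check("login.example-corp-sso.net", "Summer2024!"))  # lookalike domain
```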
How can businesses balance security with usability, ensuring their defenses do not become barriers to legitimate user activity?
This is a tricky balance, for sure. Stringent security can frustrate users and slow down workflows, while too much ease of access can leave systems vulnerable to attacks. Furthermore, if security measures are too strict, people get frustrated and look for shortcuts that weaken security. Tools like SSO and passwordless authentication make logging in easier while maintaining strong protection.
I feel that it’s essential that organizations look at their attack surface — the apps they’re using, how employees are logging in, how these identities are becoming interconnected — and are empowered to tailor those controls or restrictions accordingly.
For example, some apps will always be of a higher sensitivity than others, so you absolutely want to ensure strong passwords, no credential reuse, phishing-resistant MFA, etc. On the other hand, you can be a little more lenient in other cases, but that might change very quickly in the context of an ongoing third-party breach affecting one of these apps. A big part of our philosophy is giving companies the tools to be as user-friendly as they need to, but also have the power to dial up those security safeguards as and when required.