How federal agencies can combat identity-related cyber threats and unmask cybercriminals


COMMENTARY | Identity-related threats remain a big problem in government.

Digital identities are embedded in our lives, blurring the line between personal and professional information, and criminals are increasingly profiting from stolen data: personally identifiable information, usernames and passwords, and other authentication material such as session cookies. The result is a new generation of identity attacks in which the attacker logs in rather than breaks in.

Digital identity exposure is especially problematic in the federal government. Compromised authentication data and PII fuel cyberattacks that threaten government entities and our national security. This year's SpyCloud Identity Exposure Report found identity exposures across government to be high. In 2023, there were 723 breaches containing .gov emails and exposing 281,000 .gov credential pairs. Password reuse rates also remain high. For .gov users exposed in two or more breaches, there is a 67% reuse rate, often with passwords dating back to 2016.

Although agencies invest significant effort and resources in changing user behavior through security awareness training and password policies, these programs have not moved the needle far enough.

To stay ahead of cybercriminals, agencies must act on two fronts: defensively, by proactively identifying exposed identities and neutralizing the threat before it is exploited, and offensively, by investigating and dismantling the cyber syndicates behind the attacks. Achieving both requires a new approach.

Defending against digital identity cyber threats

To succeed in defending against account takeover, fraud, session hijacking and ransomware, agencies must consider next-generation approaches.

Security teams need quick and accurate evidence when any component of an employee, contractor, vendor or constituent’s identity is compromised. With early access to recaptured identity intelligence, they can negate the value of stolen information by quickly identifying their riskiest users and acting swiftly to protect them.

Modern tools built on open-source intelligence (OSINT) gathered from darknet and criminal-underground sources aid this process by continuously monitoring for compromised credentials and identities and alerting security teams so they can act quickly and with confidence.

These tools query billions of recaptured assets, such as credentials, cookies, SSNs, physical addresses, social media account info, device data and more from third-party breaches and malware-infected devices, empowering security teams to proactively detect exposures and reveal what data has been stolen. With access to real-time, contextualized OSINT data, teams can swiftly remediate employees’ identities and credentials by forcing password or credential resets, removing malware infections from devices, enforcing more robust BYOD policies and ensuring PII is not linked to IP addresses.
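As an added illustration (not part of the original commentary, and not any vendor's product code), the following Python script shows what the defensive triage described above looks like in practice. It runs a constructed set of "recaptured" breach records against a constructed agency directory, answers the three questions that decide the response (is the user exposed more than once, did they reuse the password, is the exposed password still their live password), and emits the action for each user. The PBKDF2 verifier, the fixed salt and the breach records are all assumptions for the example; a real directory uses a per-user random salt and its own hashing scheme.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of recaptured breach records (not real breach data).
# Recaptured data from malware logs and combolists usually carries plaintext
# passwords, so the sample does too.
RECAPTURED = [
    {"email": "alice@agency.gov", "password": "Spring2016!", "source": "breach-A", "year": 2016},
    {"email": "alice@agency.gov", "password": "Spring2016!", "source": "breach-B", "year": 2021},
    {"email": "bob@agency.gov",   "password": "hunter2",     "source": "breach-A", "year": 2016},
    {"email": "bob@agency.gov",   "password": "Tr0ub4dor&3", "source": "breach-C", "year": 2023},
    {"email": "carol@agency.gov", "password": "letmein",     "source": "breach-C", "year": 2023},
    {"email": "dave@vendor.com",  "password": "password1",   "source": "breach-B", "year": 2021},
]

# Hypothetical fixed salt so the example is deterministic; real directories
# store a random per-user salt alongside the verifier.
SALT = b"constructed-example-salt"


def directory_hash(password: str) -> bytes:
    """Stand-in for the directory's stored password verifier (assumed PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed directory: the verifier each employee currently authenticates with.
DIRECTORY = {
    "alice@agency.gov": directory_hash("Spring2016!"),    # still using the exposed password
    "bob@agency.gov":   directory_hash("N3w-Passphrase"),  # rotated since both exposures
    "carol@agency.gov": directory_hash("letmein"),         # exposed once, still live
}


def triage(directory, records):
    """Per agency user: which breaches exposed them, whether they reused a
    password across breaches, whether an exposed password is still live, and
    what to do about it. Records for addresses outside the directory are ignored."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["email"] in directory:
            by_user[rec["email"]].append(rec)

    report = {}
    for email, recs in by_user.items():
        passwords = {r["password"] for r in recs}
        # Reuse: exposed in two or more breaches with fewer distinct passwords than breaches.
        reused = len(recs) >= 2 and len(passwords) < len(recs)
        # Still live: an exposed plaintext verifies against the current directory hash.
        still_active = any(
            hmac.compare_digest(directory_hash(p), directory[email]) for p in passwords
        )
        actions = []
        if still_active:
            # The attacker can log in right now: reset and kill existing sessions.
            actions += ["force_password_reset", "revoke_sessions"]
        if reused:
            actions.append("targeted_password_hygiene_training")
        if not actions:
            actions.append("monitor")
        report[email] = {
            "breaches": sorted(r["source"] for r in recs),
            "oldest_exposure": min(r["year"] for r in recs),
            "reused": reused,
            "still_active": still_active,
            "actions": actions,
        }
    return report


def reuse_rate(report):
    """Share of users exposed in two or more breaches who reused a password,
    the same statistic the exposure report above quotes for .gov users."""
    multi = [r for r in report.values() if len(r["breaches"]) >= 2]
    return sum(r["reused"] for r in multi) / len(multi) if multi else 0.0


if __name__ == "__main__":
    result = triage(DIRECTORY, RECAPTURED)
    for email, row in sorted(result.items()):
        print(email, row)
    print("reuse rate among multiply exposed users:", reuse_rate(result))
```

The important design choice is the `still_active` check: an exposure is a fact about the past, but a breached password that still verifies against the directory is an open door today, so it is the one that earns an immediate reset and session revocation rather than a training nudge.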

On the offensive: The power of the digital exhaust to unmask the bad actors

While remediation is crucial, understanding the full scope of a criminal threat requires that security analysts have easy access to identity-centric intelligence derived from recaptured data. Only then can they build adversary profiles quickly and bring investigations to a close.

Other investigation tools often require analysts to learn a proprietary query language or impose restrictive deployment options. By drawing on recaptured data and automating the work of piecing together criminals' digital breadcrumbs, security analysts can instead reveal the identities, behaviors, campaigns and processes of adversaries involved in cybercrimes that threaten federal programs, data, critical infrastructure and even third-party contractors.

Everyone, from regular citizens to cybercriminals, leaves behind a digital trail that spans years, if not decades. This trail often includes usernames and passwords linked to websites and applications that individuals interact with, and these details can never be entirely removed from the public domain.

The concept of digital exhaust is not new, but it's so vast and voluminous that malicious actors assume legitimate entities can’t capture, aggregate and perform forensic research on this high-volume data. However, with robust identity intelligence, analysts can rapidly connect the dots and identify the individuals under investigation, thus transferring the advantage to the agency.

Consider this real-life scenario in which our team of federal security analysts investigating a case of pandemic fraud discovered that a search target's digital exhaust included a password linked to a decades-old Myspace account created before the individual engaged in criminal activity. With this information, our analysts could link the individual to multiple security breaches involving a variation of the same password, a common giveaway. By quickly piecing together decades' worth of digital breadcrumbs and previously unknowable connections, analysts unmasked the true identity of the research subject without digging through mountains of data and noise.
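The pivot in that scenario, linking accounts across years of breaches through variations of one password, is mechanical enough to show in code. The following Python script is an added example written for this page, not the analysts' tooling, and runs over constructed records rather than real recaptured data. It reduces each password to the human-chosen "stem" (case folded, common leet substitutions undone, trailing years and symbols dropped), refuses to pivot on stems that are generic rather than personal, and then walks account-to-stem-to-account links outward from a seed handle. The denylist, thresholds and record fields are assumptions.

```python
import re
from collections import defaultdict

# Constructed records (not real recaptured data): handle or email, password, source, year.
RECORDS = [
    {"account": "skaterboi88",          "password": "Myspace2004!", "source": "old-social", "year": 2008},
    {"account": "j.doe@example.com",    "password": "MySp@ce2012",  "source": "shop-leak",  "year": 2014},
    {"account": "jdoe_biz@example.com", "password": "mysp4ce21",    "source": "forum-dump", "year": 2021},
    {"account": "relief_claims_007",    "password": "mysp4ce21",    "source": "forum-dump", "year": 2021},
    {"account": "random1@example.com",  "password": "password1",    "source": "shop-leak",  "year": 2014},
    {"account": "random2@example.com",  "password": "Password1!",   "source": "forum-dump", "year": 2021},
    {"account": "random3@example.com",  "password": "password123",  "source": "old-social", "year": 2008},
]

# Common leet substitutions, undone so "mysp4ce" and "MySp@ce" collapse to one stem.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed denylist of stems too common to identify anyone; a real one
# would be derived from a large frequency list.
COMMON_STEMS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}
MAX_ACCOUNTS_PER_STEM = 25  # a stem shared by more accounts than this is generic, not personal
MIN_STEM_LEN = 4            # very short stems collide by chance


def stem(password: str) -> str:
    """Reduce a password to its human-chosen core."""
    p = password.lower()
    p = re.sub(r"[\d!@#$%^&*.\-_]+$", "", p)  # drop trailing years/counters/symbols first
    p = p.translate(LEET)                     # then undo leet inside the word
    return re.sub(r"[^a-z]", "", p)


def build_index(records):
    """Map each discriminating stem to the accounts that used a variation of it."""
    by_stem = defaultdict(set)
    for r in records:
        s = stem(r["password"])
        if len(s) >= MIN_STEM_LEN and s not in COMMON_STEMS:
            by_stem[s].add(r["account"])
    return {s: accts for s, accts in by_stem.items() if len(accts) <= MAX_ACCOUNTS_PER_STEM}


def pivot(seed_account, records):
    """Breadth-first walk from the seed over shared stems; returns the linked
    accounts, the stems that connect them, and the supporting records oldest first."""
    by_stem = build_index(records)
    stems_of = defaultdict(set)
    for s, accts in by_stem.items():
        for a in accts:
            stems_of[a].add(s)

    seen, frontier, used_stems = {seed_account}, [seed_account], set()
    while frontier:
        acct = frontier.pop()
        for s in stems_of[acct]:
            used_stems.add(s)
            for other in by_stem[s] - seen:
                seen.add(other)
                frontier.append(other)

    evidence = [r for r in records if r["account"] in seen and stem(r["password"]) in used_stems]
    return {
        "linked": seen - {seed_account},
        "stems": used_stems,
        "evidence": sorted(evidence, key=lambda r: r["year"]),
    }


if __name__ == "__main__":
    result = pivot("relief_claims_007", RECORDS)
    print("linked accounts:", sorted(result["linked"]))
    print("connecting stems:", sorted(result["stems"]))
    for r in result["evidence"]:
        print(f'  {r["year"]} {r["source"]:<11} {r["account"]:<22} {r["password"]}')
```

Seeded with the fraud handle, the walk reaches the 2008 social-network record first, which is exactly the "account created before the criminal activity" that anchors a real identity. The denylist and per-stem cap matter: without them, every account that ever used a variant of "password" would be linked to everyone else. A shared stem is a lead to corroborate against other attributes (recovery emails, device data, addresses), not proof of identity on its own.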

Leveraging recaptured data to outpace criminal innovation

With cybercriminals becoming more sophisticated and stealing and trading increasing amounts of data each year, federal agencies often lack the resources and budgets for vital forensic research to fight against identity-related breaches.

But with the power of the digital exhaust, quality analytics, and a full profile of an adversary and their accounts, analysts can quickly assess and mitigate internal and external risks to the agency.

By following these strategies and utilizing rich identity intelligence both defensively and offensively, agencies can greatly improve the accuracy and speed of investigations, take decisive action with confidence, and enhance the outcomes of criminal and intelligence investigations.