Cloudflare Report: Identity Attacks Are the New Zero-Days

Cloudflare's 2026 Threat Report warns that identity-based attacks exploiting cloud blind spots are as effective as zero-day exploits, but without needing sophisticated malware. The report highlights how MFA bypass techniques and deepfakes are industrializing cybercrime and credential harvesting.

The weaponization of legitimate credentials has shifted the primary vector of ransomware attacks away from malware. Attackers are now more likely to use stolen account credentials, which allows them to blend in with normal traffic until they are ready to launch their extortion efforts. This trend transforms the threat from one of external intrusion to one of architectural subversion, where attackers operate undetected as legitimate users. North Korean-linked threat actors are reportedly using AI-generated identities and deepfakes to successfully pass hiring checks for remote IT positions at Western companies. This tactic allows them to embed themselves within an organization, gaining insider access to corporate payrolls and other sensitive systems. This "high-trust exploitation" signifies a move beyond traditional brute-force methods.

For detection engineering in Splunk, this necessitates a focus on behavioral anomalies. One critical use case is detecting "impossible travel," where a user account logs in from geographically distant locations in an impossibly short time frame. This can be achieved by enriching authentication logs with geolocation data for the source IP address and then using Splunk's `geodistance` macro or custom SPL to calculate the distance and speed between consecutive logins for the same user. Another key detection is for MFA fatigue or "prompt bombing." A Splunk query can be crafted to identify a high volume of failed MFA attempts for a single user from a single IP address within a short time window. For example, you can search for more than ten failed MFA prompts within a ten-minute period, which could indicate an attacker attempting to annoy a user into approving a fraudulent push notification. These detection rules directly support the "User" pillar of the DoD Zero Trust model, which mandates continuous authentication and the detection of anomalous user behavior.
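The two detections described above, impossible travel and MFA fatigue, reduced to their core logic in Python as an added example (this is not code from the report or from Splunk; the SPL queries the text describes would express the same logic). The authentication log below is constructed sample data, and it assumes the geolocation enrichment step has already attached a latitude and longitude to each source IP. The speed threshold of 900 km/h (roughly airliner speed) and the 50 km minimum distance are assumptions chosen to suppress noise from logins within one metro area; the MFA threshold of more than ten failures in ten minutes is the one the text gives.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample authentication log (not real data). Each line is assumed
# to be already enriched with the latitude/longitude of its source IP.
# Fields: timestamp user src_ip event lat lon
_BASE = datetime(2026, 1, 10, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    [
        # alice: New York at 09:00, London at 09:30 -> impossible travel
        "2026-01-10T09:00:00Z alice 198.51.100.10 login_success 40.7128 -74.0060",
        "2026-01-10T09:30:00Z alice 192.0.2.20 login_success 51.5074 -0.1278",
        # bob: New York at 09:00, Boston at 13:00 -> plausible (~76 km/h)
        "2026-01-10T09:00:00Z bob 198.51.100.11 login_success 40.7128 -74.0060",
        "2026-01-10T13:00:00Z bob 198.51.100.12 login_success 42.3601 -71.0589",
    ]
    # carol: 12 failed MFA prompts 30 s apart from one IP (prompt bombing)
    + [
        f"{(_BASE + timedelta(seconds=30 * i)).strftime(TS_FMT)} "
        f"carol 203.0.113.5 mfa_failed 48.8566 2.3522"
        for i in range(12)
    ]
    # dave: 3 failed prompts, below the threshold (ordinary user error)
    + [
        f"{(_BASE + timedelta(minutes=i)).strftime(TS_FMT)} "
        f"dave 203.0.113.9 mfa_failed 48.8566 2.3522"
        for i in range(3)
    ]
)


def parse_auth_log(text):
    """Parse the whitespace-separated enriched log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, event, lat, lon = line.split()
        events.append({
            "time": datetime.strptime(ts, TS_FMT),
            "user": user, "src_ip": src_ip, "event": event,
            "lat": float(lat), "lon": float(lon),
        })
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive successful logins by one user whose implied travel
    speed exceeds max_speed_kmh. Same-city hops are ignored via min_distance_km."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login_success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["time"])
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            # Two distant logins with identical timestamps are treated as infinite speed
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": prev["src_ip"],
                               "to_ip": cur["src_ip"], "distance_km": round(dist),
                               "speed_kmh": round(speed)})
    return alerts


def detect_mfa_fatigue(events, threshold=10, window=timedelta(minutes=10)):
    """Flag (user, src_ip) pairs with more than `threshold` failed MFA prompts
    inside any span of length `window`, using a sliding window over sorted times."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_failed":
            by_key[(e["user"], e["src_ip"])].append(e["time"])
    alerts = []
    for (user, src_ip), times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append({"user": user, "src_ip": src_ip, "count": peak})
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for a in detect_impossible_travel(evs):
        print("impossible travel:", a)
    for a in detect_mfa_fatigue(evs):
        print("mfa fatigue:", a)
```

Both detections key on behaviour rather than on any malware artifact, which is the point of the report: a valid credential used from two continents in half an hour, or an MFA push hammered a dozen times from one address, is visible only if consecutive events for the same account are compared. In Splunk the equivalent is a `streamstats` over events sorted by user and time for the travel check, and a `bin`/`stats count by user, src_ip` over ten-minute spans for the fatigue check.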
By building a Splunk dashboard with panels for "Impossible Travel Alerts," "MFA Fatigue Attempts," and "Multiple Account Logins from a Single IP," you can visualize identity-based threats and demonstrate compliance with DoD's Zero Trust principles.

To manage this across multiple clients in a defense and commercial context, Splunk's forwarder management and server classes are essential. You can create a distinct server class for each client, allowing you to deploy tailored `inputs.conf` and `outputs.conf` files. This ensures that data from different clients is segregated and sent to the correct indexes, a critical requirement for both security and compliance in multi-tenant environments. For rapid client onboarding, this multi-tenant architecture allows for the quick deployment of a baseline security monitoring configuration. New clients can be added to a default server class that provides immediate visibility into common identity-based threats. This approach aligns with emerging Zero Trust assessment methodologies, such as the CISA Zero Trust Maturity Model, which emphasize starting with foundational controls and iteratively improving.

Automating the response to these identity-based attacks is the next logical step. Splunk SOAR playbooks can be triggered by the detection rules for impossible travel or MFA fatigue. These playbooks can automatically enrich the alert with threat intelligence, disable the user account in the identity provider, and create a ticket in a case management system for further investigation, significantly reducing response times.
