Dormant accounts are a low-hanging fruit for attackers

Successful attacks on systems no longer require zero-day exploits, as attackers now focus on compromising identities through methods such as bypassing MFA, hijacking sessions, or brute-forcing passwords, according to Oort.

“The vast majority of successful breaches in the past year were the result of account takeover (ATO). This research illustrates just how easy enterprises are making it for attackers to target their identities and launch successful ATO attacks,” says Oort CEO, Matt Caulfield. “IAM and security teams simply don’t have the visibility and control they need to see these risks, leaving them blind to the most common threats they are likely to face this year – account takeover.

Enterprises use weak second factors

Oort reports that 40.26% of accounts in an average enterprise are using either weak second factors or none at all, leaving them vulnerable to targeting with simple techniques like phishing and social engineering.

Additionally, the report finds that phishing-resistant second factors were used in only 1.82% of all logins. The lack of strong MFA adoption has implications not only for potential account takeover attacks, but also regulatory compliance, citing several compliance frameworks that have requirements for MFA.

The report unveils the most commonly targeted accounts are either dormant or those that belong to executives and administrators. Dormant accounts are the lowest hanging fruit for attackers, and yet represent 24.15% of all accounts for an average enterprise.

Dormant accounts attacks are on the rise

Oort found an average of 501 monthly attacks against dormant accounts per company emphasizing the importance of cleaning up and having oversight of suspicious behavior within dormant accounts. The findings show that administrator accounts, which give attackers the highest degree of permissions, are targeted more than three times the average account and often lacked, or were excluded from, MFA controls.

Oort’s research also revealed that 79.87% of application accounts go unused every month, highlighting that users have access to too many applications and sensitive data. The implications of having unnecessary access and the financial burden of excessive licenses are quick wins that organizations can avoid with the proper visibility over their identities and their associated behavior.

Proper MFA adoption

By reducing user access to excessive applications and the data contained within, organizations can fairly easily reduce costs and improve visibility over their identities and their associated behavior.

Oort’s research impresses the importance for enterprises to gain visibility across all their identities to decrease their attack surface, enforce proper MFA adoption, and ensure poor IAM hygiene is not leaving them at risk. This includes regularly reviewing and updating user accounts, groups, and permissions, as well as implementing access controls and monitoring systems to detect and respond to any suspicious activity.

“Organizations can easily decrease the risk of account takeover by prioritizing identity security. Understanding their identity attack surface, having visibility into basic IAM hygiene issues and MFA compliance can go a long way in eliminating the easiest targets for attackers to succeed,” adds Caulfied regarding the opportunity organizations have to address these challenges and reduce their risk of breach.