While the concept of identity as the new security perimeter has been around for some years, it has now switched from an authorization-based strategy to one with a broader remit, including credential theft, misuse, and privilege escalation in its security coverage. Indeed, Gartner recently categorized identity-first security as one of the Top Security and Risk Management Trends for 2021.
Identity-first security means an increased emphasis on verifying the identity of users rather than relying on user/password combinations that attackers easily steal or brute-force. Multi-factor authentication (MFA) has proven to be one of the most popular and effective approaches here, requiring additional verification through a secondary source such as SMS or a dedicated app. Single sign-on (SSO) is another popular choice, as it drastically reduces the number of credential sets floating around and mitigates the risk of re-used combinations. Combining these methods with a zero-trust policy adds further assurance and helps match the level of authentication to the risk involved.
While identity-based methods such as these should be present in all security strategies, they are not complete without Identity Detection and Response (IDR) as an element of the program. Unlike what traditional identity protection solutions offer, IDR solutions look deeper for identity exposures that create attack paths, detect credential theft and misuse, prevent privilege escalation, and protect the systems that manage them from being exploited.
Identity-based cyber-attacks are increasing
Along with hailing identity-first security as a top trend for the year ahead, Peter Firstbrook, research vice president at Gartner, noted that organizations must do more in the field. While firms are investing heavily in identity verification, he pointed out that they often fail to consider how to protect the infrastructure itself, with the SolarWinds and Microsoft attacks being leading examples.
The SolarWinds breach was one of the most prominent examples of a supply chain attack. After infiltrating SolarWinds’ network, threat actors accessed and tampered with the source code of its Orion software. A software update then spread the Trojanised software to thousands of customers, primarily part of, or working with, the US Government.
Supply chain attacks like this are a powerful example of attack tactics that require identity detection and response security measures for an effective security program. Further, as part of the following attacks on compromised targets, the threat actors appear to have specifically exploited measures such as SSO. A representative of the US Treasury reported that threat actors compromised multiple Microsoft-hosted after they acquired the cryptographic keys to the Treasury’s SSO infrastructure.
Attacks of this level of sophistication are primarily the realm of state-sponsored advanced persistent threat (APT) groups. They have greater access to resources than the average criminal group, which means high-risk areas like the public sector, finance, and critical national infrastructure are particularly at risk. Further, such advanced tactics always rapidly filter through common criminals, so one can expect them to become more common soon enough.
Side-stepping traditional security
In another recent high-profile incident, criminals chained a series of vulnerabilities together that made it possible first to access the target’s Microsoft Exchange server, emails, and calendar, falsely authenticate and connect to the server, and then escalate to gain admin rights. Again, this method entirely bypassed standard authentication methods. While Microsoft quickly patched the vulnerabilities, it is impossible to predict when threat actors may unearth similar flaws.
Alongside high-level external attacks, identity access management security can be vulnerable to insider threats, as seen in roughly 57 percent of breaches. These include malicious insiders actively damaging the company for their gain, but more commonly, employee negligence that creates security gaps. As well as direct employees, the inside threat extends to any suppliers, contractors, or other third parties granted any degree of network access.
Regardless of whether it’s a malicious insider or external intruder, once a threat actor has passed or evaded Identity and Access Management security measures, the organization faces serious trouble unless it can quickly and reliably identify suspicious behavior inside the network.
Prioritize critical assets like Active Directory
Security teams should prioritize identity security capabilities around the most critical assets. In particular, one of the primary targets for attackers is the company’s Active Directory, which more than 90 percent of Global Fortune 1000 organizations use for authentication, identity management, and access control. Accessing AD will significantly increase the attacker’s ability to move laterally through the network and escalate privileges, potentially acquiring admin or even superuser capabilities. Privileged access exploitation has played a vital role in at least 80 percent of known security breaches.
Despite the threat of attackers accessing the Active Directory, its critical role for business means that organizations often prioritize reliable performance and ease of management over security. However, this preference for simplicity and accessibility, coupled with its dynamic nature, means that AD is usually easy for threat actors to access and exploit.
Defending AD should be the top priority for all organizations when considering that threats will highly target it to access the credentials and privileges they need to elevate their attacks. Firms need to achieve accurate, real-time visibility of any exposure that attackers can leverage or activity that points to a compromise. Further, organizations should continually assess AD to validate that there are no misconfigurations attackers can exploit or leverage for possible attack paths.
Providing effective support for identity-first security
Today’s diffuse, decentralized organizational structure means identity-based security measures are one of the most important defenses an organization can implement. However, as cases like the SolarWinds and Microsoft Exchange breaches demonstrate, these measures are far from absolute. organizations need to take the next step and add Identity Detection and Response to fill the gap left open when attackers mascarade as real employees or prey on exposures for privilege escalation.
To mitigate the threats posed by attackers bypassing traditional measures, firms must also have a high level of visibility and threat detection capabilities. They must detect suspicious user activity such as unauthorized scans or attempting to access sensitive data, signifying a potential intruder with stolen credentials that has slipped by external defenses. Security teams must also detect malicious insiders attempting to access files outside of their remit or violating policies.
One effective method for detecting suspicious behavior inside the network is to create a false network containing realistic fakes of production assets. Organizations can use these deception environments to mirror high-risk assets such as AD or sensitive data. If attackers interact with the counterfeits, they immediately alert the security team, who can investigate and prevent any further action and analyze the perpetrator’s identity and motive. Deceptive tactics are perfect for catching intruders trying to move undetected but can also help discover employees moving outside their remit, whether due to negligence or malice.
Identity and Access Management security measures are a vital first line of defense, but are incomplete when used alone. When paired with IDR solutions, businesses will close critical security gaps while gaining protection and detection for unauthorized credential use, overprovisioning of entitlements and privileges, and attack surface reductions. With these innovations in IDR, crafty attackers that have been able to break out undetected from endpoints and leverage identities to leap from on-premise to the cloud will be in for a surprise as they are no longer able to advance their attacks.
Carolyn Crandall is Chief Security Officer, Attivo Networks
