Even organizations with EDR/XDR protection may be vulnerable to identity-based threats. Implementing ITDR could bridge the missing link…
Cybersecurity practitioners have understood for a long time that human behavior is a core security vulnerability. So, what is changing? Answer: the way malicious actors are taking advantage of humans as the weakest link in the attack chain.
Increased numbers of attacks on identity service providers in recent months indicate that threat actors are extending proven tactics such as phishing and credential theft and targeting the supply chain. Compromising the supply chain can potentially yield a very high return on investment. So malicious actors are throwing their weight behind their most successful tactics — attacking identity — to maximize those returns.
Once threat actors have successfully compromised even a single identity, they can move laterally throughout the organization with ease. At this point, they have nearly won the battle. Escalating privileges, gathering intelligence, distributing payloads, and carrying out other objectives are a simple exercise from there.
They can achieve all of this without touching any of your traditional perimeter defenses, and without much technical knowledge or effort.
Top three identity risks
Many organizations have invested substantially in fortifying their identity infrastructure. However, they may be missing the most vulnerable components, such as stored and cached credentials, session cookies, access keys, shadow privileged accounts, and various misconfigurations associated with accounts and identities.
Understanding how cybercriminals are attacking identity within your organization is the first step to protecting the new attack surface and breaking the attack chain. Start by determining which human entry points are the most vulnerable and the most targeted in your organization. You cannot mitigate every risk, which means you will need to prioritize.
Threat actors typically target three identity areas:
- Unmanaged identities: These include identities used by applications (service accounts) and local admins. Many local admins are not enrolled in a privileged account management solution, and this type of identity is often undiscovered during deployment or forgotten after serving its purpose. Many of these accounts use default or outdated passwords, further increasing the risk.
- Misconfigured identities: “Shadow” admins, identities configured with weak or no encryption, and accounts with weak credentials are examples of misconfigured identities. Our own studies suggest that as much as 40% of misconfigured identities, or shadow admin identities, can be exploited in just one step — for example, by resetting a domain password to escalate privileges. Some shadow admin identities already have domain admin privileges; when hijacked, they enable malicious actors to harvest credentials and infiltrate further into the organization.
- Exposed identities: This category includes cached credentials stored on various systems, cloud access tokens stored on endpoints, and open remote access sessions. Some endpoints contain exposed privileged account passwords, such as cached credentials. This practice is just as risky as allowing employees to leave sticky notes with usernames and passwords on their devices, yet it is commonly overlooked.
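The three categories above are easiest to act on when they are turned into concrete checks against an inventory. The following is an added example, not code from the original article or from any vendor product, that runs the three checks over a constructed directory snapshot and endpoint inventory: a shadow-admin check (a non-privileged account allowed to reset a privileged account's password, the one-step escalation path mentioned above), an unmanaged-account check (service accounts and local admins outside PAM or with stale passwords), and an exposed-credential check (privileged credentials cached on endpoints). The privileged group names, the 90-day password age threshold, the account names and the hosts are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Groups treated as privileged and the maximum acceptable password age (assumed policy values).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class Account:
    name: str
    kind: str                                    # "user", "service" or "local_admin"
    groups: set = field(default_factory=set)
    password_last_set: date = date(2020, 1, 1)
    in_pam: bool = False                         # enrolled in a privileged account management tool
    can_reset: set = field(default_factory=set)  # accounts whose password this one may reset


# Constructed directory snapshot for the example (not real data).
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("da-alice", "user", {"Domain Admins"}, TODAY - timedelta(days=10), True),
    Account("helpdesk-bob", "user", {"Helpdesk"}, TODAY - timedelta(days=20), False, {"da-alice"}),
    Account("svc-backup", "service", {"Backup Operators"}, TODAY - timedelta(days=400), False),
    Account("svc-web", "service", set(), TODAY - timedelta(days=30), True),
    Account("carol", "user", {"Staff"}, TODAY - timedelta(days=5), False, {"carol"}),
]

# Constructed endpoint inventory: which accounts have credentials cached on which host.
CACHED_CREDENTIALS = {
    "WS-017": ["da-alice", "carol"],
    "WS-042": ["carol"],
    "SRV-DB1": ["svc-backup"],
}


def is_privileged(acct):
    return bool(acct.groups & PRIVILEGED_GROUPS)


def find_shadow_admins(accounts):
    """Misconfigured identities: accounts outside the privileged groups that can reset the
    password of a privileged account, i.e. a one-step path to domain admin."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for acct in accounts:
        if is_privileged(acct):
            continue
        targets = sorted(t for t in acct.can_reset
                         if t != acct.name and t in by_name and is_privileged(by_name[t]))
        if targets:
            findings.append((acct.name, targets))
    return findings


def find_unmanaged(accounts, today=TODAY):
    """Unmanaged identities: service accounts and local admins outside PAM or with stale passwords."""
    findings = []
    for acct in accounts:
        if acct.kind not in ("service", "local_admin"):
            continue
        reasons = []
        if not acct.in_pam:
            reasons.append("not enrolled in PAM")
        if (today - acct.password_last_set).days > MAX_PASSWORD_AGE_DAYS:
            reasons.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
        if reasons:
            findings.append((acct.name, reasons))
    return findings


def find_exposed(cached, accounts):
    """Exposed identities: endpoints holding cached credentials of privileged accounts."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for host, names in sorted(cached.items()):
        privileged = sorted(n for n in names if n in by_name and is_privileged(by_name[n]))
        if privileged:
            findings.append((host, privileged))
    return findings


def risk_report(accounts=ACCOUNTS, cached=CACHED_CREDENTIALS):
    """Combine the three checks into one prioritized list: shadow admins first (one step from
    domain admin), exposed privileged credentials next, unmanaged accounts last."""
    report = []
    report += [("shadow_admin", name, ", ".join(t)) for name, t in find_shadow_admins(accounts)]
    report += [("exposed_credential", host, ", ".join(n)) for host, n in find_exposed(cached, accounts)]
    report += [("unmanaged", name, "; ".join(r)) for name, r in find_unmanaged(accounts)]
    return report


if __name__ == "__main__":
    for category, subject, detail in risk_report():
        print(f"{category:20} {subject:14} {detail}")
```

The ordering in `risk_report` is the prioritization step the article calls for: a finding that is one reset away from domain admin is remediated before a stale service-account password. In a real deployment the snapshot would come from the directory and the endpoint agent rather than from constructed literals, but the checks themselves do not change.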
Whatever type of identity malicious actors compromise, it only takes one vulnerable account to provide unfettered access to your organization. And the longer they go undetected, the more devastating the potential consequences can be.
Managing identity risks
Combating any type of threat necessitates several core activities: detecting and identifying threats in real time, prioritizing them, and promptly remedying the situation by automating responses as much as possible. This is where the best practices of threat detection and response come into play.
However, organizations typically only implement threat detection and response for their technology. This is not enough in today’s people-centric threat environment. As the human perimeter has become the most vulnerable component, identity threat detection and response (ITDR) has emerged as a critical part of identifying and mitigating gaps in identity-driven exposure.
ITDR requires a combination of comprehensive security processes, tools, and best practices. Treat identities the same way you treat any other asset type, including your network and endpoints.
- Start with proactive, preventative controls so you can discover and mitigate identity vulnerabilities before cybercriminals can exploit them. Continuous discovery and automated remediation are your best way of keeping malicious actors out.
- Next, you need the ability to swiftly neutralize threats should they slip through defenses. As no controls are foolproof, consider the full attack chain. Stopping privilege escalation quickly is paramount because threat actors will attempt that step as soon as they have achieved initial access. If they cannot get anywhere, they will have to give up and move on. Advanced tools with machine learning or analytics capabilities can detect unusual or suspicious events and behavior patterns, and combined with automated response they help admins stop privilege escalation quickly.
- Similar to tools such as endpoint detection and response and extended detection and response, robust ITDR solutions provide an in-depth approach to mitigating exposure.
- Finally, effective ITDR relies on best practices such as ensuring good cyber hygiene. After all, people are your biggest security hole. People-centric defenses do not work if you do not empower employees to break the attack chain by changing their behavior patterns and habits. Improving cyber hygiene is also a simple activity that does not require a lot of resources.
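The detection step above, stopping privilege escalation soon after initial access and following the chain rather than a single event, can be shown on a handful of log lines. The following is an added example, not code from the original article or from any ITDR product. It parses constructed key=value events (logons, password resets, additions to groups) and raises an alert when a privileged change is made by an actor that is not itself privileged, or by a privileged account whose password was just reset by such an actor; the alert is rated high when the change follows the actor's logon within a short window, and carries the automated response an ITDR tool would trigger. The log format, the privileged group and account names, the 30-minute window and the host names are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed policy inputs: privileged groups, accounts known to be privileged (from the
# directory inventory), and how soon after initial access a privileged change counts as urgent.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
PRIVILEGED_ACCOUNTS = {"da-alice"}
ESCALATION_WINDOW = timedelta(minutes=30)

# Constructed sample events in a simple key=value format (not real telemetry).
SAMPLE_LOG = """\
2024-06-01T08:02:11 event=logon user=helpdesk-bob host=WS-017 src=10.0.5.4
2024-06-01T08:05:40 event=password_reset actor=helpdesk-bob target=da-alice host=DC1
2024-06-01T08:06:02 event=logon user=da-alice host=DC1 src=10.0.5.4
2024-06-01T08:06:30 event=group_add actor=da-alice member=helpdesk-bob group="Domain Admins" host=DC1
2024-06-01T09:15:00 event=logon user=carol host=WS-042 src=10.0.7.9
2024-06-01T13:00:00 event=password_reset actor=da-alice target=svc-web host=DC1
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a log line into a timestamp plus key=value fields (quoted values allowed)."""
    ts, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in KV.findall(rest)}
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_escalation(log_text):
    """Return alerts for privileged changes (privileged password resets, additions to
    privileged groups) performed by an actor that is either not privileged itself or is
    already a suspect because its password was reset earlier in the same chain."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    last_logon = {}   # user -> most recent logon event
    suspects = set()  # accounts already implicated in the chain
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "logon":
            last_logon[ev["user"]] = ev
            continue
        actor = ev.get("actor")
        if kind == "password_reset" and ev["target"] in PRIVILEGED_ACCOUNTS:
            reason = f"reset password of privileged account {ev['target']}"
        elif kind == "group_add" and ev["group"] in PRIVILEGED_GROUPS:
            reason = f"added {ev['member']} to {ev['group']}"
        else:
            continue  # not a privileged change
        if actor in PRIVILEGED_ACCOUNTS and actor not in suspects:
            continue  # a legitimate admin doing admin work
        logon = last_logon.get(actor)
        recent = logon is not None and ev["ts"] - logon["ts"] <= ESCALATION_WINDOW
        alerts.append({
            "ts": ev["ts"].isoformat(),
            "actor": actor,
            "host": ev.get("host"),
            "reason": reason,
            "severity": "high" if recent else "medium",
            "response": "disable account, terminate sessions, rotate affected credentials",
        })
        # Follow the chain: the actor and whatever it now controls are suspects from here on.
        suspects.add(actor)
        if kind == "password_reset":
            suspects.add(ev["target"])
        if kind == "group_add":
            suspects.add(ev["member"])
    return alerts


if __name__ == "__main__":
    for a in detect_escalation(SAMPLE_LOG):
        print(f"{a['ts']} [{a['severity']}] {a['actor']}@{a['host']}: {a['reason']} -> {a['response']}")
```

Run on the sample, the helpdesk account's reset of a domain admin's password is flagged within minutes of its logon, and the domain admin's subsequent group change is flagged as well, because that account is already a suspect; the later reset of an unprivileged service account by the same admin raises nothing. The `suspects` set is what turns a per-event rule into a chain-aware one, which is the difference the article draws between watching single events and considering the full attack chain.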
Cybercriminals are simply moving too fast for security teams to keep up with identity threats without the right tools for the job. We predict that identity-based attacks will dominate breaches this year. So, do not just brace for it: make identity-centric risks your priority, and prepare to adapt your strategies as these risks evolve.