Jennifer Cheng, Director of Cybersecurity Strategy (Asia Pacific & Japan), Proofpoint

Threat actors typically target three identity areas:

    • Unmanaged identities: These include identities used by applications (service accounts) and local administrator accounts. Many local admins are not enrolled in a privileged access management (PAM) solution, and these identities are often missed during deployment or forgotten once they have served their purpose. Many of them still use default or never-rotated passwords, which further increases the risk.
    • Misconfigured identities: "Shadow" admins (accounts that hold admin-equivalent rights through ACLs or delegation rather than through membership in a recognized admin group), accounts configured with weak or no encryption, and accounts with weak credentials are examples of misconfigured identities. Our own studies suggest that as many as 40% of shadow admin identities can be exploited in a single step, for example by resetting the password of a domain admin account and taking over its privileges. Some shadow admins already hold domain admin privileges outright; once hijacked, they let attackers harvest credentials and move deeper into the organization.
    • Exposed identities: This category includes cached credentials on various systems, cloud access tokens stored on endpoints, and open remote access sessions. Some endpoints hold privileged account credentials in recoverable form, such as cached domain logons. This is just as risky as allowing employees to leave sticky notes with usernames and passwords on their devices, yet it is commonly overlooked.
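The three categories above can be checked mechanically against an identity inventory. The following is an added example, not code from the original article or from Proofpoint: it triages a constructed, Active Directory-style inventory into unmanaged, misconfigured (shadow admin) and exposed identities. The group names, host names, the PAM flag, the simplified "can reset password" ACL model and all account data are constructed assumptions. It goes slightly beyond the text by walking the reset-rights graph, so it reports not only one-step shadow admins but also how many hops a principal is from a tier-0 account.

```python
"""Added example: triage a constructed identity inventory into the three
exposure categories (unmanaged, misconfigured/shadow admin, exposed).
All account, group and host data below is constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2024, 6, 1)                   # fixed so the example is deterministic
MAX_PASSWORD_AGE_DAYS = 365
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins"}
ADMIN_WORKSTATIONS = {"PAW01"}             # assumed: only hosts allowed to hold tier-0 creds


@dataclass
class Principal:
    name: str
    kind: str                              # "user" | "service" | "local_admin"
    pwd_last_set: date
    in_pam: bool = False                   # vaulted and rotated by a PAM solution
    groups: set = field(default_factory=set)
    # hypothetical ACL model: accounts whose password this principal may reset
    can_reset: set = field(default_factory=set)
    # hosts holding this principal's credentials (cached logon, token, LSASS)
    cached_on: set = field(default_factory=set)


def is_tier0(p):
    return bool(p.groups & TIER0_GROUPS)


def find_unmanaged(inventory):
    """Service accounts and local admins outside PAM, or with a stale password."""
    out = {}
    for p in inventory.values():
        if p.kind not in ("service", "local_admin"):
            continue
        reasons = []
        if not p.in_pam:
            reasons.append("not enrolled in PAM")
        if (TODAY - p.pwd_last_set).days > MAX_PASSWORD_AGE_DAYS:
            reasons.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
        if reasons:
            out[p.name] = reasons
    return out


def find_shadow_admins(inventory):
    """Non-tier-0 principals that reach a tier-0 account through a chain of
    password-reset rights. Returns {name: hops}; hops == 1 is the one-step case."""
    out = {}
    for p in inventory.values():
        if is_tier0(p):
            continue
        seen = {p.name}
        queue = deque((t, 1) for t in p.can_reset)   # BFS, so first hit is shortest
        while queue:
            target, hops = queue.popleft()
            if target in seen or target not in inventory:
                continue
            seen.add(target)
            if is_tier0(inventory[target]):
                out[p.name] = hops
                break
            for nxt in inventory[target].can_reset:
                queue.append((nxt, hops + 1))
    return out


def find_exposed(inventory):
    """Tier-0 credentials cached on hosts that are not hardened admin workstations."""
    out = {}
    for p in inventory.values():
        if not is_tier0(p):
            continue
        bad_hosts = sorted(p.cached_on - ADMIN_WORKSTATIONS)
        if bad_hosts:
            out[p.name] = bad_hosts
    return out


def build_inventory():
    """Constructed sample; not real directory data."""
    people = [
        Principal("svc_backup", "service", date(2021, 3, 1)),                 # unmanaged, stale
        Principal("svc_sql", "service", date(2024, 5, 1), in_pam=True),       # managed
        Principal("WS07\\Administrator", "local_admin", date(2019, 1, 1)),    # forgotten local admin
        Principal("da_alice", "user", date(2024, 4, 1), in_pam=True,
                  groups={"Domain Admins"}, cached_on={"PAW01", "WS07"}),     # creds cached on a workstation
        Principal("helpdesk_bob", "user", date(2024, 2, 1), can_reset={"da_alice"}),       # one-step shadow admin
        Principal("contractor_eve", "user", date(2024, 1, 1), can_reset={"helpdesk_bob"}), # two-step
        Principal("carol", "user", date(2024, 3, 1)),
    ]
    return {p.name: p for p in people}


if __name__ == "__main__":
    inv = build_inventory()
    print("unmanaged:", find_unmanaged(inv))
    print("shadow admins (hops to tier 0):", find_shadow_admins(inv))
    print("exposed:", find_exposed(inv))
```

In a real deployment the inventory would be populated from the directory (group membership, ACLs on user objects, pwdLastSet) and from endpoint telemetry (cached logons, tokens), and the three functions would run on a schedule so that new exposures are caught continuously rather than in a one-off audit.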

ITDR requires a combination of comprehensive security processes, tools, and best practices. Treat identities the same way you treat any other asset type, including your network and endpoints.

    1. Start with proactive, preventative controls so you can discover and mitigate identity vulnerabilities before cybercriminals can exploit them. Continuous discovery and automated remediation are the most effective way of keeping malicious actors out.
    2. Next, you need the ability to swiftly neutralize threats that slip through your defenses. Since no control is foolproof, consider the full attack chain. Stopping privilege escalation quickly is paramount, because threat actors attempt that step as soon as they have achieved initial access; an attacker who cannot escalate has little to gain and is far more likely to move on. Tools with analytics or machine learning capabilities can detect unusual or suspicious events and behavior patterns, and when paired with automated response they help admins stop privilege escalation before it succeeds.
    3. Like endpoint detection and response (EDR) and extended detection and response (XDR), robust ITDR solutions provide a defense-in-depth approach to mitigating exposure.
    4. Finally, effective ITDR relies on best practices such as good cyber hygiene. After all, people are your largest attack surface. People-centric defenses do not work unless you empower employees to break the attack chain by changing their behavior patterns and habits. Improving cyber hygiene is also a simple activity that does not have to require a lot of resources.
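Step 2 above, detecting and responding to privilege escalation quickly, is the part most readily expressed as code. The following is an added example, not code from the original article or from Proofpoint: it runs three detection rules over constructed Windows Security events and correlates them along the attack chain (a suspicious password reset of a tier-0 account followed shortly by a logon as that account from a non-admin host). The event IDs 4724 (password reset attempt), 4728 (member added to a security-enabled global group) and 4624 (successful logon) are real Windows Security log IDs; the pipe-delimited record format, the account and host names, the authorized-resetter list and the response playbook are constructed assumptions.

```python
"""Added example: detection logic for the privilege-escalation step, run over
constructed Windows Security events. Event IDs are real Windows IDs; the
records, accounts, hosts and response actions are constructed for illustration."""
from datetime import datetime, timedelta

TIER0_GROUPS = {"Domain Admins", "Enterprise Admins"}
TIER0_ACCOUNTS = {"da_alice"}
AUTHORIZED_RESETTERS = {"da_alice", "pam_service"}   # assumed: who may reset tier-0 passwords
ADMIN_WORKSTATIONS = {"PAW01"}                       # assumed: hosts tier-0 may log on from
CHAIN_WINDOW = timedelta(minutes=10)                 # reset -> logon correlation window


def parse(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["id"] = int(fields["id"])
    return fields


def detect(lines):
    """Return alerts in time order; the chain rule upgrades severity to critical."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    alerts = []
    pending_resets = []          # suspicious 4724s awaiting a follow-on logon
    for e in events:
        if e["id"] == 4724 and e["target"] in TIER0_ACCOUNTS \
                and e["subject"] not in AUTHORIZED_RESETTERS:
            # Rule 1: unauthorized reset of a tier-0 password (one-step escalation)
            alerts.append({"severity": "high", "rule": "tier0_password_reset",
                           "subject": e["subject"], "target": e["target"]})
            pending_resets.append(e)
        elif e["id"] == 4728 and e["group"] in TIER0_GROUPS:
            # Rule 2: someone added to a tier-0 group
            alerts.append({"severity": "high", "rule": "tier0_group_add",
                           "subject": e["subject"], "target": e["member"]})
        elif e["id"] == 4624:
            # Rule 3: the reset account logs on from a non-admin host shortly after
            for r in pending_resets:
                delta = e["time"] - r["time"]
                if e["target"] == r["target"] and timedelta(0) <= delta <= CHAIN_WINDOW \
                        and e["host"] not in ADMIN_WORKSTATIONS:
                    alerts.append({"severity": "critical", "rule": "reset_then_logon_chain",
                                   "subject": r["subject"], "target": r["target"],
                                   "host": e["host"]})
    return alerts


def response_plan(alert):
    """Hypothetical automated-containment playbook keyed on the alert.
    Returns the actions a responder would queue; it does not execute them."""
    actions = ["disable account %s" % alert["subject"],
               "open incident for rule %s" % alert["rule"]]
    if alert["severity"] == "critical":
        actions += ["force password reset on %s" % alert["target"],
                    "terminate sessions of %s on %s" % (alert["target"], alert["host"]),
                    "isolate host %s" % alert["host"]]
    return actions


# Constructed sample events (not from any real system).
SAMPLE_EVENTS = [
    "time=2024-06-01T09:00:00|id=4624|subject=-|target=carol|host=WS12",                 # benign logon
    "time=2024-06-01T09:01:10|id=4724|subject=helpdesk_bob|target=da_alice|host=DC01",   # shadow admin resets DA
    "time=2024-06-01T09:02:30|id=4624|subject=-|target=da_alice|host=WS07",              # logs on as DA from workstation
    "time=2024-06-01T09:05:00|id=4724|subject=pam_service|target=da_alice|host=DC01",    # authorized PAM rotation
    "time=2024-06-01T09:06:00|id=4728|subject=helpdesk_bob|group=Domain Admins|member=helpdesk_bob|host=DC01",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a["subject"], "->", a["target"])
        for action in response_plan(a):
            print("   ", action)
```

The point of the chain rule is speed: the individual reset and logon events are each explainable on their own, but together within a short window they are the escalation step the text warns about, and the critical alert is what should trigger the automated response rather than a ticket.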