Identity is a battleground upon which all organizations must now fight. Responding to this growing threat is non-optional because identity is at the heart of the processes and technologies that power the new world of remote and hybrid working.
The “human element” is involved in 85 percent of breaches, with credential data theft and misuse now factoring into 61 percent of incidents, according to the Verizon Data Breach Investigations Report 2021, published last year. Attackers know this, so they are constantly searching for ways to obtain valid credentials which they can use to gain access to the network and then move undetected in search of new targets.
Once inside the network, adversaries are well beyond the protections of a traditional perimeter. If the target organization has not deployed relevant defenses, threat actors can strike deep within the network at unsecured infrastructures. They often target assets such as Active Directory (AD), which 90 percent of Global Fortune 1000 companies use to provide authentication and authorization. If the attacker manages to extend their privileges and access a powerful admin account on AD, it is game over for defenders.
There is no doubt that identity security is in a state of emergency. But organizations can address it using identity threat detection and response (ITDR) solutions capable of detecting attack escalation and lateral movement on-premises and in the cloud.
Identity Under Threat
The shift to remote work has gifted cybercriminals with many targets to exploit, particularly enterprise identities. With the growth of public cloud and a considerable rise in the number of human and non-human identities such as applications, databases, and data stores, organizations must create identities rapidly, in high volume, and often without clear visibility into the attack surface risks being created. There is an unfortunate irony to this explosion of identity generation because the infrastructure that powers modern workforces also contains the weaknesses that can bring them down.
Traditional security tools cannot cope with the recent explosion in the number of identities, meaning they over-provision access and further exacerbate security risks. Gartner has estimated that 75 percent of security failures will “result from inadequate management of identities, access, and privileges” by 2023, an increase of 50 percent from 2020.
This security shortfall leaves attackers in a strong position. Stealing identities allows them to impersonate authorized users to access resources and move laterally through the organization’s network and cloud environment. Launching this type of attack is now worryingly straightforward. There will always be one employee whom attackers can trick into handing over a password. If not, they can buy credentials on the dark web. The perimeter can no longer hold in an era where external defenses are porous.
After gaining an initial beachhead, attackers typically look for opportunities to elevate privileges. They conduct reconnaissance to identify subsequent targets, compromise identities that enable them to steal data, seed a ransomware infection, or disrupt services. If defenders fail at this stage of the attack and adversaries are able to exploit AD, there is a genuine risk that it will be too late to stop the attack. On the other hand, the correct deployment of ITDR technology can surface unauthorized queries and indicators of attack, halting adversaries in their tracks.
Detect, Respond, Defeat
Organizations must cope with today’s threats by protecting identities across the entire enterprise with identity-based, least-privilege access defenses capable of detecting attack escalation and lateral movement on-premises and in the cloud.
ITDR solutions can detect credential theft, privilege misuse, attacks on AD, and potentially risky entitlements that create attack paths. This technology focuses on protecting identities, entitlements, and the systems that manage them. It goes further than tools like IAM, PAM, or IGA, which cover authorization and authentication to grant controlled access to resources. ITDR moves beyond other identity solutions to provide visibility into credential misuse, highlight entitlement exposures, and spot privilege escalation wherever it occurs, from endpoints to AD or the little-noticed corners of cloud estates.
But ITDR is not simply a pane of glass. It also grants organizations the ability to take proactive action using deception. Defenders can place fake data in the attackers’ path, which draws them away from real targets like AD and steers them towards a decoy, where defenders can derail, isolate, and observe them. An ITDR solution can also gather telemetry and forensic data during an incident, arming defenders with the intelligence that will allow them to defeat similar attacks.
Organizations that deploy ITDR will be able to secure themselves for the future by gaining visibility of all exposures that could allow attackers to target identities. This visibility enables security teams to assess the safety of credentials stored on endpoints or AD misconfigurations that open the door for data exfiltration. It also identifies excessive entitlements that allow attackers to access sensitive data or workloads in cloud environments. Limiting exposures reduces an attacker’s options.
ITDR can also protect machine identities in the cloud. Today, it is not just human users that need identities to do their jobs. Containers, applications, and other assets require entitlements and often get overprivileged, causing permission sprawl and giving attackers more valuable targets to exploit. ITDR lets defenders understand the complex web of identities and credentials in the cloud and gives them the insights they need to lock down these potential attack surfaces.
In the coming months and years, organizations will face what may appear to be a daunting task: securing the enterprise identities that are crucial to their digital infrastructure. If they stick to traditional or manual tools, enterprises will likely find that they cannot keep up with their dynamic cloud environments. Yet if defenders deploy ITDR and adopt the right approach to gain visibility into identity risks, they will mitigate the risk of their cloud deployment becoming their weakest security link.
Carolyn Crandall is chief security advocate at Attivo Networks