There has been a recent uptick in identity-based cyberattacks. According to IDSA-sponsored research, the majority of respondents (79%) experienced an identity-related breach within the last two years. Identity theft and abuse are at the heart of most cyberattacks: to get into a network, attackers no longer need to breach a firewall; they simply steal legitimate user credentials.
How are threat actors attacking today’s organizations?
Identity-based attacks exploit weak authentication, excessive access rights, and a lack of oversight. Because they use less obvious vectors than attacks on code, they are harder to spot and therefore more dangerous. Threat actors are particularly incentivized to exploit the identity sprawl caused by cloud adoption, the proliferation of non-human accounts, and the use of heterogeneous systems to manage identities.
Intruders have wasted no time adapting the standard "land and expand" tactics to these environments. They profit from the difficulty businesses have monitoring cloud, multi-cloud, and hybrid systems, and from the lack of standardized identity telemetry.
Identity is problematic because it can be used as an almost flawless disguise.
It can be quite difficult to tell legitimate use of an identity from illegitimate use. Having compromised one identity, a threat actor can impersonate that user to obtain access to resources, compromise systems, move laterally, and compromise further identities.
Organizations struggle to mitigate identity-related risks effectively because they lack continuous visibility of identities across all systems, which is especially problematic for quickly growing cloud-based infrastructures. Privileges and entitlements are poorly understood even for well-established identities. Threat actors' actions may go undetected because of misconfigurations, which multiply in dynamic environments where new users, systems, and integrations continually open new attack paths.
How can one best defend against an attack that uses a victim's identity?
Attack paths in modern IT environments must be discovered, eliminated, and audited. All three are essential for reducing the attack surface, surfacing previously unseen risks, and fixing problems without relying on malware detection.
Identity Threat Detection and Response (ITDR) offers a substantial opportunity to achieve these goals by bridging the gap between IAM and security teams. Threat intelligence, detection, investigation, and response are consolidated into a single security discipline, giving businesses a significant advantage in protecting their identity systems.
What is the best way to use ITDR to prevent an identity-based attack?
Building an interconnected ecosystem that actively helps you reduce your attack surface is the ideal approach. An effective ITDR response can be built up in the following steps:
First, build a robust foundation.
If you don't nail down the fundamentals, you can end up undermining your own investment. Inventory the devices and software that make up your identity infrastructure and make sure they follow best practices before chasing the next cyber buzzword. You don't want your hard work undone because a domain controller wasn't patched.
Second, make sure you can see who has access to what, and who does not.
In many of the identity breaches that make headlines, a threat actor compromised an over-privileged user, used that user's VPN access to move laterally, escalated privileges further, and did broad damage without ever needing to deploy an exploit. This is where identity governance, identity lifecycle management, privileged access management (PAM), and cloud infrastructure entitlement management (CIEM) come into play.
Third, put procedures in place to verify that no gaps or shadow infrastructure are developing, by continually auditing the controls you have in place against best practices.
With a wide variety of cloud and on-premises systems, it is hard to gain visibility into all identities, act proactively, and ensure best practices are followed. Scripting this yourself, manually scouring systems and data for misconfigurations, or buying point solutions that focus on one area such as Active Directory hardening is resource-intensive and may prove ineffective against rapidly evolving threats.
BeyondTrust's Identity Security Insights is one example of a tool that can add a proactive layer of intelligence to your risk mitigation strategy by integrating with your ecosystem and exchanging data to deliver a single, comprehensive view of identity.
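To make the kind of scripted audit the paragraph refers to concrete, here is an added example (not BeyondTrust's code and not part of the original article) run over a constructed identity inventory. It resolves nested group membership to find shadow admins, and flags dormant accounts, privileged users without MFA, and service accounts that hold admin rights or interactive logon. Account names, group names, the pinned date and the 90-day dormancy threshold are all assumptions.

```python
"""Added example (not BeyondTrust's code): a small posture audit over a
constructed identity inventory, flagging the kinds of gaps the text warns
about. All account, group and threshold values below are invented."""
from datetime import date, timedelta

TODAY = date(2024, 1, 31)            # pinned so the output is reproducible
STALE_AFTER = timedelta(days=90)     # assumed dormancy threshold
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrators"}

# Constructed inventory: type, MFA enrolment, last logon, direct group membership
ACCOUNTS = {
    "alice":      {"type": "user", "mfa": True,  "last_logon": date(2024, 1, 30),
                   "groups": ["Helpdesk"]},
    "bob":        {"type": "user", "mfa": False, "last_logon": date(2024, 1, 29),
                   "groups": ["Tier0-Ops"]},
    "carol":      {"type": "user", "mfa": True,  "last_logon": date(2023, 9, 1),
                   "groups": ["Domain Admins"]},
    "svc-backup": {"type": "service", "mfa": False, "last_logon": date(2024, 1, 30),
                   "groups": ["Domain Admins"], "interactive_logon": True},
    "svc-web":    {"type": "service", "mfa": False, "last_logon": date(2024, 1, 30),
                   "groups": ["Web-Servers"], "interactive_logon": False},
}

# Constructed group nesting: group -> groups it is itself a member of.
# Tier0-Ops is nested inside Domain Admins, which is how shadow admins arise.
GROUP_PARENTS = {
    "Tier0-Ops": ["Domain Admins"],
    "Helpdesk": ["Account-Operators"],
}


def effective_groups(name, accounts=ACCOUNTS, parents=GROUP_PARENTS):
    """Direct plus nested group membership, resolved by walking GROUP_PARENTS.
    The 'seen' set also terminates the walk on circular nesting."""
    seen, frontier = set(), list(accounts[name]["groups"])
    while frontier:
        group = frontier.pop()
        if group in seen:
            continue
        seen.add(group)
        frontier.extend(parents.get(group, []))
    return seen


def audit(accounts=ACCOUNTS, today=TODAY):
    """Return {account: [finding, ...]} for every account with at least one finding."""
    findings = {}
    for name, acct in accounts.items():
        hits = []
        groups = effective_groups(name, accounts)
        privileged = bool(groups & PRIVILEGED_GROUPS)
        direct_privileged = bool(set(acct["groups"]) & PRIVILEGED_GROUPS)
        idle = today - acct["last_logon"]

        if privileged and not direct_privileged:
            hits.append("shadow-admin: privileged only through nested group membership")
        if idle > STALE_AFTER:
            hits.append("stale: no logon in %d days" % idle.days)
        if acct["type"] == "user" and privileged and not acct["mfa"]:
            hits.append("privileged-without-mfa")
        if acct["type"] == "service":
            if privileged:
                hits.append("service-account-privileged")
            if acct.get("interactive_logon"):
                hits.append("service-account-interactive-logon")
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for account, hits in audit().items():
        print(account)
        for hit in hits:
            print("  -", hit)
```

In a real environment the inventory would be pulled from the directory and the identity providers rather than typed in, and the checks would run on a schedule so that a newly nested group or a newly dormant admin shows up as a finding within a day rather than at the next annual review.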
Fourth, add detection.
Once the groundwork has been laid, the next step in improving your identity security program is to add layers of detection. This bridges the gap between identity and access management (IAM) solutions and SOC tools.
Again, you can try to fill the gap by feeding identity data into SIEM and XDR tools by hand, but these don't always provide sufficient visibility into an identity. For instance, after a successful MFA fatigue attack, how much access does the compromised identity have? Can it reach other potentially damaging delegated or machine accounts?
Lean on tools that can give you the knowledge and intelligence to answer these questions quickly, so you can locate and contain the blast radius of a compromised identity.
Now that you can see identities and act on them, start looking for the right tools, signals, and integrations to spot and counteract identity security issues quickly and automatically. As a secondary line of defense, develop identity-specific indicators of attack and compromise and make use of user behavior analytics.
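The two questions raised above (what an identity taken over through MFA fatigue can now reach, and which identity-specific indicators of attack to build) can be answered from data most organizations already hold. The following added example, which is not BeyondTrust's code and is not part of the original article, detects an MFA fatigue pattern in constructed sign-in events and then walks a constructed entitlement graph to compute the compromised identity's blast radius, including the service account and cloud role it can reach. Every user, host, role, IP address, timestamp and threshold is invented for illustration.

```python
"""Added example (not BeyondTrust's code): detect an MFA-fatigue sign-in pattern
in constructed authentication events, then compute the blast radius of the
compromised identity over a constructed entitlement graph. Every user, host,
role and timestamp below is invented for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sign-in log: "<timestamp> <user> <event> [<source-ip>]"
RAW_EVENTS = """
2024-01-31T02:14:05Z bob mfa_prompt 203.0.113.7
2024-01-31T02:14:40Z bob mfa_denied 203.0.113.7
2024-01-31T02:15:10Z bob mfa_prompt 203.0.113.7
2024-01-31T02:15:33Z bob mfa_denied 203.0.113.7
2024-01-31T02:16:02Z bob mfa_prompt 203.0.113.7
2024-01-31T02:17:30Z bob mfa_prompt 203.0.113.7
2024-01-31T02:18:44Z bob mfa_prompt 203.0.113.7
2024-01-31T02:19:51Z bob mfa_prompt 203.0.113.7
2024-01-31T02:20:03Z bob mfa_approved 203.0.113.7
2024-01-31T02:20:05Z bob login_success 203.0.113.7
2024-01-31T08:30:00Z alice mfa_prompt 198.51.100.4
2024-01-31T08:30:12Z alice mfa_approved 198.51.100.4
2024-01-31T08:30:13Z alice login_success 198.51.100.4
"""

# Constructed entitlement graph as (subject, relation, object) triples, mixing
# AD group nesting, host admin rights, password-reset rights over a service
# account, and a cloud role that service account can assume.
EDGES = [
    ("bob", "member_of", "Tier0-Ops"),
    ("Tier0-Ops", "member_of", "Domain Admins"),
    ("Domain Admins", "admin_on", "DC01"),
    ("Domain Admins", "can_reset_password_of", "svc-backup"),
    ("svc-backup", "admin_on", "BackupServer"),
    ("svc-backup", "can_assume", "aws-role/BackupWriter"),
    ("aws-role/BackupWriter", "can_write", "s3://corp-backups"),
    ("alice", "member_of", "Helpdesk"),
    ("Helpdesk", "can_reset_password_of", "standard-users"),
]


def parse_events(raw=RAW_EVENTS):
    """Parse the constructed log lines into dicts with timezone-aware timestamps."""
    events = []
    for line in raw.strip().splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": parts[1], "event": parts[2],
                       "ip": parts[3] if len(parts) > 3 else None})
    return events


def detect_mfa_fatigue(events, min_prompts=5, window=timedelta(minutes=10)):
    """Indicator of attack: an approval that follows >= min_prompts push prompts
    to the same user inside `window`. Thresholds are assumptions; tune them to
    your own baseline. Returns {user: details} for each hit."""
    recent = defaultdict(deque)   # user -> timestamps of prompts still inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["event"] == "mfa_prompt":
            q.append(e["ts"])
        elif e["event"] == "mfa_approved" and len(q) >= min_prompts:
            alerts[e["user"]] = {"approved_at": e["ts"], "prompts_in_window": len(q),
                                 "source_ip": e["ip"]}
    return alerts


def blast_radius(identity, edges=EDGES):
    """Everything reachable from `identity` by following entitlement edges,
    mapped to the path that reaches it (BFS, so each path is a shortest one)."""
    adj = defaultdict(list)
    for subj, rel, obj in edges:
        adj[subj].append((rel, obj))
    reached = {}
    queue = deque([(identity, [])])
    while queue:
        node, path = queue.popleft()
        for rel, nxt in adj[node]:
            if nxt not in reached:
                reached[nxt] = path + [(rel, nxt)]
                queue.append((nxt, reached[nxt]))
    return reached


def triage(raw=RAW_EVENTS, edges=EDGES):
    """Join the detection with the entitlement data: for each alerted identity,
    return what an attacker holding it could now reach."""
    return {user: blast_radius(user, edges) for user in detect_mfa_fatigue(parse_events(raw))}


if __name__ == "__main__":
    for user, reach in triage().items():
        print(f"MFA fatigue suspected for {user}; reachable:")
        for target, path in reach.items():
            print("  ", target, "via", " -> ".join(f"{r}:{n}" for r, n in path))
```

The point of joining the two halves is the one the paragraph makes: the alert alone says "bob approved a push after six prompts"; the graph turns that into "bob can reach DC01, reset svc-backup's password, assume its cloud role and write to the backup bucket", which is the list of accounts and resources a responder has to contain, in that order. Alice's single prompt and approval never trips the indicator, and her reach stops at Helpdesk rights.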
Fifth, create a playbook.
Finally, flesh out your identity threat playbook so that you have a plan of action in place for dealing with an attack when it comes.