Identity security is more important than ever. Gartner® released its first standalone report on identity threat detection and response (ITDR), “Improve Your Preparedness for Cyberattacks with Identity Threat Detection and Response,” on October 20, 2022. The full report is available from Gartner (subscription required).
Thanks to this report, security and risk management professionals now have access to new research, insights, and recommendations for addressing identity security challenges. Here are five key points you need to know about ITDR:
1. Identity is the primary vector for cyberattacks
According to Gartner, “Organizations’ reliance on their identity infrastructure to enable collaboration, remote work, and customer access to services has turned identity systems into prime targets for threat actors, with credential misuse being the most common path to security breaches in 2021.”
In recent years, organizations have had to grapple with the operational realities of a workforce that could not come into the office. The COVID-19 health crisis accelerated what should have been multi-year digital transformation initiatives into a matter of months. As with any adoption of new technology, attackers have turned their attention to exploiting this change.
According to the Identity Theft Resource Center, ransomware attacks doubled in 2020 and doubled again in 2021. This increased frequency of ransomware attacks can be partly attributed to the challenges organizations have faced in enabling remote work, the expansion of new cloud-based systems, and “zero trust” security initiatives—all of which center on identities, and attackers have proven that those identities are vulnerable to exploitation.
Research by Illusive has revealed that privileged account credentials, such as cached RDP sessions that allow remote administrators to access computers, are left exposed on more than one in ten computers. Furthermore, RDP and VPN credentials are the most popular and valuable accounts among ransomware attackers seeking initial access. The theft of cached credentials is the primary method of attack. Account takeover (ATO) attacks are widespread.
2. Identity is the new vulnerability
With the adoption of cloud computing and the need to support remote work, we often hear that identity is the new perimeter—many argue that identity is the foundation of cybersecurity. As the new perimeter, this implies that identity is also the new vulnerability, because all an attacker needs to compromise corporate resources is a single set of exposed privileged credentials.
According to Gartner, “There are many identity-related threats. Misconfigurations and vulnerabilities in the identity infrastructure can be exploited.”
Research by Illusive has revealed that these identity-related security vulnerabilities are present in 1 out of every 6 assets and are classified into three categories:
Unmanaged: Privileged accounts should be stored in privileged access management (PAM) solutions, but it can be difficult to gain the visibility needed to fully inventory these accounts. For example, 87% of local administrators are not registered in Microsoft’s “Local Administrator Password Solution.”
Misconfigured: Incorrect configurations in Active Directory and other identity and access management (IAM) solutions can lead to the creation of “ghost administrators”—users who have been granted unnecessarily high privileges due to Group Policy settings or other configuration errors, with no visibility into their permissions.
Exposed: Even when privileged identities are properly provisioned and managed, they can still become exposed during normal business operations. Cached credentials are frequently stored on endpoints and servers in memory, in logs, or on disk, where they can be extracted by commonly used attack tools.
Because they are multifaceted, identity-related risk factors can manifest in multiple ways. It’s bad enough when an identity is granted unnecessary administrator privileges; it’s worse when its password hasn’t been updated in over a year; and the worst happens when its credentials are exposed—especially if they haven’t been protected by a PAM solution.
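The three categories and the severity ladder above can be turned into a simple triage over an identity inventory. The following is an added example, not Illusive's code: it classifies each identity as unmanaged, misconfigured, and/or exposed and ranks it by the ordering in the preceding paragraph. The field names, weights and sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Identity:
    name: str
    is_admin: bool             # holds local or domain admin rights
    admin_needed: bool         # the role genuinely requires those rights
    password_set: date         # date of last password change
    pam_managed: bool          # vaulted in PAM or rotated by LAPS
    cached_on: list = field(default_factory=list)  # hosts with cached creds

def categorize(identity):
    """Return which of the page's categories apply to this identity."""
    cats = []
    if identity.is_admin and not identity.pam_managed:
        cats.append("unmanaged")       # privileged but outside PAM/LAPS
    if identity.is_admin and not identity.admin_needed:
        cats.append("misconfigured")   # a "ghost administrator"
    if identity.cached_on:
        cats.append("exposed")         # credentials left on endpoints
    return cats

def risk_score(identity, today):
    """Weights (an assumption) follow the text's ladder: unnecessary admin
    rights < stale password < exposed, worst when also unprotected by PAM."""
    score = 0
    if identity.is_admin and not identity.admin_needed:
        score += 1
    if (today - identity.password_set).days > 365:
        score += 2
    if identity.cached_on:
        score += 4 if identity.pam_managed else 6
    return score

def triage(inventory, today):
    """Rank identities highest risk first as (name, score, categories)."""
    rows = [(i.name, risk_score(i, today), categorize(i)) for i in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory: fictitious accounts and host names.
TODAY = date(2022, 11, 1)
INVENTORY = [
    Identity("svc-backup", True, False, date(2020, 6, 1), False, ["srv-01", "ws-17"]),
    Identity("alice-admin", True, True, date(2022, 10, 1), True, []),
    Identity("bob", True, False, date(2021, 9, 1), True, []),
    Identity("helpdesk", True, True, date(2022, 10, 20), False, ["ws-03"]),
]

if __name__ == "__main__":
    for name, score, cats in triage(INVENTORY, TODAY):
        print(f"{name:12} score={score} {','.join(cats) or 'clean'}")
```

The ranking places the service account that is unmanaged, over-privileged, stale and cached on two hosts first, which is the remediation order the paragraph argues for.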
3. Attackers exploit gaps between identity and security systems
The complexity of an organization’s identities necessitates the deployment of identity systems such as IAM, PAM, and MFA in multi-phase projects, leaving identities exposed until these deployments are fully completed. These deployments, which span several years, are also subject to constant changes in identities, which must be re-discovered over time for these deployments to be successful.
Furthermore, the process of discovering and auditing accounts against IT policies and other compliance requirements—such as password policies and PAM audits—is a tedious, manual, and error-prone process that is managed in spreadsheets. Beyond the cost of these labor-intensive discovery efforts, they become obsolete almost immediately, leaving organizations unaware of the extent of their vulnerable identities and unable to prioritize remediation efforts or optimize identity-related projects.
On the other hand, the behavioral analysis approach—which is increasingly used to detect cyberattacks—fails when monitoring privileged accounts for malicious activity due to the difficulty in distinguishing between an administrator’s legitimate use of a privileged account and the malicious activities of attackers who have compromised the account. This leads to false-positive and false-negative indicators of compromise (IOCs) that leave security teams in the dark. As a result, account takeover attacks regularly go undetected until it is too late to prevent the attack.
By targeting privileged accounts, threat actors can also speed up the stages of their attack. For example, during a well-known Lapsus$ ransomware attack, stolen RDP credentials allowed the attackers, once they had taken over the account, to establish persistence and escalate their privileges simply by downloading a tool from GitHub.
According to Gartner, “Conventional preventive security controls and identity and access management measures are insufficient to protect identity systems from attacks. To strengthen preparedness against cyberattacks, security and risk management leaders must add ITDR capabilities to their security infrastructure.”
4. An ounce of prevention is worth a pound of cure
Threat actors use automated attack tools, such as Mimikatz, to discover and exploit vulnerable credentials. In fact, Mimikatz was the very attack tool that Lapsus$ downloaded from GitHub to steal the cached credentials they needed to escalate their privileges.
Although these attacks may seem new, the reality is that Mimikatz is a well-known attack tool that has been documented in the MITRE ATT&CK framework since 2017. This attack by Lapsus$ and many others like it serve as evidence of how attackers’ tools enable threat actors to accelerate the stages of their attacks.
Consequently, it stands to reason that if organizations want to demonstrably reduce risk, they should focus on eliminating identity-related vulnerabilities that threat actors commonly exploit, allowing them to evade detection and carry out their attacks in just a matter of days. While this was virtually impossible in the past without automation, it can be achieved today thanks to the availability of ITDR solutions that continuously discover these vulnerabilities, prioritize their resolution based on the risks they pose, and, in some cases, automate their resolution.
According to Gartner, “Prepare for ITDR by implementing security hygiene measures, including identifying existing preventive controls and auditing your IAM infrastructure for misconfigurations, vulnerabilities, and exposures.”
5. ITDR is a top priority in cybersecurity
According to Gartner, “Modern identity threats can bypass traditional preventive identity and access management (IAM) controls, such as multi-factor authentication (MFA). This makes identity threat detection and response (ITDR) a cybersecurity priority for 2022 and beyond.”
Cybercriminals have made exploiting identity infrastructure their primary target. Their rationale for doing so has become clear following evidence of their ability to carry out privileged ATO attacks quickly and undetected.
Over the years, security and IT professionals have worked together to secure networks, endpoints, applications, and many other layers of their IT infrastructures. With attackers now focusing on exploiting vulnerable identities, organizations must now make identity security a top priority.
In conclusion, identity security has become a top priority for organizations, as cybercriminals are increasingly exploiting vulnerabilities in identity infrastructures to carry out successful attacks. Automated attack tools, such as Mimikatz, are used to discover and exploit vulnerable identities, allowing attackers to bypass traditional preventive controls such as multi-factor authentication. Identity Threat Detection and Response (ITDR) solutions have therefore become essential for discovering and eliminating these vulnerabilities, a process that can be automated using modern tools. Ultimately, it is clear that organizations must make identity security a top priority to reduce risks and prevent successful attacks.
Source: Illusive