Identity security is more important than ever. Gartner® released its first standalone Identity Threat Detection and Response (ITDR) report, "Improve your cyber-attack preparedness with identity threat detection and response", on October 20, 2022. The full report is available here (subscription required).

Thanks to this report, security and risk management professionals now have access to new research, information and recommendations for tackling identity security issues. Here are five key points you need to know about ITDR: 

    1. Identity is the main vector for cyber attacks

    According to Gartner, "organizations' reliance on their identity infrastructure to enable collaboration, remote working and customer access to services has turned identity systems into prime targets for threat actors, with the misuse of credentials being the most popular route to security breaches in 2021."

    In recent years, organizations have had to deal with the operational realities of a workforce that couldn't come into the office to work. The COVID-19 health crisis accelerated what should have been multi-year digital transformation initiatives into a few months of implementation. As with any adoption of new technology, attackers turned their attention to exploiting this change.

    According to the Identity Theft Resource Center, ransomware attacks doubled in 2020 and doubled again in 2021. This increased frequency of ransomware attacks must be partly attributed to the challenges organizations have faced in enabling remote working, expanding new cloud-based systems and launching zero-trust security initiatives, all with identities at their core; identities that attackers have repeatedly proven vulnerable to exploitation.

    Illusive's research revealed that privileged account credentials, such as cached RDP sessions that enable remote administrators to access computers, are left exposed on more than one in ten computers. Furthermore, RDP and VPN credentials are the most popular and valuable accounts among initial access brokers for ransomware attacks. Theft of cached credentials is the main method of attack, and account takeover (ATO) attacks are widespread.

    2. Identity is the new vulnerability

    With the adoption of cloud computing and the need to support working from home, we often hear that identity is the new perimeter - many argue that identity is the foundation of cybersecurity. As the new perimeter, this implies that identity is also the new vulnerability, as all an attacker needs to compromise corporate resources is a single set of exposed privileged credentials.

    According to Gartner, "identity-related threats are manifold. Identity infrastructure misconfigurations and vulnerabilities can be exploited".

    Illusive's research has revealed that these identity-related security vulnerabilities are present on 1 in 6 assets, and they are classified into three categories:

    Unmanaged: Privileged accounts must be stored in Privileged Access Management (PAM) solutions, but it can be difficult to obtain the visibility needed to fully inventory these accounts. For example, 87% of local administrators are not registered in Microsoft's Local Administrator Password Solution.

    Misconfigured: Misconfigurations in Active Directory and other identity and access management (IAM) solutions can lead to the creation of "shadow administrators", who have been granted unnecessarily high privileges through group policies or other misconfigurations without visibility into their rights.

    Exposed: Even when privileged identities are properly provisioned and managed, they can still become exposed in the course of normal business activities. Cached credentials are frequently stored on endpoints and servers in memory, in the registry or on disk, where they can be extracted by commonly used attack tools.

    Because they are multifaceted, identity-related risk factors can exist in several dimensions. It's bad when an identity is granted unnecessary administrator privileges, it's worse when its password hasn't been updated for over a year, and the worst happens when its credentials are exposed - especially if they haven't been protected by a PAM solution.
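As an added illustration (not part of the original article or of Illusive's product), the following Python script applies the ordering described above to a constructed identity inventory so that the riskiest identities surface first for remediation; the record fields, weights and sample accounts are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed record layout: one entry per privileged identity discovered in the estate.
@dataclass
class Identity:
    name: str
    is_admin: bool          # holds administrator-level privileges
    admin_justified: bool   # privilege is documented and needed (not a "shadow admin")
    password_set: date      # date of the last password change
    in_pam: bool            # vaulted by a PAM solution (e.g. LAPS for local admins)
    cached_on_hosts: int    # endpoints/servers where the credential was found cached

STALE_DAYS = 365  # the article's "password hasn't been updated for over a year"

def assess(ident, today):
    """Return (score, reasons) following the article's ordering:
    unnecessary admin < stale password < exposed credentials < exposed and not in PAM."""
    score, reasons = 0, []
    if ident.is_admin and not ident.admin_justified:
        score += 1; reasons.append("unnecessary admin privileges (shadow admin)")
    if (today - ident.password_set).days > STALE_DAYS:
        score += 2; reasons.append("password older than one year")
    if ident.cached_on_hosts > 0:
        score += 4; reasons.append(f"credentials cached on {ident.cached_on_hosts} host(s)")
        if not ident.in_pam:
            score += 8; reasons.append("exposed and not protected by PAM")
    elif ident.is_admin and not ident.in_pam:
        score += 1; reasons.append("privileged account not vaulted in PAM")
    return score, reasons

def triage(inventory, today):
    """Rank identities so the highest-risk ones are remediated first."""
    ranked = [(assess(i, today), i.name) for i in inventory]
    ranked.sort(key=lambda r: r[0][0], reverse=True)
    return [(name, score, reasons) for (score, reasons), name in ranked]

# Constructed sample inventory (fictitious accounts), assessed as of the report date.
TODAY = date(2022, 10, 20)
SAMPLE = [
    Identity("svc-backup", True, True, date(2021, 1, 15), False, 3),
    Identity("jdoe-admin", True, False, date(2022, 9, 1), True, 0),
    Identity("ws042-localadmin", True, True, date(2020, 6, 1), False, 0),
    Identity("helpdesk1", True, True, date(2022, 10, 1), True, 1),
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE, TODAY):
        print(f"{score:>3}  {name:<18} {'; '.join(reasons) or 'no findings'}")
```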

    3. Attackers exploit gaps between identity and security systems

    The complexity of an organization's identities leads to the deployment of identity systems such as IAM, PAM and MFA in multi-phase projects, leaving identities exposed until these deployments are fully completed. These multi-year deployments are also faced with constantly changing identities, which must be rediscovered over time for these deployments to be successful.

    What's more, the process of discovering and auditing accounts against IT policies and other compliance requirements, such as password policies and PAM audits, is a tedious, manual and error-prone process, maintained in spreadsheets. Beyond the cost of these labor-intensive discoveries, they are almost immediately obsolete, leaving organizations in the dark about the extent of their vulnerable identities and unable to prioritize remediation efforts or optimize identity-related projects.

    On the other hand, the behavioral analysis approach increasingly used to detect cyberattacks fails when monitoring privileged accounts for malicious activity, because it is difficult to distinguish an administrator's legitimate use of a privileged account from the nefarious activity of an attacker who has compromised it. The resulting indicators of compromise (IOCs) are riddled with false positives and false negatives that leave security teams in the dark. As a result, account takeover attacks regularly fly under the radar until it's too late to prevent the attack.

    By targeting privileged identities, threat actors can also accelerate the stages of their attack. For example, in a well-known Lapsus$ ransomware attack, RDP access credentials enabled an account takeover that established persistence and escalated privileges simply by downloading a tool from GitHub.

    According to Gartner, "Conventional preventive security and identity and access management controls are insufficient to protect identity systems from attack. To strengthen preparedness for cyberattacks, security and risk managers need to add ITDR capabilities to their security infrastructure".

    4. A gram of prevention is worth a kilogram of cure

    Threat actors use automated attack tools, such as Mimikatz, to discover and exploit vulnerable identities. In fact, Mimikatz was precisely the attack tool Lapsus$ downloaded from GitHub to steal the cached credentials they needed to escalate their privileges.

    While these attacks may seem new, the reality is that Mimikatz is a well-known attack tool that has been documented by the MITRE ATT&CK framework since 2017. This Lapsus$ attack and many others like it serve as proof of how attacker tools enable threat actors to accelerate the stages of their attack.

    Consequently, it makes sense that if organizations want to demonstrably reduce risk, they should focus on eliminating the identity-related vulnerabilities that threat actors routinely exploit to avoid detection and complete their attacks in just a few days. While this was virtually impossible in the past without automation, it can be achieved today thanks to the availability of ITDR solutions that continuously discover these vulnerabilities, prioritize their resolution according to the risks they present and, in some cases, automate their resolution.

    According to Gartner, "Prepare for ITDR with hygiene measures by mapping their existing prevention controls and auditing their IAM infrastructure for misconfigurations, vulnerabilities and exposures."

    5. ITDR is a top priority for cybersecurity

    According to Gartner, "Modern identity threats can bypass traditional preventative identity and access management (IAM) controls, such as multi-factor authentication (MFA). This makes identity threat detection and response (ITDR) a cybersecurity priority for 2022 and beyond."

    Cybercriminals have made the exploitation of identity infrastructures their primary attack objective. Their rationale for doing so has become clear: they have repeatedly proven able to carry out privileged ATO attacks rapidly and without being detected.

    Security and IT professionals have worked together over the years to secure networks, endpoints, applications and many other layers of their IT infrastructures. With attackers now focused on exploiting vulnerable identities, organizations must make securing identities a top priority.

    In conclusion, identity security has become a top priority for organizations as cybercriminals increasingly exploit identity infrastructure vulnerabilities to carry out successful attacks. Automated attack tools, such as Mimikatz, are used to discover and exploit vulnerable identities, enabling attackers to bypass traditional preventative controls such as multi-factor authentication. Identity Threat Detection and Response (ITDR) solutions have therefore become essential for discovering and eliminating these vulnerabilities, which can be automated using modern tools. Ultimately, it's clear that organizations need to make identity security a top priority to reduce risk and prevent successful attacks.

    Source : Illusive
