
Identity Protection In 2023: The Fastest Growing Cyber Threat



What Is Identity Protection?


Have you ever suspected that someone you are talking to online or within your organization is not who they claim to be? That scenario falls within the realm of identity protection, and unfortunately, it happens all the time. Identity protection is a broad area that is quickly becoming one of the highest-risk sectors in the entire security industry.


In its most basic definition, identity protection encompasses the safeguarding actions used to protect digital identities and corresponding personal data.

Anyone would be familiar with these crucial points that fall under the identity protection umbrella:



Identity Access Management (IAM) - the systems that ensure only authorized users within an organization are able to access resources specific to their job function or department.


Active Directory (AD) - Microsoft service used to store and manage company resources in a hierarchical data structure within the network. Information is organized into specific directories that are controlled by employee access. Read more about Microsoft AD here.


Privileged Accounts - accounts that possess more permissions/privileges than the average user. A privileged account can access sensitive data that is not regularly accessible to other entities. There are several different types of privileged accounts:

  1. Privileged Domains - domain admins, DHCPs

  2. Application/Service Accounts - database admins, SharePoint admins, etc. (other accounts that manage and configure application software)

  3. Local Administrators - root and administrator accounts

  4. System Accounts - accounts that control and are tied to the operating system

  5. Business Accounts - accounts specifically associated with finance or corporate users

  6. Social Media Accounts - accounts that manage an organization's social media platforms (Twitter, Instagram, Facebook, TikTok, etc.)

Stealthy Admins - privileged accounts that exist outside of the well-known protected groups and are often overlooked because they are not members of those AD groups. Read more about stealthy admins here.


Domain Admins - think of domain admins as user accounts that hold the keys to the entire "kingdom" of a network. As super-privileged members of the administrative group, domain admins are the juiciest prize for adversaries to target, because they can operate on all workstations, domain controllers, and servers (not to mention that they can also grant privileges to lesser user accounts). Read more about domain admins here.



The Numbers Speak For Themselves



While hunting for thorough and accurate statistics that reflect the alarming state of the identity threat landscape, we found that data from the current year paints identity as adversaries' number one target. The following stats are this year's most interesting highlights:


  • "Data breaches involving stolen credentials take up to 250 days to identify." - CrowdStrike

  • "Phishing and stolen/compromised credentials were the two most common initial attack vectors and led to an average cost of $4.9 million." - IBM Cost of a Data Breach Report, 2023

  • "Breaches involving stolen or compromised credentials took the longest to resolve at nearly 11 months (328 days). The mean time to contain an average breach takes about 9 months (277 days)." - IBM Cost of a Data Breach Report, 2023

  • "86% of breaches involve the use of stolen credentials." - Verizon Data Breach Investigations Report, 2023

Identity protection is something that organizations are highly concerned with, but oftentimes their investments fall short of providing full coverage. Instead, organizations are more interested in investing in integrated applications that promote product effectiveness and end-user experience; not bad things, by the way. We understand all the rage around ChatGPT and the other AI platforms that have exploded in popularity across the tech market. However, these flashy new applications distract from the real priority: protecting privileged accounts and domains.


Attack Vectors Targeting Identity


Attackers are utilizing whatever methods they can in order to access personal data. As of 2023, some of the most common attack vectors targeting identity protection include the following:


  • Phishing - Phishing attacks continue to make up the majority of successful compromises and intrusions. While the most common understanding of phishing is the act of sending a fraudulent email, there are multiple variations of this attack. Phishing can take the form of vishing (an attack performed over the telephone), smishing (sending text messages with a malicious link), whaling (targeting big names in an organization rather than lower-level employees), etc.


  • Credential Stuffing - Credential stuffing involves attackers buying or otherwise acquiring a list of previously compromised credentials from a separate data breach and using those same credentials to log into other services the victim may also use. Username and password lists are often sold on the black market, and the attack often succeeds because victims frequently have poor password hygiene.


  • Pass-The-Hash - A password hash is the output of a one-way mathematical function that converts a password into a string of non-reversible, incomprehensible text. In a PTH (pass-the-hash) attack, an attacker captures a password hash and uses it to create a new authenticated session. The adversary does not even need to crack the hash in order to move laterally to other networked systems.


  • Man-In-The-Middle- A MITM (man-in-the-middle) attack occurs when an adversary successfully intercepts a conversation between two parties, managing to relay the messages so that both parties believe they are corresponding without interference.


  • Password Spraying - Password spraying belongs to the brute-force family of attacks, but it is a method attackers use to avoid triggering account lockout. An attacker uses a short list of passwords against hundreds or even thousands of accounts.


  • Golden Ticket- A successful golden ticket attack allows an adversary virtually unlimited access to all resources in an organization's domain via Microsoft Active Directory. An adversary is able to bypass authentication protocols by exploiting weaknesses in Kerberos. Initial entry to the system is usually gained via a phishing attack and then by stealing the NTLM hash of the Active Directory Key Distribution Service Account (KRBTGT).


  • Insider Attacks - Disgruntled employees or recently terminated personnel often represent the insider threat for organizations. Cyber attacks from dissatisfied employees are something all organizations need to watch for, because insiders have the power to do the most damage. According to the 2023 Verizon Data Breach Report, internal threat actors were responsible for 99% of privilege misuse within the past year, and out of 406 separate incidents, 288 resulted in confirmed data disclosure. That being said, be careful about who you hand the keys to the kingdom.
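Several of the vectors above (password spraying and credential stuffing in particular) share one shape in authentication logs: a single source hitting many distinct accounts with only a few failures each, staying under the lockout threshold. The following Python detection is an added example, not code from the original post; the log format, the constructed sample lines, the 10-minute window and the thresholds (5 distinct users, lockout at 5) are all assumptions of this example.

```python
"""Flag password-spray style logon failures in an authentication log.

Constructed sample log (not from any real system). The line format is an
assumption made for this example:
    <ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

SAMPLE_LOG = """\
2023-10-02T08:00:01 FAIL user=alice src=203.0.113.9
2023-10-02T08:00:03 FAIL user=bob src=203.0.113.9
2023-10-02T08:00:05 FAIL user=carol src=203.0.113.9
2023-10-02T08:00:07 FAIL user=dave src=203.0.113.9
2023-10-02T08:00:09 FAIL user=erin src=203.0.113.9
2023-10-02T08:00:11 FAIL user=frank src=203.0.113.9
2023-10-02T08:00:13 SUCCESS user=frank src=203.0.113.9
2023-10-02T08:05:00 FAIL user=alice src=198.51.100.4
2023-10-02T08:05:02 FAIL user=alice src=198.51.100.4
2023-10-02T08:05:04 FAIL user=alice src=198.51.100.4
2023-10-02T08:05:06 FAIL user=alice src=198.51.100.4
2023-10-02T08:05:08 FAIL user=alice src=198.51.100.4
2023-10-02T08:30:00 SUCCESS user=bob src=192.0.2.77
"""


class Event(NamedTuple):
    ts: datetime
    result: str
    user: str
    src: str


class Finding(NamedTuple):
    src: str
    distinct_users: int
    max_failures_per_user: int
    later_successes: List[str]   # accounts that logged in from this source after the failures


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format into Event tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append(Event(datetime.fromisoformat(ts), result,
                            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=5):
    """One source, many distinct accounts, each tried fewer times than the lockout threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e.result == "FAIL"]
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e.ts - start.ts <= window]
            per_user = Counter(e.user for e in in_window)
            if len(per_user) >= min_users and max(per_user.values()) < lockout_threshold:
                # Successful logons after the spray began are the accounts to reset first
                later = sorted({e.user for e in evs if e.result == "SUCCESS" and e.ts >= start.ts})
                findings.append(Finding(src, len(per_user), max(per_user.values()), later))
                break   # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {f.src}: {f.distinct_users} accounts, "
              f"max {f.max_failures_per_user} failures each, later successes: {f.later_successes}")
```

In the sample, 203.0.113.9 is flagged (six accounts, one failure each, followed by a successful logon as frank), while 198.51.100.4 is not: five failures against a single account is a conventional brute force that the lockout policy itself handles. A per-account failure counter alone would never see the first pattern, which is exactly why spraying works.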

Biggest Organizational Weaknesses



The smartest way for organizations to increase their identity protection starts with identifying the greatest security weaknesses within the company. Many of these weaknesses affect not only identity protection but other areas as well: network security, application security, the cloud, endpoints, etc. By investing in solutions that mitigate these critical weak points, you may see more coverage across all security sectors.

  • Misconfigurations and Vulnerabilities

As one of the most common causes of identity attacks, security misconfigurations and vulnerabilities often provide an adversary with backdoor access into an organization's network. These errors surface whenever security settings are not correctly configured, such as poor network segmentation or database design. In addition to mandatory security hardening processes, ensure that all updates and patches are being installed regularly.

  • Weak/Compromised Credentials

Weak or compromised credentials accounted for 80% of cyber attacks in 2023, and that percentage is expected to get worse in the coming years. In a study conducted by Dashlane.com, the average individual has about 300 online accounts (many of them synced). Since 300 accounts is more than enough to manage, it is understandable why so many people choose to reuse their passwords. Unfortunately, this also makes it easy for attackers to compromise your credentials. For a quick check of whether your password meets security standards, try the "LUCK" technique:

LENGTH

The length of a strong password should be between 9 and 13 characters.

UNIQUENESS

Your password should be different for every account that you own, but uniquely formatted so that you don't have to remember over 300 passwords! Try using a mnemonic device to limit the number of password repeats.

COMPLEXITY

Your password should include a wide array of case-sensitive letters, numbers, and special characters that makes it difficult to guess.

KNOWN-OF-VICTIM

Never use any details in your password that obviously reveal your personal identity. This includes birthdays, pet names, favorite colors or your favorite band, etc.
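The LUCK checklist can be turned into a self-service checker. The Python below is an added example, not from the original post. Its assumptions: the length check enforces the lower bound of the 9-13 range above as a minimum and does not reject longer passwords; "uniqueness" is checked against a history of earlier passwords stored as SHA-256 digests (a real password-history store would use a salted, slow hash); the personal details and candidate passwords are constructed for the demo.

```python
"""Score a candidate password against the four LUCK criteria."""
import hashlib
import re
import string
from typing import Iterable, List, Set


def _digest(password: str) -> str:
    # Demo-only history format; see the lead-in about salted, slow hashes in practice
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _normalize(text: str) -> str:
    """Lower-case and strip separators so 'Fluffy!' and '04/12/1990' compare as 'fluffy', '04121990'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_luck(password: str, personal_details: Iterable[str],
               previous_hashes: Set[str], min_length: int = 9) -> List[str]:
    """Return the LUCK violations found; an empty list means all four checks passed."""
    problems = []

    # L - Length (minimum only; assumption of this example)
    if len(password) < min_length:
        problems.append(f"LENGTH: {len(password)} characters, need at least {min_length}")

    # U - Uniqueness: reject anything already used on another account
    if _digest(password) in previous_hashes:
        problems.append("UNIQUENESS: password was already used on another account")

    # C - Complexity: how many of the four character classes are present
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    if sum(classes) < 3:
        problems.append(f"COMPLEXITY: only {sum(classes)} of 4 character classes used")

    # K - Known-of-victim: birthdays, pet names, bands ... must not appear in the password
    normalized_pw = _normalize(password)
    for detail in personal_details:
        token = _normalize(detail)
        variants = {token}
        if token.isdigit() and len(token) == 8:   # a full date: also catch just the year
            variants.add(token[-4:])
        if len(token) >= 3 and any(v in normalized_pw for v in variants):
            problems.append(f"KNOWN-OF-VICTIM: contains '{detail}'")

    return problems


if __name__ == "__main__":
    # Constructed profile and password history for the demo
    details = ["Fluffy", "04/12/1990", "Radiohead"]
    history = {_digest("Winter2022!")}
    for candidate in ["Fluffy1990!", "Winter2022!", "correct horse", "Tr4in-Quietly#9"]:
        print(candidate, "->", check_luck(candidate, details, history) or "OK")
```

Note that "Fluffy1990!" passes length and complexity and would satisfy most composition rules, yet fails twice on the K criterion; that is the check a purely syntactic password policy never performs.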


  • Missing Encryption

The idea of encryption has been in use for centuries, but many organizations still need to catch up. Encryption is one of the most important methods of increasing privacy, and while it should be used on every surface, organizations are sometimes completely lacking it, or still using the oldest possible version. To date, the Advanced Encryption Standard (AES) for encryption and the SHA-3 hash function for hashing are the current standards that should be used.

  • Lack of MFA

Multi-factor authentication (MFA) is one of the best solutions for protecting accounts when passwords are compromised. By adding one or two extra layers of protection, an adversary would not be able to access your account without first proving who they are. MFA solutions such as Okta and Microsoft Authenticator can help your organization improve identity management by prompting every user for a verification code before signing in to a secure platform.

  • Unmanaged Privileges

Stealthy accounts and too many domain admin accounts in your network can give attackers a major advantage. As stated before, stealthy accounts often go unnoticed because they do not belong to a traditional AD admin group. The danger of having too many domain admin accounts follows the same principle as sharing too much with too many people. By limiting the number of domain admins to only essential users with the skill set of an administrator, you decrease the chance of an adversary taking control of the network. Because of these major risks, it is important to keep track of all privileged accounts in an Active Directory environment using a certified SIEM (Security Information & Event Management) system, such as CrowdStrike or McAfee.
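Keeping track of privileged accounts means answering two questions from directory data: who is an effective member of a protected group once nested groups are flattened, and who holds admin-equivalent rights over a privileged object without being in any protected group (the stealthy admins described earlier)? The Python below is an added example, not from the original post or any vendor product. The group memberships, the ACEs and the list of rights treated as admin-equivalent are constructed for the demo; in a real environment these inputs come from queries of group membership and of the DACLs on privileged objects.

```python
"""Inventory effective and stealthy admins from an AD-style directory snapshot."""
from typing import Dict, List, Set, Tuple

# Constructed snapshot: group -> direct members (users or nested groups)
GROUP_MEMBERS: Dict[str, List[str]] = {
    "Domain Admins": ["admin.jane", "Infra-Ops"],
    "Infra-Ops": ["bob.ops", "Build-Service"],
    "Build-Service": ["svc_build", "Infra-Ops"],   # nesting loop on purpose
    "Helpdesk": ["tom.help"],
}
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed ACEs on directory objects: (trustee, right, target object)
ACES: List[Tuple[str, str, str]] = [
    ("admin.jane", "GenericAll", "Domain Admins"),
    ("svc_backup", "WriteDacl", "Domain Admins"),
    ("tom.help", "ResetPassword", "admin.jane"),
    ("tom.help", "ResetPassword", "carol.user"),
]
# Rights that let the holder take over the target (assumed set for this example)
ADMIN_EQUIVALENT_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "ResetPassword"}


def expand_group(group: str, members: Dict[str, List[str]]) -> Set[str]:
    """Flatten nested membership into user principals, tolerating cycles."""
    users: Set[str] = set()
    stack, seen = [group], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for m in members.get(current, []):
            if m in members:        # a nested group, descend into it
                stack.append(m)
            else:
                users.add(m)
    return users


def protected_members(members=GROUP_MEMBERS, protected=PROTECTED_GROUPS) -> Dict[str, Set[str]]:
    """user -> protected groups of which the user is an effective member."""
    result: Dict[str, Set[str]] = {}
    for g in protected:
        for u in expand_group(g, members):
            result.setdefault(u, set()).add(g)
    return result


def stealthy_admins(aces=ACES, members=GROUP_MEMBERS, protected=PROTECTED_GROUPS) -> List[str]:
    """Trustees with admin-equivalent rights over a privileged object while
    sitting outside every protected group."""
    privileged = set(protected_members(members, protected)) | set(protected)
    stealthy = set()
    for trustee, right, target in aces:
        if right in ADMIN_EQUIVALENT_RIGHTS and target in privileged and trustee not in privileged:
            stealthy.add(trustee)
    return sorted(stealthy)


def unapproved_admins(approved: Set[str], members=GROUP_MEMBERS,
                      protected=PROTECTED_GROUPS) -> List[str]:
    """Effective protected-group members missing from the approved roster."""
    return sorted(set(protected_members(members, protected)) - approved)


if __name__ == "__main__":
    print("effective protected members:", protected_members())
    print("stealthy admins:", stealthy_admins())
    print("not on approved roster:", unapproved_admins({"admin.jane"}))
```

Two things in the snapshot are easy to miss by eye: svc_build is a Domain Admin only through two levels of nesting (and a membership loop), and tom.help, a Helpdesk account, can reset the password of a domain admin without belonging to any admin group. Running an inventory like this on a schedule and diffing it against an approved roster is the practical form of "keep track of all privileged accounts".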


Conclusion


If your organization is interested in revamping its identity protection policies, the first step forward is to gather your personnel and answer some of the most important questions relating to identity risk:

  • What are your most high-value targets and how would they be susceptible to an attack?

  • What are the financial and personal costs associated with a successful compromise?

  • How are we currently performing in identity protection? Is there simply "room for improvement" or do we need to make some drastic changes?

After discussing these topics, create an annual list of goals that helps reduce your organization's identity attack surface within one or two years. You may find that you need to reallocate organizational resources or spend some big bucks in order to meet the new list of demands, but believe us, it's worth it. Identity-based threats are never going away, and if anything, they will get worse. It is better to start building your organization's progress now and create an effective game plan to see real, improved results.

