The last few years have seen an increased acceptance that traditional perimeter-based defenses such as firewalls are not enough, and that attention needs to shift to identity security. This approach focuses on verifying the identity of users with a high degree of accuracy, working on the assumption that any account is vulnerable to misuse if compromised by a threat actor.
Even before the pandemic, it was an important strategy as enterprises pursued cloud migration, implemented more IoT devices, and expanded their use of remote working. However, identity-first security has been in the spotlight over the last year as the pandemic forced businesses to rapidly accelerate their digital transformation plans. Gartner has also identified it as one of the Top Security and Risk Management Trends for 2021.
An identity-first approach is undeniably important in a time when users are scattered across multiple locations, and it is easier than ever for threat actors to phish or brute force their way to taking control of an account. Once credentials are stolen, they will advance their attack as an imposter within the network, using this disguise to elevate their access and privileges.
Evading identity checks
Identity-first security goes beyond password policies and multi-factor authentication (MFA) to provide additional layers of identity verification. Single sign-on (SSO) is also helpful as it minimizes the number of credential sets within the organization and can dramatically simplify the adoption of MFA. Businesses should also use a zero-trust policy to tie these measures together for a risk-based approach to identity verification.
Faced with these defenses, attackers can no longer simply steal a set of login credentials and freely access the network. However, more advanced threat actors have discovered several ways around these defenses.
In one recent example, adversaries executed a multi-stage attack that entirely circumvented normal user authentication by chaining together several different vulnerabilities. As a result, the attackers could access the target’s Microsoft Exchange server, emails, and calendar, before falsely authenticating to connect to the server. From here, they could begin escalating to gain admin rights. Microsoft quickly patched this particular set of vulnerabilities upon discovery. Still, it serves to illustrate that organizations have no way of knowing when new exploits will emerge that render an MFA solution ineffective.
Exploiting the system
If security strategies solely rely on password policies and MFA, any attacker who gets through is likely to have a high degree of freedom to escalate and execute their attack. Passing this access verification layer imparts a certain level of trust in the user – a serious mistake if the user is actually a threat actor.
Supply chain attacks are one of the most prevalent instances of how attackers can exploit this trust, with the notorious SolarWinds breach being a leading example. Here, the attackers infiltrated SolarWinds’ network and tampered with the source code of its Orion software so that a Trojanised version was distributed at the next update, installing backdoor access to the networks of thousands of customers.
Again, the attackers rendered identity access management measures ineffective here as they entirely bypassed the need to log in and authenticate themselves. The SolarWinds breach also exemplified how attackers can exploit infrastructure such as SSO. The US Treasury reported that threat actors acquired the cryptographic keys to the Treasury’s SSO infrastructure in follow-up attacks after the initial breach and subsequently accessed multiple Microsoft-hosted email inboxes.
The most critical targets of identity attacks
Internal security should prioritize the most critical data sets and system assets that represent the greatest risk to the business. Active Directory should be one of the top priorities, as 90 percent of Global Fortune 1000 organizations use the system for managing permissions and controlling access to resources. Attackers that access AD will gain a huge advantage in privilege escalation and lateral movement.
However, many organizations prioritize management and accessibility over security for AD due to its critical business function. But as attackers will often head straight for AD once they get past identity access management, firms must balance accessibility with security. Businesses can start by conducting regular AD assessments to remediate exposures and monitor for identity-based attacks in real-time.
Defense-in-depth – and deception
Complex attacks such as SolarWinds involve a level of commitment and resources usually reserved for advanced persistent threat (APT) groups that have nation-state backing. However, as we have seen repeatedly, advanced attack techniques eventually become more accessible and affordable to common criminals. Accordingly, while such attacks are currently mainly the concern of high-risk targets like the public sector and financial industry, other organizations should prepare for similar tactics being used against them eventually or simply opportunistically.
Defeating attacks that bypass identity access management solutions require a defense-in-depth approach. Organizations should assume that their first line of defense will eventually be breached at some point and be ready with internal security measures to detect and block intruders within the network. Crucially, this necessitates real-time visibility of attempts to access sensitive assets, conduct unauthorized scans, or any other suspicious activity.
A more recent solution for implementing real-time identity detection and response (IDR) is the use of cloaking technology where real assets are hidden and access denied to unauthorized users. Additionally, the creation of deception environments, false copies designed to trick intruders into thinking they have breached a genuine network will mimic production assets with a high degree of realism, including interactive but worthless copies of all the assets a threat actor would expect to find.
The best deception environments serve as bait for automated scanning tools and also stand up to a degree of scrutiny by advanced human adversaries. The environment alerts the security team as soon as attackers touch it, and personnel can quickly shut down the attack while the intruders are wasting their time on the decoys. Using concealment and disinformation for high-risk assets such as AD efficiently steers attackers away from the genuine article, providing highly efficient defense and detection.
By having multiple layers of identity-based security measures, including identity detection and response technology, organizations can greatly increase their chances of catching intruders extremely early in the attack cycle and well before an adversary can cause significant damage.