Attivo Networks Blogs

Identity security may never be 100% under control, but with a focus on Active Directory, many risks can be mitigated


By Carolyn Crandall, Chief Security Advocate, Attivo Networks

The concept of a fixed network security perimeter has, in many cases, disappeared altogether. Instead, security teams rely on identity to restrict access and ensure that only authorised people can connect to centralised applications and data.

Indeed, a little less than a year ago, Gartner trumpeted the arrival of identity as the new security perimeter.

The timing of Gartner’s prediction coincided with a slow decline in the efficacy of existing perimeter protections like corporate firewalls.

Practitioners already knew that a determined attacker with enough time or resources could defeat almost any traditional security perimeter setup.

But it was the arrival of widespread remote work that pushed the traditional perimeter beyond its design limitations.

Employees are no longer ring-fenced inside one or a handful of central sites and instead have become their own little “branch office of one.” The focus has shifted to verifying that every attempt they make to access corporate resources remotely is genuine.

That inevitably leads to a broader discussion about identity and ways to protect it.

Most practitioners acknowledge that identity security is hard, and it does not get any easier against the backdrop of increasingly sophisticated attacks that target or abuse corporate identities.

Indeed, a recent study by Dimensional Research found that “confidence in the ability to secure employee identities dropped from 49% to 32% in the past year.” But the same study also found 93% of security professionals believe identity-related breaches they experienced to date were preventable.

Additionally, 97% intend to invest in identity-related security over the next two years – as both a preventative measure and a cure for the challenges of securing the workplace of 2022.

Tit-for-tat

Any account is vulnerable to misuse if compromised by a threat actor.

As circumstances scatter users across multiple locations, it is easier than ever for threat actors to phish or brute force their way to taking control of an account. Once they steal credentials, they can advance their attack as imposters within the network, using these disguises to elevate their access and privileges.

Multi-factor authentication (MFA) has already made the sign-in process more secure than a traditional username and password, and single sign-on (SSO) has reduced the number of separate credentials a user has to manage and an attacker can steal.

However, attackers have also found ways to bypass these protections, often by tricking users into handing over their passwords and one-time login codes.

Passing this access verification layer imparts a certain level of trust in the user. Anyone with the password and MFA code is likely to have a high degree of freedom to move around in the internal corporate network, a grave mistake if the “user” is actually a threat actor.

As organisations employ more defensive techniques, attackers, in turn, also use more advanced approaches to continue facilitating corporate credential theft. It’s a cat-and-mouse game familiar to all security practitioners.

In one recent example, adversaries chained several vulnerabilities in Microsoft Exchange into a multi-stage attack. The first flaw let them reach the Exchange server without valid credentials, impersonating a legitimate user to read mailboxes and calendars; further flaws in the chain let them escalate to administrative rights on the server.

Microsoft patched this particular set of vulnerabilities soon after discovery. Still, it illustrates that organisations have no way of knowing when new exploits will emerge that defeat the layered protections they have put in place.

Focusing on Active Directory pays off

Identity-first security goes beyond password policies and MFA to provide additional layers of protection.

As Gartner points out, organisations need stronger protections within the network itself to monitor the effectiveness of perimeter solutions by identifying when attackers may have circumvented them.

In reality, organisations will need to rely on a combination of perimeter security tools, identity-based, least-privilege access programs, and in-network defences capable of detecting attack escalation and lateral movement to reduce the risk of attackers breaching and abusing identities.

Protecting Active Directory (AD) should be near the top of most organisations' priority lists, as 90 percent of Global Fortune 1000 organisations use it to manage permissions and control access to resources.

Once they get past identity and access management controls, attackers will often head straight for AD, because a single compromised domain account can query most of the directory. Those who successfully access AD gain a considerable advantage in privilege escalation and lateral movement: they can map privileged groups, find service accounts whose tickets can be cracked offline, and locate systems with delegation rights.

Businesses can reduce these threats by using automated tools to run AD assessments that surface exposures such as privileged accounts with service principal names, accounts that do not require a password or Kerberos pre-authentication, and unconstrained delegation; by remediating those exposures; and by monitoring for identity-based attacks in real time.

Cloaking technology, which hides production assets such as credentials, AD objects and data from unauthorised users and denies them access, can also derail attacks early. Additionally, a deception environment that mimics production systems with a high degree of realism can trick intruders into believing they have breached the genuine network. These decoys are interactive but worthless copies of the assets a threat actor would expect to find, and because no legitimate user or process has any reason to touch them, any interaction with a decoy is a high-confidence signal of an intruder.
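The following PowerShell script is an added example written for this edit; it is not ADAssessor, ADSecure or any other Attivo code, and it is not from the original article. It puts the assessment step and the decoy step above into working form: a small AD exposure assessment, a decoy service account with a tempting SPN, and a Security-log check on a domain controller that flags Kerberoasting-style ticket requests and any request naming the decoy. It assumes the RSAT ActiveDirectory module, a domain-joined host with read rights to AD and to the domain controller's Security log, and that Kerberos service ticket auditing (event 4769) is enabled. The domain controller name, decoy account name, decoy SPN and alert threshold are hypothetical defaults.

```powershell
# Added example (not Attivo code): AD exposure assessment, a decoy service account,
# and a 4769-based check for Kerberoasting and decoy interaction.
# Assumes RSAT ActiveDirectory module; DC name, decoy name and SPN are hypothetical.
Import-Module ActiveDirectory

# userAccountControl bit flags as documented for the attribute
$PASSWD_NOTREQD         = 0x0020
$DONT_EXPIRE_PASSWORD   = 0x10000
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$DONT_REQ_PREAUTH       = 0x400000   # AS-REP roastable

function Get-AdExposures {
    # Enumerate enabled users and flag the exposures an attacker who reached AD looks for first.
    $props = 'servicePrincipalName', 'userAccountControl', 'adminCount', 'PasswordLastSet'
    foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties $props) {
        $uac = [int]$u.userAccountControl
        $findings = @()
        if ($u.servicePrincipalName.Count -gt 0) { $findings += 'SPN set (Kerberoastable)' }
        if ($uac -band $DONT_REQ_PREAUTH)        { $findings += 'Pre-auth disabled (AS-REP roastable)' }
        if ($uac -band $PASSWD_NOTREQD)          { $findings += 'Password not required' }
        if ($uac -band $TRUSTED_FOR_DELEGATION)  { $findings += 'Unconstrained delegation' }
        if (($uac -band $DONT_EXPIRE_PASSWORD) -and $u.PasswordLastSet -and
            $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $findings += 'Non-expiring password older than one year'
        }
        if ($findings.Count -eq 0) { continue }
        # adminCount=1 marks AdminSDHolder-protected (current or former privileged) objects:
        # the same exposure on a privileged account is far more serious.
        if ($u.adminCount -eq 1) { $findings += 'Privileged (adminCount=1)' }
        [pscustomobject]@{ Account = $u.SamAccountName; Findings = ($findings -join '; ') }
    }
}

function New-DecoyServiceAccount {
    # Create a service account nobody legitimately uses, carrying an attractive SPN.
    # Production never requests a ticket for it, so any 4769 naming it is a true positive.
    param([string]$Name = 'svc-sqlbackup',                                # hypothetical
          [string]$Spn  = 'MSSQLSvc/sql-backup.corp.example:1433')        # hypothetical
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $pw -Enabled $true `
        -Description 'SQL backup service' -ServicePrincipalNames $Spn -PasswordNeverExpires $true
}

function Get-TicketRequestAlerts {
    param([string]$DomainController = 'DC01',            # hypothetical DC name
          [int]$Hours = 1,
          [string]$DecoyName = 'svc-sqlbackup',          # must match New-DecoyServiceAccount
          [int]$Threshold = 5)
    # 4769 = Kerberos service ticket requested. Flatten EventData into one object per event.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time = $_.TimeCreated; Requester = $d.TargetUserName; Service = $d.ServiceName
                Client = $d.IpAddress; EncType = $d.TicketEncryptionType
            }
        }
    # Any ticket request for the decoy account is an alert on its own.
    $events | Where-Object { $_.Service -eq $DecoyName } | ForEach-Object {
        [pscustomobject]@{ Alert = 'Decoy SPN requested'; Requester = $_.Requester; Client = $_.Client; Time = $_.Time }
    }
    # A burst of RC4 (0x17) tickets for user (non-machine, non-krbtgt) SPNs from one
    # requester is the classic Kerberoasting signature; modern clients request AES.
    $events | Where-Object { $_.EncType -eq '0x17' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
        Group-Object Requester | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
            [pscustomobject]@{
                Alert = 'RC4 ticket burst'; Requester = $_.Name
                Client = ($_.Group.Client | Sort-Object -Unique) -join ','
                Time = ($_.Group.Time | Sort-Object)[-1]
            }
        }
}

Get-AdExposures | Format-Table -AutoSize
Get-TicketRequestAlerts | Format-Table -AutoSize
```

Run `Get-AdExposures` first and work the list down; `New-DecoyServiceAccount` is a one-time write to AD and needs account-creation rights. Polling the Security log with Get-WinEvent is a demonstration of the detection logic, not real-time monitoring: in production the same 4769 filter belongs in a SIEM or event-forwarding subscription. Note that once all service accounts are AES-only the RC4 signature disappears, which is exactly why the decoy, which fires on any request regardless of encryption type, is the more durable detection.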

By having multiple layers of identity-based security measures, including identity threat detection and response technology, organisations can significantly increase their chances of detecting intruders exceptionally early in the attack cycle and before an adversary can cause significant damage.

At the same time, as IT departments invest in deploying solutions to emerge stronger from the pandemic, AD and the growing area of cloud entitlements are set to become and remain essential IT infrastructure components for many years to come. Taking time to ensure that identity security is as strong as possible now and part of one’s overall security posture will help mitigate the risk of any potential attacks in the future.

Read the original article on Security Solutions.
