Identity security may never be 100% under control, but with a focus on Active Directory, many risks can be mitigated

The concept of a security perimeter has, in many cases, disappeared altogether recently. Instead, security teams rely on identity to restrict access and ensure only authorised people can connect with centralised applications and data.

Indeed, a little less than a year ago, Gartner trumpeted the arrival of identity as the new security perimeter.

The timing of Gartner’s prediction coincided with a slow decline in the efficacy of existing perimeter protections like corporate firewalls.

Practitioners already knew that a determined attacker with enough time or resources could defeat almost any traditional security perimeter setup.

But it was the arrival of widespread remote work that pushed the traditional perimeter beyond its design limitations.

Employees are no longer ring-fenced inside one or a handful of central sites and instead have become their own little “branch office of one.” The focus has shifted to verifying that every attempt they make to access corporate resources remotely is genuine.

That inevitably leads to a broader discussion about identity and ways to protect it.

Many acknowledge this space as challenging. The challenges do not get any easier against the backdrop of increasingly sophisticated attacks that seek to target or abuse corporate identities.

Indeed, a recent study by Dimensional Research found that “confidence in the ability to secure employee identities dropped from 49% to 32% in the past year.” But the same study also found 93% of security professionals believe identity-related breaches they experienced to date were preventable.

Additionally, 97% intend to invest in identity-related security over the next two years – as both a preventative measure and a cure for the challenges of securing the workplace of 2022.

Tit-for-tat

Any account is vulnerable to misuse if compromised by a threat actor.

As circumstances scatter users across multiple locations, it is easier than ever for threat actors to phish or brute force their way to taking control of an account. Once they steal credentials, they can advance their attack as imposters within the network, using these disguises to elevate their access and privileges.

Multi-factor authentication (MFA) and single sign-on (SSO) have already succeeded in making the sign-in process more secure than traditional username and password combinations.

However, attackers have also found ways to bypass these protections, often by tricking users into handing over their passwords and one-time login codes.

Passing this access verification layer imparts a certain level of trust in the user. Anyone with the password and MFA code is likely to have a high degree of freedom to move around in the internal corporate network, a grave mistake if the “user” is actually a threat actor.

As organisations employ more defensive techniques, attackers, in turn, also use more advanced approaches to continue facilitating corporate credential theft. It’s a cat-and-mouse game familiar to all security practitioners.

In a recent example, adversaries executed a multi-stage attack that circumvented basic user authentication by chaining several different vulnerabilities together. As a result, the attackers could access the target’s Microsoft Exchange server, emails, and calendar, and then authenticate falsely to the server. From there, they could begin escalating to gain admin rights.

Microsoft quickly patched this particular set of vulnerabilities upon discovery. Still, it illustrates that organisations have no way of knowing when new exploits will emerge that challenge the layered protections they put in place.

Focusing on Active Directory pays off

Identity-first security goes beyond password policies and MFA to provide additional layers of protection.

As Gartner points out, organisations need stronger protections within the network itself to monitor the effectiveness of perimeter solutions by identifying when attackers may have circumvented them.

In reality, organisations will need to rely on a combination of perimeter security tools, identity-based, least-privilege access programs, and in-network defences capable of detecting attack escalation and lateral movement to reduce the risk of attackers breaching and abusing identities.

Protecting Active Directory (AD) should be near the top of most organisations’ priority lists, as 90 percent of Global Fortune 1000 organisations use the system for managing permissions and controlling access to resources.

Once they get past identity access management provisions, attackers will often head straight for AD. Those that successfully access AD will gain a considerable advantage in privilege escalation and lateral movement.

Businesses can minimise these threats by using automated tools to run AD assessments, remediate exposures, and monitor identity-based attacks in real time.
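As an added illustration of what real-time monitoring of identity-based attacks can look like (example code, not from the article or from Attivo Networks), the script below scans a constructed stream of Windows Security events for the two patterns the article describes: a burst of failed logons (event 4625) from one source, which is brute force against a single account or a password spray across many, and an account being added to a privileged AD group (event 4728). The event IDs are real; the records, thresholds and group names are assumptions chosen for the example.

```python
"""Toy identity-attack monitor over constructed Windows Security events.
Flags (a) brute-force / password-spray bursts of failed logons (4625) and
(b) additions to a privileged AD group (4728). Event IDs are real Windows
Security event IDs; every record below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, account, source_ip, extra)
EVENTS = [
    ("2022-03-01T08:00:01", 4625, "j.doe", "10.0.0.15", ""),
    ("2022-03-01T08:00:03", 4625, "a.smith", "10.0.0.15", ""),
    ("2022-03-01T08:00:05", 4625, "b.lee", "10.0.0.15", ""),
    ("2022-03-01T08:00:07", 4625, "c.wong", "10.0.0.15", ""),
    ("2022-03-01T08:00:09", 4625, "d.kim", "10.0.0.15", ""),
    ("2022-03-01T08:00:11", 4625, "e.ng", "10.0.0.15", ""),
    ("2022-03-01T08:05:00", 4624, "svc_backup", "10.0.0.22", ""),
    ("2022-03-01T08:06:30", 4728, "svc_backup", "10.0.0.22", "Domain Admins"),
    ("2022-03-01T09:00:00", 4625, "j.doe", "10.0.0.40", ""),
]

FAIL_THRESHOLD = 5                 # assumed: failed logons per source per window
WINDOW = timedelta(minutes=5)      # assumed: sliding window length
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (alert_type, detail) tuples found in the event stream."""
    alerts = []
    failures = defaultdict(list)   # source_ip -> [(time, account), ...]
    for ts, eid, account, src, extra in sorted(events):
        t = datetime.fromisoformat(ts)
        if eid == 4625:
            # keep only failures from this source that fall inside the window
            recent = [(x, a) for x, a in failures[src] if t - x <= window]
            recent.append((t, account))
            if len(recent) >= threshold:
                # many distinct accounts from one source = spray; one account = brute force
                kind = "password_spray" if len({a for _, a in recent}) > 1 else "brute_force"
                alerts.append((kind, src))
                recent = []        # reset so one burst raises a single alert
            failures[src] = recent
        elif eid == 4728 and extra in SENSITIVE_GROUPS:
            alerts.append(("privileged_group_add", f"{account} -> {extra}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(EVENTS):
        print(f"ALERT {kind}: {detail}")
```

In production the same two rules would run over the domain controllers' forwarded Security logs rather than an inline list.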

Cloaking technology – which hides production assets such as credentials, AD objects and data, and denies access to unauthorised users – can also derail attacks early. Additionally, creating a deception environment that mimics production systems with a high degree of realism can trick intruders into thinking they have breached a genuine network. These decoys include interactive but worthless copies of all the assets a threat actor would expect to find.

By having multiple layers of identity-based security measures, including identity threat detection and response technology, organisations can significantly increase their chances of detecting intruders exceptionally early in the attack cycle and before an adversary can cause significant damage.

At the same time, as IT departments invest in deploying solutions to emerge stronger from the pandemic, AD and the growing area of cloud entitlements are set to become and remain essential IT infrastructure components for many years to come. Taking time to ensure that identity security is as strong as possible now and part of one’s overall security posture will help mitigate the risk of any potential attacks in the future.

Carolyn Crandall
Carolyn holds the roles of Chief Security Advocate and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of effectively taking companies from pre-IPO through to multi-billion-dollar sales and has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. She is recognized as a global thought leader in technology trends and for building strategies that connect technology with customers to solve difficult operational, digitalization, and security challenges. Her current focus is on breach risk mitigation by teaching organizations how to shift to an active security defense that prevents, detects, and derails cyberattacks. Carolyn is an active evangelist, blogger, byline contributor, and speaker on industry trends and security innovation. She has spoken at industry events around the world, has been a guest on Fox News, has been profiled by the San Jose Mercury News, and has received many industry recognitions including Top 25 Women in Cybersecurity 2020 & 2019 by Cyber Defense Magazine, Reboot Leadership Honoree (CIO/C-Suite) 2018 by SC Media, Marketing Hall of Femme Honoree 2018 by DMN, Business Woman of the Year 2018 by CEO Today Magazine, Cyber Security Marketer of the Year 2020 by CyberDojo (RSA), and for 10 years a Power Woman by Everything Channel (CRN). Additionally, Carolyn serves as an Advisory Board Member for the Santa Clara University Executive MBA program and co-authored the book Deception-based Threat Detection, Shifting Power to the Defenders.