Identity is now the central security battleground, writes Carolyn Crandall, Chief Security Advocate at identity detection and response product company Attivo.
The threat of attackers exploiting user identities has become increasingly prominent as organisations invest in cloud migration and remote working capabilities. Expanding IT estates have resulted in “permission sprawl” and “policy drift”, where users accrue far more access rights than they need, significantly increasing the risk posed by a compromised account.
To mitigate this threat, organisations need to ensure that mainstay tools such as Endpoint Detection and Response (EDR) get augmented by new measures that focus on identity security. One of the most effective new trends in this area is Identity Detection and Response (IDR), which focuses on credential theft and privilege misuse.
How big is the identity threat?
Identity theft and misuse are major factors in most security incidents. More attackers are now specifically attempting to hijack legitimate credentials and use them to move through the system. The 2021 Verizon Data Breach Investigations Report estimates that 61 percent of all breaches involve credential data, while 36 percent of incidents involve phishing tactics.
Permission sprawl is a prominent but often overlooked factor in these breaches. It’s common to find organisations granting entire departments blanket permissions, particularly for cloud-based assets, and rarely reviewing access levels as individuals change roles or leave the company. As a result, accounts can often access far more assets, at a higher level of privilege, than their job roles require. This means a single compromised identity can give an attacker a huge advantage for lateral movement and privilege escalation, particularly as management of these rights is usually fragmented at best.
Policy drift comes into play when policies are in place but a lack of visibility prevents organisations from seeing when those policies are not being complied with. This has both risk and compliance implications.
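The two problems described above are measurable once entitlements are compared against a role baseline. The following is an added example, not part of the article or of any Attivo product: it audits a constructed in-memory inventory of identities against an assumed least-privilege baseline per role, flagging permissions granted beyond the role (sprawl and drift), accounts that still hold rights after the person has left (orphans), and roles with no baseline at all. A real audit would pull the same three inputs from IAM/IGA exports, the cloud provider's IAM API and Active Directory.

```python
"""Entitlement audit for permission sprawl and policy drift (added example).

Constructed data: ROLE_BASELINE and SAMPLE_IDENTITIES are illustrative;
in practice they come from IAM/IGA exports, cloud IAM and the directory.
"""
from dataclasses import dataclass, field

# Assumed role baseline: the permissions each role legitimately needs.
ROLE_BASELINE = {
    "analyst": {"s3:read:reports", "bi:view"},
    "devops": {"s3:read:reports", "s3:write:reports", "ec2:admin"},
    "finance": {"erp:read", "erp:post-journal"},
}


@dataclass
class Identity:
    name: str
    role: str                 # current role per HR / directory
    granted: set = field(default_factory=set)
    active: bool = True       # False once the person has left
    human: bool = True        # service accounts and app identities are non-human


@dataclass
class Finding:
    identity: str
    kind: str                 # "excess", "orphan" or "unknown-role"
    detail: str


def audit(identities):
    """Compare each identity's granted permissions with its role baseline."""
    findings = []
    for ident in identities:
        if not ident.active:
            # Policy says leavers lose access; drift shows up as rights that remain.
            findings.append(Finding(ident.name, "orphan",
                                    f"inactive account still holds {sorted(ident.granted)}"))
            continue
        baseline = ROLE_BASELINE.get(ident.role)
        if baseline is None:
            findings.append(Finding(ident.name, "unknown-role",
                                    f"no baseline defined for role {ident.role!r}"))
            continue
        excess = ident.granted - baseline
        if excess:
            who = "non-human" if not ident.human else "human"
            findings.append(Finding(ident.name, "excess",
                                    f"{who} identity holds beyond {ident.role}: {sorted(excess)}"))
    return findings


def sprawl_ratio(identities):
    """Share of live identities (with a known role) holding rights beyond their baseline."""
    live = [i for i in identities if i.active and i.role in ROLE_BASELINE]
    if not live:
        return 0.0
    over = sum(1 for i in live if i.granted - ROLE_BASELINE[i.role])
    return over / len(live)


# Constructed sample inventory.
SAMPLE_IDENTITIES = [
    # Moved from devops to analyst; old rights were never revoked (drift).
    Identity("alice", "analyst", {"s3:read:reports", "bi:view", "ec2:admin"}),
    Identity("bob", "devops", {"s3:read:reports", "s3:write:reports", "ec2:admin"}),
    # Application identity left with default, over-broad permissions (sprawl).
    Identity("svc-report-builder", "analyst",
             {"s3:read:reports", "bi:view", "s3:write:reports", "ec2:admin"}, human=False),
    # Left the company but the account still exists (orphan).
    Identity("carol", "finance", {"erp:read"}, active=False),
    Identity("dave", "contractor", {"erp:read"}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_IDENTITIES):
        print(f"{f.kind:12} {f.identity:20} {f.detail}")
    print(f"sprawl ratio: {sprawl_ratio(SAMPLE_IDENTITIES):.2f}")
```

The ratio is a crude but useful trend metric: run the audit on a schedule and a rising value shows that access reviews are not keeping pace with role changes, which is exactly the drift the article describes.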
Identities to manage
While we naturally tend to think of human users when considering identity security, this narrow view misses the increasing number of non-human identities regularly accessing the network. Every application and system that interacts with the network has its own identity and set of permissions, and attackers can hijack and exploit these in the same manner as user accounts belonging to human personnel. Indeed, permission sprawl is usually an even more pronounced problem for non-human identities, as organisations often misconfigure or leave default access permissions for applications they never review.
The risk created by permission sprawl and poor identity management will only increase. Gartner predicts that inadequate identity, access, and privilege management will contribute to 75 percent of security failures by 2023, up from 50 percent in 2020.
So, how can organisations rein in permission sprawl and reduce their risk exposure?
Most enterprises have sought to get control of their growing roster of identities with tools such as Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA). These solutions have different capabilities but all focus on authorisation, authentication, and ensuring that users can access the assets they need for their job roles.
However, while essential to managing modern IT infrastructure, these tools tend to leave a gap in detecting credential theft and privilege misuse. This is where Identity Detection and Response (IDR) comes in. This approach focuses specifically on protecting identities, entitlements, and the systems that manage them. IDR creates visibility of credential misuse, entitlement exposures, and privilege escalation activities, spanning both endpoints and multi-cloud environments, as well as critical elements like Active Directory.
IDR is also distinct from similarly acronymic solutions such as EDR and NDR. While these solutions concentrate on detecting attacks and gathering telemetry for analysis, IDR specifically looks for attacks targeting identities.
Further, if an IDR solution detects an identity attack, it can deploy several effective countermeasures, including isolating the compromised system and even adding false decoy data sets that divert the attacker from real network assets. These deception tactics slow the attacker down and buy time for the security team to respond, and they also provide useful data on the threat actor’s methods and possible motives and targets.
In addition to detecting an active attack, broader solutions also add visibility tools that pinpoint potential attack surfaces identity tactics could exploit. For example, such a tool could highlight accounts with a high level of permissions to cloud assets, credentials stored on endpoint devices, or Active Directory misconfigurations.
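To make the detection side of IDR concrete, here is an added example that is not part of the article and not the logic of any real IDR product. It runs two simple rules over constructed authentication events in an assumed key=value log format: a non-human account (assumed to be named with an `svc-` prefix) performing an interactive logon, and an account successfully authenticating to several hosts outside its learned baseline within the window, the fan-out pattern of credential misuse for lateral movement. The per-account host baselines are assumed to have been learned during a quiet period.

```python
"""Two identity-misuse detections over constructed authentication events (added example).

The log schema below and the BASELINE dictionary are constructed for
illustration; real IDR tooling would read endpoint, AD and cloud sign-in telemetry.
"""
from collections import defaultdict

# Assumed baseline: hosts each account normally authenticates to.
BASELINE = {
    "alice": {"ws-17", "fs-01"},
    "bob": {"ws-22"},
    "svc-backup": {"fs-01", "fs-02"},
}

# Constructed sample events, one key=value record per line.
SAMPLE_LOG = """\
ts=2021-09-01T08:02:11 user=alice host=ws-17 logon=interactive result=ok
ts=2021-09-01T08:05:40 user=alice host=fs-01 logon=network result=ok
ts=2021-09-01T08:06:02 user=alice host=srv-db1 logon=network result=ok
ts=2021-09-01T08:06:09 user=alice host=srv-db2 logon=network result=ok
ts=2021-09-01T08:06:15 user=alice host=srv-ad1 logon=network result=ok
ts=2021-09-01T08:06:20 user=alice host=srv-ad2 logon=network result=fail
ts=2021-09-01T08:10:00 user=svc-backup host=fs-01 logon=service result=ok
ts=2021-09-01T08:12:30 user=svc-backup host=ws-22 logon=interactive result=ok
ts=2021-09-01T09:00:00 user=bob host=ws-22 logon=interactive result=ok
"""


def parse_event(line):
    """Turn one key=value line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_service_account(user):
    # Assumed naming convention for non-human identities.
    return user.startswith("svc-")


def detect(log_text, baseline, fanout_threshold=3):
    """Return (user, rule, detail) findings for the two rules.

    service-interactive: a non-human account used for an interactive logon.
    host-fanout: successful logons to >= fanout_threshold hosts outside the
    account's baseline, a lateral-movement pattern.
    """
    new_hosts = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        # Only successful authentications count; failures are a separate signal.
        if ev.get("result") != "ok" or "user" not in ev:
            continue
        user, host = ev["user"], ev.get("host", "?")
        if is_service_account(user) and ev.get("logon") == "interactive":
            findings.append((user, "service-interactive", f"interactive logon on {host}"))
        if host not in baseline.get(user, set()):
            new_hosts[user].add(host)
    for user, hosts in sorted(new_hosts.items()):
        if len(hosts) >= fanout_threshold:
            findings.append((user, "host-fanout", f"new hosts: {sorted(hosts)}"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in detect(SAMPLE_LOG, BASELINE):
        print(f"{rule:20} {user:12} {detail}")
```

Both rules are deliberately baseline-driven rather than signature-driven: the entitlement and behaviour baselines are what distinguish a legitimate administrator reaching new servers from a stolen credential being replayed across the estate, which is why visibility of "normal" for each identity has to come before detection.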
Growing threat to identity
The ability to detect and respond to identity-based threats is essential for securing IT infrastructure today and will only become more vital as enterprises continue to expand their IT estates and pursue further cloud migration.
Alongside approaches such as IAM for managing access and EDR for detecting malicious activity, organisations also need to look at ways of discovering and addressing attacks that specifically exploit identities.
Identity Detection and Response solutions are emerging as one of the most effective ways to respond to this challenge, enabling organisations to gain visibility of vulnerabilities in their identity management strategy and actively detect and counter identity-based attacks in real-time.