Page 211 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Identity-Based Attacks Continue to Increase
Attackers recognize that using identity-based attack methods makes it easy to circumvent traditional
perimeter defenses and directly access corporate networks. And unfortunately, credential theft has
proven to be an easy way for attackers to compromise those identities. The most recent Verizon Data
Breach Investigations Report (DBIR) indicates that credential data is now present in a staggering 61% of
attacks, highlighting the ease with which attackers can access it. Too many organizations leave credential
data exposed on the endpoints, rendering them and the systems they have access to dangerously
vulnerable.
Unfortunately, even with EDR and Identity and Access Management (IAM) systems there remain gaps in
protecting credentials, privileges, and the systems that manage them. They simply aren’t designed to
detect credential-based attacks. What’s more, the number of identities in use continues to rise, and
gaining sufficient visibility into those identities’ permissions isn’t always easy. Assigning the correct level
of access to identities can be challenging at scale, leading to overprovisioning or granting more access
than is needed to avoid workflow disruptions. On the one hand, this ensures that identities will rarely have
trouble accessing the data they need. On the other hand, an attacker who compromises an identity will
have access to much more data than they otherwise would.
Of course, attackers don’t stop at one compromised identity. Once inside the network, they will move
laterally and attempt to escalate their privileges, conduct reconnaissance, and perform other attack
activities. Most attackers will target Active Directory (AD) to achieve their goals. Since AD serves as the
primary identity service for roughly 90% of Global Fortune 1000 organizations, handling authentication
throughout the enterprise, attackers looking to escalate their attacks consider it a high-value target. If
adversaries can compromise AD, removing them from the network becomes extremely difficult.
Protecting endpoints—and, by extension, identities—is essential to prevent that from happening.
Rethinking Endpoint Security
The line between endpoints and identities has blurred: the advent of cloud services and the
proliferation of nonhuman identities have removed any clear delineation. A virtual machine in the cloud might
be both an endpoint and an identity—after all, it has permissions and entitlements that allow it to access
specific data and areas of the network. This state presents a new opportunity for attackers and forces
defenders to think of endpoint security as they would think of identity security.
Keeping endpoints secure starts with visibility. Organizations need visibility into any exposed identity
assets on endpoints, including orphaned or duplicate credentials, privileged accounts, etc. Defenders
cannot protect identities when they cannot easily see or understand exposures related to user, device,
and domain controller misconfigurations and vulnerabilities. Identifying potential attack paths from the
endpoint to Active Directory and critical servers is also essential. Once they have a good sense of the
exposures and other vulnerabilities endangering the endpoint, the organization can begin the process of
remediation.
Defenders then need to prioritize credential protection. Preventing credential theft is essential in today’s
threat environment, and organizations can take steps like binding their credentials to applications to make