Why the success of modern cyber defence hinges on identity security

During the past few years, identity has become the most common attack vector for threat actors. This is because it is easier for a cybercriminal to login to a system, rather than to hack their way in.

Threat actors essentially only need two things to penetrate an organisation: an identity and a means of accessing it — and there are numerous ways they can get that access. Identity-based attacks are becoming both more sophisticated and more frequent. However, it’s privileged identities that pose the greatest risk exposure point with the widest blast radius.

Increasingly, threat actors are recognising the easiest way to infiltrate an organisation is to compromise an identity and impersonate a machine or human account. If the threat actor is stealthy, their malicious activity is undetectable compared to normal operations, and they can move laterally across accounts, assets, data and applications without being detected.

By hijacking the right identity, such as a highly privileged one, an attacker can even achieve their ends without the use of any malware — although sometimes the actual goal itself is to install ransomware after data is exfiltrated.

Identity security, and identity in general, is the foundation upon which an organisation controls access to systems and data. Not considering identity as part of the overall security posture risks a compromise by a threat actor or a malicious insider. In the past, identity security wasn’t as high on the agenda because organisations built walled-off corporate networks and controlled access through physical office locations.

However now, with cloud, SaaS and remote working, identities have increasingly become the perimeter itself. This means a single compromised identity could easily provide the keys to the kingdom if it isn’t properly secured, and especially if that identity has significant privileges.

Effectively securing identities

To achieve effective identity security there are a number of steps that organisations need to take.

1. Improve identity visibility

Knowing where all identities are being used tends to be one of the biggest Achilles heels for companies. Not only do identities touch many parts of an organisation, many are often unseen and unmanaged, which creates risk. Having the ability to see the full spread of identities across a landscape, and the levels of privilege that are attached to them, makes it possible to effectively monitor, detect and prioritise risks.

2. Ensure staff have a strong security mindset

It’s important to ensure all employees across the business understand the impact of their actions, as human error with one’s own identity is still a main driver of breaches. However, it’s important to approach this with the right mindset. That is, employees may be a source of risk, but they are also a powerful line of defence. Training people on how to be knowledgeable and approach problems with a security mindset is key.

3. Enforce the concept of least privilege

No one should ever use root, administrator or power-user accounts or privileges without proper change control and monitoring for appropriate behaviour. Therefore, the concept of least privilege needs to be followed at all times to limit paths to privilege.

4. Beware of ‘zombie’ user accounts

Dormant, orphan or ‘zombie’ accounts, unused privileges and shared accounts all represent a goldmine to attackers, as they are valid accounts that can achieve lateral movement and privilege escalation while flying under the radar. Aim to reduce the attack surface as much as possible by removing or restricting the accounts, access and privileges to only what is absolutely necessary.

5. Consider the infrastructure

Security teams often think about protecting identities and accounts when, in reality, the account itself doesn’t matter. The privileges and paths to privilege are what matters. When it comes to protecting privilege, it’s important to think about protecting the identity infrastructure as well as the accounts.

6. Co-ordinate across the organisation

An exploit on a single identity can have far-reaching effects over several different portions of an IT environment. This is known as an identity’s ‘blast radius’. It is important to ensure data is shared across different teams, and that security leaders know who the experts are in each domain. Don’t wait until there is a possible attack to make a plan.

Rapid evolution

The identity security space is evolving rapidly and changes to protective measures are regularly required. For this reason, it’s important to have the right team of experts backing you, and trust that your team will find the right solutions to effectively mitigate the attack surfaces in your environment.

The challenges posed by identity security are going to continue to grow. By taking the necessary steps now, organisations can be best placed to ward off attacks in the future.

Image credit: iStock.com/dem10