This article was original published by BeyondTrust. You can view the article here.
An interview with cybersecurity experts from BeyondTrust: Janine Seebeck, Chief Executive Officer; Morey J. Haber, Chief Security Advisor; James Maude, Director of Research; Brad Call, Information Security Engineer; and Angela Duggan, Vice President of User Experience.
Today is Identity Management Day (IMD), a day for raising awareness about the importance of securing digital identities.
Launched in 2021 by the National Cybersecurity Alliance (NCA) and the Identity Defined Security Alliance (IDSA), IMD is designed to disseminate information and tips to help everyone, from business leaders to IT decision-makers, understand the importance of identity management and gain access to the guidance, best practices, and readily available technologies that can help ensure all access points and digital identities are secured.
The likelihood and risk associated with an identity-based attack is significant. Workplaces are less tied to a physical building and identities are much more critical in defining the workplace security perimeter. At the same time, threat actors are increasingly targeting accounts, users, and their associated identities to penetrate into organizations and advance their malicious activities.
In response to the growing risk of identity-based attacks, The topics of identity and access security, identity management, and identity threat detection and response (ITDR) have been recognized by leading strategists and security practitioners as pivotal in building comprehensive cybersecurity. For example:
- NIST Cybersecurity Framework 2.0 – The recently updated framework recognizes that Identity and Access Management (IAM) and Privileged Access Management (PAM) are not just technical safeguards, but rather strategic imperatives that underpin the security posture of modern organizations and play a critical role in securing digital assets and infrastructures in the complex, nuanced, and ever-expanding digital threat landscape.
- The National Security Agency (NSA)’s new guidance on Zero Trust – The guide emphasizes the Zero Trust network and environment pillar, which leverages identity management techniques (network segmentation, access controls, granular policy restrictions, encryption, enterprise visibility, etc.) to prevent lateral movement by cyber attackers within an organization’s network.
To help articulate why identity security has become central to cybersecurity initiatives, I’ve asked a few of BeyondTrust’s cybersecurity leaders for their biggest tips and best pieces of advice for securing digital identities against the world of threats, vulnerabilities, and attack vectors. Let’s hear what they have to say.
Q1: Why is identity an important part of an organization’s security posture?
Janine Seebeck, Chief Executive Officer, BeyondTrust
Identity is now the most common attack vector for threat actors. Previously, that title was held by software vulnerabilities, but now it is becoming substantively more common (and easy) for threat actors to log into a system, rather than to hack their way in.
Threat actors essentially only need two things to penetrate your organization: an identity and a means of access to it—and there are numerous ways they can get that access. Identity-based attacks are becoming both more sophisticated and more frequent. However, it’s those privileged identities that pose the greatest risk exposure point for organizations.
Identity security should top the list of areas security teams focus on—which is why it factors so heavily in security frameworks like NIST 2.0 and Zero Trust. Identity security is critical in helping organizations defend against today’s complex, nuanced, and ever-expanding digital threats.
Learn what’s new and what you need to know about the NIST Cybersecurity Framework 2.0
Morey J Haber, Chief Security Advisor, BeyondTrust
As we have seen traditional perimeter-based security models evolve to support a work-from-anywhere world, security of the asset itself has become less of a risk compared to the risk from Identity Security deficiencies.
Threat actors recognize the easiest way to infiltrate an organization is to compromise an identity and impersonate the account (machine or human) performing trusted operations. It has become a matter of fact that it is easier to log in versus hack in. If the threat actor is stealthy, their malicious activity is undetectable compared to normal operations, and they can move laterally across accounts, assets, data, and applications without being detected. By hijacking the right identity—such as a highly privileged on—an attacks can even achieve their ends without the use of any malware.
The theft of an identity is often accomplished via social engineering or previous data leakage. Organizations absolutely must prioritize the protection of identities and secure their privileges to mitigate the risk of modern and legacy threats alike.
James Maude, Director of Research, BeyondTrust
Everything we do in our businesses is based on identities. You can’t have a robust security posture without having control of identities. Identity security is key to being able to control who (identity) can do what (software/data access) and where (devices/assets).
Imagine if a bank didn’t check ID and just allowed anyone to withdraw from any account and you will see why identity is such an important part of a security posture. Just like in the world of banking, the identity attacks are getting more sophisticated and complex, so we need to go beyond the basics and put identity security at the front and center of our security posture.
Brad Call, Information Security Engineer, BeyondTrust
Identity is the cornerstone of an organization’s security posture. It connects an individual (or team) to rights, privileges, and data across all the tools and services used by an organization. Since there are many mature (and effective) security solutions for assets, the most successful attacks are those that target the user or identity. Identity compromise that aligns with the right privileges has become less expensive for an attacker due to identity/permissions sprawl across cloud, on-prem, and third-party solutions that provide access to company secrets, personal identifiable information (PII), and more.
Angela Duggan, Vice President of User Experience
Identity is the new attack vector. If bad actors are focused on it, security professionals need to be focused on it. If you’re not protecting identities, then you’re not fully protected.
Q2: What would you worry the most about going wrong if identity security wasn’t included in your overall security posture?
Janine Seebeck
As a CEO, one of your biggest risks is a compromise of your systems (breach) which results in impacts to customers, employees, investors and ultimately trust – which is your brand and your most important asset. It’s not a question of if you will get breached, but one of timing and severity based on whether you’ve taken the measures necessary to help defend against an attack. Remember that a breach against you is a breach against your customers. They deserve to know that you’re doing everything you can to keep their data safe because they rely on your products and services.
Morey J. Haber
If identity security wasn’t included in an organization’s overall security posture, I would worry about:
- Who has access to sensitive information and what they are doing with it.
- An identity-based supply chain attack compromising business operations and/or the products you manufacture or consume.
- The threat to your clients based on the inability to measure identity-based risks, and the damage to your reputation for failing to have a persistent presence that contains no malware or traditional indicators of compromise.
Based on these, my biggest identity-based worry is a “game over” event. This would be a breach over an extended period of time that was undetected and included massive data loss, the potential insertion of malware, and wide-spread exposure. This scenario has happened to vendors like SolarWinds, LastPass, and FireEye, and it essentially changed their businesses (for the worse). As a Chief Security Advisor (CSA), this is my biggest worry.
Learn how Midnight Blizzard breached Microsoft and how you can mitigate similar attacks
James Maude
In short, you’d have to worry about everything going wrong. Identity security and identity in general is the foundation upon which we control access, grant privileges, and know who is doing what, where.
Without identity security as part of your posture, the risks of a total compromise by a threat actor or a malicious insider—or simply an unintended misconfiguration that exposes data publicly—are huge.
In the past, identity security wasn’t quite as high on the agenda because we built walled-off corporate networks and controlled access through physical office locations, but now, with cloud, SaaS, and remote work, identities are the perimeter, and a single compromised identity could easily provide the keys to the kingdom if it isn’t properly secured—especially if that identity has privileges.
Learn how hybrid cyberthreats are exploiting digital identities
Brad Call
From credential theft to account takeover attacks, the repercussions of not having identity security in place could be severe. Inadequate identity controls could ultimately impact the CIA triad (confidentiality, integrity, and availability) internal data and compromise the trust of our customers.
Without proper identity management, threat actors could gain access to systems, personal identifiable information (PII), or other company secrets that could fundamentally force an organization to shut its doors, if not addressed properly.
Angela Duggan
Without identity security, my biggest concern would be an attacker exploiting a weak identity, or possibly even a personal account that is linked to your environment. Compromising even an unprivileged account can lead to lateral movement inside the environment across all different portions—on-premises and in the cloud.
The scariest thing to me is the possibility of a bad actor using a compromised identity to eventually get the rights to create their own identity—and attach privileges to it. Then they can use that account to fly under the radar for months!
Learn the identity attack TTPs used by threat actors like ALPHV, Scattered Spider, LAPSUS$, and more
Q3: What are your top 3 tips for how to secure identities within your organization?
Janine Seebeck
- Empower your employees with threat awareness and a strong security mindset – It’s important to ensure employees across the business understand the impact of their actions. Human error with one’s own identity is still a main driver of breaches. But it’s important to approach this from the right mindset: your employees may be a source of risk, but they are also a powerful line of defense; you just have to activate them. Training people on how to be knowledgeable and approach problems with a security mindset is key to success.
- Give yourself visibility into all your identities, and a simplified approach to access management – Knowing what and where all your identities are is one of the biggest Achilles heels for companies. Not only do identities touch many parts of your organization, but many are often unseen and unmanaged, which opens you up to risk surfaces you cannot monitor. Giving yourself the ability to see the full spread of identities across your ecosystem, and the levels of privilege that are attached to them, makes it possible for you to monitor, detect, and prioritize the risks in your organization.
- There is No “One and Done”: Given the increasing sophistication of new and emerging threats, companies can’t afford to just check a box when it comes to their security – and especially not where identity is concerned. How often do you reevaluate your security posture? What are you doing today to be both vigilant and proactive? The best offense is a good defense.
What is Identity Threat Detection & Response (ITDR) and why is it important?
Morey J. Haber
As the Chief Security Advisor (CSA) who is responsible for the security of a cybersecurity vendor, my top three tips to protect identities within any organization include:
- Enforcing the concept of least privilege across all identities and their associated accounts. No one should ever use root, administrator, or power user accounts without proper change control and monitoring for appropriate behavior.
- Ensuring best practices for Identity and Access Management (IAM) and Identity Governance and Administration (IGA) are well enforced. This includes key concepts like Multi-Factor Authentication (MFA) and Joiner, Mover, and Leaver disciplines.
- Complete asset management for physical, virtual, and conceptual-based resources, including identities, their entitlements, and all associated accounts for humans and machines.
James Maude
I am going to assume that you have the basics right here, and, if not, there is plenty of guidance online. From my research into identity attacks, I see some common themes that tend to lead to exploitation:
- Mind the gap – Attackers love to exploit disparate identity systems and trust relationships, so ensure you have good visibility of all identities and are able to monitor for changes. Think about the ways an attacker might move between roles in Microsoft 365, Okta, and AWS to discover hidden attack paths that might be traversed unnoticed.
- Beware zombies – Dormant accounts, unused privileges, shared account and machine accounts all represent a goldmine to attackers as they are valid accounts that can achieve lateral movement and privilege escalation, while flying under the radar. Try to reduce your attack surface as much as possible by removing or restricting the accounts, access, and privileges to only what is absolutely necessary.
- Think about infrastructure – We often think about protecting identities and accounts when, in reality, the account itself doesn’t matter. The privileges and paths to privilege are what matters. When it comes to protecting privilege, we need to think about protecting the identity infrastructure as well as the accounts. For example, we could have secured access to all the existing domain admin accounts; however, if there is a misconfiguration in Active Directory that allows any account to be elevated to domain admin, then there is a path to privilege that can be exploited.
How to enable Identity Threat Detection and Response (ITDR) for in-progress attacks with PAM
Brad Call
My top three tips for securing identities within an organization are:
- Enforce a global strategy for identity lifecycle management. These should include (but are not limited to) addressing the “Three As” of cyber security: Authentication, Authorization, and Accountability.
- Review technical controls and policies for both production and non-production identities. Look for gaps that could allow these controls to be bypassed.
- Continuously monitor and audit identities. Validate their alignment to your security strategy, policy, and technical controls.
Learn how securing your identity store can help stop an identity-related breach
Angela Duggan
- Get visibility into the identities and their access in your environment. There are far more identities in your environment than you realize, both machine and human, across cloud and on-premises. Be on the lookout for personal accounts linked to an identity in your organization. Those are easier to exploit and often aren’t under any kind of management.
- You need to get all identities in your environment under proper management. Make sure they only have the privileges and access they need, for the brief during when they need it, and make sure you’re reassessing that privileged access at regular intervals.
- Coordinate across the security teams in your organization. An exploit on a single identity can have far reaching effects over several different portions of your environment. Make sure you are sharing data across the different teams, make sure you know who the experts are in each domain, and make sure you are clear and aligned on how to coordinate in the case of an attack. Don’t wait until there is a possible attack to make a plan.
Learn how BeyondTrust’s modern PAM stack is evolving to include identity
Q4: Is there an attack vector or type of identity threat out there that you think organizations should be particularly mindful of as they evolve their security strategies?
Janine Seebeck
Privileged identities (those identities with elevated access/entitlements) continue to represent the biggest threat to organizations. As the foundation of your cybersecurity strategy, it is critically important to manage the privileges connected to your identities by implementing core concepts, like the principle of least privilege (PoLP) and just-in-time (JIT) access.
For privilege management to be successful, you also need to have unified visibility into the identities in your network. You need to be aware of what identities have what level of access, and you need to be able to identify when an identity is overprivileged and what should be done to resolve that issue.
You also need the ability to continuously monitor the identities in your environment so you can detect anomalies, identify threats, and quickly remove privileges from a compromised account so you can contain the compromise. Beyond having holistic visibility and control over identity security posture, you need to be able to prioritize the various risks to your environment so the most critical issues can be addressed as quickly as possible.
All of this can be done by working with trusted tools and advisors that can help you cut through the noise to focus on the greatest risk areas in your business.
Learn how to gain comprehensive visibility of the identity security risks in your organization
Morey J. Haber
The latest identity attack vector all organizations should consider has no name yet, but has already been observed in the wild. During this type of attack, no indicators of compromise exist on-premise, no malware has been detected, and normal operations occur with no degradation in performance or workflow. The attack resides within cloud-based identity and access management solutions that have been compromised, allowing a threat actor to infiltrate the organization as shadow IT administration or a hijacked account.
The behavior and changes detected are the only tangible indicator of compromise, which reinforces my previous recommendation that the entire identity fabric should be monitored for appropriate behavior. This includes API integrations, the creation of shadow IT accounts, and the generation of output not typically associated with any normal behavior. For example, a command to dump all user accounts with details from a log or an identity service provider.
These types of supply chain attacks will become more prevalent, and all organizations need to treat identity security risks just like unpatched vulnerabilities in third party solutions that will need mitigation.
Learn how to secure your identities with Identity Security Insights
James Maude
Hidden paths to privilege are the biggest threat that I see today, especially with modern hybrid environments where a user has multiple accounts and systems that make it hard to evaluate where privilege and risk exists. As an example, you could have a user with an account in Entra ID that doesn’t seem to be directly assigned any particularly dangerous privileges. They are, the owner of an Azure application which, in turn, has a service principal with the highly privileged Global Admin role. This provides a hidden path to privilege that can be exploited to take over all the data and infrastructure hosted by the company in Azure if that one seemingly unprivileged user is compromised. These threats are not fiction; they are exactly what we have seen used against Microsoft and other by nation states and criminal groups alike.
Being able to map out all these hidden paths to privilege in modern environments is very difficult to do manually, which is why attackers are successful in repeatedly exploiting them. In order to uncover these, you need a modern identity security solution that not only understands privileges, but all the paths to privilege as well.
Here’s what Midnight Blizzard’s attack on Microsoft tells us about modern identity-based attacks
Brad Call
The most common and effective identity threats revolve around targeting the user directly. These include, but are not limited to, Phishing (and all its variants), Business Email Compromise, and Password Reuse. Having a good end-user security awareness program, implementing least privilege policies, and continuously monitoring and alerting on identity-based anomalies and attacks can go a long way toward protecting identities from compromise, or at least mitigating the damaging if any level of compromise does occur.
Learn how to protect against phishing attacks by overcoming bad user behavior
What can we learn from the Hong Kong Deepfake CFO Scam?
Angela Duggan
The Okta Support Unit breach really brought into focus how real the session hijacking threat is. The scariest thing in that situation to me is the number of security tools that were unable to quickly detect or block the attack, giving the attacker enough time to create their own identity in the target environment using the compromised admin session. Attackers are smart enough to know how to make an account look real so they can fly under the radar. That means they only need access to that compromised identity for a short period of time.
Learn how BeyondTrust discovered the breach of Okta’s support unit
Q5: What is the number one piece of advice you feel not enough people know about when it comes to identity security?
Janine Seebeck
More than anything, invest in securing the identities and access within your business – from products to personnel – and think about your privileged users as a high priority; more access means more risk. The identity security space is evolving rapidly. It’s okay not to know all the answers, to ask questions, and to continually make changes to support the ever-changing threat landscape. Just make sure you have the right team of experts backing you, and trust that your team will find the right solutions to effectively mitigate the attack surfaces in your environment.
Morey J Haber
If I could provide one piece of advice for protecting any organization from identity-related security threats, I would focus on privileges. This includes the management of privileges throughout an organization and ensuring the concepts of least privilege are applied to every identity and their associated accounts. These best practices help mitigate the risk from malware, ransomware, and account-based lateral movement, and increase the difficulty for a threat actor to obtain a persistent presence.
Learn how to advance your zero trust posture with Privileged Access Management (PAM)
James Maude
Cyberattacks are not magic. When faced with a barrage of cyber threats, it can often feel like compromise is an inevitability. In reality, a compromised identity is usually only as dangerous as the privileges assigned to it or the paths to privilege available to it. Many attacks only succeed because they were able to compromise a highly privileged user that allowed them to gain widespread access and control of systems. Don’t lose sight of the identity attack surface by chasing down advanced detection and response capabilities when you could be proactively reducing the risk though the principle of least privilege.
Brad Call
One critical piece of advice often overlooked is the significance of regularly monitoring and analyzing behavior for anomalies. This applies not only to users, but also to non-human identities, like service accounts and applications. By looking for out-of-scope or unusual actions, organizations can detect suspicious activities indicative of account compromise before they escalate into full-blown security incidents.
Angela Duggan
One important piece of advice is, while the principles and controls behind privileged access management are still highly important in securing against modern identity-based threats, you should be aware that traditional PAM alone (i.e. vaulting), and especially point solutions, might not be giving you complete visibility when it comes to identities in your environment. Modern PAM stacks should be evolving to include an identity awareness component that can add an important extra layer of visibility and protection.
Attackers are smart, and they will continue to innovate. The work-from-anywhere and bring-you-own-device (BYOD) world that COVID-19 has amplified continues to have a profound impact on the way people work, authenticate, and access your environment. It’s adding many new access points and possible links to accounts you have no management over. You must stay on top of it and continue to innovate—and look for PAM tools that have continued to evolve to address these potential gaps in your environment.
Q6: What final words of wisdom do you want to leave our readers with this Identity Management Day?
Janine Seebeck
Below are some core truths about identity security that inform the way we think about cybersecurity at BeyondTrust, and how we strategize and innovate solutions that will help our customers solve their biggest challenges:
- Identities are not all the same: privileged identities offer the keys to the kingdom.
- Today’s hackers don’t “hack in”—they “log In.”
- Threat actors don’t sleep—neither should your privileged identity solutions.
- Identity protection is a living system: it’s continuous, dynamic, and situational.
Morey J Haber
On identity management day, please consider a newer concept called the identity fabric when designing identity security for your organization. The identity fabric refers to the concept of identity security when it is applied across all workflows, requirements, stakeholders, and solutions within an IAM deployment. It is the integration of technology, people, and policy that provides efficiency to identity management within an organization. If not properly designed and secure in itself, your identity fabric can lead to gaps in your security infrastructure that either result in a poor user experience or lead to exploitation and compromise.
Learn how to build a PAM strategy to mature your identity fabric
James Maude
“Your identity is your most valuable possession. Protect it.” – Elastigirl, The Incredibles.
Brad Call
Password reuse is a big issue that does not get enough attention. As threat actors gain access to data breaches (often containing a username or email address combined with a password), they will take this information and attack those identities across other services that were not included in that specific breach.
Angela Duggan
Saying that people are the weakest link is a cop-out. Humans make mistakes, can be misled, and don’t always have all the information they need to make the best decision in the moment. Blaming them for being the initial access point of an attack isn’t fair and isn’t going to keep your environment secure. Security professionals need to meet their end users where they are and explain why certain practices are in place. This will avoid workarounds and increase compliance.
No one wants to follow rules they don’t understand, especially when those rules make their day-to-day life difficult. Security teams need to work with end users to understand their pain points, and work together to remove friction. Security teams must strive to remain open and be perceived as accessible, understanding, and judgment-free so that end-users feel comfortable asking questions and coming forward when they think they may have made a mistake.
Ease is the single best indicator of behavior. If you make something easy, people are more likely to do it. Attackers already know this; security professionals need to understand it, too.
Learn how to improve your security posture by incorporating User Experience (UX) at the foundation
How can you participate in Identity Management Day this year?
The best way to promote and embrace Identity Management Day is by making sure your identity, and all the identities tied to your organization, are as secure as possible. Run a free assessment on your environment today to gain visibility into the identities in your organization, access intelligent identity security recommendations, and continue to monitor your identity fabric for the next 90 days. Click here to learn more about how BeyondTrust solutions can help you build towards a robust and identity-centric security posture.
Make sure you also head over to Identity Management Day 2024 to join this year’s event, access identity security resources, and become an identity champion.