Milad Aslaner, Senior Director Global Field CISO at SentinelOne, explains how embracing new approaches helps ensure that organisations are protected against identity-based attacks.
Across industries and sectors, digital identities have become an essential part of doing business. More than just a way to log in to IT, they have become a way to record access, build trust and manage relationships. But the massive adoption of remote working has meant that the number of digital identities has exploded, and opportunistic cyber attackers are launching new and improved cyberattacks based on identity.
Traditional identity management tools such as Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) are no longer sufficient security controls on their own to defend against today’s cyberattacks on both human and machine identities (machine identities are keys, certificates or other identifiers that enable servers, applications, and other network resources to perform certain actions).
As a result, security leaders have made identity protection and management a top priority, and are looking at new strategies to better detect and respond to identity-based threats, like ITDR (Identity Threat Detection and Response) – a discipline of identity cybersecurity.
Background of identity-based attacks
Over the past few years, the frequency of ransomware attacks has doubled, and the ‘human element’ is the primary means of initial access in 82% of breaches per the 2022 Verizon Data Breach Investigations Report. Social engineering and stolen credentials have emerged as key threat actor techniques, with attackers attempting to obtain valid credentials and move stealthily through enterprise networks without being detected.
Threat actors are after sensitive data and the volume of attacks on identity has grown significantly. PayPal reported a data breach after threat actors utilised bots to ‘stuff’ their way into login portals by using massive lists of leaked usernames and passwords – known as credential stuffing. The breach impacted nearly 35,000 account holders, with threat actors having accessed their full names, birthdays, mailing addresses, social security numbers, and tax identification numbers.
Also, authentication services provider Okta fell victim to a supply chain attack where a laptop belonging to a third-party engineer was compromised. This led to five days of unauthorised access by threat actors. During that time, the attackers were able to gain entry into Okta’s customer support panel and internal Slack server. Because the compromised account had ‘super admin’ access, attackers were able to initiate password resets for Okta’s end customers.
Identity-based attacks were a major source of reported security incidents in 2022. Unfortunately, attackers are still exploiting this attack surface, posing a direct risk to enterprises.
Growing identity attack surface
There are several challenges businesses face when it comes to securing digital identities.
Limited investment in identity modernisation: While many organisations are adopting cloud-based identity architectures, small to medium-sized businesses are often still resistant to doing so due to budgetary constraints, concerns about onboarding delays, lack of change management processes, and more.
Fragmented approach to identity management and security: In many organisations, responsibility for identity management and security is split between senior leadership and multiple teams.
Changing data privacy regulations and controls: Because identity and data privacy overlap, business leaders need to ensure that the handling of data around digital identities complies with local mandates, such as the European Union’s GDPR, and if they are trading abroad, also with other region-specific regulations and frameworks such as the NIST Privacy Framework, ISO/IEC 27701:2019 and the Personal Information Protection and Electronic Documents Act (PIPEDA). Ever-evolving regulations are adding another layer of complexity to digital identity management.
What’s more, password-based authentication systems are inherently risky due to attack techniques like brute force (trying every possible combination of characters until the correct password is discovered), password spraying (attempting a small number of commonly used passwords against many accounts), and credential stuffing (replaying username and password pairs leaked from other breaches). Organisations must enforce strict password hygiene and multi-factor authentication to protect against identity-based attacks. Organisations are also vulnerable to user-generated risks, such as people reusing the same passwords across multiple accounts, forgetting passwords, or storing passwords in unsafe places.
Limitations of legacy identity management tools
Existing identity security solutions like Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) focus on limiting access to only what users need. These tools perform continuous verification, with authorisation and authentication as their main functions.
Traditional identity solutions, like IAM, still leave room for attacks. IAM, which focuses on provisioning, connecting, and controlling identity access, is just the starting point for identity security. It does not extend beyond the initial authentication and access control to other identity aspects such as credential misuse or privilege escalation from the endpoint into cloud and Active Directory (AD) environments.
Active Directory is a prime target for attackers, as it contains crucial elements of identity. And as organisations migrate to the cloud at a rapid pace, additional security challenges arise as IT teams struggle to quickly provision access across their environments. Considering the vulnerabilities of Active Directory, alongside the tendency of cloud environments to be misconfigured, it is clear that simply provisioning and managing access to resources is not enough to ensure security, and an additional layer of protection is needed.
Securing identities from attacks is not just about managing user access, policing governance, or locking down exclusive privileges. Assessing security gaps from an identity standpoint has become essential for organisations. This includes proactively looking at root causes and thwarting identity-based threats before they become full-scale security events.
Since identity is one of the most frequently attacked elements of digital infrastructure, organisations are increasingly moving towards a proactive defence of the entire infrastructure, armed with innovative solutions geared specifically to identifying identity-related indicators of compromise. These tools are able to stop threat actors before they can gain unauthorised access or raise their privileges in a victim’s network.
How and why new ITDR tools can help to close cybersecurity gaps
ITDR has emerged as a new security discipline protecting the infrastructure where identities are managed and used. ITDR complements other advanced security solutions like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), which help organisations detect and respond to endpoint threats (EDR) and threats across their entire digital estate (XDR).
ITDR is focused on safeguarding credentials, privileges, cloud entitlements, and the systems that manage them, which are often targeted by cybercriminals. This approach helps to fill a gap in the identity threat landscape and strengthens the overall security of an organisation.
Proactively detect and prevent identity-based threats: ITDR actively monitors for attacks targeting identity vectors, detecting credential theft, signs of privilege misuse, and malicious actions in Active Directory (AD). Adding another layer of detection for phishing attacks that target victims’ identity information further enhances an organisation’s cyber defences and enables it to proactively detect and prevent identity-based threats.
Thwart attack progression: ITDR solutions are levelling up protection by redirecting attackers to pre-set decoys, automatically isolating affected systems, and stopping them from moving laterally into other networks. Having a security solution in place that detects advanced attack techniques such as lateral movement inside an organisation’s network, data centre, cloud environment, remote site, or branch offices bolsters security.
Build long-term cyber resilience: ITDR also aids forensic data collection, as it gathers key telemetry on processes used in attacks. This type of intelligence can be analysed and used by technical teams to strengthen weak policies and processes.
Extend protection to cloud environments: Cloud environments can lead to permissions sprawl, where teams are granted access to more applications, data, or systems than they actually need to perform their roles. This can result in an abundance of unnecessary permissions, which increases security risks and overwhelms the IT teams that manage them. ITDR solutions extend to cloud environments by delivering visibility into risky entitlements that may open up opportunities to attackers.
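As an added illustration of the detection side of what ITDR monitors (example code written for this page, not SentinelOne’s code or anything from the original article), the script below reads a constructed authentication log and classifies each source address into the password spraying and brute-force patterns defined earlier; the log format, the sample entries and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system). The
# "<timestamp> <user> <source-ip> <OK|FAIL>" schema is an assumption.
SAMPLE_LOG = """\
2023-03-01T09:00:01 alice 10.0.0.5 FAIL
2023-03-01T09:00:02 bob 10.0.0.5 FAIL
2023-03-01T09:00:03 carol 10.0.0.5 FAIL
2023-03-01T09:00:04 dave 10.0.0.5 FAIL
2023-03-01T09:00:05 erin 10.0.0.5 FAIL
2023-03-01T09:01:00 carol 10.0.0.9 FAIL
2023-03-01T09:01:01 carol 10.0.0.9 FAIL
2023-03-01T09:01:02 carol 10.0.0.9 FAIL
2023-03-01T09:01:03 carol 10.0.0.9 FAIL
2023-03-01T09:01:04 carol 10.0.0.9 FAIL
2023-03-01T09:01:05 carol 10.0.0.9 FAIL
2023-03-01T09:02:00 alice 10.0.0.20 FAIL
2023-03-01T09:02:05 alice 10.0.0.20 OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")

def parse_log(text):
    """Return (ts, user, src, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events

def classify_sources(events, spray_min_users=5, brute_min_fails=6):
    """Per-source heuristic verdict. Thresholds are assumed, not from the page."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> fail count
    for _ts, user, src, result in events:
        if result == "FAIL":
            fails[src][user] += 1
    verdicts = {}
    for src, per_user in fails.items():
        distinct_users, worst = len(per_user), max(per_user.values())
        if distinct_users >= spray_min_users and worst <= 2:
            verdicts[src] = "password_spraying"  # few guesses each, many accounts
        elif distinct_users == 1 and worst >= brute_min_fails:
            verdicts[src] = "brute_force"        # many guesses, one account
        else:
            verdicts[src] = "benign"
    return verdicts
```

A single failed login followed by a success (10.0.0.20 above) stays benign, which is the kind of ordinary user mistake the article distinguishes from an attack pattern.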
As identity-based threats continue to increase across all industries, it is crucial for business leaders to prioritise cybersecurity strategies and solutions that place identity protection front and centre. Embracing new approaches like ITDR helps ensure that organisations are equipped to protect themselves against mounting identity-based attacks, manage machine and user identities at scale, meet regulatory compliance requirements, and strengthen client trust.
Digital identities are critical to the functioning of organisations. Investing in robust identity management is essential in preventing cyberattacks, and could mean the difference between fending off an attack or giving adversaries the keys to the kingdom.