Global Banking & Finance Review®

    Original content: Global Banking and Finance Review - https://www.globalbankingandfinance.com

    Understanding and Managing Identity Risk

    Published by Jessica Weisman-Pitts

    Posted on April 12, 2022

    Last updated: February 7, 2026

    By Wade Lance, Field CTO at Illusive

    Nation-state sponsored advanced persistent threats (APTs) and financially motivated ransomware gangs might have different agendas, but one common denominator characterises the headline-grabbing cyberattacks of recent years: the exploitation of identity risk. Despite this, organisations still lag when it comes to managing this crucial piece of the security puzzle.

    One of the reasons why identity risk is so hard to manage is that it is continuously and accidentally created by day-to-day IT operations. It is a natural byproduct of the processes that need to happen for an enterprise to run, but it is also the number one attack vector for threat actors, so much so that as many as 79% of organisations experienced an identity breach in 2021. Unmanaged, misconfigured and exposed identity risks are ubiquitous, and can be found on as many as one in six corporate endpoints, even when there is an IAM (Identity Access Management) solution in place.

    These vulnerable endpoints are exactly what attackers look for to gain a foothold in the corporate network before escalating privileges to reach the assets they are after. Even the world’s largest financial service providers, retailers, and healthcare providers, who have mature cybersecurity and risk management programs and advanced tools at their disposal, remain vulnerable to identity risk. It is a visibility issue: much as organisations need vulnerability scanning to discover vulnerable applications and devices, they need a way to discover identity risk, yet enterprises are unable to control such a dynamic entity as identity.

    Unmanaged Identity Risk

    Local admins that are unknown to identity management systems, local admin passwords that are outdated (or, in some cases, never set in the first place), and temp or test admin accounts are all examples of unmanaged identity risk.

    Each of these could allow an attacker to elevate their privileges to gain control of a domain, often without triggering any sort of alert. After all, if the malicious account used to move through the network is legitimate, then why should threat detection systems flag its behaviour as suspicious?

    What’s most worrying is that, according to a recent report, as many as 87% of local admins are not enrolled in a privileged account management (PAM) solution, despite having access to high-level systems and processes. This disregard for basic identity security practices is also reflected in the fact that nearly 1 in 5 local admins are using passwords that are older than five years.

    Basic cybersecurity hygiene dictates that admin passwords should be changed every 90 days, but if an admin account isn’t enrolled in a PAM solution, there is no way for IT and security teams to know that these privileged accounts exist, let alone that their password hasn’t been changed. Attackers know of this visibility issue. APT38, a division of the North Korean Lazarus Group, is an example: knowing that organisations still struggle with password security, they initiate their financially motivated campaigns with brute force attacks that rely on poor password hygiene to work.
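
An added example, not from the article or from Illusive: one way to surface the unmanaged local admins described above is to reconcile a local admin inventory collected from endpoints against the PAM enrollment list and the 90-day rotation rule. The hosts, accounts, field names and the temp/test name markers are constructed assumptions.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90        # rotation interval cited in the article
TEMP_MARKERS = ("temp", "test")   # assumed naming hints for temp/test accounts

# Constructed inventory: local admin accounts as collected from endpoints.
LOCAL_ADMINS = [
    {"host": "WS-0141", "account": "Administrator", "pwd_last_set": date(2016, 3, 2)},
    {"host": "WS-0141", "account": "helpdesk-adm", "pwd_last_set": date(2022, 2, 20)},
    {"host": "SRV-DB02", "account": "test_admin", "pwd_last_set": None},
    {"host": "SRV-APP7", "account": "svc-backup", "pwd_last_set": date(2021, 9, 1)},
]
# Constructed PAM export: (host, account) pairs the PAM solution manages.
PAM_ENROLLED = {("WS-0141", "helpdesk-adm"), ("SRV-APP7", "svc-backup")}


def audit_local_admins(admins, enrolled, today):
    """Return (host, account, reasons) for every local admin with a finding."""
    findings = []
    for admin in admins:
        reasons = []
        # Invisible to IT: the account exists on the endpoint but not in PAM.
        if (admin["host"], admin["account"]) not in enrolled:
            reasons.append("not enrolled in PAM")
        # Password never set, or older than the rotation interval.
        if admin["pwd_last_set"] is None:
            reasons.append("password never set")
        else:
            age = (today - admin["pwd_last_set"]).days
            if age > MAX_PASSWORD_AGE_DAYS:
                reasons.append(f"password {age} days old")
        # Leftover temp/test admin accounts, matched by name only.
        if any(marker in admin["account"].lower() for marker in TEMP_MARKERS):
            reasons.append("temp/test account")
        if reasons:
            findings.append((admin["host"], admin["account"], reasons))
    return findings


if __name__ == "__main__":
    for host, account, reasons in audit_local_admins(
            LOCAL_ADMINS, PAM_ENROLLED, date(2022, 4, 12)):
        print(f"{host}\\{account}: {', '.join(reasons)}")
```

Note that an account can be enrolled in PAM and still appear in the findings when its password has aged past the rotation interval, so the two checks are reported independently.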

    Shadow Admins: What is Misconfigured Identity Risk?

    On top of unmanaged identity risk, enterprises also need to account for what we call “shadow admins.” Just like shadow IT systems are deployed beyond the visibility of the central IT department, shadow admins are those identities that are provisioned or granted higher privileges outside the visibility of IT teams. This happens unintentionally, usually for the sake of speeding up operations.

    One such example could be an employee who is promoted or transferred out of the IT department but who created privileged users with their account: they would still have control over these privileged users, despite no longer serving as an admin. This happens more often than IT teams would like to believe and could result in a destructive breach. Should an attacker get access to this sort of account, they could easily escalate privileges and reach domain admin.

    In as many as 40% of the cases, these shadow admins could be exploited in one step, meaning that an attacker is literally one password reset (or any number of other simple admin actions) away from reaching domain admin. In 10% of the cases, shadow admins already have Domain Admin privileges, making them low-hanging fruit for attackers who can just run automated discovery tools to identify and exploit them.

    Best practice guidelines exist: all admin accounts should be created by being added directly to a privileged group. This often doesn’t happen because IT teams lack the visibility they need, both into user privileges and into user activity. It’s also true that the entropy of an Active Directory increases with use, as employees will always find the path of least resistance to complete their day-to-day tasks.
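
An added example, not from the article or from Illusive: shadow admin discovery as a graph audit, walking outward from the privileged group over delegated rights to count how many admin actions separate each ordinary account from Domain Admins. The directory snapshot, account names and the simplified right labels (ResetPassword, AddMember) are constructed assumptions.

```python
from collections import deque

PRIVILEGED_GROUPS = {"Domain Admins"}

# Constructed directory snapshot: user -> groups it belongs to.
MEMBER_OF = {
    "da-alice": ["Domain Admins"],
    "svc-deploy": [],
    "j.moved": [],              # transferred out of IT, rights never revoked
    "helpdesk-bob": ["Helpdesk"],
    "intern-eve": [],
}
# Constructed delegated rights as read from object ACLs: (holder, right, target).
CONTROL = [
    ("j.moved", "ResetPassword", "da-alice"),
    ("Helpdesk", "ResetPassword", "svc-deploy"),
    ("svc-deploy", "AddMember", "Domain Admins"),
]


def shadow_admins(member_of, control, privileged_groups):
    """Return {user: steps} for users outside privileged groups that can reach one.

    steps is the number of delegated admin actions needed; 0 means already
    privileged and is filtered out. Users with no path are absent.
    """
    inf = float("inf")
    steps = {group: 0 for group in privileged_groups}
    queue = deque(privileged_groups)
    while queue:
        node = queue.popleft()
        # Whoever holds a right over `node` is one admin action further away.
        for holder, _right, target in control:
            if target == node and steps[node] + 1 < steps.get(holder, inf):
                steps[holder] = steps[node] + 1
                queue.append(holder)
        # Members inherit their group's distance at no extra cost.
        for user, groups in member_of.items():
            if node in groups and steps[node] < steps.get(user, inf):
                steps[user] = steps[node]
                queue.appendleft(user)
    return {p: s for p, s in steps.items() if p in member_of and s >= 1}


if __name__ == "__main__":
    for user, hops in sorted(shadow_admins(MEMBER_OF, CONTROL, PRIVILEGED_GROUPS).items()):
        print(f"{user}: {hops} step(s) from {', '.join(PRIVILEGED_GROUPS)}")
```

Accounts reported at one step are the "one password reset away" case; each finding is remediated by removing the delegated right or moving the account into a managed privileged group.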

    Passwords on a sticky note: Exposed Identity Risks

    Employees will save cached credentials, store them in-app, in OS password stores, and in disconnected or “hanging” remote desktop protocol (RDP) sessions, leaving them exposed and vulnerable to exploitation. These practices are common and are difficult for IT teams to track. They are the equivalent of keeping track of passwords by writing them on a sticky note and leaving it on the office desk, but they are much worse in that, unlike a sticky note, these can be accessed and compromised remotely.

    Exposed identities aren’t just those of regular users: privileged account passwords are left exposed on 13% of endpoints. Each of these exposed credentials can lead to a full-fledged ransomware attack, as an attacker could easily reach sensitive servers and gain access to an organisation’s crown jewels. Attackers even go as far as to steal these credentials and then sell them for a profit: RDP and VPN credentials are the most common and valuable access listings available on darknet and ransomware forums.

    Despite the pervasiveness of exposed credentials, remediating the risk they pose is very straightforward – it is just a matter of removing the credentials from the endpoint. The problem is always one of visibility: organisations don’t know that these privileged credentials have been improperly stored, therefore they don’t take the necessary steps for cleaning up their endpoints.

    The answer: automated, continuous discovery and mitigation

    It’s one of the mantras in security that organisations “can’t protect what they don’t know exists,” and this is especially true when it comes to identity risk. Unmanaged, misconfigured and exposed identities often overlap and intersect, with misconfigured admin credentials being left exposed and actively exploitable.

    The challenge for security teams is precisely one of visibility: they need to be aware of the identity risk in their environment in order to be able to mitigate it. Some organisations choose to do annual audits and red team exercises, which are useful to a certain extent, but certainly won’t cover today’s dynamically changing attack surface.

    For this reason, the same approach should be taken to managing identity risk as many organisations take to managing vulnerabilities, which is to continuously scan the entire surface. Just as in vulnerability management scans run automatically and alerts are raised when an issue is found, security teams need the help of automation to maintain ongoing visibility over the number one attack vector: identities.

    Frequently Asked Questions about Understanding and Managing Identity Risk

    1. What is identity risk?

    Identity risk refers to the potential for unauthorized access to sensitive information or systems due to mismanagement or exposure of user identities.

    2. What is a privileged account management (PAM) solution?

    A privileged account management (PAM) solution is a security tool designed to manage and monitor access to critical systems by users with elevated privileges.

    3. What are shadow admins?

    Shadow admins are user accounts that have been granted administrative privileges without proper oversight, often leading to security vulnerabilities.
