Thinking Ahead of Attackers

A CISO Perspective on Identity Threats 


Compromised credentials and commandeered accounts can act as skeleton keys to your networks and corporate systems. With such a lucrative reward on offer, cyber criminals are increasingly focusing their attacks on your identities in order to exfiltrate data, take over IT environments and launch ransomware attacks.  

To gain a deeper understanding of how industry leaders are tackling this shift in the threat landscape, I recently participated in a webinar led by Proofpoint executives Tim Choi, group vice president of product marketing, and Ofer Israeli, group vice president and general manager, Identity Threat Defense. 

We discussed why identity attacks are a growing problem, the challenges of identifying vulnerable users, and how to protect people and data from attacks that use compromised accounts.  

The ease that compromised identities offer 

Our industry uses the term “people-centric” a lot. We know that attackers target people so they can launch ransomware campaigns or exfiltrate data. But for today’s cyber criminals, that is no longer the end of the matter.  

Threat actors now target people in order to compromise identities. They use those identities to elevate their access and privileges, then move laterally within the organization to gather intelligence, launch further attacks and steal more data.  

Thanks to tools like Mimikatz, which extracts credentials from memory, and BloodHound, which maps hidden relationships, user permissions and attack paths through Active Directory, the whole process of targeting identities, stealing credentials and escalating privileges is now very simple.  

Understanding high-risk identities  

Malicious actors need to know two things to increase the chances of a successful attack: where the data is that they want, and which identity will give them access to it.  

Most of the time, the answer to the latter is a service account. These accounts are not always protected by a privileged access management solution. They often have access to many different files and systems, and their static passwords are rarely, if ever, rotated.  

Regular users who are shadow administrators are also very high-risk identities. They are not usually marked as privileged, but they have often inherited all kinds of access through complicated, nested Active Directory group memberships that are very hard to follow.  
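To make the two risk classes above concrete, here is an added Python example (not Proofpoint's code and not from the webinar) that walks a constructed Active Directory snapshot: it resolves nested group membership, including the circular nesting AD permits, to find shadow administrators who reach Domain Admins only through a chain of groups, and it flags service accounts whose passwords never expire or have not been rotated. The group names, user names, attribute fields and the report date are all made up for illustration; in practice the data would come from an LDAP export or Get-ADUser / Get-ADGroup.

```python
from datetime import date

# Constructed directory snapshot (not real data): group -> direct members.
# A member that is itself a key in GROUPS is a nested group, otherwise a user.
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["Backup-Operators-Legacy", "svc-backup"],
    "Backup-Operators-Legacy": ["bob", "Helpdesk-L3"],
    "Helpdesk-L3": ["carol", "Tier0-Ops"],  # circular nesting; AD permits this
    "Finance-Users": ["dave"],
}

# Constructed user attributes, a subset of what AD exposes
# (pwdLastSet and the DONT_EXPIRE_PASSWORD flag in userAccountControl).
USERS = {
    "alice": {"service_account": False, "pwd_never_expires": False, "pwd_last_set": date(2024, 5, 1)},
    "bob": {"service_account": False, "pwd_never_expires": False, "pwd_last_set": date(2024, 4, 12)},
    "carol": {"service_account": False, "pwd_never_expires": False, "pwd_last_set": date(2024, 3, 20)},
    "dave": {"service_account": False, "pwd_never_expires": False, "pwd_last_set": date(2024, 5, 9)},
    "svc-backup": {"service_account": True, "pwd_never_expires": True, "pwd_last_set": date(2019, 1, 15)},
}

PRIVILEGED_GROUPS = ("Domain Admins",)  # extend with Enterprise Admins, Schema Admins, ...
REPORT_DATE = date(2024, 6, 1)  # constructed "today" so the example is reproducible


def effective_members(group, groups):
    """Return {user: [group chain]} for every user who is a member of `group`
    directly or through any depth of nested groups. Visited groups are
    tracked so circular nesting cannot loop forever."""
    result = {}
    stack = [(group, [group])]
    seen = {group}
    while stack:
        current, path = stack.pop()
        for member in groups.get(current, []):
            if member in groups:  # nested group
                if member not in seen:
                    seen.add(member)
                    stack.append((member, path + [member]))
            else:  # user principal; keep the first chain that reached it
                result.setdefault(member, path)
    return result


def shadow_admins(groups, privileged=PRIVILEGED_GROUPS):
    """Users who hold privileged-group membership only through nesting: they
    never appear as a direct member, so a glance at the group misses them."""
    found = {}
    for pg in privileged:
        direct = set(groups.get(pg, []))
        for user, chain in effective_members(pg, groups).items():
            if user not in direct:
                found[user] = chain
    return found


def stale_service_accounts(users, today, max_age_days=365):
    """Service accounts with a static credential: the password never expires
    or has not been rotated within max_age_days."""
    return sorted(
        name for name, attrs in users.items()
        if attrs["service_account"]
        and (attrs["pwd_never_expires"]
             or (today - attrs["pwd_last_set"]).days > max_age_days)
    )


def high_risk_report(groups, users, today):
    """Combine both checks; a stale service account that is also a shadow
    admin is the worst case the text describes."""
    shadows = shadow_admins(groups)
    stale = stale_service_accounts(users, today)
    return {
        "shadow_admins": shadows,
        "stale_service_accounts": stale,
        "stale_and_privileged": sorted(set(stale) & set(shadows)),
    }


if __name__ == "__main__":
    report = high_risk_report(GROUPS, USERS, REPORT_DATE)
    for user, chain in report["shadow_admins"].items():
        print(f"shadow admin {user}: {' -> '.join(chain)}")
    print("stale service accounts:", report["stale_service_accounts"])
    print("stale AND privileged:", report["stale_and_privileged"])
```

On this snapshot alice is a direct Domain Admin and is not reported, while bob, carol and svc-backup inherit the same rights three or four groups deep; svc-backup is also the unmanaged, never-rotated service account, which is exactly the identity an attacker would look for.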

Where are organizations most vulnerable to identity attacks? 

Most organizations have struggled with identity and access management (IAM) for many years. Access has a way of becoming a living, breathing organism, so security teams need to make sure they understand what’s going on with it. There are three main areas of concern: 

  • Shared credentials 
  • Stored credentials 
  • Shared secrets  

Most users have tens, if not hundreds, of usernames and passwords across various accounts, and they are likely to be reusing credentials across at least some of them. All it takes is for one site to suffer a breach, and those credentials can be tried against many more accounts and systems.  

When it comes to password storage, businesses must be extremely careful. As a starting point, get stored credentials out of the environment where they are used (scripts, configuration files and the hosts themselves) and into a managed vault.  

Unfortunately, many identity attacks originate from drive-by hacking: cyber criminals take credentials from password dumps or data breaches and try their luck, spraying them across corporate accounts.  
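Password spraying works precisely because each account sees only one or two failures, so a lockout counter keyed on the account never fires; counting failures per source instead catches it. The following is an added Python example, not the webinar's or Proofpoint's code, run over constructed log lines shaped like simplified Windows Security events (timestamp, event ID, source IP, target account, with 4625 meaning failed logon and 4624 success). The IP addresses, account names and thresholds are made up for illustration; real 4625 records carry more fields, such as status and sub-status codes, that a production detector would also use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log (not real data): <timestamp> <event id> <source ip> <account>.
# 10.0.0.5 is a user who mistypes twice then succeeds; 198.51.100.7 sprays one
# guess across six accounts; 203.0.113.9 hammers a single account.
SAMPLE_LOG = """\
2024-06-01T09:00:01 4625 10.0.0.5 alice
2024-06-01T09:00:09 4625 10.0.0.5 alice
2024-06-01T09:00:15 4624 10.0.0.5 alice
2024-06-01T09:02:00 4625 198.51.100.7 alice
2024-06-01T09:02:04 4625 198.51.100.7 bob
2024-06-01T09:02:09 4625 198.51.100.7 carol
2024-06-01T09:02:13 4625 198.51.100.7 dave
2024-06-01T09:02:18 4625 198.51.100.7 erin
2024-06-01T09:02:22 4625 198.51.100.7 frank
2024-06-01T09:05:00 4625 203.0.113.9 admin
2024-06-01T09:05:10 4625 203.0.113.9 admin
2024-06-01T09:05:20 4625 203.0.113.9 admin
2024-06-01T09:05:30 4625 203.0.113.9 admin
2024-06-01T09:05:40 4625 203.0.113.9 admin
2024-06-01T09:05:50 4625 203.0.113.9 admin
"""


def parse_failed_logons(log_text):
    """Return (timestamp, source_ip, account) for each failed-logon (4625) line."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event_id, src, account = line.split()
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), src, account.lower()))
    return events


def _windowed(events_for_key, window):
    """Yield the slice of time-ordered events inside each sliding window."""
    evs = sorted(events_for_key)
    left = 0
    for right in range(len(evs)):
        while evs[right][0] - evs[left][0] > window:
            left += 1
        yield evs[left:right + 1]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that failed against at least `min_accounts` DISTINCT accounts
    inside one window. Per account the count stays tiny, so grouping by source
    is what exposes the spray. Returns {source_ip: sorted accounts}."""
    by_src = defaultdict(list)
    for ts, src, acct in events:
        by_src[src].append((ts, acct))
    alerts = {}
    for src, evs in by_src.items():
        for chunk in _windowed(evs, window):
            accounts = {a for _, a in chunk}
            # keep the widest set of targets seen in any one window
            if len(accounts) >= min_accounts and len(accounts) > len(alerts.get(src, ())):
                alerts[src] = sorted(accounts)
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """The contrasting pattern: one source hammering ONE account.
    Returns {(source_ip, account): max attempts seen in a window}."""
    by_pair = defaultdict(list)
    for ts, src, acct in events:
        by_pair[(src, acct)].append((ts, acct))
    alerts = {}
    for pair, evs in by_pair.items():
        for chunk in _windowed(evs, window):
            if len(chunk) >= min_attempts:
                alerts[pair] = max(alerts.get(pair, 0), len(chunk))
    return alerts


if __name__ == "__main__":
    failures = parse_failed_logons(SAMPLE_LOG)
    for src, accounts in detect_password_spray(failures).items():
        print(f"password spray from {src}: {len(accounts)} accounts {accounts}")
    for (src, acct), n in detect_brute_force(failures).items():
        print(f"brute force from {src} against {acct}: {n} attempts")
```

Note that the brute-force detector, the one most lockout policies resemble, sees nothing from 198.51.100.7: each of its six targets failed exactly once. Only the source-centric view raises the spray, which is why identity telemetry needs to be correlated across accounts rather than inspected one account at a time.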

Protecting your identities 

Cybersecurity is an asymmetric war. By the time we have built a new control or defense mechanism, the bad guys have figured out a new way to circumvent it. That is what is happening right now.  

There are plenty of statistics to confirm that even in the largest breaches, threat actors get in right through the front door. How? By obtaining a shared credential tied to an identity that has more access than anyone at the target organization realised it had.  

Fundamentally, it is a hygiene issue. We are all guilty of getting caught up in new, fancy, rocket-science security capabilities, but we are missing some of the basics: simple cybersecurity hygiene and better visibility into, and understanding of, your environment.  

How Proofpoint Spotlight and Proofpoint Shadow can help 

The Spotlight and Shadow solutions from Proofpoint tackle both sides of the identity attack issue: 

  • Spotlight handles the hygiene aspect, discovering and cleaning up vulnerable identities within your environment.  
     
  • Meanwhile, Shadow creates a hostile environment for attackers by laying deceptive traps, so that lateral movement toward them alerts security teams to the intruder's presence.  

So, you get greater visibility to understand and remediate risky identities while taking steps to detect and deter privilege escalation and further harm to your data, systems and networks.  

Identities are a company’s crown jewels  

Attackers have begun to focus on compromised identities to enable data exfiltration, take over IT environments and launch ransomware attacks. Watch the full webinar, “Identity Is the New Attack Surface” to learn more. 

Get your free copy of New Perimeters 

Find more articles and learn to break the attack chain with Identity Threat Defense in New Perimeters, "Identity Is the New Attack Surface".