If the history of cyber threats has taught us anything, it’s that the game is always changing. The bad actors show us a move. We counter the move. Then, the bad actors show us a new one.
Today, that “new move” is the vulnerable state of identities. Attackers realize that even if the network and every endpoint and device are secured, they can still compromise an enterprise’s resources by gaining access to one privileged account.
There is a lot of opportunity to do that, too. Within companies, one in six endpoints has an exploitable identity risk, as research for the Analyzing Identity Risks (AIR) Research Report from Proofpoint found.
“Well, that escalated quickly.”
The latest Data Breach Investigations Report from Verizon highlights the risks of complex attacks that involve system intrusion. It also underscores the need to disrupt the attacker once they are inside your environment. Once they have that access, they will look for ways to escalate privileges and maintain persistence. And they will search for paths that will allow them to move across the business so that they can achieve their goals, whatever they may be.
This problem is getting worse because managing enterprise identities and the systems to secure them is complex. Another complication is the constant changes to accounts and their configurations.
Attackers are becoming more focused on privileged identity account takeover (ATO) attacks, which allow them to compromise businesses with ease and speed, at least as compared with the time, effort and cost that may be required to exploit a software vulnerability (a common vulnerability and exposure, or CVE).
We should expect this trend to continue, given that ATOs have reduced attacker dwell times from months to days. And there is little risk that attackers will be detected before they are able to complete their crimes.
How can IT and security leaders and their teams respond? A “back to the basics” approach can help.
Shifting the focus to identity protection
Security teams work to protect their networks, systems and endpoints in their infrastructure, and they have continued moving up the stack to secure applications. Now, we need to focus more on ways to improve how we protect identities. That is why an identity threat detection and response (ITDR) strategy is so essential today.
We tend to think of security in battle terms; as such, identity is the next “hill” we need to defend. As we have done with the network, endpoint and application hills in the past, we should apply basic cyber hygiene and security posture practices to help prevent identity risk.
There is value in using preventative and detective controls in this effort, but the former type of control is preferred. (It can cost less to deploy, too.) In other words, as we take this next hill to secure identity threats, we should keep in mind that an ounce of prevention is worth a pound of cure.
Identity as a vulnerability management asset type
Businesses should consider managing remediation of the identity vulnerabilities that are most often attacked in the same or a similar way to how they manage the millions of other vulnerabilities across their other asset types (network, host, application, etc.).
We need to treat identity risk as an asset type. Its vulnerability management should be included in the process for prioritizing vulnerabilities that need remediation. A requirement for doing this is the ability to scan the environment on a continuous basis to discover identities that are vulnerable now, and to learn why they are at risk.
Proofpoint Spotlight™ provides a solution. It enables:
- The continuous discovery of identity threats and vulnerability management
- Their automated prioritization based on the risk they pose
- Visibility into the context of each vulnerability
And Spotlight enables fully automated remediation of vulnerabilities where the remediation creates no risk of business interruption.
Prioritizing remediation efforts across asset types
Most enterprises have millions of vulnerabilities across their different asset types. So, it is critical to prioritize threat and vulnerability management efforts. Most vulnerabilities pose little risk. The key factors for determining prioritization should include the:
- Vulnerable asset’s importance to the business
- Threat likelihood of the vulnerability being exploited
- Strength and effectiveness of any compensating controls that mitigate the risk associated with the vulnerability
Once you consider these factors, identity risks and vulnerabilities associated with privileged identities often bubble up fairly high on the prioritization list.
Attackers can use privileged accounts to do harm to the most important systems of a business. The threat likelihood of these accounts being exploited has increased because they are a top focus for many bad actors. And since most ATOs go undetected, it is clear that sufficient compensating controls do not mitigate the risk of these vulnerabilities.
The good news is that many identity risk vulnerabilities discovered around privileged identities can be easy to remediate. Cleaning unsecured credentials off endpoints is one approach. Compare that to the effort associated with remediating software vulnerabilities (CVEs), where remediation may include costly code changes and full regression testing.
Identity threat and vulnerability management is a compensating control for many un-remediated CVEs since malicious actors often use software vulnerabilities to enable early tactics of an attack. Once that happens, attackers must still work to escalate privileges.
As such, the remediation of identity vulnerabilities offers a compensating control for many un-remediated CVEs: even when the CVE itself is left unpatched, removing the identity vulnerability can stop the attacker from escalating privileges and progressing further.
Find out how insight into your vulnerable and risky identities can help to break the attack chain in New Perimeters–Identity Is the New Attack Surface.