Zeki Turedi, CTO, EMEA at CrowdStrike has penned a thought leadership article which outlines how ‘identity’ holds the key to winning the cybersecurity battle.
Identity-based attacks — abusing genuine account credentials to gain access to organisations’ networks — have quickly become the leading issue in cybersecurity.
The 2023 CrowdStrike Global Threat Report found that some TTPs (tactics, techniques and procedures) are falling by the wayside for hackers.
Adversaries are doubling down on stolen credentials, with a 112% year-over-year increase in advertisements for access-broker services identified in the criminal underground, and 71% of breaches involving no malware at all. This trend shows no sign of relenting in 2023.
The attraction to identity-based techniques is simple common sense for adversaries. Malware quickly becomes detectable in the face of modern cybersecurity tools.
Hands-on-keyboard hacking is skilled, difficult work, and is also vulnerable to fairly well-established countermeasures. If the opportunity to simply log on to target systems using genuine credentials presents itself, whether those credentials were obtained through previous attacks, social engineering or other means, that will clearly be the preferred approach.
Once a targeted system has been compromised, even as a lowly, counterfeit user, flaws and weaknesses in the operating systems employed by most corporations allow the attacker to move laterally, escalating privileges as they go.
Problems with Active Directory — used by 90% of Fortune 1000 companies — continue to manifest themselves regularly. More, often-critical issues are uncovered at a depressingly steady monthly rate, even as this software enters the third decade since its initial release. These issues each risk handing adversaries the ‘keys to the castle’ for businesses.
Four factors to guide ID security
In this light, identity protection has become a key area of attention and investment for security teams. But not all investments here will have equal value. Here are four considerations that will help guide smarter decision-making.
The right Identity Protection
The first of these is that identity and access management (IAM) is quite different from identity security, and they deserve separate solutions.
IAM is a part of the network infrastructure that provisions, manages and stores identities that are part of the organisation, and potentially manages features like single sign-on and multifactor authentication (MFA) processes.
IAM providers might boast security features, but there are issues to be aware of here. Most notably, the IAM system itself is a key part of the infrastructure to be protected.
Allowing an application to protect itself against flaws it may itself contain is a strategy to be avoided: it creates a clear moral hazard for vendors, and a product is rarely a good judge of its own blind spots.
Third parties are likely to apply a more neutral and stringent approach to closing down vulnerabilities.
A dedicated ID protection product has one sole focus, one responsibility — and that’s a notable advantage.
A holistic approach
Second, a worthy identity protection solution will only shine when it is plugged into an organisation’s holistic security platform, because potential attacks can be detected and thwarted in several different ways.
Threat intelligence from global, real-time threat graphs, assisted and trained by expert human analysts, may provide some indications. Others might come from EDR, XDR and cloud security services. Weak signals from these disparate systems need to be correlated to understand the full picture.
Comprehending the difference between unusual and threatening behaviour requires orchestration between many different signals. Consolidation towards a unified security platform strengthens both detection and response, while avoiding the confusion that comes as a result of multiple discrete tools.
Effective Identity Management
This security specialisation and orchestration leads to the third key consideration for an effective choice in identity protection. The way in which alerts and MFA events are generated for both security personnel and regular employees needs to be both smart and frictionless.
Both users and security teams find endless alerts fatiguing. Fatigue blunts the impact of alerts and the ability to respond to them, and, for users, increases susceptibility to social engineering attacks designed to harvest even more identity information.
Identity protection should not mean more friction for any legitimate user.
There’s a big difference between the familiar scenario of people who lock themselves out of their own systems, having forgotten their passwords, and a genuine adversary attempting to log in. And so the response from security systems, for both users and sysadmins, should be different, too.
Similarly, an employee using another’s login details for a particular tool might be problematic for all sorts of reasons, and needs to be addressed, but it is not a direct security risk. Usable, and thus effective, identity protection seeks to allow legitimate users to carry on with their work unhindered, but comes down hard on genuine risks, blocking all access immediately.
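As an added illustration, not from the article or from any vendor's product, the following Python sketches that distinction as detection logic over a constructed authentication log: a handful of failures from a source the user has logged in from before is treated as a forgotten password, while failures from unfamiliar sources, or one source failing against many accounts, are blocked and escalated. The log format and the two thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data).
# One event per line: "<iso-timestamp> <username> <source-ip> <success|fail>"
SAMPLE_LOG = """\
2023-05-01T08:00:01 alice 10.1.1.5 fail
2023-05-01T08:00:20 alice 10.1.1.5 fail
2023-05-01T08:00:45 alice 10.1.1.5 fail
2023-05-01T08:02:10 alice 10.1.1.5 success
2023-05-01T09:10:00 bob 10.1.1.9 success
2023-05-01T09:15:01 bob 203.0.113.7 fail
2023-05-01T09:15:02 bob 203.0.113.8 fail
2023-05-01T09:15:03 bob 203.0.113.9 fail
2023-05-01T11:00:00 carol 198.51.100.4 fail
2023-05-01T11:00:01 dave 198.51.100.4 fail
2023-05-01T11:00:02 erin 198.51.100.4 fail
"""

MAX_SELF_LOCKOUT_FAILS = 10  # assumed: more than this is never "just a forgotten password"
SPRAY_MIN_ACCOUNTS = 3       # assumed: one source failing against this many accounts

def parse_log(text):
    """Parse the log into (timestamp, user, source, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, source, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, source, outcome == "success"))
    return events

def triage(events):
    """Return ({user: (verdict, action)}, [sources failing against many accounts])."""
    trusted = defaultdict(set)            # user -> sources that user has logged in from
    fails = defaultdict(list)             # user -> source of each failed attempt
    users_per_source = defaultdict(set)   # source -> accounts it has failed against
    for _, user, source, succeeded in events:
        if succeeded:
            trusted[user].add(source)
        else:
            fails[user].append(source)
            users_per_source[source].add(user)
    verdicts = {}
    for user, sources in fails.items():
        # Familiar source and only a few failures: treat as a locked-out user, not an attack
        if set(sources) <= trusted[user] and len(sources) <= MAX_SELF_LOCKOUT_FAILS:
            verdicts[user] = ("forgotten_password", "offer self-service or help-desk reset; no block")
        else:
            verdicts[user] = ("suspicious_login", "block the account's access and alert the security team")
    spray_sources = sorted(s for s, users in users_per_source.items()
                           if len(users) >= SPRAY_MIN_ACCOUNTS)
    return verdicts, spray_sources
```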
Finally, identity-based attacks are very often the result of policy failures, either in their creation or implementation. Users who have left the organisation often retain active credentials; service accounts for applications and services that have long been retired remain on the system.
Users don’t update their passwords as the written policy requires, or remain able to recycle old passwords or choose ‘qwerty123’ as their new one. It’s not uncommon for large corporations to have thousands of inactive accounts.
A worthy identity protection solution will not only advise of policy breaches, but fix the problem, closing down stale accounts, detecting the abuse of existing accounts and advising the right people, whether that’s an individual user or the security team, where policy breaches have occurred.
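To make those policy checks concrete, here is an added Python example (not the article's or any vendor's code) that audits a constructed account export for departed users, orphaned service accounts, dormant accounts and overdue password changes, closes down the accounts that should be disabled, and routes each breach to either the individual user or the security team. The field names and policy values are assumptions.

```python
from datetime import date
# Constructed sample directory export (not real accounts). Field names and
# policy values are assumptions for this example, not any product's schema.
ACCOUNTS = [
    {"name": "alice", "kind": "user", "enabled": True, "owner_active": True,
     "last_logon": date(2023, 4, 28), "pwd_last_set": date(2023, 3, 1)},
    {"name": "bob", "kind": "user", "enabled": True, "owner_active": False,  # left the organisation
     "last_logon": date(2022, 11, 3), "pwd_last_set": date(2022, 6, 1)},
    {"name": "svc_legacy_erp", "kind": "service", "enabled": True, "app_retired": True,
     "last_logon": date(2021, 2, 14), "pwd_last_set": date(2019, 1, 1)},
    {"name": "carol", "kind": "user", "enabled": True, "owner_active": True,
     "last_logon": date(2023, 4, 30), "pwd_last_set": date(2022, 1, 15)},  # password never rotated
    {"name": "dave", "kind": "user", "enabled": True, "owner_active": True,
     "last_logon": date(2022, 9, 1), "pwd_last_set": date(2023, 2, 1)},  # dormant account
]
POLICY = {"max_password_age_days": 90, "max_inactive_days": 90}
TODAY = date(2023, 5, 1)  # fixed so the example is deterministic

def audit(accounts, policy, today):
    """Return (account, breach, action, recipient) for every policy breach found."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already closed down; nothing left to report
        who = "user" if a["kind"] == "user" else "security_team"
        if a["kind"] == "user" and not a["owner_active"]:
            findings.append((a["name"], "departed_user_still_enabled", "disable", "security_team"))
        if a["kind"] == "service" and a.get("app_retired"):
            findings.append((a["name"], "orphaned_service_account", "disable", "security_team"))
        if (today - a["last_logon"]).days > policy["max_inactive_days"]:
            findings.append((a["name"], "inactive_account", "review_then_disable", "security_team"))
        if (today - a["pwd_last_set"]).days > policy["max_password_age_days"]:
            findings.append((a["name"], "password_age_exceeded", "force_change", who))
    return findings

def remediate(accounts, findings):
    """Disable every account whose finding calls for it; return the names disabled."""
    to_disable = {name for name, _, action, _ in findings if action == "disable"}
    for a in accounts:
        if a["name"] in to_disable:
            a["enabled"] = False
    return sorted(to_disable)

def notifications(findings):
    """Route each breach to the right recipient: {recipient: [(account, breach), ...]}."""
    routed = {}
    for name, breach, _, recipient in findings:
        routed.setdefault(recipient, []).append((name, breach))
    return routed
```

Once the departed user and the orphaned service account are disabled, a second audit reports only the two remaining hygiene issues, which is the point: closed-down accounts stop generating alerts.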
Your choice of identity security solution is a crucial one, likely to be one of the most important lines of defence in 2023 and beyond. But this doesn’t necessarily mean further complication, another wave of alerts to contend with, and extra work for already thinly spread teams.
A solution that is integrated with existing security tools, processes and procedures will result in both a stronger defence and a much more manageable workload for teams.