Analyzing Identity Risks: Why is Every Organization Vulnerable to Cyberattack?
From ransomware to advanced persistent threats, when I speak to CISOs, they understand that identity is the top vector for attack. It is a paradox that organizations could invest so much into so many identity management and governance solutions, yet remain unaware of their own identity risks.
Unmanaged, misconfigured, and exposed identity risks are the residue that remains from day-to-day IT operations, and they are so common that they exist in every organization – in fact, Illusive discovers these sorts of vulnerable identities at a rate of 1 in 6 endpoints (even in the presence of identity management solutions). And unfortunately, when an attacker lands on one of these vulnerable endpoints, they can easily escalate their privileges to do just about anything they want.
Illusive recently published Analyzing Identity Risks (AIR) 2022, the first research report to ever examine these identity risks under a microscope. Throughout 2021, Illusive assessed the identity risks of more than 25 organizations, including some of the world’s largest financial service providers, retailers, and healthcare providers. And let me tell you from my first-hand experience that these organizations have very mature information security management systems and identity tools and practices. These are all organizations that have SOC or ISO certifications, but they still lack visibility into these unmanaged, misconfigured, and exposed identity risks.
Get a Grip on Unmanaged Identity Risks
Unmanaged identity risks include local admins that are not enrolled in a Privileged Account Management system, the use of outdated local admin passwords (or never setting a password in the first place), and the use of temp or test admin accounts.
Illusive research reveals that 87% of local admins are not enrolled in a privileged account management (PAM) solution, such as Microsoft’s Local Admin Password System (LAPS). Furthermore, a staggering number of admin accounts have passwords that have not been changed in more than a year. In fact, nearly 1 in 5 local admins have not changed their passwords in more than five years!
This situation is made worse by the prevalence of shared passwords for local admin accounts used for break-fix processes. Compromising the password of a single local admin account frequently provides access to many other machines where the local admin also uses the same password. Making processes easy for the help desk team also makes life easy for attackers.
These sorts of risks are related and easily exploited. For example, APT 38, a financially-motivated division of the North Korean Lazarus Group, is well known for the sort of brute force attacks that prey upon poor password security. It should be basic cybersecurity hygiene to change admin passwords every 90 days, but the challenge is that many organizations lack visibility into local admins that have not been enrolled in a PAM solution. “You can’t protect what you don’t know exists,” as they say.
Reconfigure Misconfigured Identity Risks
Misconfigured identity risks are what we refer to as “shadow admins,” which I’ve previously discussed in-depth. Just as shadow IT systems are those that are deployed beyond the visibility and control of the central IT department, shadow admins are those misconfigured identities that have been unintentionally granted privileges that are not readily apparent to the IT team.
For example, Illusive discovered a help desk employee tasked with resetting passwords who also had the ability to add domain admins. If an attacker compromised this help desk account, they could escalate their privileges to domain admin. And frankly, we see these risks in every organization.
Most significantly, 40% of shadow admin risks can be exploited in one step, such as resetting the password of a domain admin or granting an account domain admin privileges like in our example above. Even more concerning, more than 1 in 10 shadow admins already have domain admin privileges – these are the kings of the kingdom. This is low-hanging fruit for attackers – it is easy to find and easy to exploit.
As I’ve said before, in a perfect world, all admin accounts would be created by following the best practice of being added directly to a privileged group, but again, IT teams lack the visibility they need, both in awareness of user privileges and their activity.
Cover Exposed Identity Risks
Exposed identity risks include cached credentials, in-app password stores, OS password stores and disconnected or “abandoned” remote desktop protocol (RDP) sessions. You could say that this is the equivalent of leaving your user name and password written on a sticky note, but it is actually much worse since a cyberattack can’t compromise your sticky note.
These exposed identity risks are EVERYWHERE; Illusive research has shown that privileged account passwords are left exposed on 13% of endpoints. Unfortunately, once you understand these are some of the most pervasive identity risks, it should come as no surprise that ransomware has been running rampant during the past few years. Case in point, RDP and VPN access credentials are the most common and valuable access listing available on darknet ransomware forums.
Although exposed identities are one of the most ubiquitous risks we discover, they are also one of the easiest to remediate: the offending credentials just need to be removed from the endpoint. Again, the issue is that many organizations simply don’t know that these privileged credentials have been littered across their enterprise.
Automatically and Continuously Discover and Mitigate Your Identity Risks
The fact is that identity risks often overlap and intersect, like some sort of nightmarish Venn diagram. It is bad enough that shadow admins escape detection from existing identity management solutions, but finding them exposed means that they are actively in use. Organizations truly “don’t know what they don’t know” when it comes to these risks.
Even the most well-intentioned security teams can’t mitigate identity risks unless they’re aware of them. While some organizations have attempted to manage this risk by getting visibility through red team exercises, annual audits, scripts and spreadsheets, these have been vastly incomplete and therefore ineffective. Similar to how security teams manage vulnerabilities through the use of regular vulnerability scanners, these same teams need the ability to automatically and continuously scan for vulnerabilities in the identities used to run their business.