Illusive Blog November 18, 2021

How to Secure the #1 Source of Cyber Attacks – Privileged Identities Are Easy to Exploit

By Wade Lance
Attack Surface Management, Identity Access Management, Identity Risks, Privileged Identities

Identity has become the number one attack vector. One hundred percent of our audits discover privileged access credentials that have been left exposed on endpoints – typically at a rate of one-in-five endpoints.

Privileged access credentials that are left vulnerable on endpoints are a rich target for attackers. Once compromised, it becomes trivial to leverage this initial access with lateral attacks that can take control of the entire network. Organizations must discover, mitigate and protect themselves from identity risks.

Identity: A Vulnerable Attack Surface

Identity risks surface in a variety of ways. For example, through the rise of remote work, organizations have been relying on VPN and RDP to enable remote workers to access the corporate network. If those credentials are left exposed an attacker could leverage them to gain unauthorized access, and if that session is based on a privileged user, such as an IT admin, there are serious security implications.

RDP and VPN access credentials have become the most common listings on dark net hacker forums because of how frequently they have become exposed in the shift to remote work, and they have become the most valuable of these listings because of the access and control they enable. If an attacker is able to gain access to these kinds of credentials, there are plenty of opportunities to leverage that data for further attacks or to monetize those objects by selling them to interested third parties.

Once an attacker obtains this initial access there are dozens of tools, such as AD Find, Bloodhound, Cobalt Strike, and Mimikatz that make it easy to move across the network. This is because the traditional network perimeter is focused on protecting inbound and outbound traffic, so-called “North-South” traffic, while lateral attack movement is “East-West.” This lateral attack movement is very difficult for the security team to differentiate from normal user behavior because the attacker is using legitimate credentials to move in a way that in many cases has historical precedent. No anomalies means no anomaly detections by behavior security controls.

According to IDC, Defeating Ransomware Requires a Deterministic Cybersecurity Game Plan by Chris Kissel, “Once the network considers an end user to be authentic, the network is designed to maximize the efficiency of the user experience. The adversary sees the east-west mappings and can then begin to access sensitive data/servers. If server information is not directly accessible, the information necessary to make the next lateral move becomes apparent.”

Identity Risks Are Pervasive

Privileged identities are more exploitable than enterprises might realize. They are the residue that remains as the byproduct of normal IT operations. These risks include unmanaged identities, misconfigured identities, and exposed identities.

Unmanaged identities include local admins, legacy applications and shadow cloud services, and accounts that have not been enrolled in multi-factor authentication (MFA) or privileged access management (PAM). You cannot protect what you don’t know exists.

Misconfigured identities include shadow admins, service accounts vulnerable to Kerberoasting, and the re-use of passwords and identities. These sorts of common human errors can leave an organization exposed to attack.
Exposed identities include cached credentials, stored cloud tokens, credentials stored in applications. These are often the result of an oversight but are particularly dangerous because they represent the keys to the kingdom.

Discover, Mitigate & Protect

Organizations are increasingly turning toward Zero Trust security since the network perimeter has been obliterated. According to Microsoft, “Identities – whether they represent people, services, or IoT devices – define the Zero Trust control plane.” This is why we say that identities are the new perimeter. And it is why Illusive won the Microsoft 20/20 Security – Identity Trailblazer award.

But there is still a long way to go. According to a recent Microsoft survey, although 90 percent of IT decision-makers are now familiar with Zero Trust, and 76 percent are in the process of implementation, only 38 percent have fully implemented identity controls.

For organizations concerned with their identity risks, Illusive provides a comprehensive solution to eliminate exploitable credentials across endpoints, servers, and cloud environments:

  • Discover – 360-degree visibility and actionable insight around existing privileged identity risks.
  • Mitigate – Automated and continuous cleanup of identity risks.
  • Protect – Compensating controls detect attacks for identity risks that can’t be mitigated.

Download our whitepaper to learn more about privileged identity risks and how Illusive can help. Or Contact Illusive today for a complimentary audit of your privileged identity risks.