Illusive Blog November 14, 2022

Not All Vulnerabilities are Created Equal: Identity is the New Vulnerability

By Mark Jaffe

If the history of cyber threats has taught us anything, it’s that the game constantly changes: The bad guys show us a move. We counter the move. Then the bad guys show us a new one.

Today, that “new move” is the vulnerable state of identities. Attackers realize that even if the network and every endpoint and device are secured, they can compromise an enterprise’s resources once they gain access to just one privileged account. Within organizations, one in six endpoints has an exploitable identity risk, as noted in the AIR Research Report that we published earlier this year.

To dig into these issues and potential responses further, I recently took part in the Illusive-hosted “Identity is the New Vulnerability” webinar featuring Forrester senior analyst, Erik Nost.

The problem has escalated because the management of enterprise identities, and the systems used to secure them, is quite complex. This complexity is further complicated by the constant changes made to accounts and their configurations.

Attackers are increasingly focused on privileged identity account takeover attacks (ATOs) because they can compromise organizations much more easily and quickly this way, as compared to the time, effort and cost to exploit a software vulnerability (CVE). And we should not expect this trend to stop anytime soon, given that these ATOs have reduced attacker dwell times from months to merely days, with very little risk to attackers that they’ll be detected before completing their crime.

So, what should IT and security leaders and their teams do about this? Erik and I offered up the following best practices recommendations during our webinar:

Take a “back to the basics” approach

Security teams work to protect their networks, systems and endpoints in their infrastructure, and have continued moving up the stack to secure applications. As identities have become the predominant attack vector, we now need to move to better protect identities. This makes for the foundational building blocks of a successful identity threat detection and response (ITDR) strategy, which is essential today.

If we think of security in battle terms (as we often tend to do), identity is simply the next hill we need to defend. As we’ve done with the network, endpoint and application hills in the past, we should begin by applying good old-fashioned, basic cyber hygiene/security posture practices to prevent as much risk as possible. While there is value in both preventative and detective controls, preventative controls are preferred and are often less costly to deploy. In other words, as we take this next hill to secure identities, we should not forget that an ounce of prevention is worth a pound of cure.

Identity as a vulnerability management asset type

Organizations should consider managing the remediation of identity vulnerabilities (those most commonly exploited in today’s attacks) in the same or similar way to how they manage the millions of other vulnerabilities across their other asset types, including their network, host and application vulnerabilities. In other words, identity must be treated as an asset type and its vulnerabilities should be included in the process for prioritizing vulnerabilities that need remediation. A requirement for doing this is the ability to continuously scan the environment to discover those identities that are vulnerable at the moment and why.

Illusive Spotlight™ provides this solution, enabling the continuous discovery of identity vulnerabilities, their automated prioritization based on the risk they pose, and visibility into the context of each vulnerability. Illusive Spotlight even enables fully automated remediation of vulnerabilities where the remediation creates no risk of interruption to the business.

Prioritizing remediation efforts across asset types, including identity vulnerabilities, is required

Since most organizations likely have millions of vulnerabilities across their different asset types, it is critical for vulnerability management efforts to be prioritized. Most vulnerabilities pose little risk for any number of reasons. The key factors for determining prioritization should include:

  • the vulnerable asset’s importance to the business
  • the threat likelihood of the vulnerability being exploited
  • the strength and effectiveness of any compensating controls that mitigate the risk associated with the vulnerability

Once these factors are considered, identity vulnerabilities associated with privileged identities often bubble up fairly high on the prioritization list. Privileged accounts can be used to create harm to the most important systems of a business. The threat likelihood of these accounts being exploited has increased as they’ve become the top focus of attackers. Additionally, since most ATOs go undetected, the risk of these vulnerabilities is clearly not mitigated by sufficient compensating controls.
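The three factors above combine naturally into a single residual-risk score, and the argument that privileged-identity findings "bubble up" can be checked on a small inventory. The following is an added example, not code from the post or from Illusive's products; the scales (importance 1 to 5, likelihood and control strength 0 to 1), the multiplicative scoring formula, and the constructed findings and CVE placeholders are all assumptions made here for illustration. The example also models the later point that cleaning an unsecured privileged credential off a host acts as a compensating control for CVEs on that host whose exploitation still requires privilege escalation.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass
class Vulnerability:
    vuln_id: str
    asset_type: str            # "identity", "host", "network" or "application"
    asset: str                 # hypothetical asset name (constructed for this example)
    asset_importance: int      # 1 (low) .. 5 (critical to the business)
    exploit_likelihood: float  # 0.0 .. 1.0: how likely exploitation is in practice
    control_strength: float    # 0.0 .. 1.0: how much compensating controls reduce the risk
    privileged: bool = False   # identity findings: does the account hold admin rights?
    depends_on_escalation: bool = False  # CVEs: attacker still needs privilege escalation after exploit

    def risk_score(self) -> float:
        # Assumed formula: importance x likelihood x (1 - compensating control strength).
        residual = 1.0 - self.control_strength
        return round(self.asset_importance * self.exploit_likelihood * residual, 3)


def prioritize(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Highest residual risk first, regardless of asset type."""
    return sorted(vulns, key=lambda v: v.risk_score(), reverse=True)


def apply_identity_remediation(vulns: List[Vulnerability], host: str,
                               gained_control: float = 0.6) -> List[Vulnerability]:
    """Model remediating the privileged-identity finding on `host`.

    The identity finding itself is fully mitigated (control strength 1.0), and every
    CVE on the same host that an attacker could only exploit before still needing to
    escalate privilege gains a compensating control of at least `gained_control`
    (an assumed value). Returns a new list; the input is left untouched.
    """
    out = []
    for v in vulns:
        if v.asset_type == "identity" and v.asset == host and v.privileged:
            out.append(replace(v, control_strength=1.0))
        elif v.asset == host and v.depends_on_escalation:
            out.append(replace(v, control_strength=max(v.control_strength, gained_control)))
        else:
            out.append(v)
    return out


def sample_inventory() -> List[Vulnerability]:
    # Constructed findings; asset names and CVE identifiers are placeholders, not real ones.
    return [
        Vulnerability("ID-001", "identity", "WS-FIN-07", 5, 0.8, 0.1, privileged=True),
        Vulnerability("CVE-PLACEHOLDER-1", "host", "WS-FIN-07", 3, 0.5, 0.2,
                      depends_on_escalation=True),
        Vulnerability("CVE-PLACEHOLDER-2", "application", "WEB-PUBLIC-01", 4, 0.6, 0.7),
        Vulnerability("ID-002", "identity", "SVC-REPORTS", 2, 0.3, 0.2),
    ]


if __name__ == "__main__":
    before = prioritize(sample_inventory())
    print("Before identity remediation:")
    for v in before:
        print(f"  {v.vuln_id:<18} {v.asset_type:<12} risk={v.risk_score()}")
    after = prioritize(apply_identity_remediation(sample_inventory(), "WS-FIN-07"))
    print("After cleaning the cached privileged credential off WS-FIN-07:")
    for v in after:
        print(f"  {v.vuln_id:<18} {v.asset_type:<12} risk={v.risk_score()}")
```

With the constructed inventory, the cached Domain Admin credential on the finance workstation outranks an unpatched CVE on a public web application that sits behind a strong compensating control, even though the web application is the more important asset. After the identity finding is remediated, the residual risk of the escalation-dependent CVE on the same host halves without anyone having to patch it.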

Fortunately, many of the vulnerabilities discovered around these privileged identities are relatively easy to remediate, such as cleaning unsecured credentials off endpoints. Compare this to the effort associated with remediating software vulnerabilities (CVEs), where remediation often requires potentially costly code changes and the completion of full regression testing.

Identity vulnerability management is a compensating control for many unremediated CVEs, since many software vulnerabilities (CVEs) are leveraged to enable early tactics of an attack (e.g., the “execute” tactic of the MITRE ATT&CK framework for gaining “persistence”). Once attackers exploit these, they must still work to escalate privileges. As such, remediating identity vulnerabilities offers a compensating control for the many unremediated CVEs: the risk they pose while left vulnerable is reduced by taking away the attacker’s ability to progress the attack through privilege escalation.

If you missed the live webinar, I invite you to watch the full replay. Afterward, we would be happy to discuss how ITDR can help your organization get ahead of identity vulnerabilities – defending that hill before the malicious actors even have a chance to attack it – instead of falling behind.

See Illusive's Identity Threat Detection & Response In Action

Learn how Illusive's ITDR solutions can help your security team protect against the #1 attack vector—identity.