Illusive Blog April 19, 2022

Why are organizations still vulnerable to identity risk despite investment in IAM, PAM, and MFA solutions?

By Mark Jaffe
Identity Risk Management

Recent research from Enterprise Strategy Group (ESG) explored how organizations are prioritizing Identity and Access Management (IAM), Privileged Account Management (PAM), and Multi Factor Authentication (MFA) initiatives, the various products, platforms and technologies being deployed, and, most importantly, how well they are working.

There is no question that Identity and Access Management is complex. Identities for employees, contractors, workloads (i.e., non-human service accounts, legacy applications, etc.) and customers all have to be provisioned, managed, secured, deprovisioned and audited. The responsibility for this is distributed across IT, Security and HR, and it is no minor task: more than half of organizations have at least 10 employees managing identities.

Furthermore, organizations have spent a great deal of time and money on solutions such as Identity Governance and Administration (IGA), Privileged Account Management (PAM), and Multi Factor Authentication (MFA). The research showed that PAM is a strategic security control, with 90% of respondents ranking it among their top 5 controls; however, only 4% indicated that PAM was the most effective. The fact remains that, despite these investments in IAM solutions, organizations still remain vulnerable to identity risk and attack.

Despite these investments in IAM tools, Illusive's own research has likewise found that 1 in 6 endpoints has exploitable identity vulnerabilities.

What are the common attack vectors?

The ESG research showed that theft of credentials from system memory is the most common attack. Attackers are exploiting cached Remote Desktop Protocol (RDP) and VPN credentials to obtain direct, privileged access into the network. Access is often gained through phishing, or, as in the case of the Lapsus$ ransomware family, by simply paying for credentials.

Once on a user's endpoint, attackers regularly use tools such as Mimikatz to harvest privileged credentials that have been saved there. We've all done it: saved a username and password to make access easier. Other times, we may not even know that account credentials for a specific application have been cached on our device. Yet when privileged credentials are stored, whether on disk, in the registry, or in memory, attackers can easily access and leverage them to establish persistence and elevate their privileges. This has become so easy that cyber adversaries worldwide have made it their top attack vector of choice.
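Because tools like Mimikatz have to open the LSASS process with memory-read access to pull cached credentials out of memory, that handle request is one of the most reliable places to detect in-memory credential theft. The following detection logic is an added example written for this post (not Illusive's code): it runs over Sysmon ProcessAccess (Event ID 10) records rendered in a simplified key="value" form constructed here, and the allowlist paths are placeholders to be tuned per environment.

```python
import re

# PROCESS_VM_READ | PROCESS_VM_WRITE: the rights a credential dumper needs on LSASS.
MEMORY_ACCESS = 0x0010 | 0x0020

# Hypothetical allowlist of images that legitimately open LSASS (OS components,
# EDR/AV sensors). Placeholder paths; tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\example-edr\sensor.exe",  # placeholder path
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Parse one key="value" record (simplified Sysmon rendering) into a dict."""
    ev = dict(FIELD_RE.findall(line))
    ev["SourceImage"] = ev.get("SourceImage", "").lower()
    ev["TargetImage"] = ev.get("TargetImage", "").lower()
    ev["GrantedAccess"] = int(ev.get("GrantedAccess", "0"), 16)
    return ev

def is_suspicious_lsass_access(ev):
    """True when a non-allowlisted process requests LSASS memory read/write."""
    if ev.get("EventID") != "10":
        return False
    if not ev["TargetImage"].endswith(r"\lsass.exe"):
        return False
    if ev["SourceImage"] in ALLOWED_SOURCES:
        return False
    # 0x1400 (query information only) is normal; 0x1010 includes VM_READ and alerts.
    return bool(ev["GrantedAccess"] & MEMORY_ACCESS)

def detect(lines):
    """Return (SourceImage, GrantedAccess as hex) for each record that should alert."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], hex(ev["GrantedAccess"])))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    'EventID="10" SourceImage="C:\\Windows\\System32\\csrss.exe" TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess="0x1FFFFF"',
    'EventID="10" SourceImage="C:\\Users\\jdoe\\Downloads\\svc.exe" TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess="0x1010"',
    'EventID="10" SourceImage="C:\\Windows\\System32\\taskmgr.exe" TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess="0x1400"',
    'EventID="10" SourceImage="C:\\Users\\jdoe\\tool.exe" TargetImage="C:\\Windows\\System32\\svchost.exe" GrantedAccess="0x1010"',
]
```

Running `detect(SAMPLE_LOG)` flags only the unrecognised `svc.exe` opening lsass.exe with 0x1010; the csrss.exe handle is allowlisted, Task Manager's 0x1400 is a query-only mask, and the svchost.exe access is not LSASS at all.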

Cached credentials are everywhere, and their spread has only been heightened by the move to remote work. VPN and RDP access credentials have become two of the primary entry points for hackers. Our own research, based on an analysis of endpoints and servers in mostly large enterprises, shows that privileged account passwords are left exposed on 13% of endpoints, and that 55% of exposed privileged identities are stored in browsers.

The ESG research showed that 16% of those surveyed had suffered a breach due to cached credentials being dumped and exploited by attackers, making this the number one source of breach.

Assessing risk across human and non-human identities must remain a priority

When the many legacy applications that run critical business processes today were built, developers weren't designing them to be secure against modern-day attacks. One result is that the service accounts these legacy applications depend on cannot be easily secured. As non-human accounts, they cannot be enrolled in a Multi-Factor Authentication or Privileged Access Management solution without the significant cost and effort of modernizing them to support modern identity controls. This leaves most organizations with significant identity-related risk and few options for risk mitigation.

11% of those surveyed suffered a breach because of service accounts that have unnecessarily high, static, or standing permissions or authorization levels.

There is a solution.

Illusive Spotlight can continuously discover and monitor for exploitable identity vulnerabilities and mitigate them by performing automated cleanup of the risks it identifies, such as cached credentials. Illusive makes it easy to find these previously unknown vulnerable identities sprawled across an organization's endpoints and services, and then eliminate them or deploy proven identity compromise detection techniques to stop attackers.

Learn More about ESG’s Identity Risk Research During a Free Webinar on May 10 – Register Now

Read the Enterprise Strategy Group eBook, “Securing the Identity Perimeter with Defense in Depth” – Download Now