Building a Defense Against Identity-based Cyber Attacks

Those who don’t learn from history are often doomed to repeat the failures of the past. Rarely has this been more apparent than in the area of Identity and Access Management (IAM). Going back as far as 2009, a consistent theme in many breaches has been the mismanagement of identity attributes, such as passwords and default credentials. While ransomware continues to be the most highly leveraged type of attack against businesses, credential and identity-based attacks are not far behind. Attackers take their expected level of effort very seriously, but we certainly shouldn’t be making it easier for them. There is no need for cyber criminals to craft sophisticated campaigns using complicated software solutions with advanced payloads if they have a set of good credentials to the network. In this article, we’ll explore some steps organizations can take to improve their defenses against these types of attacks.

Check Default Credentials

Criminal enterprises run their operations like a business. All attacks, whether targeted or indiscriminate, are weighed against the level of effort required to complete the task. Most of the attention today is paid to bad actors that leverage zero-day attacks or complicated attack sequences, but novel attacks are expensive as well. Researchers have seen threat actors claiming to be able to sell zero-day attacks for up to $10 million, but for most non-state-sponsored threat actors, those tactics are out of reach. They instead turn to the many databases containing default credentials for the hundreds of types of infrastructure assets that exist in the marketplace. Websites like ( maintain lists of default credentials that allow organizations to check their devices. However, like any source of information, it can be misused. As a follow-up to building an asset management program, security organizations should regularly audit devices for default passwords—particularly those devices that live on the edge of the network. It’s also important not to ignore internal assets such as medical devices, building management technology, and commodity-level devices (printers, etc.). These are frequently overlooked, but can be leveraged more often than you think to either start or continue an attack.

Manage Privileged Identities

If default credentials are the first step to initiating an attack, privileged identities can act as the proverbial keys to the kingdom. Privileged credentials have the ability to do far more than standard users are able to—up to and including adding and removing software while eliminating any traces of intrusion or system changes. Managing them can be tricky, particularly when there are many administrators spread across the enterprise. Making things even more challenging is the often-distributed directory structure that separates accounts into different realms. For example, some administrator accounts may exist within a Cloud Service Provider (CSP), others within Active Directory, and others within a SaaS platform, such as Salesforce. The key to managing privileged identities is to consolidate them as much as possible and ensure that each account is tied to a ‘heartbeat’ owner. This way, when an employee leaves or changes roles, the organization knows which accounts need to be terminated. Further, enterprises may want to consider a privileged account management (PAM) platform that can assist with consolidation, account certification, password rotation, and other tasks that constitute a strong privileged identity program.

Monitor Third-party Access

Third parties often require access to organizational networks to manage their devices, or even to process data on behalf of the company. Typically, this is accomplished using VPN accounts or, in some cases, direct access to the devices in question through a vendor-specific gateway appliance. The bottom line is this: access you cannot control greatly increases your risk of a security incident. Breaches involving supply chain and third parties surged by almost 300% in 2022, implying that criminals are keenly aware of the availability of access through these channels. Digital identities belonging to third parties—especially those with access to sensitive information—need to be treated with as much care as a privileged identity. An internal owner should be able to attest to the need for the account, and auditing capabilities must be in place to show exactly what was done and who performed the action.
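The two recurring checks above, a 'heartbeat' owner for every privileged account and periodic attestation of third-party accounts, can be run as a simple audit over exported account data. The following is an added example, not AHEAD's code; the realm names, employee ids and account records are constructed for illustration, and the 90-day attestation window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    realm: str                           # directory the account lives in (constructed names)
    name: str
    owner: str                           # employee id of the accountable owner, "" if none
    third_party: bool = False            # vendor/partner account rather than staff
    attested_on: Optional[date] = None   # last date the owner confirmed the account is needed


# Constructed HR roster: only these employee ids are currently active.
ACTIVE_STAFF = {"e100", "e101"}

# Constructed privileged-account export pulled from several realms.
ACCOUNTS = [
    Account("ad", "svc-backup-admin", "e100"),
    Account("aws", "root-breakglass", "e102"),                 # e102 has left the company
    Account("salesforce", "sfdc-admin", ""),                   # no owner ever recorded
    Account("ad", "vendor-hvac", "e101", True, date(2023, 1, 15)),
    Account("vpn", "vendor-imaging", "e100", True, date(2023, 5, 20)),
    Account("vpn", "vendor-legacy", "e102", True, None),      # sponsor gone, never attested
]


def find_orphans(accounts, active_staff):
    """Accounts with no owner, or whose owner is no longer an active employee."""
    return sorted(a.name for a in accounts if a.owner not in active_staff)


def stale_third_party(accounts, today, max_age_days=90):
    """Third-party accounts never attested, or not re-attested within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.name for a in accounts
                  if a.third_party and (a.attested_on is None or a.attested_on < cutoff))


def accounts_per_owner(accounts):
    """Owner -> number of privileged accounts; high counts are consolidation candidates."""
    counts = {}
    for a in accounts:
        counts[a.owner] = counts.get(a.owner, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2023, 6, 1)
    print("orphaned:", find_orphans(ACCOUNTS, ACTIVE_STAFF))
    print("stale third-party:", stale_third_party(ACCOUNTS, today))
    print("accounts per owner:", accounts_per_owner(ACCOUNTS))
```

In practice the roster and account lists would come from the HR system and from each realm's own export (AD, the CSP, the SaaS platform), and the orphan list feeds the termination process described above.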

Final Thoughts

Identities have been described as the new enterprise perimeter—and with good cause. Our new ubiquitously connected networks allow connectivity to the most sensitive data and assets from anywhere in the world. Thus, modern identity management programs need to work within this reality by creating processes that allow for easier management and monitoring of these key assets.

To learn more, get in touch with AHEAD’s security team today.

Contributing Author: Mervyn Chapman
