With the growing support for a hybrid work environment and continued migration to cloud applications, Gartner is predicting an increased trend in identity-based attacks and credential abuse. Today’s cybercriminals are looking for ways to steal credentials, escalate privileges, and move laterally across an organization’s infrastructure. Given that identity compromises are present in most ransomware and supply chain attacks, identity-based attacks have become one of the top cybersecurity threats facing organizations today. That is why Gartner has declared “identity is the new perimeter” and recommends organizations invest in protecting against identity attacks or specifically Identity Threat Detection and Response solutions.
The Password Paradigm Shift
For many years, organizations could get by setting up strict password requirements for their users. Password best practices included using long, complex passwords and different passwords for different accounts.
Today, there are billions of hacked login credentials are available on the dark web and cybercriminals can easily buy credentials – $150 for 400M username and password pairs. Research on password etiquette shows that 59% of people used the same password for multiple accounts and 47% of people used the same passwords at work as they do at home. With all this password duplication, it greatly increases the risk of attackers gaining access to corporate systems using a combination of corporate email and stolen passwords.
Adding to the challenge of protecting against identity threats is the growth in SaaS applications used by businesses; this requires the number of account credentials to grow significantly and as result, employees are more likely to use passwords that can be easily guessed if they’re not just reusing the same passwords across multiple accounts. With hackers using brute force attacks and automated password cracking tools to guess combinations of usernames and passwords, password management for internal IT teams is an uphill battle.
Finding Better Protections
To better protect user accounts from identity attacks, organizations are implementing Multifactor Authentication (MFA). MFA requires multiple steps to verify users’ identities before accounts can be accessed. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Two-factor authentication for smartphones, one of the more common applications of MFA, typically involves something you know and something you have. For example, a user PIN followed by proof of possession of the device registered with the user account. Each MFA method has strengths and weaknesses, and the choice of implementation is often a trade-off between security and usability.
A Google research study found the success rate of MFA using an SMS code sent to a phone number helped block 100% of automated attempts by hackers to gain access, along with 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.
MFA enables easier ways to access accounts, such as Single Sign-On. For example, if a user logs into Microsoft 365 using MFA, they will be able to log in to all other accounts using those credentials, as their identity will have already been verified. Alongside streamlining the login process for users, MFA also saves time for IT admins and helps address compliance mandates that require strong authentication processes before employees can gain access to data.
MFA is an Improvement, Not a Panacea
While strong identity authentication protections, like MFA, are effective, not all organizations use these tools to protect against identity attacks. For example, a recent survey by Microsoft showed that 78% of their customers using Azure AD only use passwords without protections like MFA. Reasons why organizations do not implement authentication protections include cost, user experience, scalability, and availability of solutions for legacy applications.
Cybercriminals are targeting larger organizations, using more sophisticated penetration techniques, and demanding bigger ransoms from successful ransomware attacks. The theft and abuse of credentials plays an important role in ransomware attacks where Microsoft’s Remote Desktop Protocol (RDP) is an attack vector, giving organizations more reasons to better protect their user accounts.
However, even for organizations using MFA, hackers have shown they have multiple techniques that can be used to bypass this such as disabling MFA policies, attacking legacy applications that do not support MFA, using stolen private keys to sign certificates, installing a malicious app that authenticates while still controlled by the attacker, and more.
Enter Identity Threat Detection and Response
Identity Threat Detection and Response (ITDR), as coined by Gartner, is used to describe the collection of tools and best practices to successfully defend identity systems from endemic levels of attacks.
A new approach is needed as other tools like, User and Entity Behavior Analytics (UEBA), have fallen short of expectations due to challenges with false positives and the lack of automated response capabilities.
Gartner has underscored the importance of preventing compromises to protect against identity attacks. While MFA prevention tools exist, they can and will be bypassed. Organizations need to deploy more advanced threat detection tools. Threat detection is critical but not sufficient. Rapid and effective response actions are mandatory.
Traditional approaches to security monitoring with manual incident response are often too slow to react to attacks and compromises. In addition, it can take hours to create a ticket requesting suspension of a user account increasing the risk of a data breach in the meantime. The appropriate response may vary depending on the type of account. For example, an investigation is often needed before suspending an executive user account.
The implementation of an ITDR tools is also an important consideration as some require sensors or agents which are complicated to integrate and maintain.
Proficio’s ProSOC Identity Threat Detection and Response service detects threats to Identity and Access Management (IAM) platforms to enable a faster response to contain attacks and compromises. It is designed to work with multiple IAM platforms and leverages advanced technology combined with human-led investigations to detect threats to an organization’s IAM infrastructure. Alerts are prioritized using use case analytics, correlation rules, machine learning, and threat intelligence data.
For better protection against identity attacks, Proficio’s automated response solution, Active Defense, can take immediate action when a high-fidelity threat is detected, quickly suspending a user account for one or more applications. While many organizations can only investigate and respond during business hours, Active Defense allows you to quickly contain identity threats providing incident responders time to further investigate before there is a serious breach. Our security advisors work with our clients to baseline event thresholds and determine how to orchestrate response actions most effectively. When an Active Defense use case is triggered, our solution can initiate an immediate account suspension or enable an incident responder to do this with a single click in alignment with your business requirements and the type of user account that is being targeted. Active Defense supports both automated and semi-automated functions, allowing incident responders to perform a double validation of a threat before initiating an account suspension through a single click in our ServiceNow portal.
To find out more about Proficio’s solution view our webinar