Over 80% of organizations have experienced an identity-related breach that involved compromised credentials. Compromised credentials are one of the most sought-after weaknesses for attackers to facilitate identity breaches, such as lateral movement and ransomware spread.
To determine and resolve their identity weaknesses and exposures, organizations need to conduct an identity risk assessment.
In this article, we will examine the key components of an effective identity risk assessment, and discuss how to gain full visibility and insights into your identity security posture with Silverfort.
Identity Risks Start with Identity Weaknesses
Organizations are struggling with identity threats such as account takeovers, lateral movement and ransomware. According to a recent report by Silverfort and Osterman Research, over 80% of organizations have experienced an identity-related breach that involved compromised credentials, with more than half of these breaches in the past year alone.
The continuous success of these attacks implies that there are weak links or security gaps attackers target to compromise credentials, escalate privileges and move laterally. The purpose of an identity risk assessment is to uncover these gaps. For example, a recent report entitled “The Identity Underground” disclosed the most critical and prevalent of these weak links and unveiled some alarming findings, including:
- Insecure on-prem password sync is a contributing factor to the compromise of SaaS apps in 67% of organizations.
- 37% of admins use NTLM to authenticate, and a further 7% use NTLMv1.
- 31% of all users in an organization are service accounts.
- 7% of regular users have admin-level access privileges without belonging to any admin groups.
The above data is only a small sample that illustrates the magnitude of identity threat exposure challenges.
Key Elements of Identity Risk Assessment
Organizations undertake security risk assessments to gain insights into their weaknesses and exposures. The process of conducting a risk assessment involves the collection and analysis of data. Specifically, this article focuses on identity-related data, such as accounts, authentications, and access privileges. An identity risk assessment typically includes the following components:
Identity-Related Data
User Account Inventory
Full visibility into all user accounts, service accounts, and admin accounts. A detailed inventory will typically include information such as names, descriptions, group memberships, and applications associated with each item.
Configurations
A comprehensive overview of both on-prem and cloud-based configurations of users and directories.
Access Patterns
Full visibility into all authentications and access patterns of active users and resources, both on-prem and in the cloud, including service accounts and authentication logs.
Risk Analysis
Credential Access
The MITRE ATT&CK framework defines credential access as the techniques attackers use to steal credentials such as account names and passwords. Credential access techniques include keylogging, credential dumping, and brute force, among others.
Newer authentication protocols are designed to prevent such attacks, but older protocols like NTLMv1 rely on weak cryptography, so captured authentication exchanges can be brute forced with little effort. The identity risk assessment aims to discover these weaknesses that enable attackers to use credential access techniques.
Privilege Escalation
As outlined in MITRE ATT&CK, privilege escalation consists of techniques attackers use to gain higher-level permissions on a system or network. Even after they have gained initial access to the organization’s environment, attackers may still need higher privileges in order to carry out their attack. For this reason, privileged accounts are frequently targeted.
Attackers will commonly attempt to take advantage of system weaknesses and misconfigurations; for example, shadow admins, who are regular users that were unknowingly given admin privileges or configuration/reset privileges over admin accounts. Shadow admins can reset the passwords of actual admins, but they are regular users in all other respects. Because they are not recognized as admins, they are also not subject to the same security controls.
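The shadow admin check described above can be run directly over the user account inventory and configuration data an assessment collects. The following is an added example, not Silverfort code: it takes a constructed account inventory (direct group memberships and nested groups) plus constructed access-rights entries, and reports every non-admin user who holds a password-reset or full-control right over an admin account, including rights inherited through nested groups. The group names, account names, ACL entries and the set of rights treated as "takeover" rights are all assumptions made for the example.

```python
"""Detect shadow admins from an account inventory and access-rights data.

Added example (not Silverfort code). A shadow admin, as described above, is a
regular user who belongs to no admin group yet holds password-reset or broader
control rights over admin accounts, directly or through nested group
membership. All accounts, groups and ACL entries below are constructed sample
data, not output from a real directory.
"""

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Rights over an account object that let the holder take it over. The names
# mirror Active Directory permission names, but this selection is an assumption.
TAKEOVER_RIGHTS = {"ResetPassword", "GenericAll", "WriteDacl", "WriteOwner"}

# Constructed inventory: account -> direct group memberships.
ACCOUNTS = {
    "alice": {"Domain Admins"},
    "bob": {"Domain Users"},
    "carol": {"Domain Users", "Tier1"},
    "dave": {"Domain Users", "IT-Ops"},
    "svc_backup": {"Domain Users", "Domain Admins"},
}

# Constructed nesting: group -> groups it is itself a member of.
NESTED_GROUPS = {"Tier1": {"Helpdesk"}}

# Constructed access-rights entries: (trustee, right, target account).
ACL = [
    ("Helpdesk", "ResetPassword", "alice"),    # helpdesk can reset a Domain Admin
    ("dave", "GenericAll", "svc_backup"),      # full control over a privileged service account
    ("bob", "ResetPassword", "bob"),           # self-service reset over a regular user
    ("Domain Admins", "GenericAll", "alice"),  # admins controlling admins: expected
]


def effective_groups(account, accounts=ACCOUNTS, nested=NESTED_GROUPS):
    """Return all groups an account belongs to, following nested membership."""
    seen = set()
    stack = list(accounts.get(account, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(nested.get(group, ()))
    return seen


def is_admin(account, accounts=ACCOUNTS, nested=NESTED_GROUPS):
    """An account is an admin if any of its effective groups is an admin group."""
    return bool(effective_groups(account, accounts, nested) & ADMIN_GROUPS)


def members_of(trustee, accounts=ACCOUNTS, nested=NESTED_GROUPS):
    """Expand a trustee (user or group) to the set of user accounts it covers."""
    if trustee in accounts:
        return {trustee}
    return {a for a in accounts if trustee in effective_groups(a, accounts, nested)}


def find_shadow_admins(accounts=ACCOUNTS, nested=NESTED_GROUPS, acl=ACL):
    """Map each shadow admin to the (right, target, via) paths that make it one."""
    findings = {}
    for trustee, right, target in acl:
        if right not in TAKEOVER_RIGHTS or not is_admin(target, accounts, nested):
            continue
        for user in members_of(trustee, accounts, nested):
            # Admins controlling admins is the intended state; self-rights are not a takeover.
            if user == target or is_admin(user, accounts, nested):
                continue
            findings.setdefault(user, []).append((right, target, trustee))
    return {user: sorted(paths) for user, paths in sorted(findings.items())}


if __name__ == "__main__":
    for user, paths in find_shadow_admins().items():
        for right, target, via in paths:
            print(f"shadow admin {user}: {right} over admin {target} via {via}")
```

With the sample data, carol is flagged only because her Tier1 group is nested inside Helpdesk, which is the case a flat group-membership review misses; dave is flagged for full control over a privileged service account. The mitigation is the one the article gives later: remove the excessive right rather than add the user to an admin group.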
Lateral Movement
Lateral movement, as defined in the MITRE framework, comprises the techniques attackers use to enter and control remote systems. This way, attackers can move undetected from one point in the environment to the next until they reach their target. For this reason, attackers are very interested in accounts that lack visibility and protection from existing security solutions.
Service accounts, for instance, are difficult to keep track of, are often highly privileged, and usually cannot have their passwords rotated without breaking the processes that depend on them, which makes them attractive for lateral movement.
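The access-pattern data an assessment collects is where the credential access and lateral movement exposures above become visible. The following is an added example, not Silverfort code: it parses constructed logon records whose field names follow Windows Security events 4624 and 4625 (where LmPackageName distinguishes NTLM V1 from NTLM V2) and reports accounts that still authenticate with NTLMv1 and service accounts that appear in interactive logons, the pattern of a service account being used by a person rather than a process. The log lines, host names, service account list and admin list are constructed sample data; in practice the account lists come from the inventory.

```python
"""Flag NTLMv1 use and service-account misuse in authentication logs.

Added example (not Silverfort code). Parses constructed, simplified logon
records whose field names follow Windows Security events 4624/4625 and reports
two exposures discussed above: accounts that still authenticate with NTLMv1,
and service accounts performing interactive logons. The log lines, host names
and account lists are constructed sample data.
"""
import shlex

# Constructed lists; in practice these come from the account inventory.
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}
ADMIN_ACCOUNTS = {"alice"}

# Logon types that imply a person at a console or remote desktop session.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}  # Interactive, RemoteInteractive, CachedInteractive

# Constructed sample log: one key=value record per line.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=alice LogonType=3 AuthenticationPackageName=NTLM LmPackageName="NTLM V1" WorkstationName=WS01
EventID=4624 TargetUserName=bob LogonType=3 AuthenticationPackageName=NTLM LmPackageName="NTLM V2" WorkstationName=WS02
EventID=4624 TargetUserName=carol LogonType=2 AuthenticationPackageName=Kerberos LmPackageName=- WorkstationName=WS03
EventID=4624 TargetUserName=svc_backup LogonType=5 AuthenticationPackageName=Kerberos LmPackageName=- WorkstationName=BKP01
EventID=4624 TargetUserName=svc_backup LogonType=10 AuthenticationPackageName=Kerberos LmPackageName=- WorkstationName=WS01
EventID=4624 TargetUserName=svc_sql LogonType=3 AuthenticationPackageName=NTLM LmPackageName="NTLM V1" WorkstationName=SQL01
EventID=4625 TargetUserName=alice LogonType=3 AuthenticationPackageName=NTLM LmPackageName="NTLM V1" WorkstationName=WS09
"""


def parse_record(line):
    """Turn one key=value line into a dict; shlex keeps quoted values intact."""
    record = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-empty line of the log."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def find_ntlmv1_use(records):
    """Accounts whose successful logons (4624) used NTLMv1, with the hosts involved."""
    hosts = {}
    for r in records:
        if r.get("EventID") == "4624" and r.get("LmPackageName") == "NTLM V1":
            hosts.setdefault(r["TargetUserName"], set()).add(r["WorkstationName"])
    return {user: sorted(h) for user, h in sorted(hosts.items())}


def find_hybrid_service_accounts(records, service_accounts=SERVICE_ACCOUNTS):
    """Service accounts seen in interactive logons, as (logon type, host) pairs."""
    findings = {}
    for r in records:
        user = r.get("TargetUserName")
        if (r.get("EventID") == "4624" and user in service_accounts
                and r.get("LogonType") in INTERACTIVE_LOGON_TYPES):
            findings.setdefault(user, []).append((r["LogonType"], r["WorkstationName"]))
    return {user: sorted(v) for user, v in sorted(findings.items())}


def assess(text=SAMPLE_LOG, admins=ADMIN_ACCOUNTS):
    """Run both checks and single out admin accounts on NTLMv1 for prioritization."""
    records = parse_log(text)
    ntlmv1 = find_ntlmv1_use(records)
    return {
        "ntlmv1": ntlmv1,
        "ntlmv1_admins": sorted(set(ntlmv1) & admins),
        "hybrid_service_accounts": find_hybrid_service_accounts(records),
    }


if __name__ == "__main__":
    for category, findings in assess().items():
        print(category, findings)
```

Only successful logons count towards the NTLMv1 finding, so the failed 4625 record for alice does not add a host; the admin account on NTLMv1 and the service account logging in over remote desktop are the two findings a prioritization step would put first.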
Security Coverage Gaps
There are accounts and resources that security controls cannot cover, and certain weaknesses that cannot be eliminated.
For example, many organizations still use legacy systems which do not natively support MFA. Even attempting to manually implement identity security solutions on each legacy application or server is difficult since tampering with them can result in malfunctions or even process terminations.
Next Steps: Following Up on a Risk Assessment
Prioritization
Different risks pose different threats. To resolve the identified risks effectively, organizations should prioritize them based on their potential impact and probability in order to allocate resources most efficiently. For example, an organization may start with highly privileged accounts, critical applications, and any other factors that it deems necessary.
Mitigation
Risks can be addressed based on their root cause: misconfigurations, malpractices, and security coverage gaps. Mitigation steps can be taken accordingly in order to reduce these risks and improve the organization’s identity security posture; for example:
- Misconfigurations: Misconfigurations occur when incorrect or unsuitable configurations are applied during user creation, which can result in security weaknesses. Misconfigurations are inevitable, and even more so in larger environments. Shadow admins, for example, are a common misconfiguration. Misconfigurations can be resolved by restoring the proper configurations, for example by removing the excessive privileges granted to a shadow admin.
- Malpractices: The term malpractice refers to actions taken unintentionally or improperly that can result in substantial weaknesses, such as hybrid service accounts or excessive NTLM authentications. Hybrid service accounts happen when an admin uses a service account for interactive login, or a personal account to automate tasks. In order to resolve such malpractices, it is necessary to ensure that IT and admins adhere to security best practices.
- Security Coverage Gaps: Accounts and resources not covered by security controls create large security gaps, and the identity risks they lead to are very difficult to resolve; examples include enforcing MFA on legacy apps and rotating the passwords of service accounts. Organizations must search for a solution to overcome these risks, or alternatively ensure that the security team closely monitors such users and resources.
Identity Risk Assessment with Silverfort
Silverfort provides a unified identity security platform that prevents identity threats in real time. This enables organizations to have full visibility into all access attempts, and deny access to resources, regardless of authentication protocol, for all on-prem, cloud, and hybrid identity environments.
Through Silverfort’s unified identity security platform, organizations can perform a comprehensive identity risk assessment to reveal and mitigate all the security gaps, misconfigurations and malpractices attackers can exploit for credential access, privilege escalation and lateral movement.
Identity Security Posture Management (ISPM)
Comprehensive visibility into identity threat exposures such as service accounts, shadow admins, and legacy protocols like NTLMv1, among others. This includes monitoring and analyzing authentications, access patterns, and behaviors to gather insights into the organization’s identity security posture and provide recommendations on how to remove the risks, such as implementing monitoring solutions and removing excessive permissions of privileged accounts.
Authentication Firewall
An authentication firewall is a method of controlling user access to resources by enforcing strict access and authentication controls. Silverfort’s authentication firewall enables organizations to enforce risk-based policies and identity segmentation to block unauthorized access attempts and ensure users only access the resources they need. No changes to the underlying infrastructure are needed, and the authentication firewall’s policies can be implemented quickly and seamlessly.
MFA for All
Silverfort integrates with Active Directory to forward all access requests to Silverfort, allowing it to enforce MFA verification across all systems in the organization’s identity infrastructure, including legacy systems.
Service Account Protection
Automatic discovery and management of service accounts. Silverfort can detect service accounts by analyzing their behavioral patterns and automatically configure access policies in the event that a compromised service account is detected.
To discuss how Silverfort can assist your organization in assessing its identity risk, fill out this form and schedule a meeting with a Silverfort identity security expert.