In many organisations the security perimeter has, over the past few years, effectively disappeared. Instead, security teams rely on identity to restrict access and ensure that only authorised people can reach centralised applications and data.
Indeed, a little less than a year ago, Gartner trumpeted the arrival of identity as the new security perimeter.
The timing of Gartner’s prediction coincided with a gradual decline in the effectiveness of existing perimeter protections such as corporate firewalls.
Practitioners already knew that a determined attacker with enough time or resources could defeat almost any traditional security perimeter setup.
But it was the arrival of widespread remote work that pushed the traditional perimeter beyond its design limitations.
Employees are no longer ring-fenced inside one or a handful of central sites and instead have become their own little “branch office of one.” The focus has shifted to verifying that every attempt they make to access corporate resources remotely is genuine.
That inevitably leads to a broader discussion about identity and ways to protect it.
Few would deny that this is a difficult space, and the challenges only grow against a backdrop of increasingly sophisticated attacks that target or abuse corporate identities.
Indeed, a recent study by Dimensional Research found that “confidence in the ability to secure employee identities dropped from 49% to 32% in the past year.” But the same study also found 93% of security professionals believe identity-related breaches they experienced to date were preventable.
Additionally, 97% intend to invest in identity-related security over the next two years – as both a preventative measure and a cure for the challenges of securing the workplace of 2022.
Tit-for-tat
Any account is vulnerable to misuse if compromised by a threat actor.
With users scattered across many locations, it is easier than ever for threat actors to phish or brute-force their way into an account. Once they hold stolen credentials, they can advance their attack as impostors inside the network, using that disguise to elevate their access and privileges.
Multi-factor authentication (MFA) and single sign-on (SSO) have already succeeded in making the sign-in process more secure than traditional username and password combinations.
However, attackers have found ways around these protections too, often by tricking users into handing over their passwords and one-time login codes; a one-time code, like a password, can be captured and replayed within its short validity window.
Clearing this verification step confers trust on the user. Anyone holding the password and the MFA code typically gains broad freedom to move around the internal corporate network, which is a grave mistake when the “user” is in fact a threat actor.
As organisations employ more defensive techniques, attackers, in turn, also use more advanced approaches to continue facilitating corporate credential theft. It’s a cat-and-mouse game familiar to all security practitioners.
In a recent example, adversaries chained several vulnerabilities in Microsoft Exchange Server to bypass normal user authentication. That gave them access to the server and to the mailboxes and calendars on it without ever holding a valid credential, and from there they could work on escalating to administrative rights.
Microsoft patched the vulnerabilities quickly once they were discovered. Still, the episode shows that organisations have no way of knowing when the next exploit will arrive that gets past the layered protections they have in place.
Focusing on Active Directory pays off
Identity-first security goes beyond password policies and MFA to provide additional layers of protection.
As Gartner points out, organisations need stronger protections inside the network itself: controls that identify when an attacker has slipped past the perimeter, which is also the only reliable way to measure whether the perimeter solutions are working.
In reality, organisations will need to rely on a combination of perimeter security tools, identity-based, least-privilege access programs, and in-network defences capable of detecting attack escalation and lateral movement to reduce the risk of attackers breaching and abusing identities.
Protecting Active Directory (AD) should be near the top of most organisations’ priority lists, as 90 percent of Global Fortune 1000 organisations use it to manage permissions and control access to resources.
Once past the identity and access management controls, attackers often head straight for AD. Even ordinary read access lets them enumerate accounts, group memberships, service accounts and trusts; gaining control of privileged AD objects gives them a considerable advantage in privilege escalation and lateral movement.
Businesses can reduce this risk by using automated tooling to assess AD for exposures (for example accounts with weak Kerberos settings, privileged accounts with stale passwords and excessive delegation), remediate them, and monitor identity-based attacks in real time.
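As an added example of what an automated AD exposure assessment looks for (this is illustrative code written for this page, not the article author’s or any vendor’s tool), the following PowerShell function flags four well-known misconfigurations that attackers use for privilege escalation. The function name, the finding labels, the `New-SampleAccount` helper and the sample accounts are assumptions; the property names are the ones `Get-ADUser` and `Get-ADComputer` return, so the same function can be fed a live domain.

```powershell
# Added example (not from the original article): an Active Directory exposure
# check that flags the misconfigurations attackers use for privilege escalation.
# The function name, its finding labels and the sample accounts below are
# assumptions for illustration; the property names match Get-ADUser/Get-ADComputer.
function Find-IdentityExposure {
    [CmdletBinding()]
    param(
        # Objects from Get-ADUser / Get-ADComputer, or hand-built test objects
        # carrying the same property names.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account
    )
    process {
        $findings = @()

        # AS-REP roasting: with Kerberos pre-authentication disabled, anyone can
        # request a TGT for the account and crack the encrypted part offline.
        if ($Account.DoesNotRequirePreAuth) {
            $findings += 'PreAuthNotRequired (AS-REP roastable)'
        }

        # Kerberoasting: a user account with an SPN lets any domain user request
        # a service ticket encrypted under that account's password hash.
        if ($Account.ObjectClass -eq 'user' -and
            $Account.ServicePrincipalName -and
            @($Account.ServicePrincipalName).Count -gt 0) {
            $findings += 'UserWithSPN (Kerberoastable)'
        }

        # Unconstrained delegation: a compromised host caches the TGTs of every
        # principal that authenticates to it, including domain admins.
        if ($Account.TrustedForDelegation) {
            $findings += 'UnconstrainedDelegation'
        }

        # AdminCount=1 marks members (or former members) of protected groups;
        # a privileged password that never rotates is a long-lived target.
        if ($Account.AdminCount -eq 1 -and $Account.PasswordNeverExpires) {
            $findings += 'PrivilegedPasswordNeverExpires'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $Account.SamAccountName
                ObjectClass    = $Account.ObjectClass
                Findings       = $findings -join '; '
            }
        }
    }
}

# Constructed sample accounts standing in for real Get-ADUser/Get-ADComputer
# output, so the check can be exercised without a domain.
function New-SampleAccount($Sam, $Class, $Spn, $NoPreAuth, $Deleg, $AdminCount, $NeverExpires) {
    [pscustomobject]@{
        SamAccountName = $Sam;  ObjectClass = $Class
        ServicePrincipalName = $Spn; DoesNotRequirePreAuth = $NoPreAuth
        TrustedForDelegation = $Deleg; AdminCount = $AdminCount
        PasswordNeverExpires = $NeverExpires
    }
}
$sampleAccounts = @(
    New-SampleAccount 'svc_backup' 'user'     @('MSSQLSvc/db01.corp.example:1433') $false $false 1 $true
    New-SampleAccount 'j.doe'      'user'     @()                                 $true  $false 0 $false
    New-SampleAccount 'FS01$'      'computer' @('HOST/fs01.corp.example')         $false $true  0 $true
    New-SampleAccount 'a.smith'    'user'     @()                                 $false $false 0 $false
)

$sampleAccounts | Find-IdentityExposure | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module, read access to the directory):
#   $props = 'ServicePrincipalName','DoesNotRequirePreAuth','TrustedForDelegation',
#            'AdminCount','PasswordNeverExpires'
#   Get-ADUser -Filter * -Properties $props | Find-IdentityExposure
#   Get-ADComputer -Filter * -Properties TrustedForDelegation | Find-IdentityExposure
```

The sample data is built so that `svc_backup` is a privileged service account with an SPN and a non-expiring password, `j.doe` has pre-authentication disabled, `FS01$` is a file server trusted for unconstrained delegation, and `a.smith` is a clean account that should produce no finding. The analysis is deliberately separated from the directory query so it can be unit-tested offline and then pointed at production by piping the real cmdlets into it.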
Cloaking technology, which hides production assets such as credentials, AD objects and data from unauthorised users and denies them access, can also derail attacks early. In addition, a deception environment that mimics production systems with a high degree of realism can trick intruders into believing they have breached a genuine network. These decoys are interactive but worthless copies of the assets a threat actor would expect to find, and because legitimate users have no reason to touch them, any interaction with a decoy is a high-fidelity signal of intrusion.
By layering identity-based security measures, including identity threat detection and response (ITDR) technology, organisations significantly increase their chances of detecting intruders early in the attack cycle, before an adversary can cause real damage.
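To make the detection side concrete, here is an added example (written for this page, not taken from the article or any product) that implements two of the signals discussed above: the credential-stuffing and brute-force pattern from the “Tit-for-tat” section, detected as a password spray (one source failing against many accounts) followed by a success from the same source, and the decoy-account signal from the previous paragraph, where any authentication event naming a decoy account is alerted on immediately. The function names, thresholds and sample events are assumptions; the event fields mirror the Windows Security log’s `TargetUserName` and `IpAddress` and the 4624/4625/4768/4771 event IDs, but nothing here reads a real log.

```powershell
# Added example (not from the original article): detection logic for two
# identity attacks over a constructed set of logon events. The function names,
# the thresholds and the sample events are assumptions; event fields mirror the
# Security log's TargetUserName/IpAddress but nothing here reads a real log.
function Find-IdentityAttack {
    param(
        [Parameter(Mandatory)] [psobject[]]$Events,
        [string[]]$DecoyAccounts = @(),
        [int]$SprayAccountThreshold = 5,
        [int]$WindowMinutes = 10
    )
    $alerts = @()

    # 1. Decoy accounts exist only to be touched by intruders, so a single
    #    event naming one (success, failure or ticket request) is an alert.
    foreach ($e in $Events) {
        if ($DecoyAccounts -contains $e.TargetUserName) {
            $alerts += [pscustomobject]@{
                Severity = 'High'; Type = 'DecoyAccountUsed'; Source = $e.IpAddress
                Detail   = "$($e.TargetUserName) referenced by event $($e.EventId) at $($e.Time.ToString('HH:mm:ss'))"
            }
        }
    }

    # 2. Password spray: one source failing against many distinct accounts in a
    #    short window. Per-account lockout never trips because each account
    #    sees only one or two attempts, so the signal is in the fan-out.
    $failures = @($Events | Where-Object { $_.EventId -in 4625, 4771 } | Sort-Object Time)
    foreach ($group in ($failures | Group-Object IpAddress)) {
        $window = @()
        foreach ($e in $group.Group) {
            # Keep only the failures inside the sliding window ending at this event.
            $window = @($window | Where-Object { ($e.Time - $_.Time).TotalMinutes -le $WindowMinutes }) + $e
            $distinct = @($window.TargetUserName | Select-Object -Unique).Count
            if ($distinct -lt $SprayAccountThreshold) { continue }

            $alerts += [pscustomobject]@{
                Severity = 'Medium'; Type = 'PasswordSpray'; Source = $group.Name
                Detail   = "$distinct accounts failed within $WindowMinutes min"
            }
            # 3. A success from the same source after the spray means a
            #    credential has landed in the attacker's hands: escalate.
            $hit = $Events | Where-Object {
                $_.EventId -eq 4624 -and $_.IpAddress -eq $group.Name -and $_.Time -ge $e.Time
            } | Select-Object -First 1
            if ($hit) {
                $alerts += [pscustomobject]@{
                    Severity = 'High'; Type = 'SprayThenSuccess'; Source = $group.Name
                    Detail   = "logon as $($hit.TargetUserName) at $($hit.Time.ToString('HH:mm:ss')) after spray"
                }
            }
            break   # one spray alert per source is enough
        }
    }
    return $alerts
}

# Constructed sample events (not a real log). 203.0.113.7 sprays six accounts
# and then logs in as one of them; 10.0.0.55 touches the decoy account;
# 10.0.0.12 is a user mistyping a password once.
function New-LogonEvent($Time, $EventId, $User, $Ip) {
    [pscustomobject]@{ Time = [datetime]$Time; EventId = $EventId; TargetUserName = $User; IpAddress = $Ip }
}
$sampleEvents = @(
    New-LogonEvent '2024-03-01T08:00:05' 4625 'a.smith'         '203.0.113.7'
    New-LogonEvent '2024-03-01T08:00:09' 4625 'j.doe'           '203.0.113.7'
    New-LogonEvent '2024-03-01T08:00:14' 4625 'p.jones'         '203.0.113.7'
    New-LogonEvent '2024-03-01T08:00:20' 4625 'm.lee'           '203.0.113.7'
    New-LogonEvent '2024-03-01T08:00:26' 4625 'svc_backup'      '203.0.113.7'
    New-LogonEvent '2024-03-01T08:00:31' 4625 'r.khan'          '203.0.113.7'
    New-LogonEvent '2024-03-01T08:01:10' 4625 'j.doe'           '10.0.0.12'
    New-LogonEvent '2024-03-01T08:04:50' 4624 'p.jones'         '203.0.113.7'
    New-LogonEvent '2024-03-01T08:12:33' 4768 'svc_legacyadmin' '10.0.0.55'
)

Find-IdentityAttack -Events $sampleEvents -DecoyAccounts 'svc_legacyadmin' |
    Format-Table Severity, Type, Source, Detail -AutoSize
```

The sample is constructed so that the single mistyped password from `10.0.0.12` stays below the spray threshold and produces nothing, while the spraying source is caught on the fan-out across accounts rather than on any per-account counter, which is exactly the gap that lockout policies leave open. The decoy rule needs no threshold at all: the account `svc_legacyadmin` is assumed to be a decoy that no legitimate process ever uses, so one Kerberos ticket request for it is enough to raise a high-severity alert.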
At the same time, as IT departments invest in deploying solutions to emerge stronger from the pandemic, AD and the growing area of cloud entitlements are set to become and remain essential IT infrastructure components for many years to come. Taking time to ensure that identity security is as strong as possible now and part of one’s overall security posture will help mitigate the risk of any potential attacks in the future.