Identity-based attacks that use compromised credentials to access enterprise resources are a blind spot in organizations’ security stacks. As a result, identity-based attacks are emerging as the leading cause of data breaches. While real-time protection exists against various attack types – malware, data access and data exfiltration to name a few – it is absent against a scenario in which attackers authenticate with valid (yet compromised) credentials. To confront the rise of these attacks efficiently there is a need for a paradigm change – to treat user identities as a distinct attack surface with its own traits and features. In this blog we’ll see why existing security stacks fail against identity-based attacks and how Silverfort implements this paradigm change with its Unified Identity Protection platform, delivering real-time protection to this new attack surface.
Identity-Based Attacks = Utilizing Compromised Credentials to Access Targeted Resources
We define identity-based attacks as any malicious activity that utilizes compromised credentials to access targeted resources. In the common MITRE terminology, these attacks take place in either the Initial Access, Persistence or Lateral Movement stages. They can be a standalone act, for example when brute forcing a SaaS app, or the post-compromise stage of a wider operation as would be the case in on-prem lateral movement. The following diagram summarizes the common identity-based attacks organizations typically encounter.
Rapidly Rising Attack Vector
According to security firm Digital Shadows’ 2020 ‘From Exposure to Takeover’ report, there are over 15B credentials circulating for sale on the dark web. This figure gives some sense of the scope of the problem organizations worldwide deal with.
IBM’s Cost of a Data Breach Report 2021 states that ‘The most common initial attack vector in 2021 was compromised credentials, responsible for 20% of breaches’, maintaining their lead from last year. In addition, the report states that ‘Breaches caused by stolen/compromised credentials took the longest number of days to identify (250) and contain (91) on average, for an average total of 341 days’. It should also be noted that business email compromise, which according to the report is the most costly attack vector, is essentially a specific case of compromised credentials.
Current State: Dispersed Protections and Inherent Blind Spots
Identity-based attacks are a weak link in today’s security stack. Firstly, the protection is dispersed across various products and teams – CASB to protect against initial access to SaaS applications, Endpoint Protection Platform (EPP) against on-prem lateral movement, NGFW against malicious remote connections and so on.
Secondly, all of these security measures are inherently incapable of delivering real time protection against malicious authentication that employs compromised credentials. The reason is simple – this is not what these products were designed to do.
Let’s dig in a bit deeper to understand why this is.
Cyberattack Protection: Real Time is King
The core flow of any cyber protection is founded on the following capabilities:
- Monitoring a given activity within the IT environment
- Detecting malicious behavior of this activity
- Terminating the activity upon its detection as malicious.
It is easily seen that the critical link in this flow is the ability to protect in real time – that is, to block the malicious activity immediately upon its detection.
Let’s illustrate this concept with EPP (Endpoint Protection Platform). An EPP agent is installed on a workstation or server and can monitor all the running processes, detect that a certain process features malicious behavior and if needed terminate the process altogether. This is what it was built to do and indeed EPP does a great job against exploits, malware, scripts, malicious macros and every threat that is manifested in anomalous process behavior.
The key value of the EPP is its placement where it can terminate the malicious activity in real time. And this holds true for other security products as well, each in its own domain – firewalls for network traffic, DLP for data file access etc.
So What is Real Time Protection in the Context of Identity-Based Attacks?
Now we can truly appreciate the problem. Identity-based attacks utilize compromised credentials to perform a seemingly legitimate authentication. Hence, to deliver real time protection against this type of threat one must be able not only to reliably flag an authentication attempt as malicious but also proactively prevent it from taking place. This task is beyond the scope of any security product since none of them is designed to take part in the authentication process.
Let’s take a common example of a lateral movement attack that uses PsExec to expand from the patient-zero machine to other machines. The EPP agent can indeed see that a PsExec process is running. However, it plays no part in the complete authentication cycle in which the attacker on the patient-zero machine provides compromised credentials to Active Directory to log in to another machine. As a result, even if the EPP agent had known that a certain authentication is in fact malicious (which is not trivial at all), it still would not have been able to do anything about it.
The Journey Towards Real-Time Identity Protection Must Start with the Identity Providers…
In fact, the only components in today’s environment that can enforce this type of protection are the identity providers themselves, since they are at the core of all authentication activity – so if we want to start the journey towards real-time identity protection, this is where we should start. And this holds true for any type of resource – to prevent account takeover of SaaS applications we should harness the cloud IDP in place. To prevent automated propagation of ransomware we should leverage the on-prem directory (in most cases it would be Active Directory).
…But it Also has to Go Beyond Them
The problem is that for the most part, Identity Providers don’t go beyond validating the received password. Continuing our earlier example, when the attacker on patient zero attempts to access another machine with compromised credentials, Active Directory does not have a way to know that the valid credentials provided are in fact compromised and hence would allow the attacker to access the machine. So while it’s clear that the identity providers are a key component in delivering real-time protection against identity-based attacks, it is equally clear that they cannot fully deliver this protection as they are. This is the gap Silverfort Unified Identity Protection addresses.
Enter Silverfort Unified Identity Protection
The Silverfort platform natively integrates with all the identity providers in place to add both risk analysis and proactive prevention capabilities on top of the IDP initial credential check. Whenever an IDP – remote network access, on-prem or cloud – gets an access request it forwards it to Silverfort. Getting this data from all the IDPs provides Silverfort with the full authentication activity of every user across all the organization’s resources.
This complete data enables Silverfort to analyze the risk of each authentication attempt. Based on the analysis results, Silverfort’s risk engine determines whether to allow the user to access the requested resource, deny access or challenge the user with MFA verification. The IDP then grants or denies access to the user based on Silverfort’s verdict.
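To make the decision flow concrete, here is a toy risk engine that sits in the IDP’s decision path and returns one of the three verdicts described above for each forwarded authentication. It is an added example, not Silverfort’s code or risk model: the users, hosts, timestamps and thresholds are constructed, and the “fan-out to many new targets in a short window” heuristic is an assumed stand-in for a real risk analysis, chosen because it catches the PsExec-style lateral movement from patient zero described earlier.

```python
"""Toy authentication risk engine (added example, not Silverfort's code).
The IDP forwards each access request as (user, src, dst, ts) and grants or
denies access according to the returned verdict."""
from collections import defaultdict

ALLOW, MFA, DENY = "ALLOW", "MFA", "DENY"


class RiskEngine:
    def __init__(self, window=300, mfa_fanout=3, deny_fanout=5):
        self.window = window            # seconds of history considered per user
        self.mfa_fanout = mfa_fanout    # distinct targets in window -> step-up MFA
        self.deny_fanout = deny_fanout  # distinct targets in window -> block
        self.baseline = defaultdict(set)  # user -> {(src, dst)} known-good paths
        self.recent = defaultdict(list)   # user -> [(ts, dst)] inside the window

    def learn(self, user, src, dst):
        """Record a known-good access path from historical IDP data (assumed)."""
        self.baseline[user].add((src, dst))

    def verdict(self, user, src, dst, ts):
        """Called by the IDP before access is granted; returns ALLOW, MFA or DENY."""
        hist = [(t, d) for t, d in self.recent[user] if ts - t <= self.window]
        hist.append((ts, dst))
        self.recent[user] = hist
        distinct_targets = len({d for _, d in hist})
        new_path = (src, dst) not in self.baseline[user]
        if distinct_targets >= self.deny_fanout:
            return DENY   # valid password, but fan-out to many hosts within minutes
        if new_path or distinct_targets >= self.mfa_fanout:
            return MFA    # unusual path: let the legitimate user prove it is them
        return ALLOW


def run_scenario():
    """Constructed stream: routine logins, then PsExec-style fan-out from patient zero."""
    eng = RiskEngine()
    for dst in ("fileserver", "mailserver"):      # alice's normal daily resources
        eng.learn("alice", "ws-alice", dst)
    events = [
        ("alice", "ws-alice", "fileserver", 1000),
        ("alice", "ws-alice", "mailserver", 1010),
        ("alice", "ws-alice", "srv-01", 2000),    # attacker on ws-alice starts here
        ("alice", "ws-alice", "srv-02", 2005),
        ("alice", "ws-alice", "srv-03", 2010),
        ("alice", "ws-alice", "srv-04", 2015),
        ("alice", "ws-alice", "srv-05", 2020),
    ]
    return [eng.verdict(*e) for e in events]
```

The two routine logins are allowed, the first hop to an unseen server already triggers MFA, and once five distinct targets are reached within the window the engine denies, which is the verdict the IDP enforces.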
Changing the Paradigm: Identities are a Differentiated Attack Surface
This unified approach enables Silverfort to centralize the protection against any type of identity-based attack. It doesn’t matter if it is an account takeover of IaaS workloads, on-prem lateral movement, or connecting to a legacy application – if the access entails authentication, protection is applied. The key change lies in understanding that the use of credentials to access a resource is much more important than what type of resource it is.
In plainer words: the blind spot in today’s defense stems from a mindset that views lateral movement as an endpoint problem, SaaS account takeover as a SaaS access problem and malicious remote network access as a network problem.
Silverfort changes this mindset by pointing out a simple truth: in essence all these examples (and many more) are different manifestations of a compromised credentials problem. A critical problem that can be solved only by placing security controls where the authentications and access attempts actually take place.
Learn more about Silverfort Unified Identity Protection here.