The Identity Underground Report: Deep insight into the most critical identity security gaps  

We’re proud to unveil the first report based on Silverfort’s proprietary data: The Identity Underground Report. This data, gathered and analyzed from hundreds of production environments, discloses the key security gaps – or Identity Threat Exposures (ITEs) – that adversaries exploit to launch identity threats such as credential access, privilege escalation and lateral movement.  

This is the first ever comprehensive analysis of these weaknesses. In fact, some of these ITEs have never been disclosed at all – until now.  

The results are alarming: no environment is free from the gaps that give attackers easy opportunities to access credentials, escalate privileges, and move laterally with little to no resistance.  

Are you a CISO? Then you’ll want to ask your team if the common gaps in the report apply to your environment as well. These are the culprits behind the attacks that keep you awake at night. Knowing them should become a factor in your decision making. 

Are you a security architect or a SOC manager? You already know that identity is the most abused attack surface in account takeover, lateral movement, and ransomware spread. Now you can gain full insight into what you need to protect. 

And finally, are you accountable for the identity security in your organization? Then you’ll find all the challenges you’re already confronting daily: shadow admins, NTLMv1, unconstrained delegation, service accounts, password sync and many more.  

These gaps enable threat actors to win the war against identity threats 

Identity threats are at large. Lateral movement, preceded by credential theft and privilege escalation, is now a key part of almost every ransomware campaign.  

Yet a thorough understanding of the scope and nature of the gaps that make these attacks possible is not part of organizations’ cybersecurity playbooks. In fact, they don’t even have a name. They are not software vulnerabilities with an assigned CVE, nor are they malware. Rather, they are an inevitable result of misconfigurations, malpractices, legacy infrastructure, and insecure built-in features. They share a common denominator: each of them exposes its environment to an identity-related TTP, such as credential access, privilege escalation, or lateral movement. This is why we call them Identity Threat Exposures (ITEs). 

The Identity Underground Report is the first report to shed light on the dark corners of the identity infrastructure, unveiling the ITEs that are most prevalent, impactful and exploitable. Put simply, at least some of them reside in your environment.  

Report highlights: Active Directory ITE endangers the SaaS environment 

Key insight #1: Active Directory (AD) is critically exposed to identity threats 

Around 90% of organizations employ a hybrid identity infrastructure. This means Active Directory (AD) still plays a key role alongside cloud directories or federation servers.  

However, AD is infested with misconfigurations, legacy infrastructure, and built-in insecure features. These, together with common malpractices, turn it into an extremely low-resilience attack surface. In simple terms, attackers can easily use the AD environment to slip through to the target environment for ransomware, data theft, or any other purpose. This report discloses the most prominent ones. 

Key insight #2: AD’s exposure to identity threats also endangers the SaaS environment 

The common practice of syncing AD passwords to the organization’s cloud Identity Provider (IdP) has significant productivity benefits. It can also create a critical threat exposure.  

Consider this: when passwords are synced, attackers can use the passwords they’ve compromised in the AD environment for malicious access to the SaaS environment. As the report shows, ITEs that expose user passwords in the AD environment are extremely prevalent, enabling attackers to leverage on-prem settings to breach the cloud.  

Knowledge matters: what is my environment’s identity threat exposure? 

The report’s main role is to empower you to take action. How does your environment measure up against the average numbers? Do you have shadow admins, shared users, or heavy NTLM authentication traffic? Are there service accounts that were inadvertently synced to your cloud IdP? And so on and so forth. 

The Identity Underground Report won’t give you these answers – but it will point you to the right questions to ask to discover your true identity resilience.  
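The questions above, and the password-sync exposure described under Key insight #2, can be turned into a first-pass inventory check. The following script is an added example, not code from the report or from Silverfort: it triages a small, constructed Active Directory inventory and a few constructed logon events for four of the ITEs the page names (unconstrained delegation, service accounts synced to the cloud IdP, stale adminCount flags, and NTLMv1 use). The attribute names `userAccountControl`, `servicePrincipalName`, `adminCount`, `LmCompatibilityLevel` and the 4624 event field `LmPackageName` are real; the `synced_to_cloud` flag is an assumption standing in for whatever your directory-sync tool exports, and the sample values are made up.

```python
"""
Added example (not from the report or Silverfort): triage a constructed AD
inventory for a few Identity Threat Exposures. Attribute names are real AD
attributes except `synced_to_cloud`, which is an assumed export flag.
"""
from dataclasses import dataclass, field

# userAccountControl bit that marks an account as trusted for unconstrained delegation
UAC_TRUSTED_FOR_DELEGATION = 0x80000

# LmCompatibilityLevel values below 3 still let a host send LM/NTLMv1 responses
NTLMV2_ONLY_MIN_LEVEL = 3


@dataclass
class AdAccount:
    sam: str
    uac: int = 0                                  # userAccountControl bitmask
    spns: list = field(default_factory=list)      # servicePrincipalName values
    admin_count: int = 0                          # adminCount, maintained by SDProp
    protected_groups: list = field(default_factory=list)
    is_domain_controller: bool = False
    synced_to_cloud: bool = False                 # assumed flag from the sync tool's export


def unconstrained_delegation(accounts):
    """Non-DC accounts trusted for unconstrained delegation (DCs legitimately carry the bit)."""
    return [a.sam for a in accounts
            if a.uac & UAC_TRUSTED_FOR_DELEGATION and not a.is_domain_controller]


def synced_service_accounts(accounts):
    """Service accounts (SPN holders) that were synced to the cloud IdP."""
    return [a.sam for a in accounts if a.spns and a.synced_to_cloud]


def stale_admin_count(accounts):
    """adminCount=1 with no protected-group membership: a stale SDProp artifact to review.
    True shadow-admin detection needs ACL analysis, which this example does not do."""
    return [a.sam for a in accounts if a.admin_count == 1 and not a.protected_groups]


def ntlmv1_capable_hosts(lm_levels):
    """Hosts whose LmCompatibilityLevel still allows NTLMv1 responses."""
    return sorted(h for h, level in lm_levels.items() if level < NTLMV2_ONLY_MIN_LEVEL)


def ntlm_version_counts(logon_events):
    """Count NTLM logons (event 4624) by LmPackageName, i.e. NTLM V1 versus NTLM V2."""
    counts = {"NTLM V1": 0, "NTLM V2": 0}
    for ev in logon_events:
        if ev.get("AuthenticationPackageName") == "NTLM":
            pkg = ev.get("LmPackageName", "")
            if pkg in counts:
                counts[pkg] += 1
    return counts


# Constructed sample inventory (hypothetical names and values).
SAMPLE_ACCOUNTS = [
    AdAccount("DC01$", uac=0x82000, is_domain_controller=True),        # DC: delegation bit expected
    AdAccount("FILESRV01$", uac=0x81000),                              # member server with delegation
    AdAccount("svc_backup", uac=0x10200, spns=["MSSQLSvc/db01.corp.example:1433"],
              synced_to_cloud=True),                                   # service account synced to IdP
    AdAccount("svc_scan", uac=0x10200, spns=["HTTP/scan01.corp.example"]),
    AdAccount("alice", uac=0x200, admin_count=1, protected_groups=["Domain Admins"]),
    AdAccount("bob", uac=0x200, admin_count=1),                         # stale adminCount
]
SAMPLE_LM_LEVELS = {"WS-01": 1, "WS-02": 5, "WS-03": 2}
SAMPLE_LOGONS = [  # constructed, minimal 4624 EventData subsets
    {"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
]


def run_triage(accounts=SAMPLE_ACCOUNTS, lm_levels=SAMPLE_LM_LEVELS, logons=SAMPLE_LOGONS):
    """Return one finding list/count per ITE so the result can be compared over time."""
    return {
        "unconstrained_delegation": unconstrained_delegation(accounts),
        "synced_service_accounts": synced_service_accounts(accounts),
        "stale_admin_count": stale_admin_count(accounts),
        "ntlmv1_capable_hosts": ntlmv1_capable_hosts(lm_levels),
        "ntlm_logons": ntlm_version_counts(logons),
    }


if __name__ == "__main__":
    for name, finding in run_triage().items():
        print(f"{name}: {finding}")
```

Feeding the script a real export (for example the output of `Get-ADUser`/`Get-ADComputer` with the listed attributes, the `LmCompatibilityLevel` registry value per host, and 4624 events from the security log) gives a baseline against which the report's average numbers can be compared; the stale adminCount check is only a pointer, since shadow admins in the report's sense are found through ACL rights rather than attributes.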
