Glossary

A

Active Directory

Active Directory (AD) is a directory service developed by Microsoft to manage authentication and authorization in on-prem domain networks. The server that runs the AD service is called a Domain Controller. Prominent uses of AD are the creation of user accounts' names and passwords, organizing them in groups, and assigning their access privileges to various organizational resources. However, its most important functionality is managing the authentication process of users that attempt to access servers, workstations, on-prem applications, or any other resource within the domain network. Whenever a user provides their username and credentials, Active Directory checks the input and validates that the username and credentials indeed match. AD works mainly with two authentication protocols: NTLM and Kerberos.

Active Directory operates as the authentication infrastructure in practically every organizational network today. In the pre-cloud era, all organizational resources resided exclusively on-prem, making AD effectively the sole identity provider. However, even at a time when organizations seek to move workloads and applications to the cloud, AD is still present in more than 95% of organizational networks. This is mainly because core resources are hard or impossible to migrate to the cloud.

Identity threats are cyberattacks, or distinct components within a larger-scale cyber operation, that utilize compromised credentials for malicious resource access. These attacks typically:

- Occur in the post-compromise lateral movement stage, where attackers attempt to expand from an initial foothold to other machines in the targeted environment.
- Use either cleartext passwords or password hashes to perform an Active Directory authentication.
- Get the credentials either by purchasing them on the dark web or by obtaining them throughout the attack from compromised machines (there are various open tools to accomplish that).
- Transform a local event of a single compromised machine into an organization-level incident that can put business operations at risk.

So whenever an attacker has managed to get hold of valid credentials and provides them to AD, AD considers this a legitimate authentication and allows access. In that manner, threat actors can use the AD authentication infrastructure for malicious access without the need to employ malware, making this access hard to detect.

When attackers cannot get hold of the plaintext password, they can still perform a full AD authentication using the password hash. The actual implementation depends on the protocol used:

- NTLM: NTLM uses the hash as a password equivalent, enabling attackers to launch a 'Pass the Hash' attack with a compromised hash.
- Kerberos: Kerberos generates authentication tickets using the hash. Attackers can use a compromised hash to forge a Kerberos ticket and perform a Kerberos authentication.

Since AD can be regarded as the nerve center of the domain environment, it enables a logged-in admin user to perform any desired action: create users, elevate privileges, and access any resource. This status is known as 'domain dominance' and it's the main objective the attacker's lateral movement strives to achieve. For example, once domain dominance is gained, an attacker can plant a ransomware payload on multiple workstations and servers, or take any other action the purpose of the attack calls for.

AD cannot provide protection against these attacks since its protection capabilities are limited to checking the match between username and credentials. Since identity threats, by definition, are founded on compromising valid usernames and credentials, they can easily bypass AD and pass off their malicious authentication as a legitimate one.

This creates a severe blind spot in organizations' security architecture that gives rise to numerous variations of lateral movement attacks. AD itself has no way to discern between a legitimate authentication and a malicious one, as long as valid usernames and credentials are provided. This security gap could theoretically be addressed by adding Multi-Factor Authentication (MFA) to the authentication process. Unfortunately, the authentication protocols AD uses, NTLM and Kerberos, don't natively support MFA step-up. The result is that the vast majority of access methods in an AD environment cannot have real-time protection against an attack that employs compromised credentials. For example, frequently used CMD and PowerShell remote access tools like PsExec or Enter-PSSession cannot be protected with MFA, enabling attackers to abuse them for malicious access.

A

Adaptive Authentication

Adaptive authentication describes the ability to conduct a risk analysis for an attempted authentication and, based on the result, determine whether to allow access or require additional verification from the requesting user. For example, adaptive authentication makes it possible to replace constant MFA push notifications, which can be disruptive to the user experience, by requiring MFA only when there is a suspected risk. The parameters adaptive authentication takes into account vary, depending on the nature of the authentication and the environment where it takes place, but it would typically search for anomalies in location, device, user behavior, and other signals.

The adaptive authentication risk engine is either a native part of the identity provider's authentication mechanism or plugged into this mechanism by an external provider. Either way, the standard authentication flow is altered in the following manner:

1. The user requests access to a certain resource.
2. The identity provider checks that the username and password are valid.
3. The identity provider passes the authentication data to the adaptive authentication risk engine.
4. The risk engine analyzes the authentication and determines its risk level.
5. Based on the analysis result, the user is either granted access, blocked, or required to further prove their identity with an additional authentication factor.

Adaptive authentication is, in theory, the ultimate line of defense against identity threats that utilize compromised credentials to access target resources, and it should detect the various anomalies such malicious authentications entail. Within a SaaS environment, adaptive authentication can detect when an authentication attempt takes place from an impossible location or when simultaneous logins occur: clear indications that the authenticating user is not the legitimate one and that the user's credentials were compromised.

However, the AD environment doesn't support any type of adaptive authentication. There is no way to add a risk analysis step to the NTLM and Kerberos authentication flows. This creates both a detection and a prevention gap, since any attacker that has compromised the valid credentials of legitimate users can authenticate with them to access workstations, servers, and on-prem applications at will. This gap enables lateral movement and ransomware spread attacks to thrive without disruption. Learn how Silverfort solves this problem.

A

Air-Gapped Network

An air-gapped network is an internal computer network that is completely isolated from the outside Internet, with no inbound or outbound traffic at all. Typically, the reasons are either physical security or high data confidentiality requirements. Some prominent examples of air-gapped networks include various national security actors such as defense, government, and military bodies, as well as critical infrastructure entities that provide energy, water utilities, and other enabling services. Organizations of these types strive to segregate their most sensitive network segments entirely, so they are cut off from any internet connection. The notion behind air-gapping a network is to reduce its attack surface to the bare minimum and ensure that no malicious traffic makes its way inside.

It should be noted, however, that due to today's increased connectivity, very few networks are truly 100% gapped with no interaction at all. The more common reality is a 'mostly air-gapped' network that maintains highly controlled external connections for software updates, third-party contractor access, etc. While the air-gapped network's attack surface is indeed reduced, that doesn't make it immune to cyberattacks. Moreover, while air gapping makes an attacker's initial access much harder, it has no effect on the network's resilience to post-compromise actions such as lateral movement and subsequent malware execution. In fact, its segregation from external sources such as threat intelligence servers or a centralized cloud threat analysis service makes an air-gapped network more vulnerable than a regular one to such attacks.

The most pressing security issue within an air-gapped network is malicious access to its computers and servers. Such access can be carried out directly by a malicious insider or through lateral movement. Either way, defending against such a scenario requires hardening the authentication requirements to more than merely a username and password.

But how can you employ an MFA solution if there is no outbound connectivity? The common practice for air-gapped networks to overcome this barrier is to use physical hardware security tokens in place of the standard mobile devices that require internet connectivity. This adds another requirement: resilience to both advanced and traditional phishing attacks, with FIDO2 as the preferred standard for hardware tokens. However, FIDO2 doesn't natively fit into many networks that weren't designed to work with the specific protocols it supports, leaving them outside the scope of this protection. Learn how Silverfort solves this problem.

I

Identity and Access Management (IAM)

An Identity and Access Management (IAM) product is a platform for managing the authentication and authorization of user accounts in an organizational environment. It is used to create new user accounts and organizational groups, assign privileges, and configure access policies. An IAM also provides the backend infrastructure required for Single Sign-On (SSO), enabling the organization's users to log in to any resource with a single username and password.

While historically organizations had only an on-prem environment managed by a single IAM, the gradual shift to the cloud and the increase in SaaS usage have created a more complex environment in which several IAMs are used simultaneously to manage different types of resources. Most organizations today employ at least two separate IAM solutions to manage access to all their resources in the hybrid environment:

- On-prem: in most organizations, the IAM for the on-prem environment is Microsoft's Active Directory, which manages access to workstations, servers, on-prem apps, IT and networking infrastructure, etc.
- SaaS: there are two main alternatives in use today:
  - Federation server: as the name implies, this server federates the user accounts from the on-prem directory to registered SaaS applications, enabling the use of a single account for both on-prem and SaaS resources.
  - Cloud Identity Provider: a cloud-native SaaS app that manages all access to SaaS and web apps independently of the on-prem directory server.

There are various methods to align one with the other, and the common practice is to use the same username and password for both to provide a consistent SSO experience.

The main security gap IAMs introduce is that each of them operates within its own silo without any mutual data sharing. In practice this means that none of them can see the full context of each authentication, ultimately resulting in reduced capabilities to detect potential risks within it. Moreover, Active Directory, one of the most prominent IAMs, doesn't support any type of risk analysis or real-time MFA prevention beyond merely checking whether usernames and credentials match. Together, these mean that IAMs by themselves cannot act as the protection layer against identity threats. Learn how Silverfort solves this problem.

I

Identity Protection

Identity protection is the overall term for the set of capabilities required to protect against attacks that target the identity attack surface by using compromised credentials to access targeted resources. Identity protection applies to all corporate resources: SaaS apps, remote VPN connections, on-prem workstations and servers, and others. The rise of identity threats and their role as a leading attack vector has brought security stakeholders to regard identity protection as an independent category rather than a subset of endpoint, network, and cloud security.

Identity protection applies to the following attacks:

- Account takeover: a threat actor attempts to access a SaaS application or a cloud workload with compromised credentials.
- Malicious remote connection: a threat actor accesses a corporate internal network remotely through compromised VPN or ZTNA credentials.
- Lateral movement: a threat actor follows up on an initial endpoint compromise by accessing additional workstations and servers with compromised domain credentials. Another flavor of lateral movement is to extract credentials for SaaS apps or cloud workloads from the compromised endpoints and pivot from the initial on-prem foothold to the cloud environment.

There are two main ways for attackers to get hold of user credentials for malicious access:

- Purchase beforehand: there are more than 24B credentials circulating in Dark Web forums for purchase. In fact, there are threat actors that breach organizations with the sole purpose of extracting domain credentials and rapidly getting out to sell them.
- Compromise as you go: once an attacker has gained a foothold on a targeted machine, they can execute code and employ a wide range of open-source tools to extract credentials from the machine's memory.

Either way, the current threat landscape shows that obtaining compromised credentials is more trivial than challenging.

Identity protection is built on the notion that while there is little to be done to prevent the compromise of credentials, there is still much to be done to eliminate attackers' ability to use them for malicious access. Identity protection incorporates two key aspects regarding identity threats:

- Detection: the ability to discern with high precision between the legitimate authentication of a user and a malicious one carried out by an attacker that has compromised this user's credentials.
- Real-Time Prevention: the ability to intercept and block a detected malicious authentication as it is attempted, never letting it complete into actual resource access.

Moreover, in order to be effective, these detection and prevention capabilities should apply equally to all environments, on-prem and in the cloud. Learn how Silverfort solves this problem.

I

Identity Zero Trust

Identity-based Zero Trust is the idea of evaluating the trust of users and enforcing secure access controls whenever a user attempts to access an enterprise resource. Identity Zero Trust is based on continuous monitoring of every user access request, covering all resources on-prem and in the cloud. Implementing Identity Zero Trust can help organizations prevent malicious access to enterprise resources from within their environment.

When a user requests access, that specific user needs to be authenticated to gain access to the required resource. In an environment that does not have the proper security controls implemented, if a user account is compromised, an attacker can simply use the user's compromised credentials to gain access to any resource and move laterally across the organization's environment. However, if an organization has deployed an identity-based Zero Trust approach with granular security controls, it will be more difficult for an attacker to take advantage of the compromised credentials. By implementing network segmentation rules and risk-based authentication policies within an organization's Identity Zero Trust model, organizational identity protection can deliver higher granularity and better risk detection for user authentication requests.

Hybrid environments use different types of resources such as servers, SaaS apps, cloud workloads, file shares, on-prem applications, and many others, and they all need to be protected. To help start the process of protecting resources, enterprises should investigate adopting a more identity-based Zero Trust security model. The following criteria need to be met to achieve Identity Zero Trust:

- All user accounts should be presumed to be compromised and not trusted until authenticated and proven.
- A user account is only considered trusted after it is authenticated and validated to gain access to a single resource.
- After a user's access request is authenticated and that same user attempts to access another resource, they must be validated again.

To ensure improved identity protection, the Identity Zero Trust evaluation process requires the following actions to be taken:

- Continuous Monitoring: all access requests for all cloud and on-prem resources must be monitored and provide an advanced audit trail.
- Risk Analysis: for each user access request it must be determined whether that specific user's credentials are compromised, based on a risk analysis of the user's behavior and authentication activity.
- Enforce Access Policies: assign an identity access policy for each user that, based on the calculated risk, will either allow, block, or trigger authentication with MFA.

Adopting an identity-based Zero Trust approach to identity protection comes with different security and business benefits:

- Quick Deployment: no infrastructure changes and no serious downtime are required, as the only minor changes relate to user access policies and authentication methods.
- Increased granularity: by focusing on the user, organizations can ensure proper risk analysis for every resource access.
- Detect anomalies and threats: monitor and run daily security checks for every resource access to help detect any malicious activity or irregular access request.

Monitoring, analyzing, and enforcing access policies on every access attempt allows organizations to implement an identity-based Zero Trust approach across their environments. To learn more about how Silverfort helps organizations implement Identity Zero Trust, click here.
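The risk-engine flow described under Adaptive Authentication (password check, then risk analysis, then allow, block or step-up MFA) and the per-request re-validation described here, as one added Python example that is not Silverfort's code; the user, devices, coordinates, point values and thresholds are all constructed assumptions.

```python
"""Risk-based decision for one authentication request (added illustration,
not Silverfort's code). The identity provider has already checked the
password; the engine scores the request against the user's history and
answers ALLOW, MFA or BLOCK. Every request is scored on its own, so a user
admitted to one resource is re-evaluated for the next. Point values and
thresholds are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

MAX_PLAUSIBLE_SPEED_KMH = 900.0            # roughly airliner speed
SIMULTANEOUS_WINDOW = timedelta(minutes=5)
MFA_THRESHOLD, BLOCK_THRESHOLD = 40, 80


@dataclass(frozen=True)
class AuthRequest:
    user: str
    resource: str
    device_id: str
    lat: float
    lon: float
    ts: datetime


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    last_auth: Optional[AuthRequest] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_request(req, hist):
    """Return (score, reasons); a higher score means a riskier authentication."""
    score, reasons = 0, []
    if req.device_id not in hist.known_devices:
        score += 40
        reasons.append("unknown device")
    prev = hist.last_auth
    if prev is not None:
        gap = req.ts - prev.ts
        km = haversine_km(prev.lat, prev.lon, req.lat, req.lon)
        if km > 100 and gap < SIMULTANEOUS_WINDOW:
            score += 60                     # two sessions, far apart, minutes apart
            reasons.append("simultaneous logins from distant locations")
        elif gap > timedelta(0) and km / (gap.total_seconds() / 3600) > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append("impossible travel")
    return score, reasons


def decide(req, hist):
    """Map the score onto the three outcomes the text describes."""
    score, reasons = score_request(req, hist)
    verdict = "BLOCK" if score >= BLOCK_THRESHOLD else "MFA" if score >= MFA_THRESHOLD else "ALLOW"
    return verdict, score, reasons


def record_outcome(req, hist, verdict):
    """Learn only from authentications that completed (ALLOW, or MFA that was passed)."""
    if verdict != "BLOCK":
        hist.known_devices.add(req.device_id)
        hist.last_auth = req


def demo():
    """One constructed user, four requests after a known logon from Tel Aviv at 09:00; returns the verdicts."""
    tlv, nyc, lon = (32.0853, 34.7818), (40.7128, -74.0060), (51.5074, -0.1278)
    t0 = datetime(2024, 3, 1, 9, 0)
    hist = UserHistory({"laptop-1"}, AuthRequest("alice", "portal", "laptop-1", *tlv, t0))
    requests = [
        AuthRequest("alice", "file-server", "laptop-1", *tlv, t0 + timedelta(minutes=30)),  # normal
        AuthRequest("alice", "crm", "phone-9", *tlv, t0 + timedelta(minutes=35)),          # new device
        AuthRequest("alice", "crm", "kiosk-7", *nyc, t0 + timedelta(minutes=37)),          # far away, 2 min later
        AuthRequest("alice", "mail", "laptop-1", *lon, t0 + timedelta(hours=3)),           # ~3,560 km in 2h25m
    ]
    verdicts = []
    for req in requests:
        verdict, _, _ = decide(req, hist)
        record_outcome(req, hist, verdict)   # the blocked request leaves no trace in the history
        verdicts.append(verdict)
    return verdicts
```

The blocked kiosk request is not recorded, so the later London logon is measured against the last completed authentication, which is what turns it into an impossible-travel step-up rather than a clean pass.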

L

Lateral Movement

Lateral movement is the term for the post-compromise stage in cyberattacks in which the attacker expands their footprint in the targeted environment from the initial patient-zero machines to other workstations and servers. Lateral movement is paramount for achieving the attack's objective, be it data theft, mass encryption of machines, or any other. The means by which lateral movement takes place are compromised user credentials. These credentials are either purchased in advance or obtained from compromised endpoints during the attack. Typically, lateral movement takes place in the on-prem Active Directory environment, taking advantage of its lack of real-time detection and prevention of malicious authentications.

Lateral movement is powered by compromised credentials. In an enterprise environment, the only way to access workstations and servers is by providing valid user credentials. While there are various means to do that, ranging from simply entering a cleartext username and password to forging a Kerberos ticket from a compromised hash, the essence is still the same. In other words, lateral movement is the purpose, while malicious authentication is the means.

Lateral movement is executed through any of the standard remote access methods in a domain network. These tools, which were built to enable helpdesk personnel to troubleshoot remote machines, provide equally seamless access to threat actors that do the same for malicious purposes. The most prominent of them are:

- Remote Desktop Protocol (RDP): opens a window onto the destination machine's UI, providing easy access to files, folders, and installed software.
- CMD: there are various CMD tools for remote access, with PsExec the most prevalent of them, opening a command line window to the destination machine.
- PowerShell: similar to CMD, PowerShell also provides various remote access utilities, with Enter-PSSession the most commonly used one.

There are two main challenges security products encounter in the attempt to protect against lateral movement attacks:

- Detection: because lateral movement employs valid credentials and legitimate remote access tools, it's extremely hard for security products to differentiate between a legitimate authentication and a malicious one, resulting in a large volume of false positives.
- Prevention: Active Directory (AD), the standard identity provider in the on-prem environment, cannot incorporate risk analysis and detection in its authentication flow, so there is no way to block a malicious authentication from taking place.

While in the past lateral movement was employed only in high-end APT campaigns, today it is an integral part of more than 80% of ransomware attacks. Threat actors have realized that lateral movement can enable them to encrypt a mass volume of machines at once by gaining domain dominance and executing the ransomware payload in a shared network folder. This is far more cost-effective than sending weaponized emails to each machine in the organization separately and encrypting them one by one. This, practically, makes every organization a potential target. Learn how Silverfort solves this problem.
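No single authentication reveals a stolen credential, as both the Active Directory entry and this entry point out, but the fan-out that lateral movement produces is visible in the logon records. The following added Python example (not Silverfort's code) flags an account that reaches many distinct hosts from one source within minutes and reports which protocol, NTLM or Kerberos, carried the logons; the records, field layout, hosts and thresholds are constructed assumptions.

```python
"""Flag accounts that fan out to many hosts in a short window (added
illustration, not Silverfort's code). The records below are constructed and
are a flat rendering of a few fields from Windows Security event 4624
(successful logon): time, account, source address, destination host, logon
type and authentication package. Real events are XML and carry more. Logon
type 3 is a network logon (SMB, PsExec, WinRM); type 10 is RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_4624 = """\
2024-03-01T09:00:12 jdoe 10.0.0.15 WS-HELPDESK 10 Kerberos
2024-03-01T09:03:40 jdoe 10.0.0.15 FS-01 3 Kerberos
2024-03-01T13:10:02 svc-backup 10.0.0.40 FS-01 3 Kerberos
2024-03-01T13:10:09 svc-backup 10.0.0.40 FS-02 3 Kerberos
2024-03-01T22:14:05 m.admin 10.0.5.77 WS-204 3 NTLM
2024-03-01T22:14:31 m.admin 10.0.5.77 WS-211 3 NTLM
2024-03-01T22:15:02 m.admin 10.0.5.77 FS-01 3 NTLM
2024-03-01T22:15:48 m.admin 10.0.5.77 SQL-03 3 NTLM
2024-03-01T22:16:20 m.admin 10.0.5.77 DC-01 3 NTLM
"""

WINDOW = timedelta(minutes=10)       # hypothetical; tune per environment
MAX_DISTINCT_HOSTS = 4
LATERAL_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Turn the constructed lines into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, ltype, pkg = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                       "dst": dst, "type": ltype, "pkg": pkg})
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events, window=WINDOW, max_hosts=MAX_DISTINCT_HOSTS):
    """One alert per (account, source) that reaches max_hosts distinct targets inside a window."""
    recent = defaultdict(deque)   # (user, src) -> deque of (ts, dst, pkg) inside the window
    alerts = {}
    for e in events:
        if e["type"] not in LATERAL_LOGON_TYPES:
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append((e["ts"], e["dst"], e["pkg"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()                  # slide the window forward
        hosts = {d for _, d, _ in q}
        if len(hosts) >= max_hosts:
            # Overwrite on every hit so the alert grows as the burst continues.
            alerts[key] = {
                "user": e["user"], "source": e["src"], "hosts": sorted(hosts),
                "first": q[0][0], "last": e["ts"],
                "packages": sorted({p for _, _, p in q}),
            }
    return list(alerts.values())


def run(text=SAMPLE_4624):
    return detect_fan_out(parse_events(text))
```

An all-NTLM burst to five hosts after hours from one workstation is the shape a pass-the-hash run leaves behind; the two-host backup account and the helpdesk user stay under the threshold.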

M

MFA Prompt Bombing

MFA prompt bombing is a low-complexity cyberattack whose sole goal is to gain access to a system or application that is protected by MFA. The attackers rely on human error to trick a user into accepting a multi-factor authentication (MFA) request. The most important factor for attackers is push-based authentication, due to the simplicity of a user being one click away from approving an authentication request. In a typical MFA prompt bombing attack, cybercriminals send many MFA approval requests to a user over a short period, hoping that the user will be annoyed by the sheer number of MFA requests, give in, accept the authentication request, and thereby provide the attacker with access. Beyond the annoyance it creates, a successful attack provides the attacker with access to accounts or the opportunity to run malicious code on a target system.

In most MFA prompt bombing attacks, the attacker obtains the credentials of the targeted user through common methods such as brute force attacks, finding them online, or other common ways to compromise credentials. Once the attacker has the compromised credentials, they use one of the following to initiate an MFA prompt bombing attack:

- Send several MFA prompts to annoy the target into accepting one of the MFA requests.
- Casually send one MFA request daily to avoid creating obvious malicious activity, arousing suspicion from the target, or being detected by monitoring tools.

If the attacker is not using compromised credentials, they can run social engineering attacks, for example sending an SMS or an email requesting the user's credentials while pretending to be a colleague of the user.

Despite MFA prompt bombing having been around for several years, attackers are only now deploying these methods of attack at a more frequent pace. A recent example of a successful MFA prompt bombing was the Uber breach. The prompt bombing attack on Uber utilized MFA push notifications through a Duo authenticator app and issued multiple push notifications until the request was accepted. While attackers will continue to deploy MFA prompt bombing techniques, organizations will struggle to fight off these attacks, as they bypass standard MFA protection. This creates a major security gap for most organizations due to the limited visibility into user activity and authentication requests they receive with standard MFA solutions. To learn more about how Silverfort helps organizations fight off MFA prompt bombing attacks, click here.
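Both patterns described above, the burst of pushes in minutes and the one-push-a-day drip, can be picked out of an authenticator's push log. The following added Python example (not Silverfort's code and not any authenticator vendor's API) does that over a constructed log; the users, addresses, thresholds and log format are assumptions.

```python
"""Detect push-fatigue patterns in authenticator push logs (added
illustration, not Silverfort's code). Each constructed line is: time, user,
source address whose login triggered the push, and the push outcome
(approved, denied or timeout). Attacker addresses use the 203.0.113.0/24
documentation range.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_LOG = """\
2024-03-04T08:02:11 alice 10.0.0.15 approved
2024-03-04T21:15:03 bob 203.0.113.7 denied
2024-03-04T21:15:09 bob 203.0.113.7 timeout
2024-03-04T21:15:16 bob 203.0.113.7 denied
2024-03-04T21:15:24 bob 203.0.113.7 timeout
2024-03-04T21:15:31 bob 203.0.113.7 approved
2024-03-05T08:00:40 alice 10.0.0.15 approved
2024-03-05T23:40:10 carol 203.0.113.9 timeout
2024-03-06T23:41:55 carol 203.0.113.9 timeout
2024-03-07T23:39:02 carol 203.0.113.9 denied
2024-03-08T08:05:30 carol 10.0.0.22 approved
2024-03-08T23:42:47 carol 203.0.113.9 timeout
"""

BURST_COUNT = 4                      # hypothetical thresholds
BURST_WINDOW = timedelta(minutes=5)
DRIP_DAYS = 3
DRIP_SPAN = timedelta(days=7)


def parse_pushes(text):
    rows = []
    for line in text.strip().splitlines():
        ts, user, src, result = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "src": src, "result": result})
    return sorted(rows, key=lambda r: r["ts"])


def find_burst(rows):
    """First BURST_WINDOW holding at least BURST_COUNT pushes for this user, else None."""
    for i, start in enumerate(rows):
        window = [r for r in rows[i:] if r["ts"] - start["ts"] <= BURST_WINDOW]
        if len(window) >= BURST_COUNT:
            return window
    return None


def find_drip(rows):
    """Unanswered pushes from addresses that never earned an approval, on DRIP_DAYS distinct days."""
    # An approval won by a burst makes that address 'trusted' here; the burst alert covers that case.
    trusted = {r["src"] for r in rows if r["result"] == "approved"}
    days = sorted({r["ts"].date() for r in rows
                   if r["result"] != "approved" and r["src"] not in trusted})
    for i, first in enumerate(days):
        span = [d for d in days[i:] if d - first <= DRIP_SPAN]
        if len(span) >= DRIP_DAYS:
            return span
    return None


def detect_push_bombing(pushes):
    by_user = defaultdict(list)
    for p in pushes:
        by_user[p["user"]].append(p)
    alerts = []
    for user, rows in by_user.items():
        burst = find_burst(rows)
        if burst:
            approved = any(r["result"] == "approved" for r in burst)
            alerts.append({"user": user, "pattern": "burst", "count": len(burst),
                           "approved_during_burst": approved,
                           "sources": sorted({r["src"] for r in burst}),
                           # An approval inside the burst means the account is likely taken over.
                           "action": "revoke sessions and re-enrol MFA" if approved
                                     else "suspend push for the account"})
        drip = find_drip(rows)
        if drip:
            alerts.append({"user": user, "pattern": "drip", "days": len(drip),
                           "action": "contact user; block push from the source address"})
    return alerts
```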

P

PsExec

The PsExec command line tool is part of the Sysinternals Windows administration package that is widely used by IT administrators in Windows environments. PsExec enables admins to execute code on remote machines. The classic use case is an employee that encounters an issue with their workstation and needs helpdesk assistance. Using PsExec, the helpdesk person can connect to the employee's machine and open a command prompt as if they were working on the remote machine itself. In order to establish the connection, the remote user should have access privileges to the target machine and provide the name of the target machine, as well as their username and password, in the following format:

PsExec -s \\MACHINE-NAME -u USERNAME -p PASSWORD COMMAND

where COMMAND is the process to be executed once the connection is established.

The seamless remote access PsExec enables from a source machine to a target machine is intensively abused by threat actors in the course of the lateral movement stage of cyberattacks. This would typically occur after the initial compromise of a patient-zero machine. From that point onward, attackers seek to expand their presence within the environment and reach either domain dominance or the specific data they are after. PsExec provides them with a seamless and reliable way to achieve that.

PsExec has been successfully used by threat actors for the past 15 years. However, several years ago it was mostly found in high-end cybercrime groups or elite APT units and was used in attacks focused on data theft. Within the last five years, the skill barrier has dropped significantly, and lateral movement with PsExec is incorporated in more than 80% of ransomware attacks, making protection against malicious authentication via PsExec a necessity for every organization.

PsExec is essentially a legitimate process that can't be blacklisted from the environment. This makes the distinction between the legitimate use of PsExec by admins and malicious use by threat actors an extremely difficult task for endpoint protection and SIEM products. There is practically no tool in the security stack that can provide efficient, real-time detection and prevention of malicious PsExec authentication. Learn how Silverfort solves this problem.
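Because PsExec cannot simply be blocked, what a security team can do is read its invocations out of process-creation records and rank them. The following added Python example (not Silverfort's code) parses the command-line syntax quoted above plus the -c and -d switches PsExec documents, and reports the traits worth a second look; the log lines, hosts and business-hours window are constructed assumptions, and switches with operands other than -u and -p are not modelled.

```python
"""Parse PsExec invocations out of process-creation records (added
illustration, not Silverfort's code). Each constructed line is: time, source
host, user, and the full command line, the fields a process-creation record
(Windows Security 4688 with command-line auditing, or Sysmon event 1)
provides. Matching on the process name alone is weak, since the binary can
be renamed, so treat this as one signal among several.
"""
from datetime import datetime

PROCESS_LOG = r"""
2024-03-01T10:02:11 WS-HELPDESK helpdesk1 PsExec -s \\WS-042 -u CORP\helpdesk1 -p Pa55w.rd cmd
2024-03-01T10:30:05 WS-HELPDESK helpdesk1 PsExec \\WS-043 ipconfig /all
2024-03-01T11:05:17 WS-HELPDESK helpdesk1 notepad.exe
2024-03-01T23:11:40 WS-204 m.admin C:\Tools\PsExec.exe -accepteula -s -c -d \\FS-01,\\FS-02,\\SQL-03 c:\temp\update.exe
"""

PSEXEC_NAMES = {"psexec", "psexec.exe", "psexec64", "psexec64.exe"}
BUSINESS_HOURS = range(7, 20)          # hypothetical


def parse_psexec(cmdline):
    """Describe a PsExec command line, or return None if it is not PsExec."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in PSEXEC_NAMES:
        return None
    info = {"targets": [], "user": None, "plaintext_password": False,
            "as_system": False, "copies_binary": False, "program": None}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        low = t.lower()
        if low.startswith("\\\\"):                       # \\host or \\host1,\\host2
            info["targets"] = [h.lstrip("\\") for h in t.split(",")]
        elif low == "-u" and i + 1 < len(tokens):
            i += 1
            info["user"] = tokens[i]
        elif low == "-p" and i + 1 < len(tokens):
            i += 1                                       # skip the secret; only note it was present
            info["plaintext_password"] = True
        elif low == "-s":
            info["as_system"] = True                     # run as the SYSTEM account on the target
        elif low == "-c":
            info["copies_binary"] = True                 # copy the program to the target first
        elif low.startswith("-"):
            pass                                         # -d, -accepteula and similar need nothing here
        else:
            info["program"] = t                          # first non-switch token after the targets
            break
        i += 1
    return info


def assess(ts, info):
    """Traits of one invocation a reviewer would want to look at."""
    reasons = []
    if info["plaintext_password"]:
        reasons.append("password passed on the command line and captured in process logs")
    if info["as_system"]:
        reasons.append("runs as SYSTEM on the target")
    if info["copies_binary"]:
        reasons.append("copies an executable to the target")
    if len(info["targets"]) > 1:
        reasons.append(f"{len(info['targets'])} targets in one invocation")
    if ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def analyze(text=PROCESS_LOG):
    findings = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split(maxsplit=3)
        info = parse_psexec(cmd)
        if info is None:
            continue
        findings.append({"ts": ts, "source": host, "user": user, "targets": info["targets"],
                         "reasons": assess(datetime.fromisoformat(ts), info)})
    return findings
```

The helpdesk invocation that quotes the page's exact syntax already yields two findings: the password is sitting in the process log for anyone who can read it, and -s runs the command as SYSTEM.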

S

Service Account

Service accounts are dedicated non-human accounts used by systems, applications, and services to interact with other systems. They perform important scheduled actions automatically and repeatedly, such as updating machines, scanning an environment, or running health checks, typically operating in the background of an IT stack. Today, the number of non-human accounts used by organizations (and the number of applications that rely on these accounts) is increasing exponentially, driven by the use of AI to configure software "robots" to perform critical business tasks, known as Robotic Process Automation (RPA).

Since service accounts are spread across an organization and used not by human users but by business applications, they are often neglected or forgotten about entirely. This means their activity is completely unmonitored, with no processes in place to alert administrators if they ever deviate from normal behavior. As well, domain-level service accounts typically require elevated privileges in order to accomplish their tasks, which makes them a valuable target for cyber attackers. With hundreds or even thousands of these unsupervised, highly privileged accounts running, they can become a tool that enables threats to propagate throughout a network undetected.

A best practice for any account is ensuring that passwords are changed regularly. However, when it comes to service accounts, this is not easy to do. For example, domain service accounts require that passwords be changed at both the domain and the application level. As well, in some cases passwords are hardcoded into applications or scripts, and any change could break dependencies and disrupt critical business processes. The use of password vaults can be an option, but this requires knowing exactly which service accounts need to be managed this way, as well as modifying how applications use certain service accounts.

Protecting service accounts therefore involves the following steps:

- Discover: it's essential to be able to see all authentication activity, of both human and non-human accounts, across an entire network in order to understand behavior. Because service accounts follow predictable patterns, there are ways to automatically discover and categorize them.
- Monitor: once accounts have been identified, it's critical to keep monitoring and auditing their use by assessing every authentication attempt, so security teams can immediately spot any anomalous behavior that could indicate account compromise.
- Enforce Policies: keeping service accounts safe means applying Zero Trust policies based on actual behavior patterns, including the ability to automatically determine whether to allow or deny access.
- Protect: it's critical to have the ability to actively enforce policies across all service accounts without making any changes to applications, changing passwords, or requiring proxies.

To learn more about how Silverfort helps organizations protect service accounts, click here.
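The Discover and Monitor steps rest on the predictability the text mentions: a service account repeats the same source, destination and interval, while a human does not. The following added Python example (not Silverfort's code) learns that rhythm from a constructed authentication log, labels the machine-like accounts, and flags a later logon that breaks the pattern; the accounts, hosts, baseline length and cut-offs are assumptions.

```python
"""Discover service-like accounts from their authentication rhythm, then
flag deviations from the learned pattern (added illustration, not
Silverfort's code). Each constructed line is: time, account, source host,
destination host. The baseline is built from the first BASELINE_DAYS of data
and every later event is checked against it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

AUTH_LOG = """\
2024-03-01T02:00:00 svc-backup BK-01 FS-01
2024-03-01T08:47:12 jdoe WS-15 FS-01
2024-03-01T13:02:55 jdoe WS-15 MAIL-01
2024-03-02T02:00:00 svc-backup BK-01 FS-01
2024-03-02T09:31:40 jdoe WS-15 SQL-03
2024-03-03T02:00:00 svc-backup BK-01 FS-01
2024-03-03T16:05:10 jdoe WS-15 FS-01
2024-03-04T02:00:00 svc-backup BK-01 FS-01
2024-03-04T08:15:09 jdoe WS-15 WIKI-01
2024-03-05T02:00:00 svc-backup BK-01 FS-01
2024-03-06T02:00:00 svc-backup BK-01 FS-01
2024-03-07T02:00:00 svc-backup BK-01 FS-01
2024-03-08T02:00:00 svc-backup BK-01 FS-01
2024-03-08T14:33:21 svc-backup WS-204 DC-01
"""

BASELINE_DAYS = 7
MIN_EVENTS = 5
MAX_INTERVAL_CV = 0.1     # coefficient of variation of inter-logon gaps; hypothetical cut-off
MAX_SOURCES = 2


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def build_profiles(events, baseline_end):
    """Per-account behaviour learned from the events before baseline_end."""
    by_user = defaultdict(list)
    for e in events:
        if e["ts"] < baseline_end:
            by_user[e["user"]].append(e)
    profiles = {}
    for user, rows in by_user.items():
        stamps = [r["ts"] for r in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        sources = {r["src"] for r in rows}
        profiles[user] = {
            "count": len(rows),
            "sources": sources,
            "destinations": {r["dst"] for r in rows},
            "interval_cv": cv,
            # A steady cadence from few sources is the machine-like signature the text describes.
            "service_like": (len(rows) >= MIN_EVENTS and cv is not None
                             and cv <= MAX_INTERVAL_CV and len(sources) <= MAX_SOURCES),
        }
    return profiles


def check(profiles, event):
    """Deviations of one event from a service-like account's baseline."""
    p = profiles.get(event["user"])
    if p is None or not p["service_like"]:
        return []
    reasons = []
    if event["src"] not in p["sources"]:
        reasons.append("new source host")
    if event["dst"] not in p["destinations"]:
        reasons.append("new destination")
    return reasons


def run(text=AUTH_LOG):
    events = parse(text)
    baseline_end = events[0]["ts"] + timedelta(days=BASELINE_DAYS)
    profiles = build_profiles(events, baseline_end)
    alerts = [(e, check(profiles, e)) for e in events if e["ts"] >= baseline_end]
    return profiles, [(e, r) for e, r in alerts if r]
```

The nightly backup job keeps passing because it matches its own baseline; the same account logging on from a workstation to a domain controller in the afternoon is exactly the "deviation from normal behavior" the entry says nobody is watching for.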