Identity Threat Exposures (ITEs) are security weaknesses that expose an environment to identity threats: credential theft, privilege escalation, or lateral movement. An ITE can result from a misconfiguration, legacy identity infrastructure, or even built-in features.
Attackers rely on these ITEs to carry out credential theft, privilege escalation and lateral movement. What's more, because AD user accounts are commonly synced to the cloud IdP, an exposure that starts in the on-prem directory can also hand attackers direct access to your SaaS environment.
Why are Identity Threat Exposures dangerous?
The vast majority of organizations today employ a hybrid identity infrastructure, with Active Directory (AD) for on-prem resources and a cloud IdP for SaaS.
The common practice is for AD to sync users' password hashes to the cloud IdP, so users can access SaaS apps with the same credentials they use for on-prem resources. This significantly increases the SaaS environment's potential attack surface: any attack that yields a user's cleartext password on-prem also opens the way to cloud assets.
ITEs that expose weakly protected password hashes (NTLM and NTLMv1 authentication, admin accounts with an SPN whose Kerberos service tickets can be cracked offline) or that let attackers reset other users' passwords (shadow admins) are already extensively exploited by adversaries.
What Identity Threat Exposures types are there?
We classify ITEs into four groups, based on the malicious actions they enable attackers to achieve:
- Password Exposers: ITEs that allow adversaries to access a user account’s cleartext password.
- Privilege Escalators: ITEs that enable adversaries to escalate any access privileges they already possess.
- Lateral Movers: ITEs that enable adversaries to use compromised accounts to perform undetected lateral movement.
- Protection Dodgers: ITEs that make security controls less effective at monitoring and protecting user accounts.
Examples of Identity Threat Exposures
| Category | Related MITRE ATT&CK tactic | Examples |
|---|---|---|
| Password Exposers | Credential Access | NTLM authentication, NTLMv1 authentication, admins with SPN |
| Privilege Escalators | Privilege Escalation | Shadow admins, unconstrained delegation |
| Lateral Movers | Lateral Movement | Service accounts, prolific users |
| Protection Dodgers | No exact MITRE ATT&CK technique maps to this category; these exposures let attackers go undetected for long periods of time | New user accounts, shared accounts, stale users |
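The table above names the exposures but not how to find them. The following is an added example, not code from the original page or from any product it describes, that enumerates several of those ITE types with the RSAT ActiveDirectory module from a domain-joined host. The 90-day "stale" and 7-day "new account" thresholds, the service-account heuristic, and the list of expected ACL holders are this example's own assumptions; the DC registry check also assumes WinRM access to each DC.

```powershell
# Added example, not code from the original page: enumerate several of the ITE
# types in the table above with the RSAT ActiveDirectory module, run from a
# domain-joined host by an account that can read the directory (the DC registry
# check additionally needs WinRM access to each DC). The 90-day stale and 7-day
# "new account" thresholds and the service-account heuristic are assumptions.
Import-Module ActiveDirectory

$staleDays = 90
$newDays   = 7
$dcs       = Get-ADDomainController -Filter *
$dcDns     = $dcs.ComputerObjectDN

# --- Password Exposers -------------------------------------------------------
# Admins with SPN: any domain user can request a service ticket for an SPN and
# crack it offline (Kerberoasting); adminCount=1 marks accounts that are, or
# once were, members of protected groups.
$adminsWithSpn = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(adminCount=1))' `
    -Properties servicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPN'; e = { $_.servicePrincipalName -join ';' } }

# NTLMv1: a DC accepts NTLMv1 responses unless LmCompatibilityLevel is 5.
# An absent value means the OS default (3), which still accepts NTLMv1.
$ntlmv1Dcs = foreach ($dc in $dcs) {
    $level = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
    if ($null -eq $level -or $level -lt 5) {
        [pscustomobject]@{ DC = $dc.HostName; LmCompatibilityLevel = $level }
    }
}

# --- Privilege Escalators ----------------------------------------------------
# Unconstrained delegation: userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION).
# Domain controllers carry it legitimately, so they are excluded.
$trustedForDelegation = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
$unconstrained = @(
    Get-ADComputer -LDAPFilter $trustedForDelegation
    Get-ADUser     -LDAPFilter $trustedForDelegation
) | Where-Object { $dcDns -notcontains $_.DistinguishedName }

# Shadow admins: principals outside the expected admin set that can reset a
# Domain Admin's password (User-Force-Change-Password extended right) or hold
# rights that imply it (GenericAll, WriteDacl, WriteOwner) on the admin object.
$resetPassword   = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$impliesReset    = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
$domain          = (Get-ADDomain).NetBIOSName
$expectedHolders = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     "$domain\Domain Admins", "$domain\Enterprise Admins")
$shadowAdmins = foreach ($admin in Get-ADGroupMember 'Domain Admins' -Recursive) {
    (Get-Acl -Path "AD:\$($admin.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $expectedHolders -notcontains $_.IdentityReference.Value -and
            ($_.ObjectType -eq $resetPassword -or
             ($_.ActiveDirectoryRights -band $impliesReset) -ne 0)
        } |
        ForEach-Object {
            [pscustomobject]@{ Target = $admin.SamAccountName
                               Holder = $_.IdentityReference.Value
                               Rights = $_.ActiveDirectoryRights }
        }
}

# --- Lateral Movers ----------------------------------------------------------
# Service accounts (heuristic): users with an SPN or a never-expiring password
# (userAccountControl bit 0x10000). Their logons to many hosts look routine,
# which is exactly what makes lateral movement through them hard to spot.
$serviceAccounts = Get-ADUser -LDAPFilter `
    '(|(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=65536))' `
    -Properties servicePrincipalName, PasswordNeverExpires, PasswordLastSet

# --- Protection Dodgers ------------------------------------------------------
$createdSince = (Get-Date).AddDays(-$newDays)
$newUsers     = Get-ADUser -Filter { whenCreated -ge $createdSince } -Properties whenCreated
$staleUsers   = Search-ADAccount -AccountInactive -UsersOnly `
    -TimeSpan ([timespan]::FromDays($staleDays)) | Where-Object { $_.Enabled }

# Summary first, details after; pipe the detail objects to Export-Csv for triage.
[pscustomobject]@{
    AdminsWithSpn           = @($adminsWithSpn).Count
    DcsAcceptingNtlmv1      = @($ntlmv1Dcs).Count
    UnconstrainedDelegation = @($unconstrained).Count
    ShadowAdminAces         = @($shadowAdmins).Count
    ServiceAccounts         = @($serviceAccounts).Count
    NewUsers                = @($newUsers).Count
    StaleEnabledUsers       = @($staleUsers).Count
} | Format-List

$adminsWithSpn | Format-Table -AutoSize
$shadowAdmins  | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: the shadow-admin rule in particular surfaces every non-default ACE with reset-capable rights on a Domain Admin, and some of those (a PAM tool, a helpdesk tier with a documented exception) will be legitimate. Prolific users and shared accounts do not appear here because they are properties of authentication traffic, not of directory attributes, and have to come from the Security log instead.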
How to protect against Identity Threat Exposures?
- Know where you're exposed: Make sure you have visibility into all the different types of ITEs in your environment. If you're syncing AD users to your cloud IdP, ensure the sync follows Microsoft's best practices and does not create a mass of idle cloud users.
- Eliminate risk where you can: Where an ITE can be removed outright, remove it: disable NTLMv1 where nothing still depends on it, strip SPNs from admin accounts, and delete stale accounts rather than leaving them enabled.
- Contain and monitor existing risks: For ITEs that cannot be eliminated, such as service accounts or the use of NTLM, ensure the SecOps team has a process in place to monitor these accounts closely for any sign of compromise.
- Take preventative measures: Apply identity segmentation rules or MFA policies to keep user accounts from falling victim to the ITEs listed above where possible. Implement access policies on your service accounts that block them from reaching any destination beyond their pre-designated resources.
- Connect the identity and security teams: Responsibility for identity protection is shared between the identity and security teams. The security team's knowledge lets it prioritize which ITEs to resolve, while the identity team puts those fixes into effect, which together amounts to an integrated identity security posture.
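The "contain and monitor" and "take preventative measures" steps above both reduce to rules over authentication events. The following is an added example, not code from the original page or from any product it describes, that applies three such rules (NTLMv1 logons, RC4 service-ticket requests against admin accounts with an SPN, and service accounts logging on from outside their designated sources) to a handful of constructed Security-log events so it runs offline. Field names match the EventData of events 4624 and 4769; the allow-list of service-account sources, the watched account names, the burst threshold and the sample events are all assumptions for this example.

```powershell
# Added example, not code from the original page: detection rules for three of
# the ITEs above, run over constructed Security-log events so it executes offline.
# Field names follow the EventData of 4624 (logon) and 4769 (Kerberos service
# ticket request). The allow-list, watched accounts, threshold and sample events
# are assumptions for this example, not real data.

# Identity segmentation policy (assumed): sources each service account may log on from.
$serviceAccountSources = @{
    'svc_sql'    = @('10.0.9.10', '10.0.9.11')
    'svc_backup' = @('10.0.5.20')
}
# Admin accounts with an SPN that should never be Kerberoasted (assumed list).
$watchedSpnAccounts = @('svc_sql', 'adm_sccm')
$rc4BurstThreshold  = 3   # distinct RC4 service tickets from one source (assumed)

function ConvertTo-FlatEvent {
    # Flatten a real Get-WinEvent record into the shape the rules expect:
    # Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4769 } | ConvertTo-FlatEvent
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $flat = @{ Id = $Record.Id; TimeCreated = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $flat[$d.Name] = $d.'#text' }
        [pscustomobject]$flat
    }
}

function Find-IdentityThreats {
    param([Parameter(Mandatory)] [object[]] $Events)
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($e in $Events) {
        # Rule 1: NTLMv1 still in use. A captured NTLMv1 response is crackable
        # offline, so each such logon names a password that is effectively exposed.
        if ($e.Id -eq 4624 -and $e.LmPackageName -eq 'NTLM V1') {
            $findings.Add([pscustomobject]@{
                Rule = 'NTLMv1 logon'; Account = $e.TargetUserName
                Source = $e.IpAddress; Detail = "workstation $($e.WorkstationName)" })
        }
        # Rule 2: a service account logging on from outside its designated sources
        # (the identity-segmentation policy above).
        if ($e.Id -eq 4624 -and $serviceAccountSources.ContainsKey($e.TargetUserName) -and
            $serviceAccountSources[$e.TargetUserName] -notcontains $e.IpAddress) {
            $findings.Add([pscustomobject]@{
                Rule = 'Service account off-segment'; Account = $e.TargetUserName
                Source = $e.IpAddress
                Detail = "allowed: $($serviceAccountSources[$e.TargetUserName] -join ',')" })
        }
        # Rule 3a: RC4 (0x17) service ticket for a watched admin-with-SPN account.
        # Kerberoasting tools ask for RC4 because those tickets crack fastest.
        if ($e.Id -eq 4769 -and $e.TicketEncryptionType -eq '0x17' -and
            $watchedSpnAccounts -contains $e.ServiceName) {
            $findings.Add([pscustomobject]@{
                Rule = 'RC4 TGS for admin with SPN'; Account = $e.ServiceName
                Source = $e.IpAddress; Detail = "requested by $($e.TargetUserName)" })
        }
    }

    # Rule 3b: one source requesting RC4 tickets for many distinct (non-computer)
    # services is the signature of a bulk Kerberoast, whatever the targets are.
    $Events | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and
                             $_.ServiceName -notlike '*$' } |
        Group-Object IpAddress |
        Where-Object { @($_.Group.ServiceName | Sort-Object -Unique).Count -ge $rc4BurstThreshold } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Rule = 'Kerberoast burst'
                Account = ($_.Group.ServiceName | Sort-Object -Unique) -join ','
                Source = $_.Name; Detail = "$($_.Count) RC4 ticket requests" })
        }
    return $findings
}

# Constructed sample events (not real log data).
$sampleEvents = @(
    [pscustomobject]@{ Id = 4624; TargetUserName = 'j.doe';      LogonType = '3'; AuthenticationPackageName = 'NTLM';     LmPackageName = 'NTLM V2'; WorkstationName = 'WS-HR-03';  IpAddress = '10.0.2.15' }
    [pscustomobject]@{ Id = 4624; TargetUserName = 'svc_backup'; LogonType = '3'; AuthenticationPackageName = 'NTLM';     LmPackageName = 'NTLM V1'; WorkstationName = 'FS-LEGACY'; IpAddress = '10.0.3.44' }
    [pscustomobject]@{ Id = 4624; TargetUserName = 'svc_sql';    LogonType = '3'; AuthenticationPackageName = 'Kerberos'; LmPackageName = '-';       WorkstationName = 'WS-FIN-07'; IpAddress = '10.0.7.81' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'j.doe@CORP.LOCAL';   ServiceName = 'svc_sql'; TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.2.15' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'j.doe@CORP.LOCAL';   ServiceName = 'svc_web'; TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.2.15' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'j.doe@CORP.LOCAL';   ServiceName = 'svc_mq';  TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.2.15' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'a.smith@CORP.LOCAL'; ServiceName = 'FS01$';   TicketEncryptionType = '0x12'; IpAddress = '::ffff:10.0.4.9' }
)

Find-IdentityThreats -Events $sampleEvents | Format-Table -AutoSize
```

On the sample data this yields five findings: the NTLMv1 logon by svc_backup, two off-segment service-account logons (svc_backup from 10.0.3.44 and svc_sql from 10.0.7.81), the RC4 ticket for svc_sql, and a Kerberoast burst from ::ffff:10.0.2.15 covering three services; the AES (0x12) request for the computer account FS01$ is correctly ignored. Against a live domain controller, replace the constructed array with `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4769 } | ConvertTo-FlatEvent`, and note that 4769 logging requires the "Audit Kerberos Service Ticket Operations" subcategory to be enabled on the DCs.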