What is Identity Threat Exposure ?

Identity Threat Exposures (ITEs) are security weaknesses that expose an environment to identity threats: credential theft, privilege escalation, or lateral movement. An ITE can result from a misconfiguration, malpractice, legacy identity infrastructure, or even built-in features.

Attackers use these ITEs as co-conspirators to perform credential theft, privilege escalation and lateral movement. What’s more, due to the common practice of syncing AD user accounts to the cloud IdP, this underground exposure could also provide attackers with direct access to your SaaS  environment.

Why are Identity Threat Exposures dangerous?

The vast majority of organizations today employ a hybrid identity infrastructure, with Active Directory (AD) for on-prem resources and a cloud IdP for SaaS.

The common practice is for AD to sync users’ hashes to the cloud IdP, so users can access SaaS apps with the same credentials as on-prem resources. This significantly increases the SaaS environment’s potential attack surface, as any attack that results in the adversary gaining cleartext passwords paves the way to cloud assets.

This means that any ITEs that enable attackers to get users’ cleartext passwords provide adversaries with direct access to the SaaS environment. ITEs that expose weakly decrypted password hashes (NTLM, NTLMv1, admins with SPN) or enable attackers to reset user passwords (shadow admins) are already extensively exploited by adversaries.

What Identity Threat Exposures types are there?

We classify ITEs into four groups, based on the malicious actions they enable attackers to achieve:

  • Password Exposers:  ITEs that allow adversaries to access a user account’s cleartext password.
  • Privilege Escalators: ITEs that enable adversaries to escalate any access privileges they already possess.
  • Lateral Movers: ITEs that enable adversaries to use compromised accounts to perform undetected lateral movement.
  • Protection Dodgers: ITEs that make security controls less effective at monitoring and protecting user accounts.

Examples of Identity Threat Exposures

CategoryRelated MITRE ATT&CKExamples
Password ExposersCredential accessNTLM authenticationNTLMv1 authenticationAdmins with SPN
Privilege EscalatorsPrivilege escalationShadow adminsUnconstrained delegation
Lateral MoversLateral movementService accounts Prolific users
Protection DodgersThere isn’t an exact MITRE ATT&CK technique that maps to this category. It allows attackers to go undetected for long periods of time.New user accountsShared accountsStale users

How to protect against Identity Threat Exposures?

  1. Know where you’re exposed
    Make sure you have visibility into the ITEs in your environment. If you’re syncing AD users to your cloud IdP, ensure it follows Microsoft’s best practices and does not create a mass of idle users.
  2. Eliminate risk where you can
    Work closely with the identity team to weed out the ITEs that result from malpractices or misconfigurations and establish a process to address them as soon as – or before – they appear.
  3. Contain and monitor existing risks
    For ITEs that cannot be eliminated, such as service accounts or the use of NTLM, ensure the SecOps team has a process in place to monitor these accounts closely for any sign of compromise.
  4. Take preventative measures
    Apply identity segmentation rules or MFA policies to prevent user accounts from falling victim to featured ITEs where possible. Enforce access policies on your service accounts that would block them from accessing any destination beyond their pre-designated resources.
  5. Connect the identity and security teams
    The responsibility for identity protection is distributed between the identity and the security teams, where the latter’s knowledge enables them to prioritize which ITEs to resolve, while the former can put these fixes into effect, in effect creating an integrated identity security posture.