The Identity Underground Report


Your defenses are sky high, but underground you’re exposed.

When it comes to identity protection, the user accounts and configurations we’re aware of lie in full view above the ground. We can, therefore, defend them effectively against identity threats.

Unfortunately, this aboveground knowledge is painfully limited. Beneath the known identity attack surface exists an underground world of misconfigurations, forgotten user accounts, legacy settings, malpractices, and insecure built-in features. In this report we refer to these as Identity Threat Exposures (ITEs).

Attackers use these ITEs as co-conspirators to perform credential theft, privilege escalation and lateral movement. What’s more, due to the common practice of syncing AD user accounts to the cloud IdP, this underground exposure could also provide attackers with direct access to your SaaS environment.

We took a deep dive into the prevalence and severity of ITEs in hundreds of live production environments. This is what we discovered:

  • 67% of organizations exposed their SaaS apps to compromise with insecure on-prem password sync.
  • 37% of admins authenticate over NTLM, enabling attackers to access cleartext passwords.
  • A single AD misconfiguration introduces, on average, 109 new shadow admins, enabling attackers to reset a true admin’s password.
  • 31% of all users are service accounts with high access privileges and low visibility.