By Carolyn Crandall, Chief Security Advocate, Attivo Networks
Sometimes, organizations change from within, while other times change is thrust upon them—and fast. The COVID-19 pandemic is an excellent example of one of those “other times.” It would be difficult to imagine a situation where change was thrust upon organizations more quickly and unexpectedly than over the past two years, and that is especially true for their IT infrastructures. The massive shift to remote work helped save countless enterprises from business disruption, but it came at a cost. Even the most forward-thinking organizations did not consider widespread remote access when implementing their security models.
The massive proliferation of poorly secured endpoint devices—including personal computers and phones, unsecured modems and routers, and other devices—has put the need for greater endpoint security in the spotlight. Typically, that has meant turning to endpoint detection and response (EDR) solutions, but traditional approaches to EDR are no longer enough. Today’s attackers are breaking out from the endpoint using identity-based attacks, requiring organizations to rethink their approach to endpoint security. Organizations must complement or upgrade their EDR solutions with identity threat detection and response (ITDR) tools capable of providing the protection needed to combat today’s identity-based threats.
Identity-Based Attacks Continue to Increase
Attackers recognize that using identity-based attack methods makes it easy to circumvent traditional perimeter defenses and directly access corporate networks. And unfortunately, credential theft has proven to be an easy way for attackers to compromise those identities. The most recent Verizon Data Breach Investigations Report (DBIR) indicates that credential data is now present in a staggering 61% of attacks, highlighting the ease with which attackers can access it. Too many organizations leave credential data exposed on the endpoints, rendering them and the systems they have access to dangerously vulnerable.
Unfortunately, even with EDR and Identity and Access Management (IAM) systems in place, there remain gaps in protecting credentials, privileges, and the systems that manage them. They simply aren’t designed to detect credential-based attacks. What’s more, as the number of identities in use continues to rise, gaining sufficient visibility into those identities’ permissions isn’t always easy. Assigning the correct level of access to identities can be challenging at scale, leading to overprovisioning, or granting more access than is needed to avoid workflow disruptions. On the one hand, this ensures that identities will rarely have trouble accessing the data they need. On the other hand, an attacker who compromises an identity will have access to much more data than they otherwise would.
Of course, attackers don’t stop at one compromised identity. Once inside the network, they will move laterally and attempt to escalate their privileges, conduct reconnaissance, and perform other attack activities. Most attackers will target Active Directory (AD) to achieve their goals. Since AD serves as the primary identity service for roughly 90% of Global Fortune 1000 organizations, handling authentication throughout the enterprise, attackers looking to escalate their attacks consider it a high-value target. If adversaries can compromise AD, removing them from the network becomes extremely difficult. Protecting endpoints—and, by extension, identities—is essential to prevent that from happening.
Rethinking Endpoint Security
The line between endpoints and identities has blurred with the advent of cloud services and the proliferation of nonhuman identities, which remove any clear delineation between the two. A virtual machine in the cloud might be both an endpoint and an identity—after all, it has permissions and entitlements that allow it to access specific data and areas of the network. This state presents a new opportunity for attackers and forces defenders to think of endpoint security as they would think of identity security.
Keeping endpoints secure starts with visibility. Organizations need visibility into any exposed identity assets on endpoints, including orphaned or duplicate credentials, privileged accounts, etc. Defenders cannot protect identities when they cannot easily see or understand exposures related to user, device, and domain controller misconfigurations and vulnerabilities. Identifying potential attack paths from the endpoint to Active Directory and critical servers is also essential. Once they have a good sense of the exposures and other vulnerabilities endangering the endpoint, the organization can begin the process of remediation.
Defenders then need to prioritize credential protection. Preventing credential theft is essential in today’s threat environment, and organizations can take steps like binding their credentials to applications to make it harder for attackers to steal and use them. Defenders can also be proactive, placing false credentials on network endpoints to trick attackers into stealing them. When an attacker attempts to use a set of deceptive credentials, the system can flag it as attacker activity and notify defenders in real time. In addition to seeding decoy credentials, organizations can also take steps to hide their real credentials, making them invisible to attackers. Much like defenders cannot protect what they cannot see, attackers cannot steal what they cannot see. And if they can’t compromise a valid identity, they will find it that much harder to break out from the endpoint and escalate their attacks.
Bringing Endpoint and Identity Security Together
Organizations are increasingly implementing ITDR solutions to complement EDR tools and provide the ability to address credential theft, credential misuse, privilege escalation, and other attack activities that traditional endpoint security solutions are not designed to manage. Together, these solutions can help defenders identify potential vulnerabilities on the endpoint while adding real-time detection capabilities to identify suspicious activities like mass account or password changes, brute force attacks, use of disabled accounts, and more. The ability to conceal valid credentials while seeding fake ones designed to attract adversaries adds a new layer of defense designed to make it harder for attackers to break out from the endpoint and reach Active Directory. By rethinking their approach to endpoint security and integrating it with identity-based solutions, today’s organizations can shore up their defenses against some of today’s most prevalent—and evasive—attacks.
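The detections this article attributes to ITDR (decoy credential use from the previous section, plus brute force, use of disabled accounts, and mass password changes listed above) reduce to a few rules over authentication events. The following is an added illustration, not code from the article or from any vendor product; it runs over a constructed sample of Windows Security-style events (4624 logon, 4625 failed logon, 4724 password reset) with a constructed decoy account name and assumed thresholds.

```python
from collections import Counter, defaultdict

# Constructed decoy account name: a seeded credential no legitimate process ever uses.
DECOY_ACCOUNTS = {"svc-backup-admin"}
BRUTE_FORCE_THRESHOLD = 5       # assumed: failed logons from one source against one account
MASS_RESET_THRESHOLD = 3        # assumed: distinct accounts reset by one subject
DISABLED_STATUS = "0xC0000072"  # NTSTATUS STATUS_ACCOUNT_DISABLED, as reported in event 4625

def detect(events):
    """Return (alert_type, account, source) tuples for the behaviours the article lists."""
    alerts = []
    failures = Counter()        # (account, source) -> failed logon count
    resets = defaultdict(set)   # subject account -> accounts whose password it reset
    for e in events:
        eid, user, src = e["event_id"], e["user"], e["src"]
        # Any authentication attempt with a decoy credential is attacker activity by definition.
        if eid in (4624, 4625) and user in DECOY_ACCOUNTS:
            alerts.append(("decoy_credential_use", user, src))
        if eid == 4625:
            if e.get("status") == DISABLED_STATUS:
                alerts.append(("disabled_account_use", user, src))
            failures[(user, src)] += 1
            if failures[(user, src)] == BRUTE_FORCE_THRESHOLD:  # alert once, at the threshold
                alerts.append(("brute_force", user, src))
        elif eid == 4724:
            resets[e["subject"]].add(user)
            if len(resets[e["subject"]]) == MASS_RESET_THRESHOLD:
                alerts.append(("mass_password_reset", e["subject"], src))
    return alerts

# Constructed sample log: one instance of each behaviour plus a benign successful logon.
SAMPLE_EVENTS = (
    [{"event_id": 4625, "user": "alice", "src": "10.0.0.7", "status": "0xC000006D"}] * 5
    + [{"event_id": 4624, "user": "alice", "src": "10.0.0.5"}]
    + [{"event_id": 4625, "user": "bob", "src": "10.0.0.7", "status": DISABLED_STATUS}]
    + [{"event_id": 4625, "user": "svc-backup-admin", "src": "10.0.0.7", "status": "0xC000006D"}]
    + [{"event_id": 4724, "user": u, "subject": "helpdesk1", "src": "10.0.0.9"} for u in ("u1", "u2", "u3")]
)

def run_sample():
    return detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The decoy rule fires on the first touch with no threshold, which is what makes seeded credentials a high-fidelity signal compared with the count-based rules.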
About the Author
Carolyn Crandall is the strategic advisor for SentinelOne, an autonomous cybersecurity platform company. Prior to SentinelOne, Carolyn served as the Chief Security Advocate and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of taking companies from pre-IPO through to multibillion-dollar sales and held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate.