Page 142 - Cyber Defense eMagazine September 2025

The exact number of days that counts as dormancy may vary by industry, but the underlying idea is the same: if an account or its privileges have not been touched in two or three full business cycles, it is dormant. At that point, it becomes dangerous to overlook those accounts.



Why Dormancy Matters

Most breaches you hear about start with a phishing link or a zero-day. The one you rarely hear about is the attacker who simply logs in with an account that no one has touched. Dormant accounts and entitlements (memberships, roles and keys) that sit untouched yet fully empowered are the quietest and easiest way into any environment. They stick around through reorgs, mergers and cloud moves, and even outlast multiple CISOs. If no one notices an account is idle, no one notices when it suddenly springs back to life, except the attacker who stole it.



Common Hiding Spots

Here are some examples of the places where dormant accounts and entitlements can be found:

   •  Active Directory: stale domain accounts with no last-logon timestamp at all, or accounts that are disabled but still carry the delegation rules that grant Kerberos tickets.
   •  Unix and Linux: orphaned service IDs that PAM never aged out.
   •  SaaS platforms: admin accounts left behind by contractors who moved on months ago.
   •  IAM policy sprawl: nested roles in AWS IAM or Azure AD groups that belong to a project which was sunset.

What this really means is that dormancy is not a single problem; it is a combination of thousands of accounts, entitlements and policies scattered across multiple systems and platforms. Bringing all this information into a centralized platform, such as a modern IGA solution, connects these scattered insights and makes it easier to take timely action.




How to Detect Dormant Access

Finding dormant accounts doesn't have to be complicated; your existing tools and logs usually have all the necessary data. Here are some of the ways you can quickly identify unused access without extra overhead:

   •  Windows Accounts: Use your logging platform (like Splunk) to quickly surface accounts that have not logged in for a few months. Look for users with no activity for 90 days or more. This will be enough to clearly separate inactive accounts from active ones.
   •  Active Directory (AD): Run built-in AD reports or use PowerShell scripts to list users who have not logged in recently. This can be done using the built-in AD attributes (lastLogonTimestamp / lastLogon). A typical window is about four months; accounts inactive that long are almost certainly
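As an added example that is not from the article, the following PowerShell script implements the AD check described above with a 120-day window, and also lists the disabled-but-still-delegating accounts mentioned under Common Hiding Spots. It assumes the RSAT ActiveDirectory module and a domain-joined session; the output path is an arbitrary choice.

```powershell
# Added example (not from the article): flag enabled AD user accounts whose
# replicated lastLogonTimestamp is older than the window, plus disabled
# accounts that still have unconstrained delegation set.
Import-Module ActiveDirectory

$InactiveDays = 120   # roughly the "four months" window from the text
$Now    = Get-Date
$Cutoff = $Now.AddDays(-$InactiveDays)

# lastLogonTimestamp replicates between DCs but is only refreshed when the
# stored value is older than msDS-LogonTimeSyncInterval (14 days by default),
# so the true last logon may be up to ~14 days newer than what it shows.
# lastLogon is exact but per-DC and not replicated, so it would need every DC queried.
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, whenCreated, PasswordNeverExpires, memberOf

$Dormant = foreach ($u in $Users) {
    if ($u.lastLogonTimestamp) {
        $LastSeen = [DateTime]::FromFileTime($u.lastLogonTimestamp)
    } else {
        # Never logged on: fall back to creation date so brand-new accounts
        # are not flagged, while old never-used accounts are.
        $LastSeen = $u.whenCreated
    }
    if ($LastSeen -lt $Cutoff) {
        [PSCustomObject]@{
            SamAccountName       = $u.SamAccountName
            LastSeen             = $LastSeen
            DaysIdle             = [int]($Now - $LastSeen).TotalDays
            NeverLoggedOn        = (-not $u.lastLogonTimestamp)
            PasswordNeverExpires = $u.PasswordNeverExpires
            GroupCount           = @($u.memberOf).Count   # entitlements still attached
        }
    }
}

# Disabled accounts that still carry unconstrained delegation: disabled is not
# the same as cleaned up, and the setting survives until someone removes it.
$DisabledDelegating = Get-ADUser `
    -Filter 'Enabled -eq $false -and TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation |
    Select-Object SamAccountName, DistinguishedName

$Dormant | Sort-Object DaysIdle -Descending |
    Export-Csv -Path .\dormant-users.csv -NoTypeInformation   # assumed output path
$Dormant | Format-Table SamAccountName, DaysIdle, NeverLoggedOn, GroupCount -AutoSize
$DisabledDelegating | Format-Table -AutoSize
```

The built-in shortcut `Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 120) -UsersOnly` gives a similar list but without the never-logged-on handling or the entitlement count.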






Cyber Defense eMagazine – September 2025 Edition
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.