The Risk of Identity Attack Paths: 10 Stats Everyone Must Know

The threat of identity-based attack paths – the chains of abusable privileges and user behaviors that create connections between computers and users – has persisted for decades. Most organizations are at risk, whether they know it or not.

The threat applies to every organization that uses an identity and access management platform, in particular Microsoft Active Directory (AD) and Microsoft Entra ID (formerly Azure Active Directory). These are favorite targets among attackers because the payoff is unmatched: the platforms are nearly universal among enterprises, with approximately 95% relying on AD, and whoever gains control of the directory gains full control of every user, system, and piece of data that trusts it.

Complicating matters, attack paths are usually unseen and unmanaged. IT environments change constantly in both size and complexity, and that change, combined with unpredictable user behavior, creates new attack paths every day. An enterprise can easily have thousands of users and tens of thousands of networked devices. At that scale attack paths escape notice, especially because a principal's effective rights in AD are the product of nested group memberships, object permissions, and logon sessions that native tooling does not summarize. Anyone who goes looking for an attack path is virtually guaranteed to find one.

To defend against this threat, organizations and end users must arm themselves with as much knowledge as possible about the threat they face. Below, we walk through 10 stats everyone needs to know about identity attack paths.

  1. 100% of environments have an attack path to Tier Zero and complete environment takeover. Tier Zero is the set of an organization's most privileged assets and accounts, such as domain controllers and the groups and identities that administer them. A threat actor who compromises a Tier Zero account controls every enterprise identity and everything that depends on it, and can do extensive damage to the organization's operations and reputation. Security teams must take preventive measures to cut the attack paths that lead into Tier Zero.
  2. 90% of breaches that cybersecurity firm Mandiant investigated recently involved AD (where attack paths live) in some form. AD is a vast attack surface with many moving parts, which gives threat actors plenty of room to operate. Defenders must treat this as a standing security challenge and hunt proactively for abuse of AD rather than only reacting to threats as they emerge.
  3. On average, over 70% of users in an AD domain have at least one attack path to Tier Zero and control over the enterprise. Many organizations try to enforce the principle of least privilege, which grants each principal only the access required for its task. In practice, least privilege is often out of reach: organizations struggle to balance security against usability, and privileges granted for otherwise practical reasons chain together into attack paths that link ordinary users and computers to the most sensitive systems and the most highly privileged principals.
  4. On average, AD Certificate Services misconfigurations allow over 50% of users to take over the enterprise in one attack. The consequences of a misconfigured certificate services instance are extensive and serious: certificate abuse lets an attacker obtain a credential for another user, and because a certificate stays valid until it expires or is revoked, that access survives password changes and reboots, giving the attacker an alarming level of persistent access.
  5. Analysis of 2 billion abusable relationships showed that most attacks can be mitigated by fixing the 0.02% of misconfigurations that connect attackers to Tier Zero. Attack paths funnel through a few "choke points", nodes or edges on which many paths converge just before they reach Tier Zero, and a handful of common misconfigurations create them. A relatively small amount of remediation work at those points eliminates a large number of critical attack paths and reduces the organization's risk considerably.
  6. On average, cutting one attack path choke point severs 17,000 attack paths. A large organization has too many attack paths to remove them all, but assessing and remediating choke points reduces risk significantly without an insurmountable workload: one fix neutralizes thousands of downstream misconfigurations and denies the adversary that route to control of the organization.
  7. Mapping an AD domain or Azure tenant is about as complex as mapping all the roads and cities in the United States. Attack paths are everywhere partly because AD and Azure environments are so large and complicated. The U.S. has about 20,000 cities connected by nearly 5 million roads; an average AD domain or Azure tenant contains about 130,000 identities (users and computers) and resources (servers, storage volumes, printers) connected by 3.5 million abusable relationships.
  8. A random sampling by cybersecurity company SpecterOps found synced privileged roles in 100% of AD environments, that is, on-premises accounts synchronized into privileged Azure AD (Entra ID) roles. Microsoft specifically recommends against syncing privileged users from on-premises AD into the cloud, because control of the on-premises account carries over to the cloud role and lets an adversary bypass the safeguards and enhanced controls that protect cloud-only accounts, such as multifactor authentication (MFA) and conditional access. Many organizations do not follow this guidance, likely because of the difficulty of balancing security with usability.
  9. 70% of IT environments randomly sampled synced regular on-premises user accounts to Tier Zero roles like Global Administrator. Doing so removes a layer of protection and significantly increases risk: compromising an ordinary domain account becomes a direct route to the keys to the kingdom.
  10. Organizations employing an attack path management solution can experience an average 35% reduction in risk. Such a solution unites an organization's IT and security teams so they can sever attack paths proactively without disrupting operations. It enables continuous attack path mapping, quantifies identity attack path choke points in AD environments, and provides precise remediation guidance, improving the organization's security posture.
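To make stats 3, 5, 6 and 9 concrete, here is an added example (written for this edit, not code from the article or from SpecterOps) that enumerates attack paths to Tier Zero in a small identity graph and ranks the edges by how many paths each one carries, which is what a choke point is. The principals, the relationships, and the Tier Zero set are constructed for illustration; the relationship names follow the usual attack-path vocabulary (MemberOf, GenericAll, AdminTo, HasSession, ForceChangePassword), and SyncedToEntraUser is an assumed edge standing for an on-premises account synchronized into a Global Administrator role.

```python
"""Choke-point analysis over a constructed identity attack-path graph.

Everything below (principal names, relationships, the Tier Zero set) is a
constructed example for illustration; it is not data from any real domain.
An edge (source, relationship, target) means "whoever controls source can
abuse relationship to take control of target".
"""
from collections import Counter, defaultdict

EDGES = [
    ("alice",         "MemberOf",            "HELPDESK"),
    ("bob",           "MemberOf",            "HELPDESK"),
    ("carol",         "MemberOf",            "HELPDESK"),
    ("gina",          "MemberOf",            "SERVER-ADMINS"),
    ("HELPDESK",      "GenericAll",          "SERVER-ADMINS"),      # the misconfiguration
    ("HELPDESK",      "ForceChangePassword", "carol"),              # ordinary help desk right
    ("SERVER-ADMINS", "AdminTo",             "SRV01"),
    ("SERVER-ADMINS", "AdminTo",             "SRV02"),
    ("SRV01",         "HasSession",          "dave"),               # Domain Admin logged on
    ("SRV02",         "HasSession",          "erin"),
    ("dave",          "MemberOf",            "DOMAIN ADMINS"),
    ("erin",          "MemberOf",            "DOMAIN ADMINS"),
    ("DOMAIN ADMINS", "AdminTo",             "DC01"),
    ("carol",         "SyncedToEntraUser",   "carol_entra"),        # assumed sync edge (stat 9)
    ("carol_entra",   "MemberOf",            "GLOBAL ADMINISTRATOR"),
]
# frank exists in the domain but holds no abusable relationship at all.
USERS = {"alice", "bob", "carol", "gina", "frank", "dave", "erin"}
# Tier Zero: the most privileged principals, including the people who already
# are Domain Admins, so a path stops as soon as it reaches one of them.
TIER_ZERO = {"DOMAIN ADMINS", "DC01", "dave", "erin", "GLOBAL ADMINISTRATOR"}


def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def attack_paths_from(graph, tier_zero, start):
    """All simple paths from start that end at the first Tier Zero node reached."""
    found = []

    def dfs(node, on_path, edges_so_far):
        for rel, nxt in graph.get(node, ()):
            if nxt in on_path:          # never revisit a node: keeps paths simple and finite
                continue
            edge = (node, rel, nxt)
            if nxt in tier_zero:
                found.append(edges_so_far + [edge])
            else:
                dfs(nxt, on_path | {nxt}, edges_so_far + [edge])

    dfs(start, {start}, [])
    return found


def all_attack_paths(edges, tier_zero):
    graph = build_graph(edges)
    nodes = {n for src, _, dst in edges for n in (src, dst)}
    paths = []
    for node in sorted(nodes - tier_zero):
        paths.extend(attack_paths_from(graph, tier_zero, node))
    return paths


def exposed_user_fraction(edges, tier_zero, users):
    """(users with at least one path to Tier Zero, users checked); Tier Zero users excluded."""
    graph = build_graph(edges)
    checked = sorted(users - tier_zero)
    exposed = [u for u in checked if attack_paths_from(graph, tier_zero, u)]
    return len(exposed), len(checked)


def choke_points(edges, tier_zero):
    """Edges ranked by how many attack paths disappear if that one edge is removed."""
    severed = Counter(edge for path in all_attack_paths(edges, tier_zero) for edge in path)
    return severed.most_common()


def paths_after_cut(edges, tier_zero, cut_edge):
    """Re-run the analysis with one edge remediated, to confirm the predicted effect."""
    return len(all_attack_paths([e for e in edges if e != cut_edge], tier_zero))


if __name__ == "__main__":
    paths = all_attack_paths(EDGES, TIER_ZERO)
    hit, total = exposed_user_fraction(EDGES, TIER_ZERO, USERS)
    print(f"{len(paths)} attack paths to Tier Zero; {hit}/{total} non-Tier-Zero users exposed")
    ranked = choke_points(EDGES, TIER_ZERO)
    for (src, rel, dst), n in ranked[:3]:
        print(f"  {n:2d} paths pass through {src} -[{rel}]-> {dst}")
    top = ranked[0][0]
    print(f"after removing {top}: {paths_after_cut(EDGES, TIER_ZERO, top)} paths remain")
```

On this constructed graph the script finds 19 paths, reports 4 of the 5 non-Tier-Zero users as exposed, and ranks the HELPDESK GenericAll right over SERVER-ADMINS as the top choke point: 8 of the 19 paths cross that single edge, and removing it leaves 11. Two caveats for real use: exhaustive path enumeration grows exponentially with graph size, so production tooling works with reachability and per-edge path counts rather than listing every path, and the ranking should be read with remediation in mind, since an edge that exists by design (a Domain Admin's session on a server) is cut by changing operational practice, while an edge such as the GenericAll above is removed by fixing the ACL.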

The threat of identity attack paths will persist as long as organizations rely on AD. To combat this threat effectively, organizations must know the risk they face. They can employ an attack path management methodology, which enables continuous discovery, mapping, and risk assessment of AD attack path choke points. Taking these steps will help organizations eliminate, mitigate, and manage the attack paths they face and keep their keys to the kingdom in the right hands.

About the Author

Jared Atkinson is the Chief Strategist at SpecterOps. He is a security researcher who specializes in Digital Forensics and Incident Response. Recently, he has been building and leading private sector Hunt Operations capabilities. In his previous life, Jared led incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open-source community, Jared is the lead developer of PowerForensics, Uproot, and maintains a DFIR focused blog at www.invoke-ir.com. You can follow Jared on X @jaredcatkinson and via the SpecterOps company website at https://specterops.io/.
