The Number of Identities is Surging
Today’s enterprises focus on cloud-first and rapid development initiatives to speed the deployment of new applications. While these activities often do deliver on speed, in the process, they generate many more identities across the organization. More human identities are needed to manage accounts on new systems, and machine identities are provisioned to enable automation to manage inter-system communication and operation. All of these identities must be identified, onboarded, secured, and managed.
Yet, the reality is that this surge in the number of identities is frequently coupled with a lack of visibility into the depth and breadth of permissions given to these accounts. It is much easier to over-entitle an identity and their accounts during account creation time. This naturally leads to more entitlements than are required for the work, and this is a threat vector for malicious actors.
It’s clear that tracking cloud-access entitlements is difficult. Many of the cloud providers’ native tools still are opaque and lack cross-platform visibility, making it difficult to assess the true effect of the combination of entitlements.
In the face of this complexity, many companies simply hope they are doing the right thing. This represents a largely unidentified, yet powerful threat. The analysts agree. Gartner predicts that by the end of 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.
How Can Today's Organizations Get Ahead of the Threats?
Until recently, the technology required for organizations to build out the Identity Threat Detection and Response strategy necessary to mitigate this identity threat has not been available. However, recent innovations are now allowing traditional PAM to combine with an Identity-Centric security model. Read on to learn more about how PAM, IAM, and ITDR are enabling enterprises to significantly improve their security postures.
Why Traditional IAM And PAM Alone Are No Longer Enough
Identity Access Management (IAM) and Privileged Access Management (PAM) excel in their depth of control over who should have access to what systems, and knowledge of the identities, privileges, and access across an organization. But how do you reveal the aspects of an identity that might lead to a security compromise—before it happens? You can’t alert or respond to what you can’t see.
IAM tools track entitlements yet don’t flag excessive permissions, nor do they reveal outliers who are dissimilar from their peers, unless specialized AI/ML products are inserted into the mix. Often, these detections and recommendations are aimed at on-premises systems and not at internet-facing systems.
IAM and PAM misconfigurations can lead to over-entitled identities, poor credential and secrets management practices, and accidental public exposure of access or data through weak and/or leaked passwords.
Common examples of poor password hygiene include:
- Commonly used passwords
- Stale passwords (because they are not rotated regularly)
- Reused passwords (even though they otherwise fit password policy rules), and which may be repeated across multiple applications and services
- Secrets that are embedded or stored insecurely via other methods
Inadequate password management practices can result in account hijacking, privileged access, and lateral movement, which could lead to data leaks, deployment of ransomware, or other nefarious acts. Excessive privileged access leads to similarly undesirable outcomes.
Organizations are looking for measures that go beyond prevention. They want to know when something has been compromised, and they want to be alerted of suspicious activity while it is in-progress, so they have time to do something about it before it causes damage. They want rapid identity threat detection and response.
Building an Identity Threat Detection and Response Strategy
Identity threat detection and response (ITDR) refers to the combination of security tools and processes required to adequately defend identity-based systems. However, despite what some security vendors will tell you, ITDR is a discipline, not a product. The benefits that come from rapid detection and response begin with instrumenting the security platform as a whole. These techniques can separate the 10% of alerts that require immediate action from the 90% that do not. This helps security teams avoid alert fatigue and fix the truly critical security issues before attackers can exploit them. Combining traditional PAM with an Identity-Centric security model enables enterprises to build out an ITDR strategy. Until recently, this technology has not been available.
What Are the Best Practices for Organizations Who Are Building Towards ITDR?
1) Centralize Data Around Identity
By centralizing data around the concept of an identity, enterprises benefit from having a single place to model roles, policies, privileges, and risk. A foundation built on identity provides a unified approach to manage privileges, entitlements, and access across the organization.
Thinking in terms of individual detections and recommendations does not bring the high value information enterprises require. That's like asking about the value of individual antivirus signatures. What is needed is a way to surface many signals related to identity and privileged access, bringing a focus to broader security concerns through specific and actionable recommendations. Let’s review a sample of how this can work in practice.
2) Ensure Identity Provider (IdP) Accounts Are Managed by a Privileged Credential Solution
A privileged credential management solution is central to controlling access by privileged identities, and it works with identity providers such as Azure AD and Okta. But it won’t be effective if you haven't set it up correctly, or if you aren't managing all your privileged accounts with it.
Leaving unmanaged privileged accounts in your environments equates to bad password hygiene, which then leads to incorrect configurations and potential security blind spots.
Security teams want to know when privileged Azure AD accounts are not managed by the privileged credential solution. This is a critical security flaw because a threat actor could gain access to privileged assets using stolen passwords and other methods without worrying about password rotation or session monitoring. Having this knowledge would allow Security Operations Center (or SOC) teams to quickly get more information about the account and systems in question.
Similarly, knowing when an API account is configured with admin access to your privileged credential solution is a crucial signal. Clearly this is a dangerous security hole because if someone steals the credentials, they will have access to privileged passwords.
What if a privileged account which is managed by the privileged credential solution is being used outside of the tool? Again, this indicates a user has bypassed the privileged credential solution and just entered the password from memory, or worse, a threat actor has stolen the password and has gained access. SOC teams would find this information valuable, yet it is difficult to obtain through standard methods.
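The two vault-related signals above, an IdP-privileged account the credential solution does not manage and a sign-in by a managed account with no matching vault checkout, as an added example that is not part of the original post or of any BeyondTrust product; the record layout, role names and the eight-hour checkout window are assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical tenant): IdP accounts with directory roles,
# the set of accounts the privileged credential vault manages, vault checkouts and
# IdP sign-in events. Field names are assumptions, not a real IdP or vault schema.
IDP_ACCOUNTS = [
    {"upn": "alice@corp.example", "roles": ["Global Administrator"], "enabled": True},
    {"upn": "bob@corp.example", "roles": ["User"], "enabled": True},
    {"upn": "breakglass@corp.example", "roles": ["Privileged Role Administrator"], "enabled": True},
]
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
VAULT_MANAGED = {"alice@corp.example"}
VAULT_CHECKOUTS = [  # (account, checkout time)
    ("alice@corp.example", datetime(2023, 9, 1, 8, 55)),
]
IDP_SIGNINS = [  # (account, sign-in time)
    ("alice@corp.example", datetime(2023, 9, 1, 9, 5)),    # covered by the 08:55 checkout
    ("alice@corp.example", datetime(2023, 9, 1, 22, 40)),  # no checkout: vault bypassed?
    ("bob@corp.example", datetime(2023, 9, 1, 9, 10)),     # not vault-managed, ignored
]


def unmanaged_privileged_accounts(accounts, managed, privileged_roles):
    """Enabled privileged IdP accounts the vault does not manage (no rotation, no session control)."""
    return sorted(
        a["upn"] for a in accounts
        if a["enabled"] and privileged_roles & set(a["roles"]) and a["upn"] not in managed
    )


def signins_without_checkout(signins, checkouts, managed, window=timedelta(hours=8)):
    """Sign-ins by vault-managed accounts with no vault checkout in the preceding window."""
    findings = []
    for account, when in signins:
        if account not in managed:
            continue
        covered = any(acct == account and when - window <= t <= when for acct, t in checkouts)
        if not covered:
            findings.append((account, when))
    return findings


if __name__ == "__main__":
    print("unmanaged:", unmanaged_privileged_accounts(IDP_ACCOUNTS, VAULT_MANAGED, PRIVILEGED_ROLES))
    print("outside vault:", signins_without_checkout(IDP_SIGNINS, VAULT_CHECKOUTS, VAULT_MANAGED))
```

In a real deployment the inputs would come from the IdP's sign-in log and the vault's checkout audit trail; the correlation logic is the same.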
3) Analyze IAM And PAM Signals
Today's security teams charged with identity security go beyond managing joiner / mover / leaver scenarios, a staple of the IAM world. They want to ensure that a user’s access is correct while they are employed, and that their access is fully terminated when they leave. This means keeping on the lookout for:
Partially Disabled Identities and Orphaned Accounts
A typical scenario happens when a company offboards an employee, but forgets to disable one (or more) of their accounts. The identity is “partially disabled.” This is a cause for concern because if a threat actor were able to gain access to these orphaned accounts, they could fly under the radar. SOC teams obviously would like to review this partially revoked identity, but it’s not a simple task.
Entitlement Creep
The fundamental security principle of least privilege states that users should have absolute minimal level of access rights needed for their current role. Unfortunately, over time, provisioning of systems and entitlements may change or expand in some areas, but will not contract or snap back in others where access is no longer needed. If accounts and permissions are granted directly to users, then those accounts and permissions often remain active long after the user no longer uses them, or has moved on to another role in the company.
This problem is sometimes referred to as “entitlement creep.” It can occur when an employee slowly accrues additional permissions by virtue of getting promoted, or through the projects with which they become associated.
Security teams would like to investigate if a user has too much privilege or unusual privileges. Good IAM hygiene practices indicate a regular and recurring review of permissions should highlight these for removal. Unfortunately, managers can develop “certification fatigue,” where their fastest alternative is to simply bulk-approve their access reviews, so they can get back to their regular job. This is particularly true for leadership and seniority roles. Bulk-approvals can result in over-entitled identities.
Another privileged access management environmental signal is whether a privileged account was recently re-enabled. This could happen when an account that had elevated privileges is disabled, and then later is re-enabled. By itself, this doesn't mean it's bad. However, this is a signal that should not be ignored. The information is valuable to SOC teams because privileged accounts carry key access to important systems and, if their status changes unexpectedly, this should be investigated quickly.
Dormant accounts
Identities with accounts that are active, but never accessed, are bad enough. However, if a dormant account suddenly becomes active, that is an important signal to identify. Identities with dormant accounts offer a threat actor an opportunity to move laterally to access accounts that see little or no regular activity.
Security teams know the danger with dormant accounts is that they go ‘unnoticed’ due to inactivity. While SIEM and EDR solutions are good at monitoring activity, are they effective for highlighting lack of activity? Network-related dormant accounts, like VPNs, are of particular importance to SOC teams, who wish to prevent a hacker gaining entry to a company’s network using a VPN account that is no longer in active use. Likewise, any dormant or ungoverned accounts, including service accounts, inactive accounts, orphaned accounts, and overly provisioned accounts, together create a larger and more vulnerable attack surface.
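Two of the signals in this section, a partially disabled identity (offboarded, but with an account still enabled) and a dormant account that suddenly becomes active, as an added example that is not part of the original post or of any vendor product; the identity and sign-in layout, the terminated/active status values and the 90-day dormancy threshold are assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): HR-sourced identities with their linked
# accounts across systems, and per-account sign-in history. Field names are assumptions.
IDENTITIES = [
    {"id": "emp-1001", "status": "terminated",
     "accounts": [("ad", "cjones", False), ("vpn", "cjones", True)]},   # VPN account left on
    {"id": "emp-1002", "status": "active",
     "accounts": [("ad", "dlee", True), ("svc", "svc-backup", True)]},
]
SIGNINS = {  # (system, account) -> sign-in timestamps in ascending order
    ("vpn", "cjones"): [datetime(2023, 5, 2, 8, 0)],
    ("ad", "dlee"): [datetime(2023, 8, 28, 9, 0), datetime(2023, 8, 29, 9, 0)],
    ("svc", "svc-backup"): [datetime(2023, 3, 1, 2, 0), datetime(2023, 9, 1, 3, 12)],
}


def partially_disabled_identities(identities):
    """Offboarded identities that still have at least one enabled account, with those accounts."""
    return [
        (ident["id"], [(sys, name) for sys, name, enabled in ident["accounts"] if enabled])
        for ident in identities
        if ident["status"] == "terminated"
        and any(enabled for _, _, enabled in ident["accounts"])
    ]


def dormant_reactivations(signins, dormant_after=timedelta(days=90)):
    """Accounts whose most recent sign-in follows a silence longer than dormant_after.

    Returns (account, gap_in_days) so the SOC can see how long the account was dormant.
    """
    findings = []
    for account, times in signins.items():
        if len(times) < 2:          # a single sign-in cannot show a gap
            continue
        previous, latest = times[-2], times[-1]
        if latest - previous > dormant_after:
            findings.append((account, (latest - previous).days))
    return findings


if __name__ == "__main__":
    print("partially disabled:", partially_disabled_identities(IDENTITIES))
    print("dormant reactivations:", dormant_reactivations(SIGNINS))
```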
4) Reveal Vulnerabilities Where SSO Isn't Being Used, or Where There Is Inadequate MFA
Multi-Factor Authentication (MFA) is one of today’s most effective security hygiene practices. However, MFA is not without its challenges, which include lack of employee compliance, misconfigurations, and weak MFA, to name a few.
While security teams are getting better at detecting an unusual number of MFA failures in quick succession, the absence of such failures could simply mean that MFA is not enabled. Security teams would benefit from an indication of whether MFA is misconfigured or disabled. This information could prompt them to examine the MFA configuration for an identity or account, and could lead them to detect an identity threat.
5) Detect Mismatches in Identity Security
With the challenge of shadow IT—those systems accessed by users which are not under control of company IT—SOC teams are constantly monitoring how to protect company assets. Sometimes users will quickly create SaaS accounts without waiting for IT approval. Security teams should seek to prevent the creation of an employee account associated with a personal email address. If a personal email address becomes compromised and the employee locked out, company assets or information could be at risk. Unfortunately, this scenario is difficult to detect.
Sometimes a user reports suspicious activity for their IdP account, typically Azure AD or Okta. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. Unfortunately, SOC teams may struggle to get more information about the user’s self-reported suspicious activity in a timely manner.
Finally, organizations must be aware of the nature of remote logins to corporate systems. This area is important to understand, yet, is made more challenging by today’s remote work environment. While security teams don’t crave more alerts, they do want to know if a user (or a machine) is logging in from a suspicious or known bad site, such as a login via Tor, so it can quickly be blocked. Blocking Tor network traffic will prevent adversaries from using the Tor network to easily conduct anonymous reconnaissance and exploitation of systems. Other sites can similarly be blocked. This will have minimal, if any, impact on legitimate users.
Combining IAM, PAM, and Identity Threat Detection and Response
IAM and PAM solutions can help organizations manage and control their identity landscape and provide critical preventative controls. But as organizations’ identity landscape grows - especially into the cloud - they need new tools that can intelligently correlate the multitude of signals gathered and make sense of them. They need smarter analytics tools that are well integrated with their security tech stack to enable identity threat detection and response—in other words, to identify potential misconfigurations and raise the flag when potential compromise is detected. The modern organization needs an equally modern solution that advances identity threat detections to protect their environments.
How Identity Security Insights Will Help You Raise Your Security Posture
Identity Security Insights, a new offering from BeyondTrust coming in the fall of 2023, will provide intelligent, actionable analytics your organization can leverage to immediately improve your security posture. It will correlate data from BeyondTrust solutions and third-party tools, such as Okta and Azure Active Directory, to make proactive recommendations, as well as detect potentially in-progress attacks.
Identity Security Insights, sitting at the heart of BeyondTrust's Privileged Access Management platform, will give organizations powerful synergies for prevention and detection of identity and access threats.
Rich Keith, Sr. Product Marketing Manager
Rich Keith has over 20 years technical experience in cyber security, identity management, AI/ML and big data analytics, and enterprise software, including enterprise Java servers and transaction processing systems. Rich is a sought-after speaker at cybersecurity events worldwide. Prior to BeyondTrust, Rich held senior positions at SailPoint, Cofense (formerly PhishMe), and BEA Systems/Oracle. Rich holds a master's degree in computer science from California State University, Chico and he lives in Austin, TX.