Safeguarding your identity store is both a key component of cybersecurity and a growing concern in today's digital landscape. Cybercriminals are becoming more sophisticated and persistent in their efforts to exploit vulnerabilities within organizations' systems, and any account or identity—from an IT administrator to a third-party vendor, or even a customer—can provide a digital attack path.
The threat of an identity attack is amplified by the rising number of identities. In the IDSA’s latest report, 98% of security professionals stated that the number of identities in their organizations was increasing, driven primarily by cloud adoption, the rise of remote working, increased mobile device usage, and third-party relationships. Gartner Peer Insights and Radiant Logic’s report indicated that more than two-thirds (67%) of organizations have identity sprawl but don’t know how to address it, with 60% of organizations indicating they have over 21 disparate identities per user.
This is why it’s important for organizations to protect the identities of their users and the systems that manage them. Let’s discuss how one important Active Directory security best practice, securing your identity store, can help you actively reduce the risk of an identity-related breach.
What is an Identity Store?
An identity store is a persistent repository of user data. It serves as a database or directory (store) that contains identity information about a collection of users, including information that can allow it to validate a user’s credentials. Most organizations are using Active Directory, Microsoft Entra ID (formerly Azure AD), or a combination of both as their identity store. This makes these platforms a huge target for bad actors.
What is the most important way to secure your identity store?
It is essential that identity store platforms are properly configured. Misconfigurations can leave organizations vulnerable to security incidents and more susceptible to breaches because an attacker could exploit a misconfiguration to compromise a critical host or high-value resource.
How do you prevent misconfigurations from putting your identity stores at risk?
The best way for organizations to secure their identity stores is to leverage a solution that offers enhanced visibility and automatic detection of identity-related risks. Common identity-related risks include misconfigurations, default passwords, lack of MFA, overprivileged users, abnormal user behavior, and more.
Protecting Identity Stores with Identity Security Insights
BeyondTrust Identity Security Insights provides a centralized view of identities, accounts, entitlements, and privileged access across your IT estate and detects threats resulting from compromised identities and privileged access misuse. The solution correlates data across BeyondTrust products and third-party solutions, providing a single view of human and non-human identities, accounts, and privileged access. As such, it is able to help you proactively monitor the security hygiene of your identity stores.
Identity Security Insights illuminates risk ratings, entitlement details, and other key information that can be leveraged to respond to potential threats. Users also benefit from proactive recommendations they can quickly act on to reduce risk and improve their security posture.
Top 3 detections from Identity Security Insights to strengthen your security
Identity Security Insights has recently incorporated three new detections based on Active Directory and Microsoft Entra ID that enable you to detect and triage risks to your identity store and strengthen the security of your environment:
1. KRBTGT password that has not been rotated recently
The KRBTGT account exists in every Active Directory environment and is arguably one of its most important and most sensitive accounts. It is the service account of the Kerberos Key Distribution Center, and its key is what encrypts and signs the Kerberos tickets the domain issues. Keeping this account secure is critical because a compromise of this account could allow a bad actor to act as any account in the domain using the Golden Ticket method.
In a Golden Ticket attack, a threat actor exploits weaknesses in the Kerberos authentication protocol, which is used to access Active Directory (AD), to bypass normal authentication. By forging tickets with the stolen KRBTGT key, the threat actor can gain almost unlimited access to an organization’s domain (devices, files, domain controllers, etc.).
Identity Security Insights will detect if this account’s password has not been changed recently. An old password increases the likelihood that an attacker could compromise the account, or already has. Because the account’s key is what validates forged tickets, rotating it (twice, so that the previous key also expires) is also the only way to invalidate Golden Tickets that have already been minted.
2. Default Domain Admin is still enabled
Identity Security Insights can detect when the default domain administrator account is still enabled. Attackers look to exploit the accounts that have the most privileges, and this is one of the most common ones. Having the ability to detect this misconfiguration allows you to proactively address a commonly targeted attack surface.
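For readers who want to check the first two items by hand, the following is an added example written for this article; it is not BeyondTrust code and does not reflect how Identity Security Insights implements its detections. It uses the RSAT ActiveDirectory module, must be run by an account that can read user objects in the domain, and treats a KRBTGT password older than 180 days as stale (that threshold is an assumption for the example, not a figure from the post). The built-in Administrator account is looked up by its well-known RID 500 rather than by name, because the name may have been changed.

```powershell
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    # Report how long ago the krbtgt password was last set and flag it as stale
    # when it exceeds the threshold. 180 days is an assumed example value.
    param([int]$MaxAgeDays = 180)

    $krbtgt = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet
    $age    = (Get-Date) - $krbtgt.PasswordLastSet

    [pscustomobject]@{
        Account         = $krbtgt.SamAccountName
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [int]$age.TotalDays
        Stale           = $age.TotalDays -gt $MaxAgeDays
    }
}

function Get-DefaultAdminStatus {
    # The built-in domain Administrator always has RID 500, so build its SID
    # from the domain SID and query by SID instead of by (possibly renamed) name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500" `
                        -Properties Enabled, LastLogonDate, PasswordLastSet

    [pscustomobject]@{
        Account         = $admin.SamAccountName
        Enabled         = $admin.Enabled
        LastLogonDate   = $admin.LastLogonDate
        PasswordLastSet = $admin.PasswordLastSet
    }
}

# Run both checks and print the findings.
Get-KrbtgtPasswordAge  | Format-List
Get-DefaultAdminStatus | Format-List
```

If Stale is True, or the default administrator shows Enabled = True with a recent LastLogonDate, those are the same conditions the two detections above are designed to surface; remediation is a planned KRBTGT rotation and disabling (or at minimum tightly controlling) the built-in administrator account.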
3. Azure AD Connector account not protected by Conditional Access Policies
In today’s landscape, a hybrid Azure AD deployment model is very common. This means numerous organizations are leveraging Azure AD Connect, which is primarily used to connect on-premises Active Directory (AD) to cloud-hosted Azure AD, synchronizing users – including their password hashes – and (optionally) groups. It is important to secure this highly privileged connector account. If this account were compromised, an attacker could leverage it to authenticate from their own infrastructure.
Identity Security Insights can detect if the connector account isn’t being protected by Conditional Access Policies. If Identity Security Insights detects this misconfiguration, it will send an automatic recommendation that the policies be enabled, allowing you to quickly resolve the threat and reduce the risk to your organization.
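To see which Conditional Access policies actually apply to the synchronization account, the following added example (written for this article, not BeyondTrust code) uses the Microsoft Graph PowerShell SDK. It assumes the connector account follows the default `Sync_<server>_<id>` naming that Azure AD Connect creates, and it evaluates only direct user-level scoping: a policy counts as covering the account when it includes all users or that user explicitly and does not exclude it. Group-based inclusions and exclusions, which a complete assessment would also need to resolve, are deliberately left out to keep the example readable.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

function Get-SyncAccountConditionalAccessCoverage {
    # Read-only scopes: policy definitions and user lookup.
    Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' | Out-Null

    # Assumption: the connector account keeps the default Sync_ prefix.
    $syncAccounts = Get-MgUser -Filter "startswith(userPrincipalName,'Sync_')" `
                               -Property Id, UserPrincipalName
    if (-not $syncAccounts) {
        Write-Warning 'No Sync_ account found; adjust the filter for your tenant.'
        return
    }

    $policies = Get-MgIdentityConditionalAccessPolicy -All

    foreach ($acct in $syncAccounts) {
        foreach ($p in $policies) {
            $users    = $p.Conditions.Users
            $included = ($users.IncludeUsers -contains 'All') -or ($users.IncludeUsers -contains $acct.Id)
            $excluded = $users.ExcludeUsers -contains $acct.Id

            [pscustomobject]@{
                Account  = $acct.UserPrincipalName
                Policy   = $p.DisplayName
                State    = $p.State            # enabled, disabled, enabledForReportingButNotEnforced
                InScope  = $included -and -not $excluded
                # Only an enabled policy that keeps the account in scope protects it.
                Protects = ($p.State -eq 'enabled') -and $included -and -not $excluded
            }
        }
    }
}

Get-SyncAccountConditionalAccessCoverage | Format-Table -AutoSize
```

An account with no row where Protects is True is the condition the third detection describes. Review any excluded-by-name entries carefully: an exclusion added during troubleshooting is a common way for a privileged service account to fall out of policy coverage without anyone noticing.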
Ready to learn more about Identity Security Insights?
The above list of detections represents a small sampling of what’s available in Identity Security Insights. To learn more about the detections built around BeyondTrust’s cloud solutions and other identity providers, contact us today. Or click here to access a free trial so you can see Identity Security Insights in action.
David Faulk, Solutions Engineer, BeyondTrust
David Faulk is a Sr. Solution Engineer at BeyondTrust with almost three years at the company. David started in Open Source software before moving into Cybersecurity. He enjoys Muay Thai, lifting weights, and Drones.