With sophisticated cyber criminals coming up with new attack methods every day, it’s a fair question to ask whether we can really prevent identity-related breaches. As cyberattackers have continued to pummel organizations’ identity systems during the last few years, the calls for stronger identity system defense have become more urgent—and not a moment too soon. As an example, Gartner named identity system defense as one of the 2022 top trends in cybersecurity.
While it’s a welcome development that identity protection is getting focused industry attention, the question for many organizations remains how best to protect critical identity infrastructure. Should the focus be on prevention, remediation—or recovery? After all, Zero Day exploits are emerging regularly, making it nearly impossible to stay ahead of sophisticated attackers. Maybe security leaders should just focus on the inevitable and get a good recovery plan in place.
There’s a good argument for that: According to an Enterprise Management Associates report, 50% of organizations experienced an AD attack in the last 1 to 2 years, and more than 40% of those indicated the AD attack was successful. Despite the swell of publicity about AD-related attacks, most organizations still don’t have adequate AD disaster recovery plans in place. The EMA report also uncovered that organizations’ top AD recovery concerns include not having a post-attack recovery plan, the inability to recover quickly, and not having a defined responsibility for AD recovery.
Layered defense to cover the entire attack lifecycle
Although many organizations (especially those that have already been breached) lament their lack of focus on recovery, in the end, a layered defense remains the best strategy for organizations to protect their critical identity infrastructure. Organizations need to ensure they’re covering every stage of the AD attack lifecycle—prevention, detection, remediation, and recovery—across the hybrid identity environment.
For some organizations, that might mean reallocating budget from implementing endpoint protection to preventing and remediating attacks against AD and Azure AD, or focusing more effort on developing and testing a disaster recovery plan that assumes AD has been wiped out by the attack.
A comprehensive identity threat detection and response (ITDR) strategy that protects AD before, during, and after an attack would:
- Prevent identity attacks with research-based assessment. Staying ahead of cyberattackers is a constant battle. If organizations aren’t regularly assessing their identity environments for risky misconfigurations and unpatched vulnerabilities, they’re leaving themselves open to attack. Solutions that are continuously updated to uncover new indicators of exposure (IOEs) and indicators of compromise (IOCs) will help organizations quickly close gaps and continuously improve overall security posture.
- Detect attacks with tamper-proof tracking. Cybercriminals strive to develop identity attack techniques that evade traditional agent- and log-based tracking systems, including many security information event management (SIEM) solutions. Organizations should look for solutions that use multiple data sources to gain uninterrupted visibility into advanced attacks that bypass traditional detection methods.
- Accelerate remediation with automatic rollback of malicious changes. As the notorious 2017 Maersk cyberattack demonstrated, malware can spread across a network in minutes, crippling business operations. Organizations cannot rely on human intervention to stop real-time attacks, so automatic rollback of unwanted changes is essential.
- Recover the AD forest in hours (not days or weeks). When cybercriminals take over domain controllers, the clock is ticking. Organizations can’t afford to spend time stepping through the painful manual process of recovering AD or trying to figure out how to quickly provision new hardware. In the event of a cyber disaster, organizations need a recovery solution that automates the process and ensures that AD can be recovered to a malware-free state.
- Cover both on-premises AD and Azure AD. Although cloud adoption continues to rise, most organizations will embrace hybrid identity environments for the foreseeable future. Hybrid AD environments are notoriously difficult to protect, so cybercriminals naturally target them. Organizations need the ability to run security assessments across both on-prem AD and Azure AD, correlate changes between on-prem AD objects and the related Azure AD identities, and recover Azure AD resources—such as user accounts, roles, and groups—that ensure access to apps and services.
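To make the "detect, then roll back" idea in the detection and remediation bullets concrete, here is a small Python sketch written for this page; it is example code, not Semperis's product or any real Active Directory API. A trusted baseline snapshot of a few directory objects is compared with a current snapshot, every attribute change that is not covered by an approved change record is flagged, and the write operations needed to restore the baseline values are generated and applied. The object names, attribute values and the approved-change list are constructed for the demo, and `diff_snapshots`, `classify`, `rollback_operations` and `apply_rollback` are hypothetical function names.

```python
"""Baseline-diff-rollback sketch for directory change tracking (example code).

All directory data below is constructed; nothing is read from a real domain.
"""
from dataclasses import dataclass

# Constructed distinguished names used throughout the demo.
DA_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
SVC_DN = "CN=svc-backup,CN=Users,DC=corp,DC=example"
BOB_DN = "CN=bob,CN=Users,DC=corp,DC=example"
ALICE_DN = "CN=alice,CN=Users,DC=corp,DC=example"

UAC_DONT_EXPIRE_PASSWORD = 0x10000  # well-known userAccountControl flag bit

# Baseline: the last snapshot the defender trusts (constructed sample data).
BASELINE = {
    DA_DN: {"member": (ALICE_DN,)},
    SVC_DN: {"userAccountControl": 512, "servicePrincipalName": ("backup/host01",)},
    BOB_DN: {"userAccountControl": 512, "description": "Finance analyst"},
}

# Current snapshot: one approved change (bob's description, ticket CHG-0042)
# and two unapproved ones (a service account added to Domain Admins and given
# a never-expiring password).
CURRENT = {
    DA_DN: {"member": (ALICE_DN, SVC_DN)},
    SVC_DN: {"userAccountControl": 512 | UAC_DONT_EXPIRE_PASSWORD,
             "servicePrincipalName": ("backup/host01",)},
    BOB_DN: {"userAccountControl": 512, "description": "Finance analyst (CHG-0042)"},
}

# (dn, attribute) pairs that change control has approved since the baseline.
APPROVED = {(BOB_DN, "description")}


@dataclass(frozen=True)
class Change:
    dn: str
    attribute: str
    old: object   # baseline value, None if the attribute did not exist
    new: object   # current value, None if the attribute was removed


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return every attribute-level difference between two snapshots."""
    changes = []
    for dn in sorted(set(baseline) | set(current)):
        old_attrs = baseline.get(dn, {})
        new_attrs = current.get(dn, {})
        for attr in sorted(set(old_attrs) | set(new_attrs)):
            old, new = old_attrs.get(attr), new_attrs.get(attr)
            if old != new:
                changes.append(Change(dn, attr, old, new))
    return changes


def classify(changes: list, approved: set) -> tuple:
    """Split changes into those covered by change control and those that are not."""
    ok, suspect = [], []
    for c in changes:
        (ok if (c.dn, c.attribute) in approved else suspect).append(c)
    return ok, suspect


def rollback_operations(unapproved: list) -> list:
    """Build the write operations that restore each unapproved change to its baseline value."""
    ops = []
    for c in unapproved:
        if c.old is None:
            ops.append(("delete", c.dn, c.attribute))          # attribute was added: remove it
        else:
            ops.append(("replace", c.dn, c.attribute, c.old))  # attribute changed/removed: restore it
    return ops


def apply_rollback(current: dict, ops: list) -> dict:
    """Apply rollback operations to a copy of the current snapshot and return it."""
    restored = {dn: dict(attrs) for dn, attrs in current.items()}
    for op in ops:
        target = restored.setdefault(op[1], {})
        if op[0] == "delete":
            target.pop(op[2], None)
        else:
            target[op[2]] = op[3]
    return restored


if __name__ == "__main__":
    ok, suspect = classify(diff_snapshots(BASELINE, CURRENT), APPROVED)
    for c in suspect:
        print(f"UNAPPROVED {c.dn} {c.attribute}: {c.old!r} -> {c.new!r}")
    restored = apply_rollback(CURRENT, rollback_operations(suspect))
    print("remaining differences after rollback:", diff_snapshots(BASELINE, restored))
```

The point of the sketch is the control flow, not the data model: a change is only "malicious" relative to a baseline and an approved-change record, so the quality of both the snapshot source and the approval list decides how much a rollback can be trusted to undo, which is why the detection bullet above insists on data sources an attacker cannot quietly edit.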
Identity system defense requires protection, remediation, and recovery
Ransomware groups will continue to devise new ways to attack identity systems. That doesn’t mean organizations shouldn’t try to prevent attacks. But the best way to reduce the risk of a business-crippling identity-related cyberattack is to build a layered identity defense strategy that protects hybrid environments before, during, and after an attack.
About the Author: Itay Nachum, Senior Director of Product Management at Semperis, is a passionate technology evangelist, public speaker, and cybersecurity SME with 16+ years of experience in leading sales engineering and enablement, customer and product strategy operations, global solution architecture, and technical alignment in both startup and global enterprise environments.