Why Identity Security Should Be the Basis of Modern Cybersecurity

This article was originally published by BeyondTrust. You can view the article here.

An Interview with the Authors of the latest book in the Attack Vector series, Morey J. Haber, Chief Security Advisor, BeyondTrust, and Darran Rolls, Identity, Security, Privacy & Compliance Advocate.

It is easier for a threat actor to log in versus hack in.

Morey J. Haber

Identity is rapidly becoming the predominant means through which threat actors penetrate organizations. More and more often, attackers are targeting accounts, users, and their associated identities to conduct their malicious activities through lateral movement and poor identity hygiene.

As perimeters become increasingly identity-based, as threat actors continue to leverage technologies and innovations that make it easier to log in than to hack in, and as the risk associated with an identity-based attack continues to increase exponentially, it is becoming all the more urgent for organizations to prioritize securing their accounts and identities.

Morey J. Haber, Chief Security Advisor at BeyondTrust, and Darran Rolls, Identity, Security, Privacy & Compliance Advocate, recently explored the growing urgency of identity security in their book, Identity Attack Vectors: Strategically Designing and Implementing Identity Security. In this newly released second edition—the sixth installment in the Attack Vector series—Morey and Darran explore how identity security has emerged as a cornerstone of modern enterprise security and a compliance requirement.

In this Q&A style blog, I sit down with Morey and Darran to explore the thought process that went into the writing of the book—and to learn more about why detecting and defending against identity threats should be the basis of all modern cybersecurity initiatives.

Q1: Identity Attack Vectors is now in its second edition—What fueled the decision to reboot this particular edition of the Attack Vectors series?

The decision to create a second edition is squarely rooted in the importance of identity security and how modern identity attack vectors can impact the security of an organization based on poor identity hygiene.

The cybersecurity threat landscape is rapidly changing, and the sheer fact today that it is easier for a threat actor to log in versus hack in poses a fundamental shift in protection strategies for organizations. With so many organizations re-thinking security and Zero Trust Architectures (ZTA) and putting identity at the center, it’s even more critical that everyone understands the threats and possible mitigations.

While the first edition focused on cybersecurity hygiene using identity governance and privileged access solutions, the second edition focuses on identity security and the risks organizations expose themselves to by failing to use the best practices for identity and access management to safeguard all aspects of the identity lifecycle and identity fabric within an organization.

Q2: Why are identity attack vectors different today from what we’ve seen in the past?

Threat actors will always seek the easiest path to conduct their nefarious mission. This is not laziness; it is a matter of their own efficiency.

In years past, coding flaws led to a myriad of vulnerabilities and exploits and spurred entire industries around vulnerability, patch, and configuration management. Today, with the cloud hosting the majority of solutions that businesses license, and popular software having mature development lifecycles and code security tooling, the number of critical vulnerabilities on-premise that are exploitable has significantly decreased. In addition, the financial cost to discover a working exploit by a nation state or organized cyber criminal has skyrocketed. Thus, threat actors are increasingly choosing to compromise identities via social engineering and poor configurations to achieve their objectives at a much lower cost and with much higher reliability.

This is why identity attack vectors are different than what we have seen in years past, and why the new perimeter for cyber security now emphasizes identities in addition to the best practices, like vulnerability management, that were highlighted in years past.

Q3: In your book, you mention that identity has become the new perimeter—what are the contributing influences that have made identities such a key target for threat actors?

Identities have become the new perimeter. This has been stated before, but the reasons are not often understood.

Prior to the pandemic, work-from-home and work-from-anywhere were options truly embraced by a small subset of organizations. COVID-19 changed that. Businesses had to cope with remote workers, new applications in the cloud, an acceleration of digital transformation initiatives, and so on. Today, only a limited number of these changes have truly been undone. And while some organizations do require employees to return to the office, any form of remote access for business does require remote authentication and authorization to connect to assets, applications, and other resources.

In short, just about every entity has changed their network architecture to allow for these factors. This new model is highly dependent on identity, accounts, governance, and fine-grained privileges. If any of these are compromised, then access to all business systems is in jeopardy—all for as simple a cause as stolen credentials, poor identity and access management hygiene, and flaws in the solutions that provide secure remote access overall.

For this reason, identity has become the new perimeter. Stolen or compromised credentials from any source can lead to an exploitation at the same level as the worst exploitable vulnerabilities we have seen in the past. This makes identity protection the number one priority for most businesses today. This also includes hardening the identity and access solutions we have used for governance to date, since they s can also be a part of the attack chain.

Q4: What makes identity attack vectors unique compared to other attack vectors?

In our professional opinion, there are three types of attack vectors:

1. The first is privileged attack vectors. This is the targeted abuse of the most important accounts in an environment that have administrative or root privileges to perform virtually any function against an electronic system.
2. The second is asset attack vectors. This covers software and configuration flaws that need remediation (patching) or mitigation (configuration changes) based on vulnerability, patch, and configuration management.
3. The third is identity attack vectors that cover the machine and human realm for authentication and authorization. If the identities and accounts have their secrets compromised, then normal activity can be leveraged by a threat actor simply by logging in.

If you are a reader of the Attack Vector series of books published through Apress Media and authored by ourselves and our peers, you will notice a fourth book called cloud attack vectors. It is an encapsulation of the concepts found in the first three books strictly applied to the cloud and hybrid environments. In fact, the entire book covers these three attack vectors in detail due to the unique characteristics of the cloud. All in all, any of these three attack vectors can be described as the root cause for all modern threats and attacks.

Q5: Part of building a comprehensive security strategy involves being aware of and planning for the attacks that haven’t happened yet. What types of identity-based attacks do you foresee organizations needing to fortify defenses against in the next few years?

The threats represented by identity security target the identity fabric of all organizations. As a matter of definition, an identity fabric is the working interoperating ecosystem that delivers the workflow, policies, solutions, people, security, integrations, products, secrets, etc. of everything it takes to implement end-to-end Identity and Access Management (IAM) within an organization.

This risk surface contains everything within the fabric, from poor configurations to insecure or poorly implemented products to product integrations. Essentially, any weakness in the identity fabric, anywhere, is represented by identity security, and the risk surface for every organization is distinctly different based on products, people, policies, and workflows and the secrets to integrate everything together.

A comprehensive identity security strategy needs to identify and help mitigate all the weaknesses—and most importantly ensure that no identity and their associated accounts is ever abused as an entry point into an organization’s identity fabric. This model can be incredibly complex, but in reality, it always starts with a basic perimeter approach. It uses identities as the new perimeter and works its way inwards to ensure all exposed connection points, integrations, and access are safeguarded from potential abuse.

Q6: What do organizations need to start doing now to secure against today’s identity-based threats, as well as future threats?

Organizations need to embrace several foundational cybersecurity practices regarding identities to manage the risks, both today and for the foreseeable future. These are covered in detail within the new book, but in summary, your identity security approach should include the following:

• Identity and Asset Inventory – A living, up-to-date database of all identities, accounts, systems, applications, and resources for modeling threats.
• Identity Accountability – The proper implementation of critical IAM solutions, such as Identity Governance and Administration (IGA), Privilege Access Management (PAM), Single Sign-On (SSO), Multi-Factor Authentication (MFA), etc. to ensure all identities are managed and being used appropriately.
• Remote Access – Outside of sitting in front of your own computer, all web access and application and operating system access is via remote access. Therefore, all remote access pathways must be secured from identity attack vectors, and default protocols for inbound remote connectivity properly secured or disabled.
• Least Privilege – All accounts, no matter who owns them, should have the least amount of privileges to perform their tasks and follow guiding principles like zero trust.
• Integrate Directory Services – The more identity directory providers, the worse an organization is managing identity-based threats. Wherever possible, the consolidation of platform and application directory services should occur, including using solutions to fold dissimilar operating systems into a common directory provider.
• Identity Security – Even though identity security is the last recommendation, it should be applied at every step of the first five recommendations. It was added last to allow existing organizations to consider how to model their own legacy environments with identity security, and to allow new organizations to build it in from the start as a best practice.

Q7: What are the biggest and most common gaps you see that can leave organizations vulnerable to identity-based attacks?

Similar to the previous question, the latest edition of identity attack vectors outlines the biggest gaps organizations should consider mitigating to prevent identity-based attacks. Below are a sample few from the manuscript:

• Never reuse passwords and interchange human and machine secrets. Secrets between humans and machines should always be unique and distinct.
• All human and machine accounts should follow the model of least privilege.
• Single sign on should never be used for privileged accounts.
• All privileged accounts should be managed by a PAM solution.
• Every account, everywhere, should use phishing-resistant multifactor authentication. SMS and push notifications have been proven to be highly vulnerable to identity-based attacks.
• All accounts should have associated identities and owners and follow a strict model for identity governance using joiner, mover, and leaver processes.
• Implement an identity security solution based on identity threat detection and response to monitor and manage identity-based risks.

As stated, these are just a few key recommendations, and more details are available in the book.

Q8: A common theme through cybersecurity is “you can’t protect what you don’t know about.” This is a big challenge with identities, especially since they tend to proliferate. How can an organization ‘know that it knows about’ all its identities?

While it is a common theme in cybersecurity to believe that “you can’t protect what you don’t know about,” identity attack vectors represent one partial exception to the rule for two specific reasons: artificial intelligence and good identity hygiene (sprawl). If you can detect and recommend changes or newly identified threats to identities (whether based on behavioral monitoring, inappropriate usage, impossible geo location travel, lack of MFA, etc.), you can isolate threats you truly know nothing about.

In simple terms, machines and humans behave in eerily rhythmic fashions that can be modeled. When deviations occur, a potential threat can be flagged for awareness. This modeling has been around for decades—as an example, for determining fraud prevention on our credit cards. Only recently has this approach been successfully expanded to all types of identity-based threats by using artificial intelligence and new behavioral modeling algorithms.

While it may be impossible to know everything about all your identities within an organization, it is certainly possible to tell when one is being used in a way it has never been used before, doing functions that have never been executed before. That alone is a tell-tale sign of an identity-based attack vector that everyone should be monitoring for, despite any challenges with identity sprawl or shadow IT.

Q9: What is one piece of advice you’d give anyone who is looking to improve their identity security strategy?

One piece of advice we would like to leave with our readers is to “always think identities and not accounts.” Accounts are a subset of an identity and can have a many-to-one relationship with an Identity (many accounts to one identity). Every person has one identity and one identity only. They can have many, many accounts.

Machine identities can have many accounts too, but they always have a human identity owner. When you start managing identities and not accounts, and truly map them all together, you can master identity security and mitigate the risks in your organization’s identity fabric. This will help you pinpoint which identities are at risk, understand where the blast radius can occur based on accounts, and help build a security model to secure both.

Q10: Anything final insights you’d like to add?

If you have read this far in the Q&A, go get and read the book, too. We promise it is not as dry as this Q&A. We happily inserted as much nerd humor as possible (that our publisher would allow) to make the reading enlightening, educational, and at the very least, entertaining.

Order your copy of Identity Attack Vectors today, or click here to learn more about modern attack vectors and gain access to the entire Attack Vector series.