While often overlooked, machine identities outnumber the human identities enterprises need to manage and protect. Their prevalence, coupled with the challenges of managing digital certificates and their sometimes short-lived nature, creates potential gaps in visibility and control that skilled threat actors will eagerly look to exploit.
Just like human identities, machine identities are at risk. With the right approach, however, cyber-attacks like the SolarWinds supply chain attack can be mitigated through an identity-centric approach that accounts for the human and non-human identities on enterprise networks.
Why machine identities are critical to your security
A large part of the growth of machine identities is directly tied to digital transformation. As companies have embraced an Agile culture with DevOps technology in the name of speed, the number of machine identities necessary to support these efforts has exploded. Calls for agility have made applications increasingly modular, and as developers adopt containers, infrastructure-as-code, and microservices, protecting the communication between these technologies and keeping pace with the speed of changes has only become more challenging. The Internet of Things (IoT), meanwhile, only adds more fuel to the fire. Just like the ecosystem of virtual machines and containers, each connected device also has to be managed and prevented from accessing or being accessed by unwanted systems and applications.
Without effective identity management for non-humans, privileged account management, and account discovery, enterprises are opening a security gap for attackers to exploit. It is not uncommon for advanced persistent threats (APTs) to use forged digital certificates to sign malicious files as part of their attacks. When coupled with poor identity management, these files can find their way onto corporate systems through a variety of attack vectors, including the supply chain.
Mitigating advanced attacks by focusing on machine identity
In the SolarWinds attack, the threat actor planted a backdoor in updates for the Orion network management software. Once inside their victims’ environments, they moved throughout the compromised networks, installed malicious tools, and leveraged the elevated privileges granted to the Orion application. The threat actor also used forged SAML tokens and impersonated legitimate users so they could access additional services on-premises and in the cloud. The Cybersecurity and Infrastructure Security Agency (CISA) has reported that other tactics besides the compromised SolarWinds updates may have been used to gain initial entry as well, such as password guessing, password spraying, and exploiting inappropriately secured administrative or service credentials, all of which tie back to proper identity management.
While this attack contained multiple layers, implementing best practices around machine identity management can disrupt some of the types of activity associated with the attack. To start, organizations need to inventory and document machine identities and what they are being used for in the enterprise. In particular, the focus should be on the discovery of accounts with excessive privileges.
Privileged access rights can be created from a number of sources – operating systems include built-in admin rights; privileged users may confer privileged rights on other users or create privileged accounts; applications may inherit privileged accounts or rights in various ways; and group membership changes may also confer privileged access rights. It is imperative to detect when new privileged rights are conferred so they can be properly audited, managed, and revoked.
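One way to implement the inventory-and-detection step described above, as an added example that is not code from the original article: each account's effective privileged groups are resolved through nested group membership, and two inventory snapshots are compared so that newly conferred rights, including those acquired only through a group-nesting change, are queued for audit. The account names, group names and snapshots are constructed.

```python
"""Detect newly conferred privileged rights between two identity inventory snapshots."""
from collections import deque

# Constructed: the groups this estate treats as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Orion-Admins", "Server-Operators"}

def effective_groups(account, snapshot):
    """Return every group `account` belongs to, directly or through nesting."""
    seen, queue = set(), deque(snapshot["accounts"].get(account, ()))
    while queue:
        group = queue.popleft()
        if group in seen:          # tolerate membership cycles
            continue
        seen.add(group)
        queue.extend(snapshot["groups"].get(group, ()))
    return seen

def privileged_rights(snapshot):
    """Map each account to the privileged groups it effectively holds."""
    return {acct: effective_groups(acct, snapshot) & PRIVILEGED_GROUPS
            for acct in snapshot["accounts"]}

def newly_conferred(previous, current):
    """Privileged groups each account gained since `previous`: the audit queue."""
    before, after = privileged_rights(previous), privileged_rights(current)
    gained = {acct: rights - before.get(acct, set()) for acct, rights in after.items()}
    return {acct: new for acct, new in gained.items() if new}

# Constructed snapshots: "accounts" maps an account to its direct groups and
# "groups" maps a group to its parent groups. Between the two, Orion-Admins was
# nested under Server-Operators and svc_new joined a group nested under Domain Admins.
PREVIOUS = {
    "accounts": {"svc_orion": {"Orion-Admins"}, "alice": {"Domain Admins"},
                 "svc_backup": {"Backup-Operators"}},
    "groups": {"Orion-Admins": set(), "Backup-Operators": set()},
}
CURRENT = {
    "accounts": {"svc_orion": {"Orion-Admins"}, "alice": {"Domain Admins"},
                 "svc_backup": {"Backup-Operators"}, "svc_new": {"Helpdesk"}},
    "groups": {"Orion-Admins": {"Server-Operators"}, "Backup-Operators": set(),
               "Helpdesk": {"Domain Admins"}},
}

if __name__ == "__main__":
    for acct, new in newly_conferred(PREVIOUS, CURRENT).items():
        print(f"AUDIT: {acct} gained {sorted(new)}")
```

Neither account changed its direct group membership, which is why inspecting direct membership alone would miss both grants.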
Just as with human identities, the principle of least privilege raises the barrier to entry for cyber-attackers. Enforcing least privilege restricts lateral movement by attackers by ensuring applications and systems only have access to the network resources they need to perform their approved functions and do not have privileges to authenticate to a resource out of scope for their normal operation.
Grant a user only the rights and access sufficient to perform their duties, following a least privilege model, and apply the same consideration to any rights beyond the standard set that are granted to, and monitored for, applications, devices, and systems.
If a machine account does require high-level privileges, someone should be monitoring that account for unusual behavior. Suspicious activity should trigger alerts that can then be appropriately escalated. Organizations should be using an identity and access management (IAM) solution supplemented by privileged account management capabilities to manage the machine’s identity and the secrets used for privileged activity. In addition, machine learning engines can perform behavioral analysis on these accounts to detect and correlate risky behaviors.
Besides relying on a valid username/password, authentication should take into consideration additional context about a user to determine not only that the individual is who they say they are, but that they are behaving in accordance with expected behavior. This context into behavior helps identify potentially stolen or abused credentials and possible insider threats, and allows admins to deny authentication to protect intellectual property.
All of the access logs for non-human identities should be vetted in the same way as human ones. By assigning human ownership to machine identities, organizations create a safeguard that can enable early detection of an attack and potentially mitigate threats by not allowing the same privileged secrets to be used by an application everywhere. Sharing a secret across assets is akin to password re-use, and privileged access management can prevent it for non-human identities using least privilege application control and by managing unique secrets per asset.
Finally, these machine identities do not have to be owned by a single individual; it could be a particular team or a group within a team. What is important is that someone is responsible for monitoring the activity of machine identities in the enterprise as their numbers continue to grow.
Regularly attest access rights
The access rights of machine identities should be regularly attested on the same schedule as the human identities of the organization.
Compile a list of all privileged access and execute an attestation campaign that provides visibility into, and verification of, that privileged access.
These periodic reviews should highlight any changes to assets, accounts, identities, and owners. Teams should correct any discrepancies and certify the changes. Even with complex attacks, managing machine identities effectively reduces risk and lessens the danger posed by the threat landscape organizations are facing today.
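An added example, not part of the original article, of the ownership and attestation practices described above: every privileged grant in the inventory is routed to its responsible person or team for certification, and two discrepancies the article calls out, machine identities with no owner and a privileged secret reused across assets, are raised as findings before the campaign starts. The inventory, owner names and secret fingerprints are constructed.

```python
"""Build a privileged-access attestation campaign from a machine identity inventory."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PrivilegedGrant:
    account: str            # machine identity holding the privilege
    asset: str              # system where the privilege applies
    privilege: str          # e.g. "local admin", "db owner"
    owner: Optional[str]    # responsible person or team; None = nobody assigned
    secret_id: str          # fingerprint of the credential, never the secret itself

# Constructed inventory; secret_id values are opaque labels, not real hashes.
INVENTORY = [
    PrivilegedGrant("svc_orion", "orion-srv-01", "local admin", "netops-team", "fp-1"),
    PrivilegedGrant("svc_orion", "orion-srv-02", "local admin", "netops-team", "fp-1"),
    PrivilegedGrant("svc_orion", "sql-01", "db owner", "netops-team", "fp-1"),
    PrivilegedGrant("svc_backup", "file-01", "backup operator", "storage-team", "fp-2"),
    PrivilegedGrant("svc_legacy", "erp-01", "local admin", None, "fp-3"),
]

def campaign_by_owner(inventory):
    """Per-owner review queues; grants with no owner land in a holding queue."""
    queues = defaultdict(list)
    for g in inventory:
        queues[g.owner or "UNASSIGNED"].append(g)
    return dict(queues)

def reused_secrets(inventory):
    """Secrets used on more than one asset: the machine analogue of password re-use."""
    assets = defaultdict(set)
    for g in inventory:
        assets[g.secret_id].add(g.asset)
    return {sid: used_on for sid, used_on in assets.items() if len(used_on) > 1}

def findings(inventory):
    """Discrepancies to correct before owners certify their queues."""
    out = [f"no owner: {g.account} on {g.asset}" for g in inventory if g.owner is None]
    for sid, used_on in sorted(reused_secrets(inventory).items()):
        out.append(f"secret {sid} reused across {len(used_on)} assets: "
                   + ", ".join(sorted(used_on)))
    return out

if __name__ == "__main__":
    for owner, grants in campaign_by_owner(INVENTORY).items():
        print(f"{owner}: {len(grants)} grant(s) to certify")
    for line in findings(INVENTORY):
        print("FINDING:", line)
```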
Machine identities outnumber the human identities within a typical enterprise and are often overlooked by identity and privileged management solutions. Their prevalence coupled with the challenges of managing complex relationships and dependencies can cause gaps in visibility and control that skilled threat actors will eagerly look to exploit.
Just like human identities, machine identities are at risk. Recent events have proven as much. With the right approach, however, cyber-attacks leveraging machine identities, accounts, and their associated privileges can be mitigated through an identity-centric approach that accounts for all identities within an enterprise network.
About the Author: Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust and Identity Defined Security Alliance Executive Advisory Board Member. He has more than 25 years of IT industry experience and has authored three Apress books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition.