Not all vulnerabilities are created equal
Read on to find out why identity is the new vulnerability.
If the history of cyber threats has taught us anything, it’s that the game constantly changes: the bad actors show us a move. We counter the move. Then the bad actors show us a new one.
OFER ISRAELI, GVP & GM, Identity Threat Defense, Proofpoint
Today, that “new move” is the vulnerable state of identities. Attackers realize that even if the network and every endpoint and device are secured, they can compromise an enterprise’s resources once they gain access to just one privileged account. Within organizations, one in six endpoints has an exploitable identity risk, as noted in the Analyzing Identity Risks (AIR) Research Report.
The 2023 Verizon DBIR Report highlights the risks of complex attacks involving system intrusion and the need to disrupt the attacker once they are inside. “Once attackers have access to your environment, they will typically look for ways to escalate privileges, maintain persistence and locate paths to move across the organization to achieve their ultimate goal, whatever that may be.”
The problem has escalated because the management of enterprise identities, and of the systems used to secure them, is quite complex. That complexity is compounded by the constant changes made to accounts and their configurations.
Attackers are increasingly focused on privileged identity account takeover (ATO) attacks because they can compromise organizations much more easily and quickly this way, as compared to the time, effort and cost to exploit a software vulnerability (a common vulnerability and exposure or CVE). And we should not expect this trend to stop anytime soon, given that these ATOs have reduced attacker dwell times from months to merely days, with very little risk to attackers that they’ll be detected before completing their crime.
Take a “back to the basics” approach.
Security teams work to protect their networks, systems and endpoints in their infrastructure, and have continued moving up the stack to secure applications. As identities have become the predominant attack vector, we now need to move to better protect identities.
This makes for the foundational building blocks of a successful identity threat detection and response (ITDR) strategy, which is essential today (find out more about ITDR in article 7).
If we think of security in battle terms (as we often tend to do), identity is simply the next hill we need to defend. As we’ve done with the network, endpoint and application hills in the past, we should begin by applying good old-fashioned, basic cyber hygiene/security posture practices to prevent as much risk as possible. While there is value in both preventative and detective controls, preventative controls are preferred and are often less costly to deploy. In other words, as we take this next hill to secure identities, we should not forget that an ounce of prevention is worth a pound of cure.
Organizations should consider managing the remediation of identity vulnerabilities (those most commonly exploited in today’s attacks) in the same or similar way to how they manage the millions of other vulnerabilities across their other asset types, including their network, host and application vulnerabilities. In other words, identity must be treated as an asset type and its vulnerabilities should be included in the process for prioritizing vulnerabilities that need remediation. A requirement for doing this is the ability to continuously scan the environment to discover those identities that are vulnerable at the moment and why.
Proofpoint Spotlight™ provides this solution, enabling the continuous discovery of identity vulnerabilities, their automated prioritization based on the risk they pose, and visibility into the context of each vulnerability. Spotlight even enables fully automated remediation of vulnerabilities where the remediation creates no risk of interruption to the business.
The key factors for determining prioritization should include:
the vulnerable asset’s importance to the business
the threat likelihood of the vulnerability being exploited
the strength and effectiveness of any compensating controls that mitigate the risk associated with the vulnerability.
Once these factors are considered, identity vulnerabilities associated with privileged identities often bubble up fairly high on the prioritization list.
Privileged accounts can be used to cause harm to the most important systems of a business. The threat likelihood of these accounts being exploited has increased as they’ve become the top focus of attackers. Additionally, since most ATOs go undetected, the risk of these vulnerabilities is clearly not mitigated by sufficient compensating controls.
Fortunately, many of the vulnerabilities discovered around these privileged identities are relatively easy to remediate, such as cleaning unsecured credentials off endpoints.
Compare this to the effort associated with remediating software vulnerabilities (CVEs), for which remediation often requires potentially costly code changes and the completion of full regression testing.
Identity vulnerability management is a compensating control for many un-remediated CVEs, since many software vulnerabilities are leveraged to enable the early tactics of an attack. Once attackers exploit these, they must still work to escalate privileges. As such, even when those CVEs are left vulnerable, remediating identity vulnerabilities can stop the attacker from progressing further by escalating privilege.
Learn more and watch our cybersecurity experts discuss how ITDR can help your organization get ahead of identity vulnerabilities.