Point of view:
A CISO perspective on identity threat
Hear from Yonesy Núñez, CISO at DTCC.
YONESY NÚÑEZ, CISO, DTCC
Compromised credentials and commandeered accounts can act as a skeleton key for your networks and corporate systems. With such a potentially lucrative reward on offer, cybercriminals are increasingly focusing their attacks squarely on your identities to unleash data exfiltration, take over IT environments and launch ransomware attacks.
To gain a deeper understanding of how industry leaders are tackling this shift in the threat landscape, I recently participated in a webinar led by Proofpoint's Group VP Product Marketing, Tim Choi, and Group VP & GM Identity Threat Defense, Ofer Israeli. We discussed why identity attacks are such a growing problem, the challenge of identifying vulnerable users and how to protect people and data from attacks leveraging compromised accounts.
Our industry uses the term people-centric a lot. We know that attacks are targeting people to launch ransomware or exfiltrate data. But, for today's cybercriminals, that is no longer the end of the matter.
Threat actors are now targeting people to compromise identities and then using those identities to further elevate their access and privileges. They then make lateral moves within organizations to gain intel, launch further attacks, and steal more data.
Tools like Mimikatz and BloodHound can identify hidden relationships, user permissions and attack paths. Thanks to them, the whole process of targeting identities, stealing credentials and escalating privileges is now very simple.
Cybercriminals need to know two things to increase the chances of a successful attack: where is the data they want, and which identity will give them access to it.
Most of the time, the answer to the latter is a service account. These are not always protected in a privileged access management solution and often have access to many different files and systems with static passwords that can do nothing.
Regular users who are shadow administrators are also very high-risk identities. They're not usually marked as privileged but have often inherited all kinds of access through complicated Active Directory group memberships, which are very hard to follow.
Most organizations have struggled with Identity and Access Management (IAM) for many years. Access has a way of becoming a living, breathing organism, so security teams need to make sure they understand what's going on.
There are three main areas of concern: shared credentials, stored credentials and shared secrets.
Most users will have tens, if not hundreds, of usernames and passwords across various accounts.
And many are probably reusing credentials across at least some of them.
All it takes is for just one site to suffer an attack, and those credentials can be sprayed across many more accounts and systems.
When it comes to password storage, organizations must be extremely careful. As a starting point, get stored passwords out of the environment in which they are used.
Unfortunately, many identity attacks originate from drive-by hacking, where cybercriminals get credentials from password dumps or data breaches and try their luck, password spraying across corporate accounts.
Cybersecurity is like an asynchronous war: by the time we've built a new control or defense mechanism, the bad guys have figured out a new way of circumventing it. That's what is happening right now.
There are plenty of statistics out there to confirm that even in the largest breaches, threat actors get in right through the front door. How? Because they gain access to a shared credential and identity that has more access than anyone at the target organization was aware it had.
Proofpoint's Spotlight and Shadow solutions tackle both sides of the identity attack issue.
Spotlight handles the hygiene aspect, discovering and cleaning up vulnerable identities within your environment.
At the same time, Shadow creates a hostile environment for cybercriminals by laying traps to deceive them into lateral movement, which will alert security teams to their presence. So, you get greater visibility to understand and remediate risky identities while taking steps to detect and deter privilege escalation and further harm to your data, systems and networks.
Attackers have begun to focus on compromised identities to enable data exfiltration, take over IT environments and launch ransomware attacks. Watch the full webinar to learn more.