Identity Attack Vectors: Implementing an Effective Identity and Access Management Solution

Ebook, 307 pages, 3 hours


About this ebook

Discover how poor identity and privilege management can be leveraged to compromise accounts and credentials within an organization. Learn how role-based identity assignments, entitlements, and auditing strategies can be implemented to mitigate the threats leveraging accounts and identities and how to manage compliance for regulatory initiatives.

As a solution, Identity Access Management (IAM) has emerged as the cornerstone of enterprise security.  Managing accounts, credentials, roles, certification, and attestation reporting for all resources is now a security and compliance mandate. When identity theft and poor identity management is leveraged as an attack vector, risk and vulnerabilities increase exponentially. As cyber attacks continue to increase in volume and sophistication, it is not a matter of if, but when, your organization will have an incident. Threat actors target accounts, users, and their associated identities, to conduct their malicious activities through privileged attacks and asset vulnerabilities.

Identity Attack Vectors details the risks associated with poor identity management practices, the techniques that threat actors and insiders leverage, and the operational best practices that organizations should adopt to protect against identity theft and account compromises, and to develop an effective identity governance program.


What You Will Learn

  • Understand the concepts behind an identity and how their associated credentials and accounts can be leveraged as an attack vector
  • Implement an effective Identity Access Management (IAM) program to manage identities and roles, and provide certification for regulatory compliance
  • See where identity management controls play a part of the cyber kill chain and how privileges should be managed as a potential weak link
  • Build upon industry standards to integrate key identity management technologies into a corporate ecosystem
  • Plan for a successful deployment, implementation scope, measurable risk reduction, auditing and discovery, regulatory reporting, and oversight based on real-world strategies to prevent identity attack vectors


Who This Book Is For

Management and implementers in IT operations, security, and auditing looking to understand and implement an identity access management program and manage privileges in these environments

Language: English
Publisher: Apress
Release date: Dec 17, 2019
ISBN: 9781484251652

    Book preview

    Identity Attack Vectors - Morey J. Haber

    © Morey J. Haber, Darran Rolls 2020

    M. J. Haber, D. Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_1

    1. The Three Pillars of Cybersecurity

    Morey J. Haber (1) and Darran Rolls (2)

    (1) Orlando, FL, USA

    (2) Austin, TX, USA

    The foundation of cybersecurity defense has been muddied by point solutions, false promises, and bolt-on solutions that extend the value of a given technology based on a specific need. After all, if we each count the number of security solutions we have implemented, from antivirus and firewalls to security monitoring and single sign-on solutions, we will typically find dozens of vendors and hundreds of individual solutions throughout an organization. The average user or executive is not aware of most of the cybersecurity technology stack they depend upon, even though they may interact with most of it on a daily basis.

    If we step back and try to group all of these solutions at a macro level, we will find each one falling into one of three logical groups. This is illustrated in Figure 1-1, the three pillars of cybersecurity.

    Figure 1-1. The three pillars of cybersecurity

    These pillars can be described as

    Identity – The protection of a user’s identity, account, and credentials from inappropriate access

    Privilege – The protection of the rights, privileges, and access control for an identity or account

    Asset – The protection of a resource used by an identity, directly or as a service

    Although some solutions may be supersets of all three pillars, their goal is to unify information from each pillar in some form of correlation or analytics. Take, for example, a security information and event manager (SIEM) solution. It is designed to ingest security data from solutions that reside in each group and then correlate the data to inform advanced threat detection and adaptive response. Correlation of common traits across the pillars enables a more holistic view of the environment. Time and date parameters are the typical connection point in most SIEM solutions. In others, connections between assets or identities provide a simple way of looking at how the pillars come together to support the entire cybersecurity foundation of your company. Let’s look at a simple correlation:

    Who is this user (Identity)?

    What do they have access to (Privilege)?

    What did they access (Asset)?

    Is that access secured (Privilege)?

    Is that asset secured (Asset)?

    Was the access in accordance with the user’s responsibilities (Identity)?

    This helps answer the key question "What is inappropriately happening across my environment that I should be concerned about?" Answering this question is the primary goal of every security team and forms the basis for any incident management process. A good security program should provide coverage across all three pillars and identify solutions that provide meaningful data to help correlate across the boundaries of this overlapping Venn diagram.

    Having this level of oversight and control helps answer the following questions:

    Are my assets and data secured?

    Are the privileges configured appropriately?

    Was the access by the right identity at the right time?
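The correlation above, worked as code: an added example (not from the book) that joins a constructed identity directory, role entitlements, and access log lines, and flags each access that fails one of the pillar questions. The data, the log field layout and the function names are assumptions.

```python
# Identity pillar: who is this user? (constructed directory, not real data)
IDENTITIES = {
    "alice": {"role": "dba", "status": "active"},
    "bob": {"role": "helpdesk", "status": "active"},
    "carol": {"role": "dba", "status": "disabled"},
}

# Privilege pillar: what does each role have access to? (constructed)
ENTITLEMENTS = {
    "dba": {"db-prod-01", "db-prod-02"},
    "helpdesk": {"ticket-app"},
}

# Asset pillar: what was accessed? Constructed log lines in the form
# timestamp|user|asset|protocol|result
ACCESS_LOG = """\
2020-01-10T08:01:00Z|alice|db-prod-01|ssh|success
2020-01-10T08:05:00Z|bob|db-prod-02|ssh|success
2020-01-10T08:09:00Z|carol|db-prod-01|ssh|success
2020-01-10T08:12:00Z|mallory|ticket-app|http|success
2020-01-10T08:15:00Z|bob|ticket-app|http|failure
"""


def correlate(log_text, identities=IDENTITIES, entitlements=ENTITLEMENTS):
    """For each successful access, answer the pillar questions in order:
    is the identity known and active (identity), and is the asset within
    the entitlements of its role (privilege)? Returns a list of
    (timestamp, user, asset, reason) for accesses that fail a check."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, asset, _proto, result = line.split("|")
        if result != "success":
            continue  # denied attempts are a separate detection, skipped here
        ident = identities.get(user)
        if ident is None:
            findings.append((ts, user, asset, "unknown identity"))
        elif ident["status"] != "active":
            findings.append((ts, user, asset, "disabled identity used"))
        elif asset not in entitlements.get(ident["role"], set()):
            findings.append((ts, user, asset,
                             f"outside entitlements of role {ident['role']}"))
    return findings


if __name__ == "__main__":
    for ts, user, asset, reason in correlate(ACCESS_LOG):
        print(f"{ts} {user} -> {asset}: {reason}")
```

Each finding is the point where a single-pillar log (the access record) only becomes meaningful once joined to the other two pillars.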

    For most security vendors and their customers, the integration of these three pillars is critically important. If security solutions are isolated and do not share information, or only operate in their own silo, or between only two of the pillars, their detection and protection capabilities and data they can report will be limited in scope. For example, if an advanced threat protection solution or antivirus technology cannot share user information, or report on the context of the identity, then it is like riding a unicycle. The balance of information from the threat is not equally distributed. When processing threat information as an isolated log, event, or alert entry, key insights are missed. You need to have integrated data from all three pillars to be truly effective at dealing with modern threats.

    If the unicycle analogy does not resonate with you, imagine not tracking privileged access to sensitive assets. You would never know if an identity is inappropriately accessing sensitive data. Moreover, you would never know if a compromised account is accessing sensitive data on what assets. Exploiting this lack of visibility is how threat actors are breaching our environments today. Without this visibility, we cannot track indicators of compromise and relate them back to the three pillars.

    Therefore, when you look at new security or information technology solutions, ask yourself what pillar they occupy and how they can support the other pillars you trust and rely on every day. If they must operate in a single silo, make sure you understand why and what their relevance will be in the future. To this point, what is an example of a security solution that operates only in one silo? Answer – one that does not support any integrations nor operate between the three pillars. In many new deployments, this may sound like an Internet of Things (IoT) device or a traditional antivirus solution that can report on an infection on an asset but has no knowledge of the identity (account or user) or the privileges that the malware tried to use to infect the asset.

    To that end, an IoT door lock or camera that provides physical protection for assets based on a static identity that cannot share access logs or integrate with current identity solutions is a bad choice for any organization. A standalone antivirus solution that has no central reporting on status, signature updates, or faults is another poor choice. There is no way of knowing if the AV is operating correctly, whether or not there is a problem, or even if it is doing an exceptionally good job blocking malware. Why would you essentially pick a consumer-grade antivirus solution for your enterprise-grade environment? Unfortunately, this happens all the time, and we end up with the bolt-on approach to solve the problem. And even when it does alert, it fails to collect the required information to properly mitigate the threat based on data from all three pillars.

    As we stabilize our cybersecurity best practices and focus on basic security hygiene, consider the longer-term goals of your business. If you choose a vendor that does not operate across these three pillars and has no integration strategy to promote interoperation and data exchange, it is truly a point solution, and you should be fully aware of the risks.

    Everything we choose as a security solution should benefit the integration of these pillars; if they do not, then ask a lot of questions. For example, why would you choose a particular camera system without centralized management capabilities? It falls into the asset protection pillar and can monitor physical access by an identity, but without centralized capabilities and management, it is a standalone silo not supporting your foundation. It needs to support all three pillars to be an effective security solution and, ultimately, provide useful information for correlation, analytics, and adaptive response.

    Some may argue that there could be four or even five pillars for a sound cybersecurity defense. They could be education, partners, and so on to support your foundation. We prefer to think of all tools and solutions in these three categories. Why? A three-legged stool never wobbles! And, each of these has documented attack vectors that can be managed as integrated pillars. Those are the basis for our other books, Privileged Attack Vectors and Asset Attack Vectors.

    While it’s no secret that identifying and correcting network security holes is critical to protecting any business from harmful attacks, the processes of privileged access management, vulnerability assessment, and configuration management often get overlooked as a critical component for sound security practices affecting assets. This is basic cybersecurity hygiene. To that end, vulnerability management should be an ongoing process, but too often organizations are lazy in maintaining a proper vulnerability workflow and only react when disaster strikes and they are forced to inspect the process in detail. Even then, some businesses fail to learn the lesson of proactive vulnerability assessment and remediation and are behind in managing all three pillars. You cannot protect an identity well when the asset itself can be exploited.

    Additionally, many organizations look at vulnerability management in isolation. Take a step back and look at the wealth of asset and risk information that is captured in a vulnerability scan. Usually this includes everything from vulnerabilities to accounts and groups available to the local asset. Examine how this data can not only help prioritize patches and mobilize IT resources but also be applied to strengthen other security investments across the organization, including asset management, patch management, application control, analytics, and threat detection – to name a few, based on the raw diversity of the data itself. This information can even help you strengthen your identity posture by locating the presence of appropriate and inappropriate (rogue) accounts across your organization. It is yet another tool that helps you with the challenges and strategies outlined later in this book for managing identity attack vectors.
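As an added example (not the book's code) of using scan data for identity posture as described above, the following reconciles constructed scan output (local accounts and Administrators group membership per asset) against an identity directory and an approved local-admin list; the data, names and function are assumptions.

```python
# Identities the IAM directory knows about (constructed, not real data)
DIRECTORY = {"alice", "bob", "svc-backup"}

# Local administrator rights approved per asset (constructed)
APPROVED_LOCAL_ADMIN = {
    "web-01": {"alice"},
    "db-01": {"alice", "svc-backup"},
}

# Constructed scan output: per asset, the local accounts found and the
# membership of local groups, as a credentialed scan would report them
SCAN = {
    "web-01": {"accounts": ["alice", "bob", "tmpadmin"],
               "groups": {"Administrators": ["alice", "tmpadmin"]}},
    "db-01": {"accounts": ["alice", "svc-backup", "bob"],
              "groups": {"Administrators": ["alice", "svc-backup", "bob"]}},
}


def find_rogue_accounts(scan, directory=DIRECTORY, approved=APPROVED_LOCAL_ADMIN):
    """Reconcile scan-discovered local accounts with the identity directory.
    Returns (asset, account, reason) for accounts the directory does not
    know (rogue) and for known accounts holding unapproved local admin rights."""
    findings = []
    for asset in sorted(scan):
        data = scan[asset]
        admins = set(data["groups"].get("Administrators", []))
        for account in data["accounts"]:
            if account not in directory:
                findings.append((asset, account, "not in identity directory"))
            elif account in admins and account not in approved.get(asset, set()):
                findings.append((asset, account, "unapproved local admin"))
    return findings


if __name__ == "__main__":
    for asset, account, reason in find_rogue_accounts(SCAN):
        print(f"{asset}: {account} ({reason})")
```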

    © Morey J. Haber, Darran Rolls 2020

    M. J. Haber, D. Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_2

    2. A Nuance on Lateral Movement

    Morey J. Haber (1) and Darran Rolls (2)

    (1) Orlando, FL, USA

    (2) Austin, TX, USA

    To a threat actor, lateral movement makes all the difference between compromising a single resource and potentially navigating throughout an organization to establish a persistent presence. Their goal is to remain undetected and ultimately conduct their nefarious mission even if some defenses manage to track their infiltration. While the hacker might succeed based on an opportunistic phishing attack or a targeted attack based on stolen credentials or an exploit, lateral movement is the means to find data of value, compromise additional assets, execute malware, and ultimately own accounts and identities to continue their attack. Lateral movement, by the most traditional definition, is the ability to pivot from one resource to another and to navigate among other resources in any environment. The key takeaway for our conversation today, and why we need to talk about lateral movement, is not about assets, however; it is about resources, since they can be so much more than just computers and applications.

    Resources engaged in lateral movement can be any one of the following and, most importantly, any combination of them too. This is documented in Table 2-1 along with the most common privileged and asset attack vectors.

    Table 2-1. Resource lateral movement techniques

    While the techniques for lateral movement vary greatly between these resources, including privileged and asset attack vectors, the objective is the same – to laterally move between resources that are similar or share underlying services. That is, you can laterally move from an operating system to an application and then compromise additional accounts using any combination of the attack vectors (and there are definitely more) referenced in the preceding text. This raises the obvious question: how do you protect against lateral movement when it can occur in so many different ways and between so many different things?

    First, consider the underlying faults that allow lateral movement to occur. They occur due to privileged attacks or asset attacks and ultimately can own an identity. The latter is typically accomplished through vulnerability, patch, and configuration management. These are traditional cybersecurity best practices that every organization should be doing well, but in reality, as we all know, very few have them working like well-oiled machines. The conversation we need to have with our teams is that lateral movement, due to poor basic cybersecurity hygiene, is the primary attack vector for modern threats like ransomware, bots, worms, and other malware. Contemporary concepts like zero trust and just-in-time identity and privileged access management cannot mitigate the threats from asset attack vectors. A successful attack is based on software flaws and not credentials used for the interaction of resources. Therefore, for lateral movement based on asset attacks, we need to ensure the basics are being done well week after week, month after month, and year over year to ensure we do not expose cracks in our security posture that could lead to a vulnerability and exploit.
