Putting Zero Trust 2.0 into practice in five steps (InfoGuard Cyber Security Newsletter)

Identity protection – we can only protect what we're able to see

The bold headline of this blog article accurately captures the biggest challenge in identity protection. All too often, complete transparency about user identities, privileged users and service accounts is severely limited, which opens the door to cybercriminals. We want to bring this security risk to light in this article. We will also highlight the various challenges that companies face when they do not have complete insight into the activities and authentication requests of their human and non-human accounts. Of course, we will also be looking at solutions to provide much-needed transparency – so switch on the lights.

The main question is: What does transparency mean when it comes to protecting companies from compromise? In the context of identity protection, visibility is the ability to display all identities, data and security risks associated with an organisation. This information makes it possible to derive the necessary security measures and thus achieve comprehensive identity protection for all (in)human accounts. This is important because without complete transparency about elements such as user and authentication activities, access authorisations, risky identities, authorised applications, etc., critical gaps in identity security could go unnoticed.

Challenge – password synchronisation

Identities are one of the main targets of cyber attacks. But beneath the surface of known identity attacks lies a subterranean world of misconfigurations, forgotten user accounts, outdated settings, misbehaviour and insecurely integrated functions - also known as Identity Threat Exposures (ITEs). Attackers use these ITEs to steal credentials, escalate privileges and move laterally within the affected organisation's infrastructure. The problem: Most companies lack transparency.

The vast majority of organisations today use a hybrid identity infrastructure with Active Directory (AD) for on-premise resources and a cloud IdP for SaaS. Typically, AD synchronises users' hashes with the cloud IdP so that they can access SaaS applications with the same credentials as on-premise resources. This significantly increases the potential attack surface of the SaaS environment. This is because every attack in which the attacker gains possession of passwords paves the way to the cloud resources.

All ITEs that enable attackers to gain access to users' plain text passwords therefore offer attackers direct access to the SaaS environment. ITEs that disclose weakly decrypted password hashes (NTLM, NTLMv1, admins with SPN) or enable attackers to reset user passwords (shadow admins) are already being used extensively by attackers. Detailed information on the ITEs mentioned can be found in a detailed report by our technology partner Silverfort.

Challenge – service accounts are rarely in the spotlight

But that's not all: service accounts play an infinitely important role in today's complex business environment. These non-personal, machine-to-machine (M2M) accounts are used by applications, systems and services to perform important automated tasks within a network. To perform routine tasks, these accounts require access to resources such as databases and file shares. If they are not managed properly, such service accounts can pose a significant risk. This is because they allow cybercriminals to exploit compromised credentials to take over such accounts and then move laterally (ITE - lateral mover) through a network unnoticed.

To effectively manage service accounts, you need to know all the account types - often hundreds or even thousands. This makes it extremely difficult to keep track of each individual account and its activities. According to a report by Osterman Research, just under 20% of companies surveyed believe they know which service accounts exist in their organisation. Frightening - don't you think? The lack of transparency makes it difficult for companies to detect associated unauthorised access or malicious activity.

Without appropriate controls such as continuous monitoring and strict access policies, compromised service accounts often remain undetected. This allows cybercriminals to gain undetected access to critical systems and sensitive data over an extended period of time. This gap in security controls not only increases the risk of data breaches, but also the potential for operational disruption and insider threats. Eliminating this vulnerability is critical for organisations to strengthen their defences and build a resilient security posture against cyber threats.

Challenge – MFA for privileged users, PsExec and remote PowerShell access and more

Identity protection is definitely not a ‘nice-to-have’. For example, the NIS2 Directive defines the minimum set of security measures that regulated organisations must implement to meet its requirements. Article 21, section 2(j) refers directly to multi-factor authentication (MFA). The rationale: The security measures should include multi-factor authentication or continuous authentication solutions, especially where there is a likelihood that the lack of MFA protection could lead to a cyber breach . This certainly includes privileged user accounts, PsExec or remote PowerShell access as well as critical applications and servers with particularly sensitive information.

The compromise of privileged users is a main target of attackers. These user accounts are authorised to access multiple resources within the environment, execute code and interact with data. In a typical environment, these users are administrators, helpdesk and IT teams, which is why MFA protection for these users is of the utmost importance. A compromise can therefore have serious consequences for the affected organisation.

Attackers can also use compromised credentials to move laterally, expanding their initial access and spreading into the target environment. This propagation is the key component behind many ransomware and data theft attacks. Their favourite tools are command line access tools such as PsExec and Remote PowerShell. The ultimate protection against these attacks is to enforce MFA for users accessing resources via these tools. However, attackers also target critical resources, for example through a ransomware attack that locks down business-critical applications or by stealing sensitive business data or intellectual property. Identifying these resources and MFA protection for user access to these resources is therefore a top priority.

Challenge – lack of context and visibility

In most cases, a user is connected to their company's hybrid environment with several different identities via local services and various cloud services - including those with privileged rights. In addition, very few user directories can provide information about the risks and data associated with a particular identity. The vast amount of user data that resides in systems such as Active Directory or an organisation's SIEM makes it even more difficult to effectively track, manage and monitor identities, access permissions and activities.

Unfortunately, very few solutions can aggregate all inventory and identity data. This leads to fragmented and incomplete information about who has access to which resources and how they are using them. Even if security administrators know some or all of the identities and activities associated with a user, they may not have a clear idea of what permissions have been assigned, inherited or shared. This lack of visibility can lead to potential identity-related risks, such as unauthorised access or abuse of privileges.


infoguard-blog-bildquelle-identitaetsschutz-silverfortImage source: Silverfort

This lack of visibility can lead to potential identity-related risks, such as unauthorised access or abuse of privileges. Without full visibility of your users and their access capabilities, it becomes increasingly difficult to protect sensitive data and critical assets. For this reason, it is important to recognise that security really starts with visibility.

6 steps to comprehensive identity protection

Of course, there are a few more points to consider regarding identity protection, but we don't want to overstep the mark here either. These three challenges alone make it clear that it is crucial to take identity protection seriously.

Our 6-point programme will show you how to do this:

  1. Know where you are at risk
    Make sure you have an overview of the ITEs in your environment. If you synchronise AD users with your cloud IdP, make sure you follow Microsoft's best practices and minimise the number of unused users.
  2. Eliminate risk where you can
    Work closely with the identity team to weed out the ITEs that result from misbehaviour or misconfigurations. Also set up a process to resolve these as soon as - or before - they occur.
  3. Containment and monitoring of existing risks
    For ITEs that cannot be remediated, such as service accounts or the use of NTLM, ensure that the SecOps team has a process in place to closely monitor for signs of compromise.
  4. Take preventative measures
    Apply identity segmentation rules or MFA policies to prevent user accounts from being victimised by ITEs where possible. Enforce access policies for your service accounts that prevent access to all targets outside of their assigned resources.
  5. Connect the identity and security teams
    The responsibility for identity protection is split between the identity and security teams, with the latter using their knowledge to prioritise the ITEs to be fixed, while the former puts these fixes into action.
  6. Attend our webinar on 28 May 2024
    If you would like to find out more about the topic of ‘Identity protection best practice’, register now for our webinar on 28 May 2024 at 3.00 PM (in German). Find out how easy comprehensive identity protection is thanks to the Unified Identity Protection platform from our technology partner Silverfort - it's worth it!

Silverfort – creates transparency and delivers "best practice" identity protection

Silverfort is the first unified identity protection platform that combines all the necessary identity threat prevention and detection capabilities in a single solution:

  1. Extend MFA to ‘non-protectable systems’
    With Silverfort, you can implement agentless and proxyless MFA for any device, server or application, including resources that could not be protected before. This prevents data theft while meeting compliance and cyber insurance requirements.
  2. Capture and protect service accounts
    Silverfort automatically captures all non-human identities (machine-to-machine access). This allows you to analyse behaviour and prevent unauthorised use with a zero-trust approach, without password rotation.
  3. Detect and respond to identity attacks (Identity Threat Detection & Response - ITDR)
    Thanks to Silverfort, you can detect account takeovers, lateral movement of ransomware and enforce real-time responses, including customisable MFA and blocking of access.


Source: Silverfort

Through native integration with all leading IAM solutions, Silverfort provides comprehensive MFA, service account protection, identity threat detection and response (ITDR), identity segmentation and identity security management (ISPM) in hybrid environments. Silverfort extends modern identity protection to any user accessing any resource, including those that previously could not be protected, such as legacy applications, command line access, service accounts and more. With these capabilities, Silverfort provides organisations with comprehensive protection against cyberattacks with compromised credentials, both on-premises and in the cloud.

Find out more about Silverfort

If you would like to read more articles about the latest trends, innovations and technologies in cyber security, subscribe to our blog updates now and receive the latest articles delivered conveniently to your inbox.

Subscribe to blog updates!

<< >>

Cyber Risks

Reinhold Zurfluh
About the author / Reinhold Zurfluh

InfoGuard AG - Reinhold Zurfluh, Head of Marketing, Mitglied des Kaders

More articles from Reinhold Zurfluh

Related articles
AWS ransomware - and what's really behind it
AWS ransomware - and what's really behind it

Recently, a customer contacted InfoGuard's Computer Security Incident Response Team (CSIRT) and reported that [...]
Cyber Threat Intelligence Insights: Timing of Ransomware Incidents
Cyber Threat Intelligence Insights: Timing of Ransomware Incidents

In the last blog post, we looked at the 53 largest CSIRT cases in 2022. In this post, we will focus [...]
Two-factor authentication – feel the authentication flow
Two-factor authentication – feel the authentication flow

During the Covid-19 pandemic, remote working is becoming a crucial factor in many companies’ survival. Have [...]

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media