Exposure Management 101: Identity Security

16.02.24
4 min read
Introduction
Identity security is a major pillar of any security program, and especially of exposure management. Attackers target identities so they can move laterally and obtain privileges throughout the organization. At the core of every identity are properties and attributes, which attackers can exploit, often with ease. It is these properties and attributes that must be secured to truly secure the identity. Tools like multi-factor authentication (MFA) and privileged access management (PAM) have no chance of protecting identities that have exploitable properties and attributes.
Identity Security
It is often thought that identities can be secured and protected by using layered solutions like PAM, MFA, etc. This is simply not the case: the identity itself needs to be secured. In every identity store (on-prem Active Directory, Entra ID (AKA Azure AD), AWS, Google Cloud, Okta, etc.) the identity has configurations that grant it abilities beyond those of a standard user. In many cases these configurations can be attacked, immediately providing the attacker with information that can be used to impersonate the account or leverage it in other ways.
For on-prem Active Directory, the list of identity properties and attributes that matter is very well known. Verifying whether any identities have exploitable configurations, and flagging them for remediation, is therefore a simple process in principle. The problem is that the queries needed to do this are not well known, nor is how to analyze their output.
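As an added example (not Nanitor's code), the following audit checks user records for the kind of exploitable attribute configurations the paragraph refers to. The userAccountControl flag values are the documented Active Directory bit values; the user records themselves are constructed to look like rows from an LDAP export of user objects (sAMAccountName, userAccountControl, servicePrincipalName, adminCount), which in a real audit would come from an LDAP query or Get-ADUser output.

```python
"""Audit Active Directory user records for exploitable attribute configurations.

Added example, not Nanitor's code. SAMPLE_USERS is constructed data shaped like
an LDAP export of user objects.
"""

# userAccountControl flag bits (documented Active Directory values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000
DONT_REQ_PREAUTH = 0x400000

# Severity rank used to order remediation; higher is more urgent.
SEVERITY = {"high": 3, "medium": 2, "low": 1}

# Constructed sample records (assumed names and values, not real accounts).
SAMPLE_USERS = [
    {"sAMAccountName": "svc-sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"], "adminCount": 1},
    {"sAMAccountName": "legacy-app", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "adminCount": 0},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": [], "adminCount": 0},
    {"sAMAccountName": "old-admin", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": [], "adminCount": 1},
    {"sAMAccountName": "gw-proxy",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION | ENCRYPTED_TEXT_PWD_ALLOWED,
     "servicePrincipalName": ["HTTP/gw01.corp.example"], "adminCount": 0},
]


def is_privileged(user):
    """adminCount=1 is stamped by SDProp on members of protected groups (Domain Admins etc.)."""
    return int(user.get("adminCount") or 0) == 1


def audit_user(user):
    """Return a list of (severity, finding) tuples for one user record."""
    uac = int(user.get("userAccountControl", 0))
    findings = []
    if uac & ACCOUNTDISABLE:
        # A disabled account cannot authenticate; review it separately rather than alert on it.
        return findings
    privileged = is_privileged(user)
    if uac & DONT_REQ_PREAUTH:
        findings.append(("high", "kerberos-preauth-not-required"))
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append(("high", "reversible-encryption-enabled"))
    if uac & PASSWD_NOTREQD:
        findings.append(("high", "password-not-required"))
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append(("high", "unconstrained-delegation"))
    if user.get("servicePrincipalName") and privileged:
        # A privileged account that also carries an SPN exposes a protected credential via Kerberos.
        findings.append(("high", "privileged-account-with-spn"))
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append(("medium" if privileged else "low", "password-never-expires"))
    return findings


def audit_directory(users):
    """Return {sAMAccountName: findings} for accounts with findings, most urgent first."""
    results = {u["sAMAccountName"]: audit_user(u) for u in users}
    results = {name: f for name, f in results.items() if f}

    def worst(item):
        return max(SEVERITY[sev] for sev, _ in item[1])

    return dict(sorted(results.items(), key=worst, reverse=True))


if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLE_USERS).items():
        print(name, findings)
```

Each finding maps to a direct remediation: require Kerberos pre-authentication, clear the reversible-encryption and password-not-required bits, replace unconstrained delegation with constrained or resource-based delegation, and move SPN-bearing privileged accounts to a dedicated service account (for example a group managed service account) with no protected-group membership.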
In addition to securing identity configurations, there is another significant concern for identities in every organization. When an administrative account that is designed to administer domain controllers logs onto a workstation, this breaks the "tiering model", which is geared to protect the identity and its credentials. Being able to track when an account from a more privileged tier (tier 0 or 1) logs into a machine in a less privileged tier (tier 1 or 2) is vital to knowing when there is potential for credential theft.
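As an added example (not Nanitor's code), the following detection logic implements the tiering check the paragraph describes: flag any credential-exposing logon where the account's tier is more privileged than the host's. The account-to-tier and host-to-tier maps are assumed inventory data, and the event lines are constructed to mirror the fields of Windows Security event 4624 (TargetUserName, LogonType, Computer) as a flattened key=value record; in production they would come from a SIEM or Get-WinEvent.

```python
"""Detect tiering-model violations from Windows logon events.

Added example, not Nanitor's code. ACCOUNT_TIER, HOST_TIER and SAMPLE_EVENTS are
constructed, assumed data. Lower tier number = more privileged (tier 0 = domain
controllers and the accounts that administer them).
"""

# Assumed inventory: which accounts and hosts belong to which tier.
ACCOUNT_TIER = {"da-alice": 0, "srvadm-bob": 1, "jdoe": 2}
HOST_TIER = {"DC01": 0, "APP01": 1, "WS-1234": 2}

# Logon types that leave a reusable credential on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Network logons (type 3) do not, so they are not tiering violations here.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}

# Constructed sample events in the style of flattened 4624 records.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=da-alice TargetDomainName=CORP LogonType=10 Computer=WS-1234",
    "EventID=4624 TargetUserName=da-alice TargetDomainName=CORP LogonType=2 Computer=DC01",
    "EventID=4624 TargetUserName=srvadm-bob TargetDomainName=CORP LogonType=2 Computer=WS-1234",
    "EventID=4624 TargetUserName=srvadm-bob TargetDomainName=CORP LogonType=3 Computer=WS-1234",
    "EventID=4624 TargetUserName=jdoe TargetDomainName=CORP LogonType=2 Computer=WS-1234",
    "EventID=4625 TargetUserName=da-alice TargetDomainName=CORP LogonType=2 Computer=WS-1234",
]


def parse_event(line):
    """Turn a 'key=value key=value' line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def tier_violation(event):
    """Return a violation record if this logon breaks the tiering model, else None."""
    if event.get("EventID") != "4624":
        return None  # only successful logons place a credential on the host
    logon_type = int(event.get("LogonType", 0))
    if logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return None
    user = event.get("TargetUserName", "").lower()
    host = event.get("Computer", "")
    account_tier = ACCOUNT_TIER.get(user)
    host_tier = HOST_TIER.get(host)
    if account_tier is None or host_tier is None:
        return None  # not classified: an inventory gap to close, not a tiering alert
    if host_tier > account_tier:
        return {"user": user, "host": host, "account_tier": account_tier,
                "host_tier": host_tier, "logon_type": logon_type}
    return None


def find_violations(lines):
    """Run the check over a sequence of event lines and return all violations."""
    return [v for v in (tier_violation(parse_event(line)) for line in lines) if v]


if __name__ == "__main__":
    for v in find_violations(SAMPLE_EVENTS):
        print(f"tier {v['account_tier']} account {v['user']} logged on (type {v['logon_type']}) "
              f"to tier {v['host_tier']} host {v['host']}")
```

The unclassified case is deliberately separated from a violation: a host or account missing from the tier inventory is an asset-management finding, and reporting it as a tiering alert would bury the real credential-exposure events among inventory noise.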
Combining and Normalizing Asset, Identity, and Issue Priorities
There is a significant gap in every organization when it comes to protecting identities and assets and knowing which settings need immediate attention. When looking at a single class of security issue, such as vulnerabilities, it is rather easy to know which vulnerability to remediate first, based on that vulnerability's priority.
However, when identity security issues are combined with vulnerabilities, patching, misconfigurations, cloud security, and identity priority, knowing what to remediate first in order to reduce the attack surface the most becomes an extremely complex analytical problem.
A solution like Nanitor is able to do this with ease because it is built on a common codebase. Every security issue has a priority, which is normalized against the other issues. Identity security is then just one of many security issues, so a single prioritized list of security issues can be generated and analyzed, and the organization knows exactly which issue needs to be addressed first, second, etc., as you can see in this figure.
Conclusion
If your security stack fails to include identity security regarding properties and tiering, attackers have a significant advantage. Layered security solutions on top of identity do not protect the identity itself from attack, or even from impersonation. It takes rigorous knowledge and analysis to know what needs to be checked and configured. Tiering is also very difficult to monitor, as there can be thousands of workstations that need to be watched for incorrect logins. A true exposure management solution such as Nanitor can do this with ease.
To see where your assets and environment are with patches and to know which assets you need to address, schedule a demo with us or contact joe@nanitor.com for a customized demo.