End-user digital identities are among the main targets of cyber-attacks. Almost two-thirds of last year’s security breaches were aimed at obtaining credentials ⁽¹⁾, with privileged accounts being the most targeted. To prevent, detect, and block these types of threats, Datanet Systems recommends using the Identity Risk Management platform of Illusive Networks, an Attack Surface Management solution that integrates several innovative protection technologies.

Although the issues related to digital identity exploitation are well known today, many companies are not aware of their scale and severity. On one hand, there are risks that are not properly managed, as is the case with administrators who do not use dedicated solutions – 87% of them do not have accounts enrolled in Privileged Account Management / PAM applications⁽²⁾. However, the reasons are justified, as PAM solutions pose limitations and are not fully compatible with many applications and services. Additionally, the privileged accounts’ outdated passwords are still common – 62% of administrators have had their login data unchanged for over a year, and 17% for over 5 years!

 

 

On the other hand, in many organizations, there are “Shadow Admin” accounts that are not known. A “Shadow Admin” is a regular end-user who, however – due to configuration errors or temporarily unrevoked rights – enjoys privileges that the legitimate administrators are not aware of. In 40% of cases, if an attacker manages to compromise such a false identity, he can obtain administrator rights over a domain by simply resetting his password.

Last but not least, there is an issue with the identification information that is exposed. 1 out of 6 terminal equipment presents at least an exploitable identity risk, 55% of the login data being stored in browsers, and 34% in applications. The problem is that more than a quarter of this data is credited to legitimate administrators and 41% belongs to users in the “Shadow Admin” category.

 

Why traditional protection methods are not enough

As mentioned, companies know the implications of identifying risks and try to prevent them by using various solutions and methods. These include, for example, reducing the number of privileged accounts in Active Directory (AD), which is not a very effective “cyber-hygiene” measure because administrators will still have to do their job and, therefore, will still be exposed to identifiable identity data. As an example, the rapid adoption of the hybrid work model has led to an exponential increase in support requests from remote end-users. The problem is that 1 in 5 terminal devices caches critical security information, such as administrator login data.

On the other hand, even the traditional solutions fail to completely eliminate the risks. For example, Identity and Access Management (IAM) applications, which authenticate and authorize end-users or PAM-type applications, do not block the proliferation of privileged accounts, nor the emergence of “Shadow Admin” accounts, or even prevent the storage of user-profiles, including name and password, in applications. These are requirements that are not fully covered even by the Single Sign-On (SSO) or Multifactor Authentication (MFA) applications, which are normally used to compensate the shortcomings of IAM solutions.

One of the solutions most used for overcoming these security problems today is the Attack Surface Management (ASM) system that ensures the proactive removal of sensitive data detected on terminal equipment, data that allows attackers to access the infrastructure and obtain privileged rights.

 

Illusive Networks, main strengths

Not all ASM systems are equal. The Illusive Networks’  Identity Risk Management (IRM) platform, recommended by Datanet Systems specialists, stands out by combining ASM functionality with proprietary technology to create “false targets” for detecting attacks and attackers’ intentions.

Essentially, using the Illusive’ platform, a company can eliminate three main categories of identity risks:

• Improperly managed identities – such as administrator accounts that are not enrolled in WFP or MFA applications;
• Configuration errors – the case of users in the “Shadow Admin” category or of reused identities and passwords;
• Exploitable identities – such as credentials stored in cached systems or applications.

To achieve this, the Illusive IRM platform integrates three main components, which complement each other:

• Attack Detection System (ADS),which ensures the rapid detection of security events and limits the lateral movements of attackers, reduces the volume of false alerts, provides continuous protection by dynamically adapting to business changes, covering the gap left by security solutions based on signatures and patterns of behavior. To do this, ADS turns virtually any terminal equipment into a fake target, using over 75 “deception” techniques that can mimic credentials, connections, data, applications, equipment, and other artifacts that may be useful to an attacker. To mimic the target as accurate as possible, Illusive uses an agentless method – unlike other solutions that are using locally installed agents or “honeypot” methods – thus preventing attackers from detecting and removing the security measures.To reduce the operational effort, ADS includes a smart system that automates the creation of false targets, taking into account the type of each terminal equipment. For example, through the Trap Server functionality, ADS interacts in an invisible manner with attackers, moving real data out of range and creating a completely false attack surface. At the same time, using ADS, organizations can automate the creation and customization of hundreds or thousands of fake Word or Excel files, which mimic logos and headers, and can be used as bait for attackers, signaling unauthorized access attempts. The ADS management console provides real-time information about how close the attacker is to real data, the entire timeline of his activity from the moment he interacted with a fake target, the methods used, etc.
• Attack Surface Manager (ASM),which ensures continuous reduction of attack area, even when the number of users and applications changes, providing visibility on non-compliant credentials that can be exploited by attackers (redundant identities, excessive and/or vulnerable privileges, etc.), prioritizing remedial measures to correct these violations according to the level of risk generated and automatically applying predefined or customized corrective measures. Using the ASM module, IT departments can limit and restrict access to critical, system-defined data, and can proactively identify attack routes and access rights that allow attackers to create breaches and escalate privileges.Newer versions of ASM extend the scope to Cloud environments. Thus, the module detects and removes credentials stored in browsers for accessing applications delivered as-a-Service, detects privileged accounts and violations of the rules defined in Azure AD, etc. With these new capabilities, IT departments can quickly identify high-risk identities, such as users with vulnerable credentials who are used in both the cloud and on-premises or those who access and use unauthorized cloud services.
• Attack Intelligence System (AIS) – provides real-time access to information related to detected security events, collecting data from both compromised equipment and fake targets. Thus, immediately after detection, IT teams can see the attackers’ position in relation to critical business objectives and benefit from the contextual information needed to understand the nature of the incident and which facilitates the process of investigating and establishing response measures. Using telemetry data collected from several sources, AIS provides detailed information on the tools, tactics, and techniques used by attackers, and by using it together with ADS and ASM, blocking and remediation actions can be taken quickly.

Benefits of collaborating with Datanet Systems

Beyond these technological advantages, Illusive’s IRM platform allows for rapid deployment, is very scalable, being able to handle up to tens of thousands of terminals, and comes with over a hundred predefined remediation and automation measures.

In addition, the Identity Risk Management platform is compatible with several applications and cloud environments – Datanet specialists can provide integration services with solutions and services such as Microsoft Defender for Endpoint, Azure Active Directory, Microsoft 365, Azure Sentinel, etc.

For more information on “Identity Risk Management with Illusive Networks”, Datanet Systems recently organized a webinar that included a hands-on demonstration – video available here.

 

Datanet Systems is an Illusive Networks partner, having competencies for implementing projects with this IRM platform. Our specialists know the specific challenges, as well as the ways to overcome them, and can ensure compliance with delivery deadlines and allocated budgets. Upon request, we can provide an Identity Risk Assessment (IRA) service that allows you to find out which credentials of system administrators in your company are being mismanaged, which privileged accounts are misconfigured, and which credentials are exposed and may be exploited in privilege escalation attacks.

For more technical and business information on Identity Risk Management’s Illusive Networks platform, integration prospects, and the services provided by the company, please contact us at sales@datanets.ro.

______________________

1 – Verizon: 2021 Data Breach Incident Report

2 – Illusive: Analyzing Identity Risks (AIR) 2022