A spate of high-profile attacks has recently shaken trust in organizations’ ability to secure their own and their customers’ data and to provide a reliable service. Organizations recently in the news for falling victim to these attacks range from casinos to hospitals to key infrastructure providers. They have faced very hard choices: Do you pay a $30M ransom, knowing that cooperation may make you a high-profile target for future attacks? Or do you completely rebuild from scratch, knowing a rebuild will take 10-15 days while finance teams estimate the cost at $8M of lost revenue per day?
A key attribute of many of these attacks is that a small number of identities (in some cases a single identity) were compromised in order to gain broad access to the organization’s systems and resources. In most cases, the identities were protected by multi-factor authentication (MFA). Attackers used tactics such as social engineering, or compromised contractors who already had access, to bypass the standard protections these enterprises had in place.
Many teams fail to take the initial, but important, authentication step that minimizes the risk of identity compromise: switching to phishing-resistant MFA. MFA based on one-time passcodes, whether delivered by text message or generated by a mobile app, is now easily phished by today’s attackers. Teams looking to extend the life of their MFA investment must deploy an MFA technology that is phishing resistant, i.e., passkeys or some of the commercially available hardware tokens.
But moving to phishing-resistant MFA still does not eliminate the risk of compromise, nor does it reduce the blast radius once an identity has been compromised. What makes these identity-compromise-driven attacks particularly damaging is the relatively unfettered access the attacker gains after impersonating even a single insider. Even with an MFA-based identity security approach, attackers can hijack sessions, or trick or otherwise coerce legitimate users into giving up credentials. Once an attacker has established an authenticated session, they are inside the organization’s digital perimeter, and most organizations fail to add strict additional checks for requests involving sensitive data. This broad approach to access and permissions is the biggest cause of the large “blast radius” that results when even a single identity is compromised.
So, how can organizations easily take action to minimize this blast radius?
Here are five ways to address the issue:
1. Eliminate Shared Accounts
Some systems require specific, named accounts for administrative access, and these named accounts end up shared by multiple actual users. Privileged Access Management (PAM) tools can manage such shared accounts by vaulting or rotating their passwords. However, this strategy has limitations: users may make copies of the credentials and retain access even after they have left that role or the organization. Ensure that the vendors of these target systems provide a short roadmap to eliminating named-account access, or consider ways to replace those systems. The risk is too high to do nothing.
2. Minimize Standing Privileges
Standing privileges, the roles and access a user accumulates over time but no longer needs, are an enormous risk because a compromised identity gives the attacker access to a potentially large number of systems. Manually review who has access to critical systems such as your compute infrastructure (both on-premises and in the cloud) and key business systems such as HR or CRM, and specifically look for individuals who have been promoted or moved and may no longer require access to a system. Use the identity management features natively available in these systems (i.e., roles or groups) to define new roles, or identify existing roles, that are required to gain access. Ensure that membership of these roles is limited to the users who need access at any given point in time. Periodically review these role memberships to account for joiners, movers and leavers. Some IGA and PAM solutions may automate part of this work by consolidating such roles into a central directory, but periodic manual reviews of those roles are still required.
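The review described above is, at its core, a reconciliation of role memberships exported from the target systems against the HR system of record. The following script is an added example (not code from the original article or from any IGA or PAM product) of that reconciliation: it flags a membership as a leaver, a mover (department no longer entitled to the role), an identity unknown to HR, or a dormant entitlement that has not been exercised within a review window. The role policy table, the HR records, the membership snapshot and the review date are all constructed for illustration.

```python
"""Standing-privilege review: reconcile role memberships with the HR system of record.

Added example, not code from the original article. The role policy, HR
records and memberships below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    department: str
    status: str                 # "active" or "terminated"


@dataclass(frozen=True)
class Membership:
    role: str
    user: str
    last_used: Optional[date]   # None: the access has never been exercised


@dataclass(frozen=True)
class Finding:
    role: str
    user: str
    reason: str                 # "unknown", "leaver", "mover" or "dormant"


# Hypothetical policy: which departments legitimately hold each privileged role
ROLE_POLICY = {
    "prod-compute-admin": {"platform"},
    "hr-system-admin": {"people-ops"},
    "crm-export": {"sales-ops"},
}

# Constructed HR feed (system of record for who works here and in which department)
HR = {r.user: r for r in [
    HrRecord("alice", "platform", "active"),
    HrRecord("bob", "sales-ops", "active"),        # promoted out of platform
    HrRecord("carol", "platform", "terminated"),   # has left the company
    HrRecord("dave", "people-ops", "active"),
    HrRecord("erin", "sales-ops", "active"),
]}

# Constructed snapshot of role memberships pulled from the target systems
MEMBERSHIPS = [
    Membership("prod-compute-admin", "alice", date(2024, 5, 29)),
    Membership("prod-compute-admin", "bob", date(2024, 5, 22)),
    Membership("prod-compute-admin", "carol", date(2024, 4, 22)),
    Membership("prod-compute-admin", "frank", None),   # no HR record at all
    Membership("hr-system-admin", "dave", date(2023, 11, 13)),
    Membership("crm-export", "erin", date(2024, 5, 31)),
]

REVIEW_DATE = date(2024, 6, 1)   # constructed "today" for the review run


def review_roles(memberships, hr, policy, today, max_idle_days=90):
    """Flag memberships a reviewer should remove. Reasons are checked in order
    of severity, so each membership receives a single, most serious reason."""
    findings = []
    for m in memberships:
        rec = hr.get(m.user)
        if rec is None:
            findings.append(Finding(m.role, m.user, "unknown"))
        elif rec.status != "active":
            findings.append(Finding(m.role, m.user, "leaver"))
        elif rec.department not in policy.get(m.role, set()):
            findings.append(Finding(m.role, m.user, "mover"))
        elif m.last_used is None or (today - m.last_used).days > max_idle_days:
            findings.append(Finding(m.role, m.user, "dormant"))
    return findings


def memberships_to_keep(memberships, findings):
    """The pruned (role, user) list after the flagged entries are removed."""
    flagged = {(f.role, f.user) for f in findings}
    return sorted((m.role, m.user) for m in memberships
                  if (m.role, m.user) not in flagged)


if __name__ == "__main__":
    found = review_roles(MEMBERSHIPS, HR, ROLE_POLICY, REVIEW_DATE)
    for f in found:
        print(f"REMOVE  {f.role:20} {f.user:8} ({f.reason})")
    for role, user in memberships_to_keep(MEMBERSHIPS, found):
        print(f"KEEP    {role:20} {user}")
```

Running it against the constructed data removes bob (mover), carol (leaver), frank (unknown to HR) and dave (dormant for over 90 days), leaving only alice and erin. In a real deployment the HR feed and membership snapshot would come from the system exports, and the dormancy window would be tuned per role, but the ordering of checks (identity first, then role entitlement, then usage) is the part that matters.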
3. Define a “Break Glass” Process
In many cases, administrative access must be extended to additional identities in an exceptional situation. Define a break-glass process for those situations, one that includes removing the excess privileges once the exceptional situation has been addressed. To facilitate timely approvals, ensure that each category of exceptional situation that can trigger a break-glass request has more than one backup approver, so that if someone is out of office when the request is made, others can fill in. A “No Single Points of Failure” matrix can help in this process.
4. Ensure API Security
An often overlooked vector is the broad access that APIs may provide to your data. According to some surveys, over 83% of traffic to enterprises flows through APIs rather than through interactive interfaces, meaning that a single compromised identity with access to these systems can have immense repercussions for your organization. Applying the same care to API-based access as to interactive access to your systems is critical, yet this is an often overlooked weak link in your landscape.
5. Employ Dynamic Access Management
Manual processes to review each group membership or to handle break-glass requests can be time consuming to build. It is even harder to maintain a regular review cadence, or to remove permissions by hand once the break-glass situation has been addressed. Automatically deriving privileges from systems of record such as ticketing, HR and CRM ensures that only the users who are supposed to access a certain system or customer data are dynamically granted permission to do so. Newer dynamic access management systems offer these capabilities, and they can protect APIs and human interfaces using the same set of techniques.
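Sections 3, 4 and 5 describe one mechanism from three angles: a grant exists only while a system of record (an open ticket, or an approved break-glass request) justifies it, it expires on its own, and the same decision applies whether the request arrives through an API or an interactive session. The following is an added example (not code from the original article or from any dynamic access management product) that models that mechanism. The approver matrix, ticket identifiers, user names and grant lifetimes are constructed for illustration; a production broker would read tickets from the ticketing system and push grants into the target systems’ native roles.

```python
"""Time-bound, ticket-backed access grants with break-glass approvals.

Added example, not code from the original article. It models the break-glass
process (section 3), the "same rules for APIs and humans" point (section 4)
and ticket-driven dynamic access (section 5). All identifiers, tickets and
the approver matrix are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    assignee: str
    role: str          # role the ticket entitles the assignee to hold
    status: str        # "open" or "closed"


@dataclass
class Grant:
    user: str
    role: str
    basis: str         # ticket id or break-glass request id that justifies it
    expires_at: datetime


# Hypothetical "no single point of failure" matrix: each privileged role should
# list at least two eligible approvers so a request never waits on one person.
APPROVER_MATRIX = {
    "prod-compute-admin": {"ops-lead", "ops-lead-backup", "security-oncall"},
    "hr-system-admin": {"people-ops-lead"},   # deliberately under-staffed
}


def single_points_of_failure(matrix):
    """Roles whose approvals would stall if a single approver is unavailable."""
    return sorted(role for role, approvers in matrix.items() if len(approvers) < 2)


class AccessBroker:
    def __init__(self, matrix, tickets):
        self.matrix = matrix
        self.tickets = {t.ticket_id: t for t in tickets}
        self.grants = []
        self.audit = []   # (time, event, user, role, detail)

    def _active(self, user, role, now):
        return any(g.user == user and g.role == role and g.expires_at > now
                   for g in self.grants)

    def grant_from_ticket(self, user, role, ticket_id, now, ttl=timedelta(hours=8)):
        """Dynamic access: a grant exists only while an open ticket names this user for this role."""
        t = self.tickets.get(ticket_id)
        if t is None or t.status != "open" or t.assignee != user or t.role != role:
            self.audit.append((now, "deny-grant", user, role, ticket_id))
            return False
        self.grants.append(Grant(user, role, ticket_id, now + ttl))
        self.audit.append((now, "grant", user, role, ticket_id))
        return True

    def break_glass(self, user, role, request_id, approver, now, ttl=timedelta(hours=4)):
        """Exceptional grant: needs an approver from the matrix who is not the requester."""
        if approver not in self.matrix.get(role, set()) or approver == user:
            self.audit.append((now, "deny-break-glass", user, role, request_id))
            return False
        self.grants.append(Grant(user, role, request_id, now + ttl))
        self.audit.append((now, "break-glass", user, role, request_id))
        return True

    def revoke_expired(self, now):
        """Drop elapsed grants; returns them so the automatic cleanup is auditable."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in expired:
            self.audit.append((now, "revoke", g.user, g.role, g.basis))
        return expired

    def authorize(self, user, role, channel, now):
        """One decision path for both 'api' and 'interactive' requests."""
        self.revoke_expired(now)
        ok = self._active(user, role, now)
        self.audit.append((now, "allow" if ok else "deny", user, role, channel))
        return ok


def demo():
    """Walk the constructed scenario and return every decision for inspection."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=UTC)
    broker = AccessBroker(APPROVER_MATRIX, [
        Ticket("CHG-1001", "alice", "prod-compute-admin", "open"),
        Ticket("CHG-1002", "bob", "prod-compute-admin", "closed"),
    ])
    r = {}
    r["alice_ticket"] = broker.grant_from_ticket("alice", "prod-compute-admin", "CHG-1001", t0)
    r["bob_closed_ticket"] = broker.grant_from_ticket("bob", "prod-compute-admin", "CHG-1002", t0)
    # Same decision regardless of how the request arrives
    r["alice_api"] = broker.authorize("alice", "prod-compute-admin", "api", t0 + timedelta(hours=1))
    r["alice_ui"] = broker.authorize("alice", "prod-compute-admin", "interactive", t0 + timedelta(hours=1))
    r["bob_api"] = broker.authorize("bob", "prod-compute-admin", "api", t0 + timedelta(hours=1))
    # Break glass: self-approval is rejected, a backup approver from the matrix is accepted
    r["carol_self"] = broker.break_glass("carol", "prod-compute-admin", "BG-7", "carol", t0)
    r["carol_backup"] = broker.break_glass("carol", "prod-compute-admin", "BG-7", "ops-lead-backup", t0)
    r["carol_api"] = broker.authorize("carol", "prod-compute-admin", "api", t0 + timedelta(hours=2))
    # Once the window closes, access disappears without a manual cleanup step
    r["carol_later"] = broker.authorize("carol", "prod-compute-admin", "api", t0 + timedelta(hours=5))
    r["alice_later"] = broker.authorize("alice", "prod-compute-admin", "api", t0 + timedelta(hours=9))
    r["spof_roles"] = single_points_of_failure(APPROVER_MATRIX)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The two properties worth copying are that `authorize` never looks at the channel when deciding (the API request and the interactive request for alice get the same answer, and bob, whose ticket is closed, is denied on both), and that revocation is a side effect of time passing rather than a task someone has to remember: carol’s four-hour break-glass window and alice’s eight-hour ticket window both lapse on their own. The `single_points_of_failure` check is the matrix review from section 3 expressed as a query over the approver table.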