Have You Ever Care About Identity Integrity?
Terrence Chou
Posted on April 12, 2024
Because of fascinating features and thorough services, organisations are more willing to embrace public cloud platforms (AWS, Azure, GCP, etc) to enlarge their business footprint. A robust defence and recovery framework against cybersecurity incidents is always a key to ensure business continuity. Intrinsically, every technical stuff could be fully controlled in that people define each of them; in other words, every employee could be a potential exposure point, accidentally revealing their business environment to the external world. According to numerous public researches, it is really. We all must keep in mind that modernisation not only means service frameworks but also cyberattack patterns! Every catastrophic disruption could result from the organisation's pillars and one of them is identity!
Identity Attacks Have Raised Than Ever
In general, the types of attacks we have learned could be summarised below:
To pause your service(s) functioning - The most common case is the DDoS attack and it happens quite often, especially when a bunch of competitors share the same commercial market(s). Intrinsically, this kind of disruption would be a short-term period in that the intention behind the scenes does not aim to completely destroy your service(s), but temporarily stop you gaining revenue from the specific event(s) instead. The common DDoS attack is volume-based, meaning that your business continuity primarily relies on how many atypical requests you could mitigate before they get in your core infrastructure; for instance, leverage your ISP's Anti-DDoS offering or deploy the RTBH (Remote-triggered Black Hole) architecture to achieve.
To infiltrate your business environment(s) and exfiltrate sensitive data - Compared to the DDoS attack, the infiltration attack is much more difficult to prevent in that it could get in your environment(s) via a variety of manners; for instance, visiting a suspicious website or opening a phishing e-mail without too much awareness. An unexpected daemon/process could reside in your house and steal your treasures silently. When you notice that there is something wrong, it does not mean that the event just gets started, but comes to the end instead. In order to gain more granular visibility and formulate a robust runbook whenever an event comes up, most organisations typically implement the NDR (Network Detection and Response) and EDR (Endpoint Detection and Response) solutions to strengthen.
When we look at an essential of those solutions, they enrich both the observability and security on the infrastructure layer without any doubt; however, they do not take too many focus on the application layer. We have lived in an era where every modernised cyberattack aims to manipulate your service(s) and even tamper with your business data instead of taking over your core infrastructure. The most effective and easiest manner is to penetrate any of the identities's permission (as a trojan horse) within your organisation. Is it FEASIBLE?! Our resources are well-protected via a number of security frameworks across different tiers!
However, the truth is that this kind of tragedy has happened over and over again, it is just because you have not been aware of.
ITDR, A New Norm
The most well-known and widely deployed identity store is Microsoft Active Directory (AD) when excluding any of the Identity Provider (IdP) platforms (well, I have not noticed that Active Directory has been launched on Windows 2000 Server Edition since 1999 😗). Although we understand what benefits we could gain from both the managed application services and cloud IAM services, the thing is that the Microsoft service frameworks are still valuable for a large amount of enterprises around the world; Microsoft keeps increasing its market share in the Cloud Infrastructure Services arena that could demonstrate this point.
What does that mean on the other hand? That is to say that you should invest in how to ensure your Active Directory's integrity as much as possible. According to Microsoft's research, over 80% of breaches were caused by identity-based attacks. A general pattern is someone who is neither an IT employee nor an employee within the organisation promotes their permission from a user/guest role to an administrator role successfully without any approval, then takes away/tampers with business-sensitive data.
Let us look at the security boundary of Active Directory. Since it covers not only the IAM principle but also the EDR scenario (all the activities are written in Windows Event Logs), a new security framework (or more precisely, a marketing term 😜) joins the game accordingly - Identity Threat Detection and Response (ITDR). What ITDR does could be spotlighted on the discovery, tracking, and notification pillars.
- Discovery - According to your Active Directory's profiles, correlate all of them with the IOA (Indicators of Attack), IOC (Indicators of Compromise), and IOE (Indicators of Exposure) indices to dig into any potential security leak/vulnerability.
- Tracking - Every Active Directory's object, including User Accounts, Group Policies, and DNS Records could be modified by any authorised user/role, which means each workflow should contain four W-ingredients to ensure every single change is well-monitored: Who made the change? When did this change take place? Which object was influenced? And, what action applied to this object?
- Notification - Since every single change is well-monitored, a warning message will be delivered immediately to inform all the correlatives that something goes wrong and must react right away whenever an atypical/unauthorised modification is detected.
Because of these weapons, you have a clear blueprint of what you should defend and precise guidance on how to consolidate your Active Directory's defence boundary; no fears anymore 😎
You Should Be Greedy For Visibility
How will you take any action once you are aware of something atypical? Why GuardDuty, Inspector, CloudTrail, and other equivalent services are extremely prominent for detecting and responding to any unsecure exposure? In effect, those concerns emphasise one spotlight in common: every access must be well-traced in that each of them could be a potential clue of an incident, which visualises every single behaviour granularly so that you will be able to react promptly if something goes wrong.
As I mentioned from the outset, most modernised cyberattacks aim to open up your infrastructure (door) and take over applications (control) on your behalf; nothing will be deemed illegitimate as usual! Of course, ransomware is a thing you need to beware of; however, Active Directory is another stuff you must pay attention to. Please bear in mind that Active Directory is not a single and individual component, but a complex and multi-relational ecosystem instead. None of the enhancements/optimisations are based on what you feel, but what you observe instead. Data are always out there and waiting for mining, the challenge is always how to utilise them more straightforwardly and efficiently. That is why XDR (Extended Detection and Response) comes into play; X could even mean Anything in that it is a methodology/framework rather than a single product, and ITDR is part of the XDR subsets.
Never Too Late To Commence
Hunting always follows the footprints! In the IR (Incident Response) world, every effective reaction relies on how many clues could be investigated; otherwise, you will be overwhelmed or even exhausted by countless false alarms. Active Directory is an invaluable but invisible contributor, your service framework could not function properly without its reliability. To be hunted or to be hunting? Think about the position you want to be.
Posted on April 12, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.