Contributed by Darren Mar-Elia, VP of Products, Semperis (www.semperis.com)
The scene is set for identity-focused security to take centre stage in 2023.
In recent years, we’ve seen organisations openly embrace hybrid cloud environments as they move to more flexible models in the so-called ‘new normal’ era. The world of work has continued to become increasingly digitalised as a result, underpinned by a plethora of innovative applications, solutions, technologies and devices that are serving up numerous productivity and operational benefits.
By contrast, the security considerations of this transition have been a little more complex.
In embracing the cloud, the traditional network perimeter ceases to exist. Instead, organisations find themselves managing hybrid identity environments with an endless array of possible entry points to defend. Preventing attackers from moving freely between on-prem environments underpinned by Active Directory (AD) and cloud environments underpinned by Azure AD has emerged as a key concern among many enterprises.
Indeed, the primary motivator for many developing hybrid environments was operational necessity in response to the pandemic—not security. As a result, many organisations are now retrospectively attempting to bridge the security gaps.
Unfortunately, this task is proving to be tricky. Be it preventing, detecting, remediating, or recovering from threats that target AD, challenges are strewn across the entire AD attack lifecycle.
Indeed, many firms lack confidence in their ability to meet the challenges of the current threat landscape. Conducting a survey of IT and security leaders at more than 50 organisations, we found that just one third (33%) were confident in their ability to prevent on-prem AD attacks, while little over a quarter (27%) expressed confidence in mitigating Azure AD attacks.
The importance of identity threat detection and response
Given that identity systems have become a prime target for cybercriminals, these statistics are concerning.
It is estimated that AD is exploited in 9 out of 10 cyberattacks. Indeed, Gartner advises that misused credentials are now the top technique used in breaches, with nation-state-level attackers that actively target AD and the identity infrastructure seeing phenomenal success.
Further, hybrid environments aren’t going anywhere. Not only is AD the primary identity store for 90% of organisations worldwide, but Gartner also predicts that only 3% of organisations will migrate completely from on-premises AD to a cloud-based identity service by 2025.
For these reasons, Gartner not only named identity system defence as one of the 2022 top trends in cybersecurity, but also devised an entirely new category: Identity Threat Detection and Response (ITDR).
Clearly, organisations know they need to better protect their identity systems.
Critically, more than three quarters (77%) of our survey respondents admitted that they would likely suffer from a severe or catastrophic impact if a cyberattack were to take down AD, while just 32% indicated they were “extremely confident” that they could recover from an AD attack.
For this reason, as firms seek to turn the tide on AD-related threats, ITDR solutions specifically designed to defend identity systems have quickly climbed the priority ladder, with organisations seeking several methods of protecting and recovering their hybrid environments.
Here, we look at the most important ITDR requirements as identified by our survey respondents.
Automated, fast AD recovery
Our survey reveals that a clear majority (77%) of firms would suffer from a severe impact (as they have a general disaster recovery solution, but no specific support for AD) or a catastrophic impact (they would need to conduct a manual recovery using backups, which would require days or weeks) if a cyberattack took down AD. For this reason, the ability for firms to recover quickly (within hours instead of days or weeks) and in an automated manner is a leading priority for those seeking ITDR solutions.
Detection of attacks that bypass traditional tools
Survey respondents also cited the failure to detect attacks that bypass traditional monitoring tools as a top overall concern in protecting AD. Organisations are seeking solutions that use multiple data sources—including the AD replication stream—to detect and mitigate the effects of advanced attacks.
Improved transparency in AD and Azure AD
Detecting attacks that move from on-prem AD to Azure AD, or vice versa, has emerged as a top concern for organisations managing hybrid environments. Indeed, only one-third of respondents said they were very confident in preventing or remediating an on-prem AD attack, and only 27% indicated the same level of confidence regarding Azure AD. Firms require solutions that can provide greater transparency into activities that involve both AD and Azure AD environments.
Discovery of legacy misconfigurations and vulnerabilities
Given the number of attacks that exploit AD vulnerabilities on a near-daily basis, organisations are understandably concerned about assessing their environments for vulnerabilities that could leave them open to attackers. Knowing where those vulnerabilities lie is the first step towards improving security. A long-term maintenance plan involves checking identity security posture continuously for weaknesses—something that organisations are seeking in ITDR solutions.
Automated remediation
Cyberattacks often move at lightning speed once attackers drop malware, so automatic remediation is critical to preventing an exploit from leading to elevated privileges and an eventual network takeover. In the notorious 2017 NotPetya attack on shipping giant Maersk, the company’s entire network was infected in minutes. Survey respondents indicated that automated remediation of malicious changes to stop fast-spreading attacks was the most important remediation capability, followed by tracking and correlating changes between on-prem AD and Azure AD.