News
Orgs Failing at Identifying Exploitable Identity Holes
By Kurt Mackie
February 25, 2022
Organizations generally don't have the means to discover identity risks and therefore need automated tools, according to an annual report on the state of identity-based security risks at organizations, published by identity security company Illusive.
The company also released this week a new identity risk management platform, made up of two parts called Illusive Spotlight and Illusive Shadow, to help curb this trend. Illusive Spotlight automatically discovers and fixes privileged identity risks, while Illusive Shadow adds protections against the risks that can't be automatically fixed or remediated. Illusive's new report, "Analyzing Identity Risks 2022," coincidentally makes the case for organizations to use such identity security tools.
According to the report:
Even the most well-intentioned security teams can't mitigate identity risks unless they're aware of them. While some organizations have attempted to manage this risk by getting visibility through red team exercises, annual audits, scripts and spreadsheets, these have been vastly incomplete and therefore ineffective.
New York- and Tel Aviv, Israel-based Illusive describes itself as a company that was "founded by nation state attackers," with origins in Israeli military intelligence.
Top Identity Risks
The "Analyzing Identity Risks 2022" report is a compendium of identity compromise risks found over the course of last year on "millions of endpoints on which Illusive is deployed." The sample included a total of 25 organizations, representing "financial services, healthcare and retail companies" with about "1,500 to 75,000 endpoints each."
Illusive found a lot of identity-based security holes in its study, with identity deemed the "top vector for attacks." Here are the report's main findings, based on last year's stats:
- One in six endpoints had exploitable identity risks.
- Forty percent of so-called "shadow admin risks" could be exploited in a single step.
- Eighty-seven percent of local administrators weren't part of a privileged account management solution.
- Privileged account passwords were exposed on "13% of endpoints."
Unmanaged Identity Risk
Illusive categorized identity risks under three categories, namely "unmanaged," "misconfigured" and "exposed."

Unmanaged identity risks are things like "outdated local admin passwords" or admin IDs that are not controlled by an account management solution, such as Microsoft's Local Administrator Password Solution (LAPS). Another source of unmanaged identity risks is the use of temporary or test accounts, where the local administrator's identity may be unknown. The report also found that 21 percent of local administrators were using the default "Administrator" account name, which makes attacks easier, the report argued.
LAPS ensures that local administrators use unique passwords. Organizations that fail to use such account management solutions could be subject to issues like password reuse, which just aids attackers, according to the report.
Illusive contended that administrative passwords should be "changed every 30 to 90 days." However, that wasn't the practice found in its study sample, where 62 percent of local administrator passwords went "unchanged for more than 1 year."
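As an added illustration (not part of the article and not Illusive's tooling), here is a PowerShell check a defender can run on a single Windows endpoint to surface the three unmanaged-identity signals described above: no LAPS policy present, the built-in administrator still named "Administrator," and local administrator passwords older than the 90-day ceiling the report cites. The LAPS file and registry locations are assumptions based on the documented install paths of legacy LAPS and Windows LAPS, and the 90-day threshold is taken from the report's range.

```powershell
# Added example: audit one Windows endpoint for unmanaged local-admin identity risk.
# Run in an elevated PowerShell 5.1+ session. Not Illusive's code.
$MaxPasswordAgeDays = 90   # upper bound of the report's "30 to 90 days"

# 1. Is any LAPS variant managing the local admin password?
#    Assumed locations: legacy LAPS ships a Group Policy CSE DLL; Windows LAPS is
#    configured under a policy registry key.
$legacyLaps  = Test-Path 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
$windowsLaps = Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$lapsManaged = $legacyLaps -or $windowsLaps

# 2. The built-in administrator always has RID 500, whatever name it carries,
#    so match on the SID rather than trusting the display name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

$findings = @()
if (-not $lapsManaged) {
    $findings += 'No LAPS policy detected: local admin password is not centrally managed'
}
if ($builtin -and $builtin.Name -eq 'Administrator') {
    $findings += 'Built-in administrator still uses the default "Administrator" name'
}

# 3. Password age of every enabled local member of the Administrators group.
#    Domain members are skipped: their rotation is a domain-side control.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    if ($member.ObjectClass -ne 'User' -or $member.PrincipalSource -ne 'Local') { continue }
    $user = Get-LocalUser -Name ($member.Name -replace '^.*\\', '')
    if (-not $user.Enabled) { continue }
    if ($null -eq $user.PasswordLastSet) {
        $findings += "$($user.Name): password has never been set on this machine"
        continue
    }
    $ageDays = [int]((Get-Date) - $user.PasswordLastSet).TotalDays
    if ($ageDays -gt $MaxPasswordAgeDays) {
        $findings += "$($user.Name): password unchanged for $ageDays days"
    }
}

if ($findings.Count -eq 0) { 'No unmanaged identity findings on this endpoint' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Running this across a fleet (for example via a remoting job) and counting the FINDING lines gives a local approximation of the percentages the report derives from its endpoint telemetry.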
Misconfigured Identity Risk
The misconfigured identity risk category pertains to regular end users with IT administrator privileges that are not known or managed by the IT department.
The study found that 13 percent of these so-called "shadow admins" had domain administrative privileges, which, if the account were to be compromised by attackers, could lead to privilege escalation in a network.
The study also found that 1.7 percent of the shadow admins had "Microsoft Active Directory DCSync permissions," described as the "crown jewels of an organization" because it permits the copying or synchronizing of domain controllers and is at the highest permission level.
Exposed Identity Risk
On the exposed identity risk side, the study found that privileged account passwords were simply left on 13 percent of endpoint devices.
There are different sources for such exposed passwords, such as "cached credentials, in-app password stores, OS password stores and disconnected or 'hanging' remote desktop protocol (RDP) sessions," the report indicated.
The in-app passwords often can be hard coded into older or "legacy" applications, and they don't undergo an Active Directory check. The report found that 34 percent of exposed identity information was "stored as in-app credentials."
Web browsers are a big risk problem for exposed identities. The report found that "55% of exposed privileged identities" were stored in browsers. Illusive contended that "most privileged access management (PAM) solutions tend to overlook these risks," but attackers have been automating the collection of these browser-based credentials.
In general, the report argued that "the large number of gaps in security posture around identities, even at organizations with highly mature security practices," have just made things easier for attackers. Moreover, organizations haven't been effective in finding those gaps.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.