Why Identity is the perimeter you should care about
Traditional Options for Protecting Your Network’s Perimeter
Most, if not all, organisations protect themselves at the perimeter with one or more firewalls, and many add further layers of protection inside the network and in the DMZ. Vendors offer a vast array of products to help, including intrusion detection systems, intrusion prevention systems, email filtering, and anti-virus and anti-malware software. Organisations can also choose more modern solutions designed to protect against today’s advanced attacks, including network- or endpoint-based threat detection products, incident response tools, and behavioral analysis products.
Although these traditional solutions add valuable layers of protection, none provides a silver bullet. In fact, we know from today’s threat landscape and from our experience in responding to attacks that protection at the perimeter of the organisation is failing. While most traditional solutions provide some level of protection against attacks, we know that breaches are inevitable — eventually, traditional perimeter protection will fail and attackers will get in.
To understand why this is the case, let’s look at the basic anatomy of today’s advanced attacks.
First, to penetrate an organization, attackers commonly use a combination of social engineering and malware, often in the form of an email phishing attack. Specifically, they target an organisation using information harvested via social engineering, social media, and open source data, and then lure unsuspecting users into downloading malware onto their computers.
Once the attackers have established an initial foothold, either through the malware approach just described or by other means, they obtain legitimate credentials — especially credentials with a privileged level of access — or create new credentials, so that they can move laterally to perform reconnaissance and gain higher levels of access.
Attackers typically remain present in the target organisation for long periods of time – often tens to hundreds of days. During this phase, it’s likely that the attacker is no longer using malware; rather, a human actor is using the legitimate credentials that have been obtained or created to blend in with the other activity in the environment.
Once the attackers have found what they’re looking for, they complete their mission by staging the data they’re after and then stealing it.
The Key Element to a Successful Attack: Credentials
However attackers breach an organisation’s perimeter, they need one critical thing to successfully complete their mission: credentials.
Attackers can steal credentials from unsuspecting users through a brute-force method, or they can obtain the password hash and pass it when required (a pass-the-hash attack). Either method enables attackers to masquerade as real users, blending in with the day-to-day noise of legitimate activity so they can move laterally without detection. In some cases, attackers have the audacity to escalate their privileges — often by exploiting a vulnerability — and create their own credentials within the organisation’s identity store.
Considering Identity as the Perimeter
Traditional perimeter protection (firewalls, intrusion detection systems, anti-virus software, and so on) is valuable, but clearly no longer sufficient to keep attackers out of corporate networks. Organisations therefore need a new paradigm: stop treating the edge of the network as the only perimeter, and expand the definition of the perimeter to include identity.
This can be achieved by supplementing traditional perimeter protection with additional layers of security around the use of any credentials: Two-Factor Authentication, Adaptive Authentication, and Single Sign-On (SSO).
Two-Factor Authentication requires not only something the user knows (a username and password) but also something the user has, such as a one-time password (OTP). By increasing the level of protection associated with the authentication process, Two-Factor Authentication mitigates the risk of attackers misusing legitimate credentials — a stolen user ID and password become worthless to attackers because they lack the associated token or other second factor.
Adaptive Authentication provides an effective option for enabling stronger authentication by analyzing the context of the user behind the scenes. It blends a variety of techniques for assessing a user’s context to achieve an aggregated risk score. For example, Adaptive Authentication can take into account information about the user’s IP address, device, geographical location, and behavior.
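An added example (not SecureAuth’s code or the article’s) of how a context-based risk score can drive the step-up to a second factor, tying together the Two-Factor and Adaptive Authentication paragraphs above; the signal weights, thresholds and the user baseline are assumed values:

```python
import ipaddress
from dataclasses import dataclass, field

# Signal weights and decision thresholds (assumed values; tune to your environment).
WEIGHTS = {"unknown_device": 30, "unusual_country": 35,
           "off_hours": 15, "external_ip": 20}
STEP_UP_AT = 40   # at or above: require a second factor (e.g. an OTP)
DENY_AT = 80      # at or above: block the login and alert

@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, learned from past successful logins."""
    known_devices: set
    usual_countries: set
    usual_hours: range                                  # local hours, e.g. range(7, 20)
    corp_networks: list = field(default_factory=list)   # ipaddress network objects

def risk_score(ctx, base):
    """Aggregate the login context into a 0-100 score plus the signals that fired."""
    reasons = []
    if ctx["device_id"] not in base.known_devices:
        reasons.append("unknown_device")     # device never seen for this user
    if ctx["country"] not in base.usual_countries:
        reasons.append("unusual_country")    # geolocation outside normal countries
    if ctx["hour"] not in base.usual_hours:
        reasons.append("off_hours")          # outside the user's working hours
    addr = ipaddress.ip_address(ctx["ip"])
    if not any(addr in net for net in base.corp_networks):
        reasons.append("external_ip")        # not from a corporate network
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons

def decide(ctx, base):
    """Map the score to an outcome; a correct password alone never settles it."""
    score, reasons = risk_score(ctx, base)
    action = "deny" if score >= DENY_AT else "step_up_2fa" if score >= STEP_UP_AT else "allow"
    return {"action": action, "score": score, "reasons": reasons}

# Constructed sample baseline for one user (not real data).
ALICE = UserBaseline(known_devices={"laptop-0a1b"}, usual_countries={"GB"},
                     usual_hours=range(7, 20),
                     corp_networks=[ipaddress.ip_network("10.0.0.0/8")])

if __name__ == "__main__":
    # Same valid credentials, three contexts: office laptop, new device after hours, new device abroad.
    for ctx in ({"device_id": "laptop-0a1b", "country": "GB", "hour": 10, "ip": "10.1.2.3"},
                {"device_id": "phone-9f", "country": "GB", "hour": 23, "ip": "10.1.2.3"},
                {"device_id": "phone-9f", "country": "US", "hour": 3, "ip": "203.0.113.7"}):
        print(decide(ctx, ALICE))
```

Only the first context is allowed through on the password alone; the second is prompted for a second factor and the third is blocked, which is the point of treating identity, not just the network edge, as the perimeter.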
Single Sign-On (SSO) often improves the user experience, since users have to log on only once to get access to their applications and data. But SSO also provides other benefits — in particular, it can help safeguard a user’s identity. Without SSO, users often suffer from username and password fatigue and reuse relatively easy-to-guess usernames and passwords across applications.
It’s important to understand that these approaches not only help prevent attackers from using stolen credentials; they can also help prevent legitimate users from misusing their own credentials.
It’s also important to remember that any protection wrapped around the user’s identity needs to apply wherever those credentials are used, which is commonly at the edge of the network: where the user logs in externally via a VPN, or when accessing cloud-hosted or on-premises applications.
Keith Graham, CTO, SecureAuth