Blogs & Opinions 03.09.2024

Cyber Resilience: Identity is at the Heart of Response and Recovery

Identity is undoubtedly the crucial security perimeter, argues Alex Papadopoulos. So when your organisation is hit by a cyber attack, do you have an accurate understanding of your identity domain?

It’s happened. Your organisation is now one of the 70% hit by a cyber attack. What now? Given my role, you’d expect me to say you bring in the incident response team, but what exactly will they find? Do you have a clear incident response plan? Who is taking the lead internally? And, crucially, have you got an accurate understanding of your identity domain?

That may feel like a lot of pressure in an opening gambit, but trust me, it’s nothing compared to navigating an incident. Fortunately, as you are reading this and (hopefully) not dealing with an attack in real-time, there is time to ask these questions. I’d like to focus on the importance of that last identity domain question.

Understanding Active Directory

Identity is undoubtedly the crucial security perimeter. Security is founded on people and their identities. Those identities are the gateway to the organisation’s intellectual property (IP) and data, making identity management business critical.

Active Directory (AD) is the dominant identity access management solution for most enterprises today, including retailers, banks, military, government, and small businesses. In fact, most of the Fortune 500 use AD as the identity backbone for facilitating user access to data across the organisation.

As mission-critical workloads have shifted to the cloud, there’s an increased reliance on the new version of AD in Microsoft Azure, called ‘Microsoft Entra ID’. Keeping track of access controls, application consent, and configuration changes across an organisation (both large and small) can be incredibly challenging, but not doing so can be incredibly dangerous.

Most AD domains we see in incident response are more than a decade old, and some are even two decades old. With great age comes great complexity, and configurations that were once robust and secure now present threats due to design flaws and entropy that result in vulnerabilities.

It’s not just us defenders who know this; the attackers also do. And they specifically target the AD environment for two reasons:

  • They know they will get initial access – most likely via a known vulnerability (seven of the most used exploits in 2023 were known and had patches)
  • They also know that they are almost guaranteed to find a simple attack path to escalate their privileges to domain administrator or global administrator and get the keys to the proverbial castle

Do you know what you have?

It’s normal for business requirements to change over time. Applications that were once crucial get upgraded, and people leave or change roles and need different access privileges. As these changes happen, it’s common for some debris to be left behind in Active Directory and forgotten about. And it’s that forgotten debris that leaves a business vulnerable.

In the UK, every year, your car has to pass its MOT test to ensure it’s roadworthy. The test is designed to ensure every vehicle on the road meets a minimum standard of safety to protect the driver and other road users. The MOT criteria are updated regularly, adapting to advances in vehicle technology. Regular updates and testing are an effective part of road safety.

Similarly, your AD environment needs a solid, regular cybersecurity assessment and remediation plan. A good security assessment will identify issues and vulnerable configurations and deliver risk-prioritised, actionable remediation steps and guidance to rectify them.

As I said earlier, the most used exploits by attackers are known. Organisations that have gone through detailed assessments gain an understanding of all the known vulnerabilities that exist at that point in time. Whilst new vulnerabilities will arise in the future, remediating those identified that can give attackers privileged access in AD will significantly enhance an organisation’s security posture.

If an attacker does get into your network, a hardened identity domain will slow them down or maybe even force them to give up and move on to another network. Without a simple attack path, attackers must invest more time and make more noise as they search for an opportunity to escalate privileges, which is exactly what network defenders need in order to spot and contain attacks before they have a significant impact.

Speed of response

Understanding the Active Directory environment plays a critical role in cyber defence. It can ensure known issues and vulnerabilities are remediated and identify problems before an attack happens.

One truth is universal in cybersecurity: speed is of the essence. With dwell times now under 24 hours for ransomware, attackers operate quickly. For organisations, every second spent under attack has serious repercussions, both financially and reputationally. So, every step you take to learn how to make your organisation more robust and secure is vital. Investing in hardening your identity domain will pay dividends against most of the cyber attacks your organisation is likely to encounter. I highly recommend you do so ASAP.


Alexandros is the director of incident response at Secureworks. He has over 20 years of experience in the technology and consulting space. Since 2013, Alex has focused exclusively on cyber incident response, starting his DFIR journey as a first responder and forensic analyst. Today, Alex is responsible for incident response and readiness services in EMEA for Secureworks. He lives in London with his three children and wife.