How IAM can help move the finish line for hackers

Identity and access management can be leveraged by an enterprise to secure a network that might already be compromised. Here's how...

access computer through your phone skeleton key unlocking
Thinkstock

During a recent conversation with my mother-in-law the topic came up about my studying for the Certified Ethical Hacker (CEH) exam.  After she finished chuckling, she asked a typical question I receive about CEH, “Is there really such thing as an ethical hacker?” 

Well, of course there is. I began to describe the battle between “white-hat” and “black-hat” hackers in terms of renaissance military times.  Starting with the basics, that the network is like a castle, the castle walls are similar to how a firewall works, the drawbridge works like a VPN does, etc.  She was a bit intrigued and asked how modern security measures keep the attackers out, to which I eventually made the comment, “the truth is, most people have already been hacked and don’t even know it.”  This time making the real-world analogy that most breaches are like a sleeper cell, just waiting for activation. 

A typical bad actor will gain access to a network via a compromised account, either by stealing or guessing someone’s login credentials. However, continuing to use the account once access is gained by the criminals is a very bad idea for a number of reasons. As a result of this, the next step attackers usually take is to create a backdoor account, which essentially means they ‘fly under the radar’ or staying on the network unnoticed.  The majority of the biggest breaches on record have all shown this exact pattern of having a backdoor account that hides in plain sight. At this stage of a breach (and at this point in my explanation to my mother-in-law) is where my expertise comes in, my industry focus on (IAM) is the solution to this common issue.

Traditional defense-in-depth isn’t working

Let’s dive a little deeper into this topic by going back to the renaissance military analogies. A castle has a moat, drawbridge, arrow slits in the battlements, a strong inner keep and more. These multiple defensive layers are designed to weaken and ultimately defeat an attacker.  Today an organization’s network will have intrusion detection, firewalls, network isolation strategies, encrypted data and more. Unfortunately, if a bad actor is able to obtain those compromised credentials and gain access to the network, all the defensive layers in place are now irrelevant.  A perfect example of this was described by the Department of Homeland Security Assistant Secretary Dr. Andy Ozment when he testified regarding the nation state attack against the Office of Personnel Management saying that, “encryption would not have helped in this case." This is because the attackers were using valid credentials stolen through social engineering, which made it impossible for the other security products to detect a bad actor.

This is why phrases like “you’ve already been hacked” or “they’re already in the network” have become so common.  But this can be a scary state to be in.  If the criminals are already in the network, how do we secure it? 

The solution is to evolve your traditional defense-in-depth practices by combining them with modern IAM to implement: identity-in-depth.

Effective cybersecurity demands IAM

If I could distill the goals of IAM down, I would liken them to the Yin and Yang of simple identity management and security.  On one hand, we leverage IAM solutions so that we can make sure the business can remain agile, user requests are handled automatically, and accounts are provisioned and deprovisioned in target systems quickly and efficiently.  And on the other hand, IAM is leveraged to create a framework for security.  Both can be viewed as the primary purpose for IAM, but we’re going to be focusing on security here.  While there is a virtual buffet of solutions to consider, it’s important to first take a look at two core concepts in IAM security and how they move the goal posts for attackers out of reach.

Identity governance

I prefer the phrase Identity Governance mostly because it carries more gravitas that is inherent over the term Identity Management. You can do identity management in a spreadsheet, but governance is a whole different ball of wax.  Modern governance solutions not only make sure that accounts are properly synchronized with an organization’s cloud, internal directories and mailbox servers, but when leveraged correctly, they can do even more.  As a quick example, imagine an attacker has created a backdoor account, which has dangerous entitlements and access to critical systems with sensitive data.  This is where your governance system begins to kick-in.

First you get a notification that an account was created out-of-band or through a non-sanctioned process.  Then, the entitlements system recognizes that an account was just granted sensitive entitlements, which automatically generates a risk review workflow.  But wait, there’s more! Finally, the entitlements they just created will be automatically removed, causing the attacker to sit back in confusion. The point here is that modern governance has the ability to find the needle in the haystack and remove it before you have a chance to step on it, proactively stopping the attack before it happens.

Privileged access management

The next question should be, why do you have a network environment that allows dangerous entitlements or access to critical data to be doled out in the first place?  These entitlements are what we call ‘privileged’, and only a select few should have access to these accounts in the first place!  But in order to allow employees to have access to what they need on the network, organizations can turn to privileged access management (PAM).

PAM solutions are designed to catalog servers, credentials, risky entitlements, and more in a secure library or vault where they can be temporarily used on demand by authorized employees.  Access to these systems and capabilities can be granted through approval workflows, that can be fully audited and recorded with searchable indexed commands and a user’s session can even be recorded in a DVR like experience.  In fact, you can even monitor what a user does while using the access in real-time.  With this approach, coupled with continuous authentication, push-to-verify, and two-factor authentication prompts, your network can become an incredibly robust and secure environment.

This is the proverbial tip of the iceberg.  In a world more and more driven to hybrid computing, where firewalls might not even exist, and credentials are easily stolen, you must realize that the possibility of an attacker already being in your network is more likely than not.  Waiting for the attack and dealing with the fallout, which will lead to your inevitable search for a new job, won’t cut it.  You need IAM now more than ever, and you likely don’t have much time before you might realize that on your own.

This article is published as part of the IDG Contributor Network. Want to Join?

NEW! Download the Winter 2018 issue of Security Smart