How To Leverage Identity in An Attack

May 26, 2021

Identity Access Management (IAM) has evolved from an IT efficiency play into a foundational component of enterprise security frameworks everywhere. IAM centrally manages user accounts, credentials, roles, policies, attestation/certification, and audit/reporting for all of the organization's users and resources. Today, IAM is an essential capability that supports both security and compliance mandates; however, organizations with poor identity management practices can leave the door open for user accounts to be compromised as attack vectors, increasing both risk and the severity of vulnerabilities exponentially. As cyber attacks continue to increase in volume and sophistication, it is no longer a matter of “IF”, but WHEN, your organization will have a cyber security incident. Threat actors target accounts, users, and their associated identities to conduct malicious activities through privileged attacks and to exploit asset vulnerabilities. In this post, we will look at how an IAM program done well sets organizations up for success by defining core use cases that help ensure users have the right access, and that the proper audit/monitoring controls are in place.

According to the Verizon 2021 Data Breach Investigations Report, privilege misuse attacks take the longest to discover. This gives the intruder ample time to plant a backdoor or manipulate code in a way that benefits the intruder’s group. In the case of a ransomware attack, even after the data has been decrypted, there is a possibility that the intruder has left behind a weakness that lets them get back in when needed.


How Can An Organization Leverage Identity in an Attack?

How can identity be leveraged in an attack? Let’s look at a scenario where an engineer or developer is working on a proof of concept (POC) that is accessible via the Internet. Since it is a POC, the developer is not worried about the access or the identity that is required to validate the test case. In most cases, the piece of code is given the highest level of access so that the test case runs successfully. This creates a vulnerability in the system by giving an attacker an easy way to penetrate the live system and misuse the privileges. This is usually how an outsider attack is performed, and the root cause is a weak identity. It is also one of the ways an incident comes to be reported.

Insider threats are usually enabled when employees/users have elevated privileges to perform an activity. They can also occur if an organization does not conduct access certification campaigns to review the access that is needed and revoke it when it is no longer needed. There have also been instances where an insider threat is triggered months after the employee has left the organization. The Verizon report stated that about 70% of the attacks that occurred last year were cumulatively attributable to insider threats.

Identity Management solutions offer a range of capabilities that mitigate the risk of compromised accounts:

  • Role-based access control
  • Segregation of Duties
  • Enforce Least Privilege access model
  • Access Reviews/Attestation campaigns to remove unnecessary access
  • Automatic disablement of user accounts on separation
  • Enforce password complexity and expiration policies
  • Multi-factor Authentication/Risk-based Authentication
  • Tight integration with authoritative systems, such as a Human Resources Information System, to control the identity lifecycle
  • Privileged access management to reduce the number of administrator accounts and provide strict controls on the use of privileged accounts

Identity Management systems also make it possible to track and log large amounts of user data, giving a detailed view of each user’s activity. This data can be accessed within the IAM system itself, through a SIEM, or through a data analytics platform such as Splunk. By collecting user activity data over time and applying some basic analytics, we can establish user access patterns, identify anomalies, and discover possible incidents sooner. Typical data collected includes:

  • What applications the user accessed
  • When the applications were accessed
  • How many login attempts the user made
  • User session details
  • The user’s location and/or IP address of their session login (This can be particularly helpful if the user’s session is originating from outside the organization’s geography)

Next Steps and Responses

Once we have an identity to help correlate user activity over time across key applications and systems, we can generate insights that help the organization identify and respond to an attack. Some areas to look at are:

  • Attempts to access applications the user typically does not use or does not have access to
  • Multiple attempts to change or reset passwords
  • Attempts to disable/unenroll/reconfigure multi-factor authentication (MFA) systems. Updates to security questions or user profile information (e.g. phone numbers) can also be suspect
  • A large number of failed login attempts and/or account lockouts

Identity is a valuable data source for the identification and detection of suspicious activities that may be indicators of a cyber-attack. Implementing an effective Identity Access Management program to manage identities and roles, provide certification for regulatory compliance, and think through the identity-centric use cases can mitigate the threat and severity of a cyber attack. Following best practices when designing and maturing your identity management technologies in a corporate ecosystem will pay dividends down the road. A successful IAM deployment will lead to a measurable reduction of risk, improved auditing and discovery, and proactive oversight founded on real-world strategies to prevent identity attack vectors. We recommend beginning with an Identity Management strategy to define a solution roadmap that guides the organization towards a successful implementation.
