Are Identities Part of the Attack Surface?


One of the most exploitable assets of an IT estate is the information and assets of users; however, identities are often left out when an attack surface is mapped. Organizations must stop thinking of identities as only something to control access and start thinking of identities as a top domain asset that is the entrée to an attack surface. One must remember that an asset is anything of value, and identities certainly qualify as assets.

The need to treat identities as exploitable components of an attack surface is grounded in threat research. Verizon’s 2022 Data Breach Investigations Report stated that the “human element” is the primary means of initial access in 82% of breaches. Regardless of whether social engineering or stolen credentials are used, the common denominator is that identities were used as the attack vector.

So that we’re on the same page: identity-based attacks are one of the more rapidly growing threats to organizations. These attacks won’t decrease until we consider identities as part of the attack surface. In other words, we must acknowledge the problem.

How Did Identities Get Left Behind the Attack Surface Bandwagon?

Answering this question requires a nuanced approach. For three decades, identities were only thought of as something to provision, control access for, and report on. The cybersecurity industrial complex followed the mantra of need-to-know and least privilege, seldom looking outside the box at identities as an attack vector.

The quest to solve identity risk principally as an access problem drove an onslaught of identity and access management (IAM), privileged access management (PAM), and identity governance and administration (IGA) solutions. While these products were integrated with Active Directory (AD) as their authoritative identity source, AD vulnerabilities were often ignored.

Why? Few focused on connecting the dots by mapping out an identity attack surface. For example, AD is a prime target of hackers. Still, performing an identity ecosystem risk assessment was often skipped in deference to classic product risk assessments focused on access control restrictions. These partial identity risk assessments opened the door for successful Kerberoasting, password spraying, LDAP reconnaissance, and other sophisticated attacks against identity infrastructures.

Many of these attacks could have had proper defenses deployed if identities were treated as part of the attack surface, with threats revealed from a proper risk assessment. In today’s digital economy, identities are shared or federated everywhere, substantially expanding the identity attack surface. Lest we forget, harken back to the earlier pandemic days, with the scattering of identities to the world’s four corners and the rapid adoption of cloud computing.

Are Identities the New Perimeter?

Today’s network perimeter is gelatinous, following users as they travel, work at home, or exist within partner and vendor clouds. We have often thought endpoints defined the perimeter, but it is the user, or their identity, that does. The construct of an endpoint changes too often and is easily manipulated by adversaries. One could say the same of identities; however, identity is the base essence of a trust model. The design of zero-trust architectures should begin at the identity level, not the device level.

The first barrier to overcome in addressing identities as the new perimeter is the poor quality of identity data. Identities can have many attributes shared and unique among different sources, and identities can morph over time, reflecting job status, roles, responsibilities, etc.

If there isn’t an identity fabric to weave these disparate identity attributes, the problem is exacerbated. Identity analytics is required to understand an identity attack surface. With user attributes spread across diverse data sources, including AD, LDAP, SQL, and APIs, piecing together an identity attack surface could take months, if not years.

Complex? Wait, it gets better. Decentralized identity, or DID, is going to change everything. DID is all about the sovereignty of one’s identity: The individual owns and controls their identity. The implications are that additional layers of technology on the attack surface—including the distributed ledger decentralized identities—will be controlled. Acknowledging identities as a gateway asset to an attack surface is gaining traction. This traction has led to the development of purpose-built products, including identity security posture management (ISPM), identity attack surface management (IDASM), and identity threat detection and response (ITDR), to save the day.

But can these types of solutions save the day? Maybe! Institutions will still need a centralized place to visualize and manage all their identity data. But they will need to model identities between data sources to define today’s expansive cloud-based identity attack surfaces. This data can be ingested by leading attack surface management solutions using rich, extensible APIs.

What’s Next?

I encourage owners of identity stores, enterprise architects, and CISOs to start an internal working group to define how to identify their organization’s identity attack surface. This process begins with the inventory and centralization of identities and associated attributes across the IT estate and cloud ecosystem. Two essential technologies must be blended to ensure success: an identity fabric and an attack surface management platform. Why? Identities are assets, and an attack surface extends past identities. The objective is to acknowledge and integrate identities as an integral part of the attack surface, not treat them as a separate architectural access control exercise.
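The inventory step described above, and the earlier point about attributes scattered across AD, LDAP, and SQL sources, can be sketched as follows. This is an added example, not code from the original post or from any product it mentions; the records are constructed, the field names are assumptions, and joining on a lowercased e-mail address is a simplification of real identity correlation.

```python
from collections import defaultdict

# Constructed sample exports; field names are assumptions modelled on typical layouts.
AD = [
    {"sAMAccountName": "jdoe", "mail": "J.Doe@example.com", "enabled": True, "title": "Analyst"},
    {"sAMAccountName": "svc_backup", "mail": "", "enabled": True, "title": ""},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com", "enabled": False, "title": "Engineer"},
]
LDAP = [{"uid": "jdoe", "mail": "j.doe@example.com", "accountStatus": "active", "title": "Senior Analyst"}]
SQL_APP = [
    {"login": "asmith", "email": "ASmith@example.com", "is_active": 1},
    {"login": "contractor7", "email": "c7@partner.example", "is_active": 1},
]
SOURCES = {"ad": AD, "ldap": LDAP, "sql": SQL_APP}

def normalize(source, rec):
    """Map one source-specific record onto a common schema (key, active, title)."""
    if source == "ad":
        return {"key": rec["mail"] or rec["sAMAccountName"], "active": rec["enabled"], "title": rec["title"]}
    if source == "ldap":
        return {"key": rec["mail"] or rec["uid"], "active": rec["accountStatus"] == "active", "title": rec["title"]}
    if source == "sql":
        return {"key": rec["email"] or rec["login"], "active": bool(rec["is_active"]), "title": ""}
    raise ValueError(source)

def build_inventory(sources):
    """Centralize records: one entry per identity, holding each source's view of it."""
    inv = defaultdict(dict)
    for name, recs in sources.items():
        for rec in recs:
            n = normalize(name, rec)
            inv[n["key"].strip().lower()][name] = n
    return dict(inv)

def findings(inv):
    """Flag identities seen in only one source, or whose sources disagree."""
    out = []
    for key, views in sorted(inv.items()):
        if len(views) == 1:  # known to a single store: no authoritative cross-check
            out.append((key, "single-source", sorted(views)))
        if len({v["active"] for v in views.values()}) > 1:  # disabled in one place, live in another
            out.append((key, "status-conflict", sorted(s for s, v in views.items() if v["active"])))
        titles = {v["title"] for v in views.values() if v["title"]}
        if len(titles) > 1:  # attribute changed over time in one store only
            out.append((key, "title-drift", sorted(titles)))
    return out

if __name__ == "__main__":
    print(*findings(build_inventory(SOURCES)), sep="\n")
```

The status-conflict finding for `asmith@example.com` is the kind of gap a per-product access review misses: the account is disabled in the directory yet still active in the application database.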


This blog post was originally published on Radiant Logic’s blog.