Threat spotlight:
Break the attack chain with Identity Threat Defense
Get your defenses right every time and break the attack chain.
"The attacker only has to be right once. Defenders have to get it right every time."
This age-old saying has shaped countless cybersecurity strategies. The belief is that a single failure of our defenses can lead to a catastrophic outcome. As new risks emerge and attackers develop tactics to evade our controls, defenders are burdened with the daunting task of safeguarding an ever-expanding array of connected identities. Many organizations are now embracing resilience strategies, accepting the inevitability of an incident: it is not a matter of 'if' but 'when'.
EVP, Cybersecurity Strategy, Proofpoint
GVP, Product Marketing, Proofpoint
Block targeted phishing, malware, and social engineering attacks
Protect against impostor attacks
Detect and respond to cloud account takeovers, including suppliers/vendors
Cut off common attack paths
Prevent privilege escalation
Detect lateral movement
Detect and block data exfiltration attempts
Gain insight into risky user behavior
First is stopping the initial compromise: preventing attackers from getting into your organization through phishing, social engineering, impostor threats, business email compromise (BEC) and ransomware.
Aegis Threat Protection offers the best opportunity to stop the majority of these attacks.
Secondly, you must stop lateral movement. If an attacker does get in, you have a small problem, but the attacker wants to make it a bigger one by moving laterally and seeking identities that grant privilege escalation. They will try to get as much access as possible through Active Directory.
Identity Threat Defense provides visibility into identity attack paths to plant deceptions and prevent lateral movement and privilege escalation.
Thirdly, there is the chance to protect the data itself from loss or theft. Attackers target valuable data and launch ransomware attacks. This is where information protection, insider threat management and data loss prevention solutions come into play.
Sigma Information Protection helps defend data against loss, accidental or otherwise.
Since its inception in 2011, no other concept has captured the essence of successful cyber attacks quite like the attack chain (Lockheed Martin's 'cyber kill chain'). Surprisingly, even after twelve years, the attack chain remains as relevant as ever, while defenders struggle to prevent the most impactful incidents. One primary reason for this ongoing challenge is simple: defenders have been fixated on the impossible task of protecting everything within their organizations. Instead, they should aim to neutralize the attacker's tactics, techniques, and procedures (TTPs) that cannot be easily replaced, effectively disrupting the completion of the attack chain.
In today's dynamic threat landscape, cybercriminals employ an array of tactics to infiltrate organizations and wreak havoc. From the rise of Business Email Compromise (BEC) attacks to cloud account takeovers and ransomware incidents, the frequency of such incidents continues to escalate. One trend is the exploitation of trusted third-party relationships to compromise organizations through their suppliers.
What may appear as an innocuous initial email can rapidly escalate into a full-scale compromise, providing attackers unrestricted access to the organization's domain and enabling them to infiltrate email accounts for fraudulent activities.
Alarmingly, credential phishing emails leading to compromised accounts often evade detection, leaving behind no traces of compromise or evidence of malware. Even with multifactor authentication (MFA) in place, these attacks continue to surge. Once accounts are compromised, whether through a credential phishing email or malicious Remote Desktop Protocol (RDP) access, organizations face the next phase of the attack chain: privilege escalation and lateral movement within their networks.
In the middle of the attack chain lies the threat actor's quest to breach an organization's defenses. Often, they accomplish this by compromising the identities of employees, contractors, service providers, or edge devices. Their primary objective is to leverage this initial access and elevate their privileges, typically targeting Active Directory (AD). AD, ubiquitous across organizations, is susceptible to compromise, granting attackers unparalleled control over the organization's computing infrastructure. This access gives them the ability to move laterally and spread malware internally, causing even more harm.
Attackers don't merely rely on a single stroke of luck. Their success hinges on this series of precise maneuvers to achieve their ultimate objectives, often centered around monetary gains through data exfiltration. Once they have navigated through the intricate web of identities, they’re able to target valuable data, skillfully orchestrating successful data theft operations. To counter the scenario of loss of intellectual property or customer identifiable data, we must disrupt this intricate chain of events so that defenders can gain the upper hand and steer the course of cybersecurity in their favor.
The best way to build a picture of the attack chain is to look at it in its entirety. The patterns become unmistakable: most initial compromises happen through phishing and compromised credentials, most privilege escalation and lateral movement happens through AD, and most data exfiltration happens through either those same compromised identities or the actions of an insider with that level of access already.
On the way to achieving their objective of data exfiltration, cybercriminals will have moved through your networks and systems from one identity to another, escalating their privileges as they go. A typical organization has an enormous number of attack paths, which result from the simple fact that AD connects almost every computing asset in the organization. In practice, this could mean anything from using cached credentials on a compromised endpoint to finding a single server where the Domain Users group is a local admin, enabling their tools to run in that context, or innumerable other combinations.
How do attackers understand and choose between the multitude of attack paths available to them? In practice, it is often similar to how we navigate the real world: by using mapping applications. The same way you might use Google or Apple Maps upon arriving in a new city to find the quickest way from where you are to where you want to go, an attacker with a compromised identity uses conceptually similar tools (BloodHound or PingCastle to map the paths, and a toolkit such as Impacket to traverse them) to get to where they want to go, which is almost always the highest level of privilege in AD (a Tier 0 entitlement, such as membership of Domain Admins).
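The attacker's "map" reduces to a directed graph. The Python below is an added illustration, not Proofpoint's or BloodHound's code: a constructed set of AD relationships in BloodHound's edge vocabulary (MemberOf, AdminTo, HasSession), a breadth-first search for the shortest path from a compromised user to Domain Admins, and a check of which single edges, if removed, cut every path. Every principal, host and edge is invented for the example.

```python
"""Added example, not Proofpoint's or BloodHound's code: a toy attack-path map.

Edges use BloodHound's vocabulary: user -MemberOf-> group, principal -AdminTo->
computer (local admin), computer -HasSession-> user (that user's credential is
resident on the host and can be stolen by a local admin). Every name below is
constructed for illustration.
"""
from collections import deque

EDGES = [
    ("alice@corp.local", "MemberOf", "DOMAIN USERS@corp.local"),
    # The misconfiguration from the text: Domain Users is local admin on two servers.
    ("DOMAIN USERS@corp.local", "AdminTo", "SRV01.corp.local"),
    ("DOMAIN USERS@corp.local", "AdminTo", "SRV03.corp.local"),
    # A service account's credential is cached on both servers.
    ("SRV01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("SRV03.corp.local", "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "AdminTo", "FS02.corp.local"),
    ("FS02.corp.local", "HasSession", "da_bob@corp.local"),
    ("da_bob@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    # Unrelated edges that do not lead to Tier 0 on their own.
    ("HELPDESK@corp.local", "AdminTo", "WS07.corp.local"),
    ("WS07.corp.local", "HasSession", "alice@corp.local"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(edges, start, goal):
    """Breadth-first search; returns the path as a list of (src, rel, dst)
    edges, or None when the goal is unreachable from start."""
    graph = build_graph(edges)
    if start not in graph or goal not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, node = [], goal
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    path.reverse()
    return path


def choke_points(edges, start, goal):
    """Edges whose removal, on its own, leaves no path from start to goal.
    These are the 'roads' worth closing; the ones you cannot close (such as a
    user's membership of Domain Users) are where a trip wire belongs."""
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_path(remaining, start, goal) is None:
            cuts.append(edge)
    return cuts


def format_path(path):
    """Render a path as 'a -[rel]-> b -[rel]-> c' for a report."""
    if not path:
        return "no path"
    text = path[0][0]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {dst}"
    return text


if __name__ == "__main__":
    start = "alice@corp.local"
    print(format_path(shortest_path(EDGES, start, DOMAIN_ADMINS)))
    for edge in choke_points(EDGES, start, DOMAIN_ADMINS):
        print("choke point:", edge)
    # Closing one road: strip the service account's local-admin right on FS02.
    fixed = [e for e in EDGES if e != ("svc_backup@corp.local", "AdminTo", "FS02.corp.local")]
    print("after fix:", format_path(shortest_path(fixed, start, DOMAIN_ADMINS)))
```

Note that the Domain Users local-admin edge on SRV01 is not a choke point here, because SRV03 offers the same route; removing only one of the two would leave the attacker's map unchanged. Real tooling answers the same question over tens of thousands of edges, but the defender's decision is the same: close the roads that cut every path, and instrument the ones that cannot be closed.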
If an attacker gets into your ‘city’, you could remediate by closing roads to stop them getting to your key assets. But, if one road is used by your own people for real traffic flow, you can’t do that. So, you need to set a trip wire on that road to detect attackers, whilst allowing your real traffic to pass through.
These traps can be deceptions such as fake credentials or decoy accounts that have no legitimate use in your environment. Any attempt to use one tells you an attacker is on that road, and with that visibility you can prevent big issues like ransomware or data exfiltration before they happen.
Ultimately, what really makes attackers miserable is when they can't get from where they are, to where they want to go. If they can’t continue along the path their tools point them to, they’ll give up and leave your environment.
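The trip wire described above is, in detection terms, an exact-match rule on identities that must never appear in authentication logs. The Python below is an added illustration, not Proofpoint's code: two constructed decoys (an account whose cached credential is planted on endpoints, and a service principal name registered on a decoy account to attract Kerberoasting) and detection logic run over constructed log lines shaped like fields from Windows Security events 4624/4625 (logon), 4768 (TGT request) and 4769 (service ticket request). Account names, SPNs and addresses are invented.

```python
"""Added example, not Proofpoint's code: a trip wire on a road you cannot close.

The decoy identities and the log lines are constructed. The CSV columns mimic
the fields an analyst would pull from Windows Security events 4624/4625
(logon success/failure), 4768 (Kerberos TGT request) and 4769 (Kerberos
service ticket request).
"""
import csv
import io

# Constructed decoys: never used by real people, scripts or scheduled tasks.
DECOY_ACCOUNTS = {"svc_legacy_backup", "adm_fileshare"}
# Constructed decoy SPN: registered on a decoy account so a Kerberoast sweep asks for it.
DECOY_SPNS = {"MSSQLSvc/SQL01.corp.local:1433"}

SAMPLE_EVENTS = """\
EventID,TimeCreated,TargetUserName,IpAddress,LogonType,ServiceName
4624,2023-09-12T08:01:10Z,alice,10.1.20.15,2,-
4769,2023-09-12T08:01:12Z,alice,10.1.20.15,-,cifs/FS02.corp.local
4625,2023-09-12T08:03:44Z,bob,10.1.20.16,3,-
4769,2023-09-12T09:16:58Z,alice,10.1.20.15,-,MSSQLSvc/SQL01.corp.local:1433
4768,2023-09-12T09:17:02Z,svc_legacy_backup,10.1.20.15,-,krbtgt
4624,2023-09-12T09:20:41Z,adm_fileshare,10.1.20.15,3,-
4625,2023-09-12T09:21:00Z,adm_fileshare,10.1.20.17,3,-
"""


def detect(log_text):
    """Return one alert per event that touches a decoy. For 4769 the
    TargetUserName is the *requester*, i.e. the identity that is already
    compromised and is enumerating service tickets."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        eid, user, ip = row["EventID"], row["TargetUserName"], row["IpAddress"]
        reason = None
        if eid in ("4624", "4768") and user in DECOY_ACCOUNTS:
            reason = "decoy credential used successfully"
        elif eid == "4625" and user in DECOY_ACCOUNTS:
            reason = "decoy credential attempted (wrong password)"
        elif eid == "4769" and row["ServiceName"] in DECOY_SPNS:
            reason = "decoy SPN requested (Kerberoasting); requester is compromised"
        if reason:
            alerts.append({"event_id": eid, "time": row["TimeCreated"],
                           "user": user, "ip": ip, "reason": reason})
    return alerts


def hosts_to_isolate(alerts):
    """Source addresses that touched a decoy: these endpoints hold the attacker."""
    return sorted({a["ip"] for a in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']} {a['event_id']} {a['user']}@{a['ip']}: {a['reason']}")
    print("isolate:", hosts_to_isolate(found))
```

The rule has no threshold and no baseline because a decoy has no legitimate traffic: a single hit is actionable. That only holds if the decoys really are unused; a forgotten scheduled task running as a decoy account turns the trip wire into a daily false positive, so the "road" must be confirmed idle before the wire goes down.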
The term Identity Threat Detection and Response (ITDR) represents a significant shift in cybersecurity practice, introducing a new class of tools and best practices designed specifically to protect and defend identities from exploitation by adversaries. This marks a departure from the historical focus on ensuring legitimate access, expanding the scope to encompass proactive defense against identity-based threats.
The formalization of ITDR as a major cybersecurity market category is the clearest indication yet that identities deserve the same level of management, control and protection currently applied to networks, systems, and software. And it can’t come soon enough - more than half of surveyed enterprises had breaches because of exploited identities and credentials (1).
Recognizing the significance of this paradigm shift, Gartner introduced the term in early 2022 while highlighting security and risk management trends.
At the time, Gartner Research Vice President, Peter Firstbrook emphasized that organizations had made considerable strides in improving Identity and Access Management (IAM) capabilities but that “much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure. ITDR tools can help protect identity systems, detect when they are compromised and enable efficient remediation.”
1) ESG Research: The Identity Security Paradox
The SolarWinds incident of 2020 is a sobering example of how threat actors gain access to vulnerable environments, and a stark reminder of how we should think about identities. While it is extremely challenging to prevent a well-resourced adversary from gaining initial access to an environment via a malicious software update or a similar supply chain attack, the subsequent lateral movement towards the ultimate target (often data in Microsoft 365) via Golden SAML, forging SAML tokens with a stolen AD FS token-signing certificate, is far more detectable and preventable than the highly sophisticated method of initial compromise.
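Why is the Golden SAML step more detectable than the supply-chain entry? A forged token is accepted by the cloud service without the on-premises federation server ever having issued it, so the two logs disagree. The Python below is an added illustration, not Proofpoint's code, of that correlation. It assumes (these are assumptions, not facts from the page) that AD FS auditing is enabled so that each genuine issuance produces event 1200 ("The Federation Service issued a valid token") in the AD FS Admin log, that the cloud identity provider's sign-in log exposes the federated user, time and the SAML assertion's validity period, and that the AD FS token lifetime has been left at its 60-minute default. All records are constructed.

```python
"""Added example, not Proofpoint's code: spotting a forged (Golden SAML) sign-in.

Assumptions: AD FS auditing records event 1200 for every token it issues; the
cloud IdP's sign-in log carries the user, time and assertion lifetime for
federated sign-ins; AD FS mints 60-minute tokens. Every record is constructed.
"""
from datetime import datetime, timedelta

ADFS_TOKEN_ISSUED = 1200                  # "The Federation Service issued a valid token"
ISSUANCE_WINDOW = timedelta(minutes=5)    # assumed clock skew plus log propagation
MAX_ASSERTION_MINUTES = 60                # assumed AD FS token lifetime (default)

ADFS_EVENTS = [  # constructed AD FS Admin log extract
    {"event_id": 1200, "time": "2020-12-14T09:00:02Z", "user": "alice@corp.example"},
    {"event_id": 1202, "time": "2020-12-14T09:30:10Z", "user": "bob@corp.example"},  # credential validated, not an issuance
    {"event_id": 1200, "time": "2020-12-14T09:30:15Z", "user": "bob@corp.example"},
    {"event_id": 1200, "time": "2020-12-14T12:01:50Z", "user": "carol@corp.example"},
]

CLOUD_SIGNINS = [  # constructed cloud IdP sign-in log extract
    {"time": "2020-12-14T09:00:05Z", "user": "alice@corp.example", "issuer": "ADFS", "assertion_lifetime_min": 60},
    {"time": "2020-12-14T09:30:20Z", "user": "bob@corp.example", "issuer": "ADFS", "assertion_lifetime_min": 60},
    # Accepted by the cloud, but AD FS never issued anything for bob around this time.
    {"time": "2020-12-14T11:47:31Z", "user": "bob@corp.example", "issuer": "ADFS", "assertion_lifetime_min": 60},
    # AD FS did issue a token, but this assertion is valid for 30 days: not something AD FS minted.
    {"time": "2020-12-14T12:02:00Z", "user": "carol@corp.example", "issuer": "ADFS", "assertion_lifetime_min": 43200},
    # Cloud-native credential, outside the scope of this check.
    {"time": "2020-12-14T12:05:00Z", "user": "dave@corp.example", "issuer": "cloud-native", "assertion_lifetime_min": 0},
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_forged_signins(adfs_events, signins):
    """Flag federated sign-ins with no preceding AD FS issuance for that user,
    or with an assertion lifetime longer than AD FS is configured to mint."""
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] == ADFS_TOKEN_ISSUED:
            issued.setdefault(ev["user"].lower(), []).append(parse_ts(ev["time"]))

    findings = []
    for s in signins:
        if s["issuer"] != "ADFS":
            continue
        t = parse_ts(s["time"])
        reasons = []
        times = issued.get(s["user"].lower(), [])
        if not any(t - ISSUANCE_WINDOW <= it <= t for it in times):
            reasons.append("no AD FS token issuance (event 1200) within "
                           f"{ISSUANCE_WINDOW.seconds // 60} minutes before sign-in")
        if s["assertion_lifetime_min"] > MAX_ASSERTION_MINUTES:
            reasons.append(f"assertion lifetime {s['assertion_lifetime_min']} min "
                           f"exceeds configured {MAX_ASSERTION_MINUTES} min")
        if reasons:
            findings.append({"user": s["user"], "time": s["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_forged_signins(ADFS_EVENTS, CLOUD_SIGNINS):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

Two caveats for anyone turning this into a production rule. First, a user principal name is a weak join key; the cloud sign-in record and the AD FS audit both carry assertion or activity identifiers that correlate far more precisely. Second, the check is silent about a genuine token replayed within its lifetime, so it complements, rather than replaces, protecting the token-signing certificate itself.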
Viewing the attack chain in its totality makes it clear where defenders should focus to mitigate the risk of similar incidents in the future. As organizations embrace the pivotal role of identities in the cybersecurity landscape, the integration of ITDR solutions becomes paramount. By proactively defending against identity threats and investing in comprehensive identity management, organizations can fortify their security posture and safeguard their most valuable assets.
The rise of ITDR as a critical market category is a testament to the growing awareness of identity-centric risks and the collective commitment to bolstering defenses in an ever-evolving threat landscape.
To combat these escalating threats and safeguard organizational assets effectively, the adoption of proactive measures and comprehensive security controls is imperative. We must break the attack chain by implementing robust controls that block targeted phishing and malware attacks, swiftly detect and respond to account takeovers, identify and halt lateral movement, prevent privilege escalations, and fortify defenses against data exfiltration attempts.
Critical to breaking the attack chain is the use of Identity Threat Detection and Response (ITDR) solutions, controls capable of thwarting attacks before they materialize into devastating incidents like ransomware or data theft. By actively monitoring and analyzing identity-related activity, ITDR solutions provide the proactive defense needed to stop threats at their earliest stages.
Organizations can then effectively mitigate the risk of significant security breaches, safeguarding critical data and preserving operational continuity.
ITDR solutions scan each endpoint and identity repository to give both bottom-up and top-down views into risks related to unmanaged, misconfigured, and exposed identities. As a result, your security teams get the visibility required to take away the attack paths through Active Directory that are needed for attackers to deploy ransomware and steal large amounts of data.
By embracing ITDR and its associated practices, we empower ourselves to confront emerging threats head-on and ensure the resilience of our organizations in the face of ongoing identity-based challenges. With ITDR in combination with solutions in place across the attack chain that block initial compromise and tools to defend data, we are better armed to break the attack chain.
With identity as your new perimeter, you need a new set of tools to defend it. Proofpoint Aegis Threat Protection and Proofpoint Sigma Information Protection join forces with Proofpoint Identity Threat Defense to break the attack chain and provide a platform approach to protecting your people and defending your data.
Break the attack chain – detect and prevent identity risk to stop lateral movement and privilege escalation.