Discover your risky identities

Unmanaged, Misconfigured, Exposed.

Find out where your risky identities reside.

THREAT ACTORS LEVERAGE NUMEROUS TECHNIQUES TO OBTAIN ACCOUNT CREDENTIALS FOR THE SIMPLE REASON THAT THEY OPEN THE DOOR TO A HOST OF CYBER ATTACKS.

OFER ISRAELI

GVP & GM, Identity
Threat Defense, Proofpoint

Without the need to break through perimeters, cybercriminals can lay in wait undetected, moving through networks, laying multiple malicious payloads, exfiltrating data and targeting other high-value users along the way. As always, any effective defense against this style of attack requires an understanding of who is likely to be on the receiving end – your risky identities. These can be grouped into three categories:

Unmanaged identities

This includes service accounts that often go unmanaged by privileged access management as they were undiscovered during implementation. Another common unmanaged identity is the local admin. Set up to facilitate IT support requests, these identities are often forgotten after creation. Finally, many privileged accounts go unmanaged because they remained undiscovered during deployment.

Misconfigured identities

Shadow admins are commonly misconfigured due to the complexity of nested identity groupings, which can make it extremely difficult to see the complete rights and entitlements of all identities. As a result, shadow admins can be granted unintended excessive privileges.

Identities configured with weak or missing encryption and those that do not enforce strong passwords also fall into this category. As do service accounts, machine identities with privileged access rights may be misconfigured to incorrectly allow for interactive login by humans.

Exposed identities

This category includes cached credentials, which are commonly stored on endpoints, memory, registry and disk, as they can be easily exploited.

Cloud access tokens stored on endpoints are also a common means for attackers to gain access to cloud assets. Finally, remote application sessions may be improperly closed, allowing cybercriminals to compromise an open session and its privileges, often without the risk of detection.

While these are the riskiest identities in most organizations, it is crucial to understand that any single identity can be compromised and should be protected accordingly. However, by gaining visibility into those most at risk, you can bolster training, tools and protocols where they are needed most.

What Identities Are Risky Within an Organization?

		What are they?		How are they risky?
Service Accounts	→	Identities used by applications e.g. Web Server connecting to database	→	Unchanged static passwords Difficult to implement password rollover
Local Admin	→	Privileges account local to endpoint or server not part of identity infrastructure (e.g. AD)	→	Full control over endpoint or server if compromised. No centralized visibility to existence
Shadow Admin Accounts	→	Active Directory account that inherits privileges because they are in a nested group or access list	→	Unrecognized privileged access leads to lack of adequate security controls for these accounts
Exposed Credentials & Cloud Tokens	→	Passwords, hashes of passwords or cloud tokens stored in memory, browser applications, database clients	→	Attackers who have landed on endpoint/server can use stored credentials
Legacy App Accounts	→	Accounts created in legacy systems (e.g. mainframe) that are not managed by identity infrastructure	→	Full control over legacy app if compromised. No centralized visibility to existence
Open Remote Desktop Sessions	→	Stored RDP session credentials on Windows machines	→	Attackers can use stored. Credentials to compromise other machines

Proofpoint Identity Threat Defense

A complete Identity Threat Detection and Response solution to defend and mitigate gaps in identity posture that can lead to exploitation. More than half of surveyed enterprises had breaches because of exploited identities and credentials⁽¹⁾. Proofpoint Identity Threat Defense is undefeated in 150 red team exercises (and counting).

Continuous discovery: discover and prioritize identity vulnerabilities.
Automated remediation: automatically mitigate risks on endpoints and servers.
Runtime detection: deploy deception for failsafe intruder detection

Our preventative controls can discover and fix identity vulnerabilities before threat actors attempt to exploit them. At the same time, our detective controls alert security teams as soon as a threat actor attempts to compromise an identity.

As well as putting protections in place to keep cybercriminals out, our solution places lures to catch them should they get in.

Planting deceptive content that only a threat actor would interact with gives your organization a viable and proven alternative to unreliable behavioral analytics for accurately detecting privilege escalation and lateral movement.

These tools and techniques combine to create an advanced solution that can prevent, detect and alert of attempted identity threats – and recover quickly from successful attacks before they can cause lasting damage.

_{^{(1) ESG Research: The Identity Security Paradox.}}

Where do risky identities reside?

Service Accounts

Local Admin Accounts

Shadow Admin Accounts

Exposed Credentials & Cloud Tokens

Legacy App Accounts

Open RDP Sessions

Endpoints & Servers

Enterprise Active Directory

Azure Active Directory

Illuminate your security

BLINDSPOTS

Discover attackers and stop them before they move laterally in your environment. Proofpoint Identity Threat Defense discovers privileged identity risks on 1 in 6 enterprise endpoints.

Discover more