It’s no surprise that modern cyberattacks look for ways to move laterally both within an on-premises environment and over to an organization’s cloud-based services, applications, and resources. With almost every environment running some form of hybrid configuration, any identity credentials that are susceptible to compromise give an attacker potentially unfettered access to both the cloud and the on-prem environment.
And why is it so easy for an elevated identity to be compromised? Weaknesses in your identity configuration, management, and monitoring are likely the cause.
Think beyond just an insecure password – undocumented or forgotten accounts, permissions, and delegations; a lack of additional authentication factors; standing privileges; and more, all plague most organizations (because we’re all so focused on dealing with the “next” issue). It’s these weaknesses that cybercriminals look for and take advantage of… all because they know you haven’t addressed them.
In this Real Training for Free webcast, we bring back Yiftach Keshet, VP of Product Marketing at Silverfort, who a few months back shared with us some of the common identity security gaps that exist in on-premises environments. In this new session, we take a deeper dive into those gaps, which also enable threat actors to access SaaS-based applications and platforms.
Up first, 4-time Microsoft MVP Nick Cavalancia takes my seat as he discusses why identity continues to be a primary attack surface, using the MITRE ATT&CK Framework to demonstrate how nearly every action taken inevitably traces back to a weak identity attack surface.
Up next, Yiftach will revisit his dive into the most common security gaps, taking each one a step further by showing how it can be used to gain access to on-prem and cloud environments alike. These include:
- How adversaries abuse on-prem weaknesses to move laterally to, and compromise, the cloud environment: after gaining initial access to a machine, they take one of the following two paths to reach cloud environments:
  - NTLM path: scraping an NTLM hash from memory, cracking it offline, and accessing a SaaS portal via the browser. What enables the attack is the sheer volume of NTLM traffic (over 60% of authentications), which leaves hashes lurking on numerous machines for attackers to pick up and use.
  - Kerberos path: identifying admins that are associated with Service Principal Names and conducting Kerberoasting attacks to obtain their hash, then (as in the NTLM path) cracking the hash and using it to access a SaaS environment.
- Identifying users with excessive access privileges: 1 out of 7 users (on average) has access privileges similar to those of admins despite not being a member of any admin group. Naturally, there is also no protection for these users, because no one knows they are de facto privileged. Attackers can target these users for “under the radar” lateral movement.
- Stale accounts and shared accounts: a common malpractice that creates a huge attack surface. Stale accounts are not protected (and in many cases make up more than 15% of all users). Shared accounts can't be protected with MFA. Both types are extensively targeted.
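The two gaps above (de facto privileged users who sit outside every admin group, and stale or shared accounts) are the kind of thing a defender can inventory from a directory export before an attacker finds them. The following Python script is an added illustration, not code from the webcast or from Silverfort; it runs over a small constructed account inventory (group memberships with nesting, admin-equivalent rights granted on assets, last-logon timestamps and a shared-account flag) and reports users who hold admin-level rights without being in a documented admin group, accounts that are stale, shared accounts, and the especially risky overlap of stale accounts that still hold privileges. The group, asset and user names, the 90-day staleness threshold and the `shared` attribute are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not real directory data). Group members may be
# users or other groups, mirroring nested AD group membership.
NOW = datetime(2024, 6, 1)
STALE_AFTER = timedelta(days=90)   # assumed staleness threshold

GROUPS = {
    "Domain Admins": ["alice"],
    "Helpdesk": ["bob", "Tier1-Ops"],
    "Tier1-Ops": ["carol"],
}
# Groups the organization documents and protects as "admin" groups.
ADMIN_GROUPS = {"Domain Admins"}

# Admin-equivalent rights on assets (e.g. local Administrators membership or a
# direct ACE), keyed by asset and listing the principals (users or groups) that hold them.
ADMIN_EQUIVALENT_RIGHTS = {
    "FileServer01": {"Domain Admins", "Helpdesk"},   # whole Helpdesk group is local admin
    "HR-DB": {"Domain Admins", "dave"},              # a user granted rights directly
}

# Per-user attributes: last interactive logon (None = never) and a shared-account flag.
USERS = {
    "alice":      {"last_logon": NOW - timedelta(days=2),   "shared": False},
    "bob":        {"last_logon": NOW - timedelta(days=5),   "shared": False},
    "carol":      {"last_logon": NOW - timedelta(days=200), "shared": False},
    "dave":       {"last_logon": NOW - timedelta(days=1),   "shared": False},
    "svc-backup": {"last_logon": NOW - timedelta(days=3),   "shared": True},
    "erin":       {"last_logon": None,                      "shared": False},
}


def expand_group(name, groups=GROUPS, _seen=None):
    """Return every user that is a direct or nested member of a group (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if name in _seen:
        return set()
    _seen.add(name)
    users = set()
    for member in groups.get(name, []):
        if member in groups:
            users |= expand_group(member, groups, _seen)
        else:
            users.add(member)
    return users


def resolve_principal(name):
    """A group resolves to its nested members; a bare user resolves to itself."""
    return expand_group(name) if name in GROUPS else {name}


def admin_group_members():
    """Users the organization knows are privileged (members of documented admin groups)."""
    return set().union(*(expand_group(g) for g in ADMIN_GROUPS))


def effective_admin_users():
    """Map each asset to the users who actually end up with admin-equivalent rights on it."""
    return {asset: set().union(*(resolve_principal(p) for p in holders))
            for asset, holders in ADMIN_EQUIVALENT_RIGHTS.items()}


def de_facto_privileged_users():
    """Users holding admin-equivalent rights somewhere without being in any admin group."""
    holders = set().union(*effective_admin_users().values())
    return holders - admin_group_members()


def stale_accounts(now=NOW, max_age=STALE_AFTER):
    """Accounts that never logged on or have not logged on within max_age."""
    return {u for u, a in USERS.items()
            if a["last_logon"] is None or now - a["last_logon"] > max_age}


def shared_accounts():
    """Accounts flagged as shared, which cannot be bound to a single person's MFA."""
    return {u for u, a in USERS.items() if a["shared"]}


def privileged_and_stale():
    """Highest-risk overlap: privileged (documented or de facto) accounts that are also stale."""
    return (admin_group_members() | de_facto_privileged_users()) & stale_accounts()


if __name__ == "__main__":
    print("de facto privileged (not in any admin group):", sorted(de_facto_privileged_users()))
    print("stale accounts:", sorted(stale_accounts()))
    print("shared accounts:", sorted(shared_accounts()))
    print("privileged AND stale:", sorted(privileged_and_stale()))
```

In the constructed data, `carol` never appears in an admin group but inherits local-admin rights on `FileServer01` through the nested `Tier1-Ops` membership in `Helpdesk`, and has not logged on for 200 days; that combination of undocumented privilege and staleness is exactly the kind of account the session describes as unprotected and attractive for quiet lateral movement. Against a real directory the inventory would be built from an export of group membership, per-host local-group membership and `lastLogonTimestamp`, and the resolution logic stays the same.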
Yiftach will also demonstrate how these types of attacks can be detected, and discuss best practices for mitigating identity weaknesses through security controls such as multi-factor authentication and identity segmentation.
This Real Training for Free webcast will be full of practical real-world content! Register now!