Detecting malicious identity-based behavior has become crucial

Speaking with Channel Post MEA, Ray Kafity, the Vice President – Middle East, Turkey and Africa (META) at Attivo Networks, talks about the growing number of identity-based attacks and explains how their CIEM solution, IDEntitleX, can protect regional organisations from such attacks.

What are identity-based attacks, and how different are these attacks from other cybersecurity attacks?
Identity-based cyberattacks occur when an attacker steals identities or credentials, elevates privileges, and compromises critical data. By stealing identities, they can impersonate authorized users, access resources, move laterally throughout the network and cloud environments, conduct reconnaissance, elevate privileges, and identify targets. The cybercriminals then misuse this personal information and act fraudulently in the victim’s name or use the credentials to access sensitive data better, thereby evading any access control measure. These attacks are different as they use legitimate credentials to execute their attack rather than leveraging application and OS vulnerabilities or using zero-day exploits. Instead, they misuse Active Directory through privileged credentials and access vulnerabilities to move laterally through the network and steal information while impersonating a trusted staff member.

How would you quantify the landscape for identity-based attacks in the region?
Employee sign-in has become considerably more secure thanks to tools like MFA and SSO, which are far safer than simple username and password combinations. However, while these passwordless authentication methods are becoming more popular in the Middle East, astute attackers have learned to bypass them. Credential data now accounts for 61 percent of all breaches, according to the Verizon Data Breach Investigations Report for 2021.

In general, the “human element” is present in 85 percent of breaches, while phishing is present in 36 percent. These figures show that attackers seek to gain access to genuine credentials and regularly use them to travel around networks unnoticed. Therefore, unintentional exposure of credentials is a prime issue in the region, leading to more identity-based attacks. It makes sense that securing identities should be at the top of any CISO’s to-do list.

What kind of threat do organizations in the Middle East face from such attacks?
The SolarWinds attack is an excellent example of the dangers that identity-based attacks can pose. The incident indicates that organizations throughout the world are failing to manage and monitor their identities properly. According to research, insider threats account for up to 57 percent of breaches, costing the Middle East $11.65 million each year. Employee/third-party irresponsibility is a primary source of those occurrences. These attacks can therefore have profound implications both on a reputational and financial level.

What can a CISO do to identify and detect such attacks, and what should be the response mechanism to counter them?
With the development of identity-based cyberattacks, today’s enterprises must be able to recognize when attackers attempt to exploit, misuse, or steal organizational identities. Detecting malicious identity-based behavior has become crucial given attackers’ propensity for stealing and reusing user credentials and mining Active Directory (AD) for credential data. Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Network Detection and Response (NDR), and other detection systems are all useful. However, they lack what solutions in the Identity Detection and Response (IDR) category do, which is to safeguard enterprise identities.

While many solutions aim to make networks safe, IDR provides companies with the ability to uncover and correct credential and entitlement issues in real-time and detect live attacks. When modern attackers travel through networks unnoticed by exploiting insecure credentials and entitlements, IDR solutions can help, whereas other tools simply can’t.

As a cybersecurity specialist, how can IDEntitleX protect regional organizations from identity-based attacks?
IDEntitleX, a new Cloud Infrastructure Entitlement Management (CIEM) solution by Attivo Networks, provides visibility for identity exposures and entitlement risks and limits the attack surface for cloud identities and entitlements. With the addition of IDEntitleX, we now offer unprecedented visibility and protection against identity privilege escalation and lateral movement threat activity. Attivo now provides the only end-to-end analysis of identity and entitlement exposures and risks across endpoints, Active Directory (AD), and the cloud.

The new IDEntitleX solution mitigates this risk by giving security teams a uniform picture of identities and exposures across the enterprise, allowing them to handle provisioning management issues while retaining operational efficiency. Coverage includes AWS and Azure multi-cloud support and detailed entitlement visibility for users, applications, virtual machines, containers, serverless operations, and other assets targeted by attackers.
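The entitlement exposures this answer refers to (over-broad cloud permissions and actions that allow privilege escalation) can be made concrete with a small policy review. The following is an added example, not Attivo's or IDEntitleX's code; the policy documents are constructed samples in AWS IAM JSON shape, and the list of escalation-capable actions is an illustrative assumption, not a complete one:

```python
"""Flag over-broad cloud entitlements in IAM-style policy documents."""

# Actions that let an identity change its own or others' entitlements,
# i.e. privilege-escalation paths. Illustrative subset, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:CreateAccessKey", "sts:AssumeRole",
}

# Constructed sample policies (AWS IAM JSON shape), keyed by identity name.
SAMPLE_POLICIES = {
    "ci-deploy-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::build-artifacts/*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]},
    "lambda-exec-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
}

def _as_list(value):
    """IAM allows a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]

def analyze_policy(identity, policy):
    """Return (identity, finding, detail) tuples for risky Allow statements."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant entitlements
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        full_admin = "*" in actions
        if full_admin:
            findings.append((identity, "admin-wildcard", "Action '*'"))
        for action in actions:
            if action.endswith(":*"):  # every action of one service
                findings.append((identity, "service-wildcard", action))
            if action in ESCALATION_ACTIONS:
                findings.append((identity, "privilege-escalation", action))
        if "*" in resources and not full_admin:
            findings.append((identity, "resource-wildcard", ", ".join(actions)))
    return findings

def review(policies=SAMPLE_POLICIES):
    """Run the analysis across every identity and collect all findings."""
    return [f for name, pol in policies.items() for f in analyze_policy(name, pol)]

if __name__ == "__main__":
    for identity, finding, detail in review():
        print(f"{identity:18} {finding:22} {detail}")
```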