Verizon research shows that credential theft is the leading cause of compromise of enterprise cloud networks, one that has led to some of the most notorious data breaches in recent times.
An obvious example is the large-scale hacking campaign against US and UK state and private entities known as SolarWinds (SolarBurst) attacks. Now, research by Silverfort Labs suggests a compromise of service accounts likely contributed to the success of the SolarWinds campaign and could have been avoided.
According to Verizon’s 2020 report, account takeover (ATO) attacks constitute 80% of all data breaches, with cloud breaches close behind at 77%. The high rate of attacks testifies to the inadequacy of existing approaches to corporate account security.
Attackers typically target inadequately protected cloud enterprise networks in a two-stage process. To initially breach an organization’s public or enterprise cloud perimeter, attackers use stolen credentials to compromise SaaS apps or infrastructure reachable over VPN or RDP remote connections. In the second stage, attackers move laterally, spreading across the network from machine to machine.
The inability of enterprises to protect themselves from credential theft stems from the fragmented nature of identity and access management (IAM) systems within the network.
Most enterprises use multiple solutions, such as Microsoft Active Directory, a VPN for remote access, and some kind of privileged access management system. What is lacking is a single solution that analyzes the whole picture and identifies anomalies that may indicate an intrusion.
Silverfort Labs research showed that if service accounts had been protected with proper access policies, the SolarWinds attacks could have been detected early and the attackers’ ability to move laterally would have been greatly impeded.
The company believes this campaign should serve as a wake-up call for enterprise security stakeholders. Service accounts constitute a sensitive attack vector and must be protected better.
The security company proposes a new concept it calls unified identity protection that can provide consolidated defense against ATO attacks and close the security holes described above. The protection provided by this approach is three-fold. It involves continuous unified monitoring of all authentication requests, real-time risk analysis of every authentication attempt, and enforcement of adaptive authentication and access policies on all access attempts.
Silverfort Labs experts advise adopting several best practices that can help protect against ATO attacks, including implementing a solution that can provide holistic visibility across all users, resources, and environments, performing a continuous risk analysis of user behavior and access patterns, and enforcing access control policies for all resources no matter whether they are located on-premise or in the cloud.
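The following Python script is an added illustration of the three-part approach and the best practices described above (unified monitoring of authentication events, per-event risk scoring, and adaptive policy enforcement, with stricter handling of service accounts). It is example code written for this article, not Silverfort's product or code, and every account name, host name, risk weight and threshold in it is constructed. It scores each authentication event against a per-account baseline and returns a policy decision; because a service account cannot answer a step-up MFA prompt, any meaningful deviation from its baseline results in a deny rather than a challenge.

```python
"""Risk-scoring authentication events from a unified feed (constructed example).

The events below stand in for a consolidated stream of authentication requests
collected from Active Directory, a VPN gateway and a SaaS identity provider.
Each event is scored against a per-account baseline, and an adaptive policy
action (allow / step-up-mfa / deny) is returned for it.
"""
from dataclasses import dataclass

# Constructed baseline: what "normal" looks like for each account. Service
# accounts get an explicit allow-list of source hosts and targets and are
# expected to authenticate only non-interactively.
@dataclass
class Baseline:
    is_service_account: bool
    known_sources: set
    known_targets: set
    interactive_allowed: bool = True

BASELINES = {
    "svc-backup": Baseline(True, {"backup01"}, {"fileserver01"}, interactive_allowed=False),
    "alice": Baseline(False, {"alice-laptop"}, {"vpn", "mail-saas"}),
}

# Constructed risk weights and decision thresholds (not from the article).
WEIGHTS = {
    "unknown account": 100,
    "new source host": 40,
    "new target": 30,
    "interactive logon by service account": 50,
    "service account over remote-access channel": 30,
}
DENY_AT, CHALLENGE_AT = 70, 40


def score_event(event, baselines=BASELINES):
    """Return (risk_score, reasons) for one authentication event."""
    b = baselines.get(event["user"])
    if b is None:
        return WEIGHTS["unknown account"], ["unknown account"]
    reasons = []
    if event["source"] not in b.known_sources:
        reasons.append("new source host")
    if event["target"] not in b.known_targets:
        reasons.append("new target")
    if event["logon_type"] == "interactive" and not b.interactive_allowed:
        reasons.append("interactive logon by service account")
    if b.is_service_account and event["channel"] in {"vpn", "rdp"}:
        reasons.append("service account over remote-access channel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(event, baselines=BASELINES):
    """Map a risk score to an adaptive policy action."""
    score, reasons = score_event(event, baselines)
    b = baselines.get(event["user"])
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= CHALLENGE_AT:
        # A service account has no human to complete MFA, so block instead.
        if b is not None and b.is_service_account:
            return "deny", score, reasons
        return "step-up-mfa", score, reasons
    return "allow", score, reasons


def triage(events, baselines=BASELINES):
    """Evaluate a batch of events; returns [(user, action, score), ...]."""
    return [(e["user"], *decide(e, baselines)[:2]) for e in events]


# Constructed sample events, one per line, as a unified feed would deliver them.
SAMPLE_EVENTS = [
    {"user": "svc-backup", "source": "backup01", "target": "fileserver01",
     "logon_type": "service", "channel": "kerberos"},
    {"user": "svc-backup", "source": "ws-hr-17", "target": "dc01",
     "logon_type": "interactive", "channel": "rdp"},
    {"user": "alice", "source": "alice-laptop", "target": "vpn",
     "logon_type": "interactive", "channel": "vpn"},
    {"user": "alice", "source": "hotel-wifi-host", "target": "vpn",
     "logon_type": "interactive", "channel": "vpn"},
]

if __name__ == "__main__":
    for user, action, score in triage(SAMPLE_EVENTS):
        print(f"{user:12s} score={score:3d} action={action}")
```

The second sample event is the pattern the article warns about: a service account authenticating interactively over RDP from a workstation it has never used, towards a domain controller. On its own each signal is weak, but seen together in one feed they sum well past the deny threshold, which is the argument for consolidating authentication telemetry rather than leaving it in separate AD, VPN and PAM silos.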