On May 17th, the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory highlighting the most common techniques attackers use to gain initial access to networks. The advisory was coauthored by the cybersecurity authorities of the US, Canada, New Zealand, the Netherlands, and the UK. It gives technical details on the methods bad actors most commonly use to gain an initial foothold, and while there are not too many surprises, it is always illuminating to see the methods and mitigations CISA calls out. The five methods named are exploiting public-facing applications, external remote services, phishing attacks, leveraging trusted relationships, and valid accounts.
The advisory then goes on to outline that these malicious attackers will often exploit the following (very common) vulnerable points in an organization stemming from weak controls, misconfigurations, and other generally poor security practices to gain unauthorized access:
- Multi-factor authentication (MFA) not being enforced
- Incorrectly applied privileges or permissions within access control lists
- Software that is not up to date
- Using vendor-supplied default configurations, or default login username/password combinations
- Remote services (e.g., VPNs) that lack sufficient controls to prevent unauthorized access
- Weak password policies
- Unprotected cloud services
- Open ports and misconfigured services that are publicly exposed
- Failure to detect or block phishing attempts
- Poor endpoint detection and response
It then provides guidance on mitigations that strengthen network defenses, grouped into the following categories:
- Controlling Access
- Implementing Credential Hardening
- Establishing Centralized Log Management
- Employing Antivirus Programs
- Employing Detection Tools and Searching for Vulnerabilities
- Maintaining Rigorous Configuration Management Programs
- Initiating a Software and Patch Management Program
While all of the above mitigations are essential, a modern approach to identity governance and administration (IGA) is particularly helpful with several key components of the Controlling Access category, namely:
- Adopting a zero-trust security model. Here, CISA talks about how zero-trust requires continuous verification via real-time information from multiple sources to determine access requirements. They also mention that zero-trust architecture enables granular privileged access management and affords users only the rights required to perform their assigned tasks. This concept is frequently referred to as least privilege.
- Controlling who has access to your data and services. The advisory again hints at least privilege in describing that personnel should only have access to the data and systems needed to perform their jobs. It then goes into detail about role-based access control (RBAC) and how strong RBAC helps to ensure that access is tailored to each user, with processes in place for entry, exit, and internal movement of identities. It also talks about deleting unused accounts (also sometimes referred to as orphaned accounts) and immediately deprovisioning access when it is no longer needed.
Modern IGA solutions give customers ways of continuously running certification campaigns and surveys that ensure unneeded or unused access is flagged and ultimately removed, a key component of the 'never trust, always verify' mindset of zero-trust. IGA solutions also assist in implementing least privilege in a variety of ways, including RBAC, continuous identity lifecycle management, enforcing Separation of Duties (SoD), and more. Identity lifecycle management is particularly critical in mitigating entitlement creep as people change roles, which is often cited as a common attack pathway. Modern IGA can also help organizations identify orphaned accounts and assign ownership in real time to minimize the attack surface.
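To make the Controlling Access guidance concrete, the following is an added example (not code from the Omada post, from Omada's product, or from the CISA advisory) of a small entitlement-review script of the kind a certification campaign would run. It takes a constructed account inventory and flags the conditions discussed above: orphaned accounts (no active owner in HR), entitlement creep (access held beyond what the current role grants), SoD conflicts, dormant access, and accounts without MFA enforced. The role model, entitlement names, conflict rules and accounts are all hypothetical.

```python
"""Entitlement review over a constructed account inventory (added example).

Assumptions (all hypothetical): a role model mapping job roles to allowed
entitlements, a set of SoD conflict pairs, and a 90-day dormancy threshold.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# RBAC model: the entitlements each job role is permitted to hold (hypothetical).
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "accounts_payable": {"erp_invoice_create", "erp_vendor_view"},
    "treasury": {"erp_payment_approve", "bank_portal"},
    "developer": {"git_push", "ci_trigger"},
}

# Separation of Duties: entitlement pairs a single person must never hold together.
SOD_CONFLICTS = {frozenset(("erp_invoice_create", "erp_payment_approve"))}

DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    username: str
    owner_employee_id: Optional[str]  # None means nobody owns this account
    hr_status: str                    # "active", "terminated" or "unknown"
    current_role: str
    entitlements: set[str]
    last_login: Optional[date]
    mfa_enforced: bool


def is_orphaned(acct: Account) -> bool:
    """No owner, or the owner is no longer an active employee per HR."""
    return acct.owner_employee_id is None or acct.hr_status != "active"


def excess_entitlements(acct: Account) -> set[str]:
    """Entitlements not granted by the current role: typical of role-change creep."""
    return acct.entitlements - ROLE_ENTITLEMENTS.get(acct.current_role, set())


def sod_violations(acct: Account) -> list[tuple[str, str]]:
    """Conflict pairs fully contained in the account's entitlements."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= acct.entitlements)


def is_dormant(acct: Account, today: date) -> bool:
    """Never logged in, or idle beyond the dormancy threshold."""
    return acct.last_login is None or today - acct.last_login > DORMANT_AFTER


def review(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Return, per account, the findings a reviewer would have to certify or remove."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues: list[str] = []
        if is_orphaned(acct):
            issues.append("orphaned")
        issues.extend(f"excess:{e}" for e in sorted(excess_entitlements(acct)))
        issues.extend(f"sod:{a}+{b}" for a, b in sod_violations(acct))
        if is_dormant(acct, today):
            issues.append("dormant")
        if not acct.mfa_enforced:
            issues.append("no_mfa")
        findings[acct.username] = issues
    return findings


# Constructed sample inventory; the review date is fixed so results are reproducible.
TODAY = date(2022, 6, 1)
SAMPLE_ACCOUNTS = [
    # Moved from treasury to accounts payable but kept the approval right: creep + SoD.
    Account("jsmith", "E100", "active", "accounts_payable",
            {"erp_invoice_create", "erp_vendor_view", "erp_payment_approve"},
            TODAY - timedelta(days=3), True),
    # Legacy service account nobody owns, idle for months, no MFA.
    Account("svc-legacy", None, "unknown", "developer", {"git_push"},
            TODAY - timedelta(days=200), False),
    # Owner has left the company but the account was never deprovisioned.
    Account("adoe", "E200", "terminated", "developer", {"git_push", "ci_trigger"},
            TODAY - timedelta(days=10), True),
    # Clean account: role-aligned access, active owner, recent login, MFA.
    Account("bchen", "E300", "active", "treasury", {"erp_payment_approve", "bank_portal"},
            TODAY - timedelta(days=1), True),
]

if __name__ == "__main__":
    for user, issues in review(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user:12} {', '.join(issues) or 'ok'}")
```

Each finding maps to an action the advisory's Controlling Access guidance asks for: `orphaned` accounts get an owner assigned or are deprovisioned, `excess` and `sod` findings are removed or formally certified by the role owner, `dormant` access is revoked, and `no_mfa` feeds the credential-hardening list. Running this on a schedule, rather than once, is what turns a one-off clean-up into the continuous verification zero-trust calls for.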
While no one solution alone can tackle all the weaknesses covered in the advisory, modern identity governance and administration (IGA) can help with several controls highlighted by CISA, namely preventing privileges and permissions from being incorrectly applied, being vigilant in assuring that the right users have the right levels of access, and making sure that low-hanging fruit like unmonitored accounts are assigned ownership. These can all be quick wins in an overall IAM project, and can be achieved simply with IGA.
For more information on how to quickly implement a modern IGA solution, within 12 weeks, read more about the Omada Accelerator Package.