Even in ancient times, several lines of defense were necessary during sieges. A moat prevented the city wall from being tunnelled, and the crown jewels were kept in the particularly heavily fortified citadel.
The same applies to cyber attacks today. In most attacks, regardless of who is behind them, the identity layer is the first point of entry into an organization’s network. In many cases, it has been shown that attackers are able to maintain persistent, undetected and long-term access in compromised environments by using legitimate credentials, among other things.
To ward off threats on endpoints, a company should, on the one hand, rely on proven practices: implementing MFA (multi-factor authentication), introducing EDR (endpoint detection and response) and AV (anti-virus) solutions, using a firewall, installing patches regularly and, where necessary, using secure passwords.
On the other hand, however, additional steps are required to increase cyber security as part of a defense-in-depth approach. This includes the following measures:
1. Use of application control solutions: Businesses must block the execution of unknown EXE files, as they may contain potentially dangerous commands. Downloading additional malicious code and executing it on the compromised endpoint is part of almost every intrusion into IT systems.
2. Limitation of access rights: Consistently implementing a least-privilege concept and deactivating accounts that are not required are indispensable. Limiting privileges is critical because credential theft otherwise allows attackers to reach critical information. Just-in-time expansion of authorizations should also be supported. This means that if a user needs elevated or the highest rights to work on a system or to carry out certain tasks, those rights may be assigned only temporarily and for a specific purpose, bound to the binary or the action. Threat detection functions can speed up the detection and prevention of attack attempts.
3. Detection of shadow admins: Shadow admins are often equipped with sensitive permissions that give them the ability to escalate privileges in cloud environments. These identities, which often arise from misconfigurations or a lack of awareness, can be targeted by attackers, putting the entire environment at risk. There are various solutions for detecting shadow admins, such as the open source tool zBang.
4. Protection of backups: Organizations should back up domain controllers reliably, as attackers may attempt to access or copy the Active Directory domain database in order to steal credentials or other information about devices, users or access rights. Tools with threat detection functions that protect the NTDS file, in which sensitive Active Directory data is stored, can be considered for the backup.
5. Use of AES Kerberos encryption: Using AES instead of RC4 for Kerberos encryption can prevent an attacker who holds a valid Kerberos ticket-granting ticket (TGT), or who snoops on network traffic, from obtaining service tickets (TGS) that are vulnerable to brute-force methods. For example, the RiskySPN module of the zBang tool can be used to detect Kerberoasting.
6. Protection of credential certificates: Saved user certificates used to log on to target systems must be reliably secured in order to prevent attackers from using them to sign forged tokens. This also mitigates threats such as a Golden SAML attack, in which attackers obtain a valid SAML token, i.e. a fake authentication element. This gives them almost any authorization for almost all of a company's services, depending on which services use SAML as an authentication protocol.
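Measure 3 above talks about detecting shadow admins. The following is an added example, not code from the article, from CyberArk or from zBang itself; it models the idea behind an ACL-based shadow-admin scan on constructed sample data. Every object, principal and right name below is a constructed assumption. The rule is: a principal that is not in a privileged group but holds a control right (GenericAll, WriteDacl, WriteOwner, membership write, password reset) over a privileged object, or over an identity that in turn controls one, can escalate and is therefore a shadow admin; a principal holding both directory replication rights on the domain object is flagged for the same reason.

```python
"""Shadow-admin check over constructed Active Directory ACL data.

Added example, not part of the article and not zBang's own code. Each ACE is
modelled as (target object, principal granted the right, right). The names
are constructed sample data, not real identifiers.
"""
from collections import defaultdict

DOMAIN_OBJECT = "DC=corp,DC=example"   # constructed domain naming context
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "krbtgt"}

# Rights that let the holder take over the target object outright.
CONTROL_RIGHTS = {
    "GenericAll", "WriteDacl", "WriteOwner",
    "WriteProperty:Member",                      # add members to a group
    "ExtendedRight:User-Force-Change-Password",  # reset a user's password
}
# Both replication rights together allow a DCSync-style credential dump.
REPLICATION_RIGHTS = {
    "ExtendedRight:DS-Replication-Get-Changes",
    "ExtendedRight:DS-Replication-Get-Changes-All",
}

# Constructed ACEs: (target object, principal, right)
ACES = [
    ("Domain Admins", "Administrators", "GenericAll"),            # expected: privileged
    ("Domain Admins", "ops-automation", "WriteProperty:Member"),  # shadow admin
    ("ops-automation", "contractor-jsmith",
     "ExtendedRight:User-Force-Change-Password"),                 # transitive shadow admin
    (DOMAIN_OBJECT, "svc-backup", "ExtendedRight:DS-Replication-Get-Changes"),
    (DOMAIN_OBJECT, "svc-backup", "ExtendedRight:DS-Replication-Get-Changes-All"),
    (DOMAIN_OBJECT, "svc-monitor", "ExtendedRight:DS-Replication-Get-Changes"),  # only one of two
    ("OU=Sales,DC=corp,DC=example", "sales-admins", "GenericAll"),  # target not privileged
]


def find_shadow_admins(aces, privileged=PRIVILEGED, domain_object=DOMAIN_OBJECT):
    """Return {principal: reason} for every non-privileged principal that can
    reach a privileged identity through control or replication rights."""
    controls = defaultdict(set)   # principal -> objects it can take over
    repl = defaultdict(set)       # principal -> replication rights on the domain
    for target, principal, right in aces:
        if right in CONTROL_RIGHTS:
            controls[principal].add(target)
        elif target == domain_object and right in REPLICATION_RIGHTS:
            repl[principal].add(right)

    sensitive = set(privileged)   # grows as shadow admins are discovered
    shadow = {}

    # A principal with both replication rights can pull every credential hash.
    for principal, rights in repl.items():
        if principal not in privileged and REPLICATION_RIGHTS <= rights:
            shadow[principal] = "holds both replication rights on " + domain_object
            sensitive.add(principal)

    # Fixed-point walk: controlling anything sensitive makes you sensitive too,
    # so chains like contractor -> service user -> Domain Admins are found.
    changed = True
    while changed:
        changed = False
        for principal, targets in controls.items():
            if principal in sensitive:
                continue
            hit = targets & sensitive
            if hit:
                shadow[principal] = "controls " + ", ".join(sorted(hit))
                sensitive.add(principal)
                changed = True
    return shadow


if __name__ == "__main__":
    for who, why in sorted(find_shadow_admins(ACES).items()):
        print(f"shadow admin: {who:20} {why}")
```

In a real environment the ACE list would come from the directory (the DACLs of the domain object, admin groups and admin users), and the privileged set would include every group that is nested into them; the fixed-point loop is what turns a flat permission dump into the escalation chains that make shadow admins dangerous.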
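Measure 5 above recommends AES over RC4 for Kerberos. As an added example (not code from the article, from CyberArk or from zBang's RiskySPN module), the block below shows the two checks a defender would run: which service accounts still permit RC4 according to the msDS-SupportedEncryptionTypes bitmask, and which clients are requesting RC4-encrypted service tickets for many service accounts, the pattern that Kerberoasting leaves in Windows event 4769. The encryption-type bit values and ticket encryption codes are the documented Windows values; the account records, the compact one-line event format and all names and addresses are constructed for the example, and treating an unset bitmask as "RC4 allowed" is an assumption that matches the classic default.

```python
"""Kerberos encryption-type checks over constructed AD and event data.

Added example, not part of the article and not zBang's code. The bit values
and ticket encryption codes are the documented Windows values; accounts,
event lines, names and addresses are constructed sample data.
"""
import re
from collections import defaultdict

# msDS-SupportedEncryptionTypes bit flags (documented Windows values).
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_MASK = 0x07  # any DES or RC4 bit

# "Ticket Encryption Type" codes in event 4769 (documented Windows values).
WEAK_TICKET_TYPES = {0x1, 0x3, 0x17, 0x18}  # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, RC4-HMAC-EXP

# Constructed account records as a directory export might deliver them.
ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x04},
    {"sAMAccountName": "svc-web", "servicePrincipalName": ["HTTP/intranet.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "svc-legacy", "servicePrincipalName": ["CIFS/files01.corp.example"]},
    {"sAMAccountName": "alice", "servicePrincipalName": []},
]

# Constructed, compacted 4769 records: one event per line, key=value fields.
# Service is the service account's sAMAccountName, as in the real event.
SAMPLE_EVENTS = """
EventID=4769 Client=10.0.5.23 Account=alice@CORP.EXAMPLE Service=svc-sql EncType=0x17
EventID=4769 Client=10.0.5.23 Account=alice@CORP.EXAMPLE Service=svc-web EncType=0x17
EventID=4769 Client=10.0.5.23 Account=alice@CORP.EXAMPLE Service=svc-backup EncType=0x17
EventID=4769 Client=10.0.5.23 Account=alice@CORP.EXAMPLE Service=svc-legacy EncType=0x17
EventID=4769 Client=10.0.7.8 Account=bob@CORP.EXAMPLE Service=svc-sql EncType=0x12
EventID=4769 Client=10.0.7.8 Account=bob@CORP.EXAMPLE Service=WS01$ EncType=0x17
EventID=4768 Client=10.0.7.8 Account=bob@CORP.EXAMPLE EncType=0x12
""".strip().splitlines()


def decode_enc_types(mask):
    """Names of the encryption types enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ENC_TYPES.items() if mask & bit]


def accounts_allowing_rc4(accounts):
    """sAMAccountNames of SPN-bearing accounts whose tickets may still use DES/RC4.
    Assumption: a missing or zero attribute means the classic RC4 default."""
    flagged = []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue  # no SPN, no service ticket to crack offline
        mask = acct.get("msDS-SupportedEncryptionTypes") or 0
        if mask == 0 or mask & WEAK_MASK:
            flagged.append(acct["sAMAccountName"])
    return flagged


def parse_events(lines):
    """Turn the compact key=value lines into dicts, keeping only 4769 (TGS request) events."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("EventID") != "4769":
            continue
        fields["EncType"] = int(fields["EncType"], 16)
        events.append(fields)
    return events


def weak_service_tickets(events):
    """4769 events where a DES/RC4 ticket was issued for a user service account.
    Computer accounts (trailing '$') and krbtgt are skipped: they are not the
    offline-cracking targets that this check is about."""
    return [e for e in events
            if e["EncType"] in WEAK_TICKET_TYPES
            and not e["Service"].endswith("$")
            and e["Service"].lower() != "krbtgt"]


def kerberoast_candidates(events, min_services=3):
    """Clients that pulled weak tickets for at least min_services distinct service accounts."""
    per_client = defaultdict(set)
    for e in weak_service_tickets(events):
        per_client[e["Client"]].add(e["Service"])
    return {c: sorted(s) for c, s in per_client.items() if len(s) >= min_services}


if __name__ == "__main__":
    print("accounts still allowing RC4/DES:", accounts_allowing_rc4(ACCOUNTS))
    for client, services in kerberoast_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(f"{client} requested RC4/DES tickets for {len(services)} services: {services}")
```

The account check is the preventive half (fix the attribute, set AES-only keys, then rotate the password so an AES key actually exists); the event check is the detective half, and the threshold of distinct services per client is what separates normal use from a bulk ticket request.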
“Isolated security measures are no longer sufficient in an era of escalating cybercrime. The order of the day is: Defense-in-Depth – now. This means that a company must take multi-layered security measures to protect confidential systems, applications and data and to minimize the possible negative effects of an attack,” explains Christian Götz, Solutions Engineering Director DACH at CyberArk. “A good starting point for this is an identity-based security approach, i.e. a security concept that classifies identity as the central line of defense of a company – regardless of whether it is a person, an application or a machine.”