Identity-related attacks are one of the most common vectors of compromise in modern cyber attacks. In these attacks, threat actors work to steal identities, impersonating real users so they can move laterally and access resources on the network. Identities with greater access and admin-level privileges to valuable data are most likely to be stolen or ransomed.

Enterprises often think they have identity security in place, but many solutions on the market only protect access, rather than digital identities or the greater identity infrastructure. Endpoint detection and response (EDR) and endpoint protection platform (EPP) solutions, for example, protect identity data only to the extent of detecting or stopping malicious tools attempting theft. However, most endpoint security solutions do not stop attackers from conducting identity-based attacks.

This blog post delves into how enterprises can strengthen their security tech stack with robust identity security that focuses on minimizing the identity attack surface, securing Active Directory (AD), and advanced detection and response for identity-based assets.

What Is Identity Security?

When asked what their company does for identity security, many frequently bring up Identity and Access Management (IAM), Privileged Access Management (PAM), or Identity Governance and Administration (IGA) solutions. While useful, these solutions are for authentication, access management, and compliance requirements; they do not protect identities and credentials. Other solutions like multi-factor authentication (MFA) or Single Sign On (SSO) further secure the authentication process, but still leave identity data open to attack.

Let’s use an analogy to clarify. Suppose a network is an office building with many doors. When employees go to the office, they check-in at the front desk to get an access badge showing they work there. As an employee, they can open the doors, but the doors have locks. Employees need explicit permission to open these doors, signified on their access badges as colors matching the doors. They check out the key from a guard at each door to open the lock. The guard checks the colors on the access badge to confirm that the person has permission to get a key to open the door.

Relating this back to the fundamentals of identity security:

• Authentication is checking in to get the access badge showing they are employees.
• Access is having the proper color on the badge to get the key for the door.
• IGA handles procedures to grant access badges and provides an audit trail of who has to access the door.
• IAM is the guard checking the access badge to validate that the person has permission to get the key to open the door.
• PAM is a specific color on the access badge for doors that lead to sensitive areas, with a particular key that the guard only gives to the appropriate people and a log book to sign in and out.
• MFA is when a door requires a key and access code to open.
• SSO is an access badge with multiple colors showing permission for several doors.

What happens if someone steals or copies a key or access badge? They can get access to the office. None of the controls mentioned above prevent this from happening. In this scenario, nothing stops an attacker from masquerading as a legitimate employee and entering the office.

Identity Security in the Security Stack

To continue with the analogy in the previous section, identity security is the safe that protects the keys and access cards themselves from unwanted targeting by malicious parties and outright theft. It is a secure lanyard that hides the access badge from view, so attackers cannot take pictures and copy it. It can also be thought of as additional precautions that protect the actual credentials so attackers are unable to take advantage of them.

Since there is no universally accepted definition of the term ‘identity security’, a working definition is a category of security controls focusing on securing identity data (such as credentials and passwords) and identity infrastructure (such as directory services like Active Directory).

Cybersecurity secures information systems and networks by reducing existing risk and then managing residual risk. Identity security is no different and provides two core capabilities:

• Reducing existing risk by addressing identity attack surface vulnerabilities
• Managing residual risk by detecting and responding to identity-based attacks

Identity security should cover identity data no matter where it resides, whether on the endpoint or on the network in Active Directory. It should be able to detect local credential theft, whether from the operating system (OS) or application credential storage, as well as any  attempts to harvest identity data from domain controllers.

SentinelOne’s Singularity Identity and Ranger AD provide proactive and intelligent identity security capabilities in real-time, helping to reduce risk across the entire identity attack surface.

Ranger AD | How to Reduce Risks Originating from Active Directory

Ranger AD identifies vulnerabilities within the Active Directory and Entra ID (formerly Azure AD) domain controllers and provides remediation assistance to fix them. Ranger AD looks for weak settings, improper access control list entries on objects, and numerous insecure parameters in the AD database that attackers can exploit to progress their attacks.

For example, it can identify if an object has unrestricted rights to replicate the AD database, which can lead to a Golden Ticket, DCSync, or DCShadow attack. Ranger AD can identify if insecure protocols like Server Message Block (SMBv1) are still allowed. Further, it can flag an Entra ID account that has permission to allow external users to access the Azure cloud instance.

Ranger AD checks several hundred settings and can identify over 130 different vulnerabilities. It can automatically fix some of these vulnerabilities with its remediation scripting engine and provides the remediation steps and all references to understand vulnerabilities that require manual intervention. This significantly reduces the identity attack surface available for malicious activity and restricts the attacker’s ability to exploit those vulnerabilities to perform lateral movement.

Ranger AD-Protect is a bundled offering that provides attack detection capabilities for domain controllers. Using data inspection, event log analysis, and behavioral correlation, Ranger AD-Protect can detect attacks originating from any device on the network. It prevents Kerberos-based attacks and AD enumerations in real time. Some examples of these attacks are Golden and Silver Ticket attacks, Pass-the-Hash (PtH) attacks, and enumeration of critical AD users and groups. It is a simple solution that installs on the domain controller but provides critical detection capabilities.

Singularity Identity | How to Stop Credential Misuse in Active Directory Environments

Singularity Identity secures identities by using concealment and misdirection. Singularity Identity conceals the locally stored credentials from discovery, whether memory-resident or stored locally in applications and the OS.

For example, attackers looking for credentials stored in Chrome, WINSCP, or dozens of supported applications will not find them. It also identifies AD queries attempting to harvest data from the domain controller, such as members of privileged groups, domain controllers, Service Principal Names, and more, and conceals the results. Singularity Identity then provides decoy identity data as lures and bait for local and AD objects so the attackers do not suspect anything is wrong and continue their activities. Attackers that fall for these baits and lures have their attack activity misdirected away from the production assets.

Singularity Identity generates an alert on the SentinelOne console when the attackers attempt to query AD for sensitive or privileged objects or when they try to enumerate and access locally stored credentials. This detection happens during the early part of the attack cycle, during the reconnaissance phase, and provides the earliest possible detection of any security control.

Since Singularity Identity is part of the SentinelOne agent, defenders receive market-leading, AI-driven EDR with first-in-class Identity Threat Detection and Response (ITDR) capabilities. By adding SentinelOne’s extensive cloud offerings, its native Singularity Data Lake, and Purple AI, security operation centers (SOCs) gain the ability to respond to enterprise-wide threats with natural language queries, AI-driven threat hunting, and the ability to look across data from every SentinelOne product and partner solution.

Conclusion

Today’s enterprises have centered their businesses around identity-based infrastructure to scale their day-to-day operations and develop in the long run. At the same time, identity continues to emerge as a principal target for threat actors who exploit vulnerabilities and misuse Active Directory, contributing to some of the most damaging ransomware attacks to date.

To secure the identity layer of their tech stacks, global organizations trust in SentinelOne to close identity-based gaps and build up resilience within their sensitive AD crown jewels. Learn more about SentinelOne’s identity security solutions or request a demo today.