Defend Against Ransomware & Identity-Based Attacks: Boost Your Cyber Defense with Zscaler ITDR™

NAGESH SWAMY
December 05, 2023 - 4 min read

Modern cyberattacks are diverse, use different tools and techniques, and target multiple points of entry. Ransomware is still one of the top threats organizations face today, and it is only getting worse as threat actors adopt new techniques such as identity threats. Identity-based attacks are the driving force behind ransomware: a single compromised identity can now give attackers a potentially life-changing opportunity.

Cyberattackers are now after your identities.

Compromising identities

Threats such as ransomware often use identity-based attack techniques. Identity attack techniques (such as lateral movement and compromising a valid credential) are typically used by the attacker to move quickly to a more lucrative target in the organization and evade prompt detection. 

Threat actors are targeting enterprise Active Directory (and Azure AD) accounts to gain a foothold in a target's environment. Cybercriminals have a variety of methods to gain access to identities. A single leaked or stolen password can often be used to break into databases that hold many more credentials. In fact, passwords still account for 80% of all cyberattacks and are a growing concern among security professionals. Attackers often use automated scripts to try stolen username and password combinations against many accounts until one works. When a user's account is compromised, they can fall victim to fraud, identity theft, unauthorized financial transactions, and other criminal activities.

For instance, Kerberoasting is an identity attack technique used by cybercriminals to obtain valid Active Directory (AD) credentials. Kerberoasting attacks target AD service accounts because they often carry higher privileges and let attackers hide for extended periods of time. Kerberoast attacks are also notoriously hard to detect amid daily telemetry, making them even more attractive to cybercriminals. Password exposures are used by attackers to compromise databases and execute data exfiltration attacks on endpoints. Identity tools do not detect these incidents, leaving security teams with no way to learn that a credential has been compromised or a password exposed.

Lateral Movement Fuels Cyberattacks

Once an attacker gets their hands on a user identity, all they have to do is present the stolen credentials to the identity provider responsible for user authentication, and the lateral movement begins. That is why lateral movement poses such a significant identity threat: attackers hold stolen user credentials and can pull further credentials out of compromised machines, which lets them log in to multiple machines in the same environment, distribute a ransomware payload, or encrypt multiple machines at once.

Security teams lack visibility, and there are no tools in their stack that can discover or alert on all of these incidents in an environment. This is alarming, because the attacker is authenticating to AD with legitimate credentials. Attackers relentlessly seek to compromise service accounts, which often have high privileges, so that they can conduct lateral movement virtually undetected and easily reach multiple machines and systems.
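As an added example that is not part of this post and not Zscaler ITDR's code, the following Python sketch shows the basic shape of detections for the three patterns described above: one source trying many accounts (the automated password attempts), one account pulling weak-encryption service tickets for many SPNs (Kerberoasting), and one account logging on over the network to many hosts (lateral movement). It assumes events have already been normalised from Windows Security log fields (Event ID 4625 failed logon, 4769 Kerberos service ticket request with ticket encryption type 0x17 for RC4-HMAC, 4624 logon with logon type 3 for network) into dicts; the sample events and the window and threshold values are constructed for illustration and are not tuned for any real environment.

```python
"""Added example (not Zscaler's or ITDR's code): three toy detections for the
identity attack patterns the post describes, run over constructed events.

Assumed event shape (not from the page): dicts with a SIEM-style normalisation
of Windows Security log fields. EventID 4625 = failed logon, 4769 = Kerberos
service ticket request (TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256),
4624 = successful logon with LogonType 3 = network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON, TGS_REQUEST = 4625, 4624, 4769
RC4_HMAC, AES256 = "0x17", "0x12"   # Kerberos ticket encryption types
NETWORK_LOGON = 3

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # one source tries ten different accounts in ten seconds
    *[{"ts": f"2023-12-05T09:00:{i:02d}", "id": FAILED_LOGON, "src": "10.0.0.99",
       "user": f"user{i:02d}"} for i in range(10)],
    # a single genuine mistyped password from another host
    {"ts": "2023-12-05T09:00:30", "id": FAILED_LOGON, "src": "10.0.0.7", "user": "alice"},
    # ordinary AES service tickets for a workstation user
    {"ts": "2023-12-05T09:10:00", "id": TGS_REQUEST, "user": "bob", "svc": "cifs/fs01", "etype": AES256},
    {"ts": "2023-12-05T09:10:05", "id": TGS_REQUEST, "user": "bob", "svc": "http/intranet", "etype": AES256},
    # one account pulls RC4 tickets for six service accounts in six seconds (Kerberoasting)
    *[{"ts": f"2023-12-05T09:20:{i:02d}", "id": TGS_REQUEST, "user": "carol",
       "svc": f"MSSQLSvc/db{i:02d}", "etype": RC4_HMAC} for i in range(6)],
    # the same account then logs on over the network to seven hosts (lateral movement)
    *[{"ts": f"2023-12-05T09:25:{i:02d}", "id": SUCCESS_LOGON, "user": "carol",
       "host": f"ws{i:02d}", "logon_type": NETWORK_LOGON} for i in range(7)],
    {"ts": "2023-12-05T09:26:00", "id": SUCCESS_LOGON, "user": "bob", "host": "fs01", "logon_type": NETWORK_LOGON},
]


def _burst_fan_out(rows, actor_field, target_field, window, threshold):
    """Return {actor: sorted targets} for every actor that touches at least
    `threshold` distinct targets inside some sliding time window. All three
    detections share this shape: one actor fanning out across many targets
    faster than a person normally would."""
    by_actor = defaultdict(list)
    for e in sorted(rows, key=lambda e: e["ts"]):
        by_actor[e[actor_field]].append((datetime.fromisoformat(e["ts"]), e[target_field]))
    hits = {}
    for actor, items in by_actor.items():
        start, best = 0, set()
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the window start forward
                start += 1
            distinct = {t for _, t in items[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > len(best):
                best = distinct
        if best:
            hits[actor] = sorted(best)
    return hits


def detect_credential_stuffing(events, window=timedelta(minutes=5), threshold=5):
    """Source addresses whose failed logons (4625) hit many distinct accounts."""
    rows = [e for e in events if e["id"] == FAILED_LOGON]
    return _burst_fan_out(rows, "src", "user", window, threshold)


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Accounts requesting RC4 service tickets (4769, etype 0x17) for many SPNs.
    Filtering on the weak encryption type is what separates this from the
    steady stream of legitimate 4769 events in daily telemetry."""
    rows = [e for e in events if e["id"] == TGS_REQUEST and e["etype"] == RC4_HMAC]
    return _burst_fan_out(rows, "user", "svc", window, threshold)


def detect_lateral_movement(events, window=timedelta(minutes=10), threshold=5):
    """Accounts with network logons (4624, logon type 3) to many distinct hosts."""
    rows = [e for e in events if e["id"] == SUCCESS_LOGON and e["logon_type"] == NETWORK_LOGON]
    return _burst_fan_out(rows, "user", "host", window, threshold)


if __name__ == "__main__":
    for name, hits in (("credential stuffing", detect_credential_stuffing(SAMPLE_EVENTS)),
                       ("kerberoasting", detect_kerberoasting(SAMPLE_EVENTS)),
                       ("lateral movement", detect_lateral_movement(SAMPLE_EVENTS))):
        for actor, targets in hits.items():
            print(f"[{name}] {actor}: {len(targets)} distinct targets, e.g. {targets[:3]}")
```

The single quiet failed logon and bob's AES ticket requests and one file-server logon fall below the thresholds, while carol's RC4 ticket burst followed by a fan-out of network logons is exactly the service-account-to-lateral-movement sequence the post describes. In a real deployment the thresholds would be set per environment, and the RC4 filter becomes sharper still once the domain enforces AES-only ticket encryption.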

Sealing the Identity Gaps

Identity compromise is the most common starting point for a breach, so identity threat detection is often the first alarm that goes off. Now, these crucial early indicators are made possible with Zscaler ITDR™. Zscaler ITDR provides security teams with the visibility and protection they need for their identity management systems. You can detect identity-based attacks and identify anomalous credential abuse, attempts at privilege escalation, and lateral movement.


Reducing Risk with Actionable Insights, for Better Response

Zscaler ITDR automatically surfaces hidden risks that might otherwise slip through the cracks, such as unmanaged identities, misconfigured settings, and even credential misuse. The solution offers organizations visibility and autonomous response capabilities, while also providing continuous, real-time assessment of AD misconfigurations, vulnerabilities, and active threats, together with prescriptive guidance to close exposures and gaps in customer AD environments.

Restrict or terminate the identities causing trouble and shut down threats before they have a chance to wreak havoc. You can also respond with misdirection and deception. For example, when the solution detects an identity-based attack, it can serve fake data that redirects and lures the attacker to a decoy using Zscaler Deception. Zscaler provides a deception environment of decoy systems and data mimicking production assets to misdirect attacks, engage attackers, and collect information on adversary tactics, techniques, and procedures (TTPs). Zscaler automatically isolates the compromised system conducting the identity-based attack from the rest of the environment, limiting its interaction to the decoy environment only.

In addition, Zscaler ITDR is integrated into the Zscaler Zero Trust Exchange, which dynamically applies access policy controls to block compromised users when an identity attack is detected. This stops the attacker from moving laterally across systems and further checks the spread of ransomware.

Conclusion

While breaches are inevitable and preventative security measures alone are not enough, Zscaler boosts your cyber defense stack against identity attacks. Zscaler ITDR delivers complete visibility in a single pane of glass and helps your security teams detect and respond in real time to emerging identity threats in your environment, including ransomware and sophisticated identity attacks.

Read more about our ITDR technology here.
