Whitepaper: Preventing Privileged Account Takeover
Addressing the Threats of Privileged Identity and Privileged Access in Organisations
Introduction
In today's digital age, securing identities is of paramount importance for any organisation. With the increasing sophistication of cyber attacks, it is essential to prevent privileged identity compromise and the abuse of privileged access. This whitepaper looks at how unauthorised access happens and how effective identity and access management strategies prevent it, focusing on the pivotal roles of Privileged Identity Management (PIM) and Privileged Access Management (PAM).
Understanding Identity Compromise
Identity compromise occurs when unauthorised individuals gain access to an individual's or an organisation's credentials. This can lead to severe consequences, including data theft, financial loss and reputational damage. According to IBM's 2023 Cost of a Data Breach report, the average cost of a data breach was USD 4.45 million, with phishing and stolen or compromised credentials the two most common initial attack vectors.
Common Methods of Identity Compromise
- Phishing: Fraudulent attempts to obtain sensitive information by posing as a trustworthy entity. The Verizon 2024 Data Breach Investigations Report found the human element (social engineering such as phishing, but also errors and misuse) involved in 68% of breaches. The end goal of credential phishing is to trick people into giving away their credentials, which is far easier for cybercriminals than brute-forcing them.
- Credential Theft: Unauthorised acquisition of passwords and other authentication details, often through breaches of third-party services. A Microsoft study found that 73% of passwords are reused across multiple accounts, so one breached service exposes many others. IBM's 2024 X-Force Threat Intelligence Index lists phishing and abuse of valid account credentials as the two leading initial access vectors, and the Google Cloud 2024 Threat Horizons Report cites weak or missing credentials as the top initial access vector, involved in 47% of cloud environment compromises. This makes credential theft the cybercriminals' most common entry point into an organisation.
- Adversary-in-the-Middle (AitM) Attacks: Interception and manipulation of the communication between a user and a legitimate service, allowing the attacker to capture credentials, one-time codes and, crucially, the authenticated session. Cybercriminals use this to defeat conventional multifactor authentication (MFA 1.0), including push, QR code, SMS and one-time-password-based MFA: a phishing proxy sits between the victim and the real login page, relays the password and second factor in real time, and then takes the session cookie the real site issues once the victim has completed MFA. The MFA step is not broken; it is performed by the victim on the attacker's behalf, and only a factor cryptographically bound to the legitimate site's origin is immune to this relay. Microsoft has documented large-scale AitM phishing campaigns of exactly this kind against Microsoft 365 tenants, in which organisations relying on MFA through Microsoft Authenticator were still compromised.
Identity compromise has become cybercriminals' most reliable way into organisations, and the usual first step towards account takeover.
The Challenges of Privileged Identity and Access Management
Phishing and stolen or compromised credentials are the two most prevalent attack vectors, costing businesses an average of USD 4.88 million per breach in 2024. The Verizon 2024 Data Breach Investigations Report notes that stolen credentials have featured in more than 31% of all breaches over the past 10 years, and IBM's 2024 Cost of a Data Breach report found that breaches involving "stolen or compromised credentials took the longest to identify and contain (292 days) of any attack vector". The root cause is that anyone, genuine user or attacker, can access anything with the correct credentials; a detective control sees only a valid login, which is why detective controls have failed organisations here.
Privileged accounts often have access to critical systems and sensitive data, making them prime targets for attackers. A compromise of privileged credentials becomes unauthorised privileged access, and from there the consequences can be catastrophic. The SolarWinds compromise is a typical example: the attackers gained privileged access to SolarWinds' build environment and used it to insert the SUNBURST backdoor into signed Orion updates, which were shipped to roughly 18,000 customers; inside victim networks they then abused privileged identities, including forged SAML tokens, to reach email and cloud resources. IBM's 2024 Cost of a Data Breach report found that malicious insider attacks, which by definition are carried out with legitimate privileges, had the highest average cost of any vector at USD 4.99 million. Compromised privileged identities can result in major data breaches and ransomware, exposing sensitive information and causing substantial harm to an organisation. Trust is crucial for organisations, and a breach of privileged accounts can severely damage an organisation's reputation, leading to loss of customers and business opportunities.
To limit or prevent privileged account takeover, organisations need privileged identity management.
Privileged Identity Management (PIM)
PIM involves managing identities with elevated access to ensure they are properly controlled and monitored. It focuses on the lifecycle of privileged identities, from creation to deactivation, ensuring that these accounts are used securely and responsibly.
Key Features of PIM
- Identity Lifecycle Management: Ensuring identities are managed from creation to deactivation. This includes regular reviews and updates to ensure that access rights remain appropriate.
- Multi-Factor Authentication (MFA): Adding an extra layer of security for privileged accounts.
- Just-In-Time Access: Granting access only when needed, reducing the risk of misuse of privileged credentials. This approach minimises the attack surface by limiting the duration for which privileges are granted.
- Role-Based Access Control (RBAC): Assigning access based on roles ensures that users have the minimum necessary access to perform their jobs. This principle of least privilege helps prevent excessive access rights.
- Audit and Compliance: Regular audits to ensure compliance with policies and regulations. Auditing privileged access helps organisations detect and respond to inappropriate use of privileges.
Benefits of PIM
- Improved Control Over Privileged Identities: By managing the lifecycle of privileged identities, organisations can ensure that these accounts are used appropriately and securely.
- Reduced Risk of Unauthorised Access: Just-in-time access and RBAC reduce the risk of unauthorised access by limiting the availability and scope of privileged accounts.
- Prevent breaches: MFA helps to prevent account takeovers and as a result reduces the likelihood of a breach.
- Better Compliance with Identity Governance: Regular audits and compliance checks help organisations meet regulatory requirements and ensure that privileged identities are managed responsibly.
Privileged Access Management (PAM)
PAM focuses on securing and controlling access to systems using privileged accounts. It involves protecting the credentials of privileged systems and monitoring their use to prevent misuse and detect suspicious activities.
Key Features of PAM
- Credential Vaulting: Secure storage of privileged system credentials to protect them from theft. Credentials are stored in an encrypted vault and released only for approved use, reducing the risk of unauthorised access.
- Session Management: Monitoring and controlling privileged sessions to detect and respond to suspicious activities. This includes recording sessions for audit purposes.
- Access Control: Restricting access to critical systems to authorised users only. PAM ensures that only authenticated and authorised users can access sensitive systems.
- Audit and Reporting: Tracking and reporting access activities to ensure accountability and transparency. Detailed logs of privileged access help organisations detect and investigate potential security incidents.
Benefits of PAM
- Enhanced Security for Sensitive Systems: By securing privileged credentials and monitoring their use, PAM enhances the security of critical systems.
- Prevention of Credential Misuse: PAM reduces the risk of credential misuse by storing them securely and monitoring their use.
- Monitoring of Privileged Activities: Continuous monitoring of privileged activities helps organisations detect and respond to suspicious behaviour.
- Compliance with Access Control Regulations: PAM helps organisations meet regulatory requirements by ensuring that access to sensitive systems is properly controlled and monitored.
Key Differences Between PIM and PAM
PIM is aimed at managing identities with privileged access; it focuses on securing the identity lifecycle through creation, establishment, storage, usage, revocation and termination. PAM, on the other hand, focuses on securing and monitoring access to privileged systems and preventing misuse of authorised privileges. In other words, PAM is concerned with the actions performed on privileged systems using privileged identities, ensuring that each privileged system is used appropriately.
By managing the lifecycle of privileged identities, PIM reduces the risk that privileged identities are compromised. PAM ensures that authorised privileged access is not misused, as in the case of malicious insiders who hold privileges. PAM stops privileged insiders from abusing their privileges and limits the damage an outside threat actor who manages to compromise privileged credentials can do. So PAM is about compliance with authorised access policies, while PIM deals with the identities themselves.
How PIM and PAM Work Together
PIM and PAM complement each other by providing a comprehensive approach to securing privileged identities and privileged access to critical systems. Integrating both ensures robust security and compliance, protecting organisations from identity compromise and unauthorised access to critical systems.
Example Scenarios
- Scenario 1: Using PIM to manage privileged identities and PAM to control access to critical systems. PIM ensures that privileged identities are properly authenticated and verified while PAM secures the access and actions performed with these identities.
- Scenario 2: Combining identity lifecycle management with session monitoring for enhanced security. PIM manages the lifecycle of privileged identities, and PAM monitors their use, ensuring that privileged activities are secure and appropriately used.
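The PIM features described earlier (just-in-time access, RBAC, audit) and the PAM features (credential vaulting, session management, audit) are easiest to see as one system in code. The following is an added example, not code from this whitepaper, from IDEE or from any PIM/PAM vendor, modelling in Python how a PIM-issued, time-bound, role-scoped grant gates a PAM vault's release of a credential, with both sides writing to a single audit trail. The users, roles, system name, 900-second TTL and the toy SHAKE-based sealing are all constructed for illustration.

```python
"""Constructed model of a PIM just-in-time grant feeding a PAM credential vault:
the vault releases a privileged credential only while a time-bound, role-scoped
grant is active, and both write to one audit trail. Standard library only; not
IDEE's or any vendor's implementation."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    role: str
    approved_by: str
    starts: float
    expires: float


class PIM:
    """Identity side: role eligibility plus the short-lived grants that turn it into privilege."""

    def __init__(self, eligible: dict[str, set[str]], audit: list):
        self._eligible, self._grants, self._audit = eligible, [], audit   # role -> eligible users

    def request_jit(self, user: str, role: str, approver: str, now: float, ttl_s: int = 3600) -> Grant:
        if user not in self._eligible.get(role, set()):
            self._audit.append(("pim.denied", user, role, "not eligible"))
            raise PermissionError(f"{user} is not eligible for {role}")
        if approver == user:                      # separation of duties: no self-approval
            self._audit.append(("pim.denied", user, role, "self-approval"))
            raise PermissionError("approver must differ from requester")
        grant = Grant(user, role, approver, now, now + ttl_s)
        self._grants.append(grant)
        self._audit.append(("pim.granted", user, role, f"until {grant.expires:.0f}"))
        return grant

    def has_active_grant(self, user: str, role: str, now: float) -> bool:
        return any(g.user == user and g.role == role and g.starts <= now < g.expires
                   for g in self._grants)


def seal(key: bytes, plaintext: str) -> bytes:
    """Toy at-rest encryption (SHAKE-256 keystream XOR, random nonce). No integrity
    check; a real vault would use an AEAD or a KMS."""
    nonce, pt = secrets.token_bytes(16), plaintext.encode()
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    return nonce + bytes(a ^ b for a, b in zip(pt, ks))


def unseal(key: bytes, sealed: bytes) -> str:
    nonce, ct = sealed[:16], sealed[16:]
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


class PAM:
    """Access side: vaulted credentials released per session and rotated on check-in."""

    def __init__(self, pim: PIM, audit: list, vault_key: bytes):
        self._pim, self._audit, self._key = pim, audit, vault_key
        self._vault: dict[str, tuple[str, bytes]] = {}    # system -> (required role, sealed secret)

    def store(self, system: str, role: str, secret: str) -> None:
        self._vault[system] = (role, seal(self._key, secret))

    def checkout(self, user: str, system: str, now: float) -> tuple[str, str]:
        role, sealed = self._vault[system]
        if not self._pim.has_active_grant(user, role, now):
            self._audit.append(("pam.denied", user, system, "no active grant"))
            raise PermissionError(f"{user} has no active {role} grant for {system}")
        session_id = secrets.token_hex(8)                # ties this release to a recorded session
        self._audit.append(("pam.checkout", user, system, session_id))
        return session_id, unseal(self._key, sealed)

    def checkin(self, session_id: str, system: str) -> None:
        role, _ = self._vault[system]                    # rotate: the released value dies with the session
        self._vault[system] = (role, seal(self._key, secrets.token_urlsafe(24)))
        self._audit.append(("pam.checkin", system, session_id, "rotated"))


def refused(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    audit: list[tuple] = []
    pim = PIM({"db-admin": {"alice"}}, audit)
    pam = PAM(pim, audit, vault_key=secrets.token_bytes(32))
    pam.store("prod-postgres", role="db-admin", secret="s3cr3t-initial")
    t0, out = 1_700_000_000.0, {}
    out["denied_without_grant"] = refused(lambda: pam.checkout("alice", "prod-postgres", t0))
    pim.request_jit("alice", "db-admin", approver="bob", now=t0, ttl_s=900)
    session, secret = pam.checkout("alice", "prod-postgres", t0 + 10)
    out["checkout_ok"] = secret == "s3cr3t-initial"
    pam.checkin(session, "prod-postgres")
    out["rotated_after_checkin"] = pam.checkout("alice", "prod-postgres", t0 + 20)[1] != "s3cr3t-initial"
    out["expired_denied"] = refused(lambda: pam.checkout("alice", "prod-postgres", t0 + 901))
    out["ineligible_denied"] = refused(lambda: pim.request_jit("mallory", "db-admin", "bob", t0))
    out["audit_events"] = [event[0] for event in audit]
    return out
```

Two details matter in practice. The grant is evaluated at checkout time, not at grant time, so an expired grant fails closed regardless of what happened earlier, and eligibility is not standing access: alice holds no privilege until a second person approves a request. Check-in rotates the vaulted secret, so a credential that leaked during the session is worthless once the session is closed, and every denial is itself an audit event, which is the signal a PAM session monitor would alert on.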
Benefits of Combining PIM and PAM
- Comprehensive Security: Integrating PIM and PAM provides a holistic approach to managing and securing privileged identities and access to critical systems.
- Improved Risk Management: By combining the strengths of PIM and PAM, organisations can better manage the risks associated with privileged identities and access.
- Enhanced Compliance: Together, PIM and PAM ensure that organisations meet regulatory requirements for identity and access management.
Choosing the Right Solution for Your Organisation
Factors to Consider
- Organisational Needs: Assess the specific requirements for identity and access management. Consider factors such as the size of the organisation, the number of privileged accounts, and the sensitivity of the data and systems.
- Implementation Timing: Determine when to implement PIM and PAM based on security priorities. Consider the urgency of addressing identity and access management challenges and the availability of resources for implementation.
- Integration Scenarios: Evaluate potential scenarios for implementing both solutions together. Consider how PIM and PAM can be integrated to provide comprehensive security and compliance.
When to Implement PIM
- Scenario 1: When the organisation needs to manage the lifecycle of privileged identities. PIM is essential for ensuring that privileged identities are created, used, and deactivated securely.
- Scenario 2: When regulatory compliance requires strict management of privileged identities. PIM helps organisations meet regulatory requirements for identity governance and lifecycle management.
When to Implement PAM
- Scenario 1: When the organisation needs to secure and monitor access to critical systems. PAM is essential for protecting privileged system credentials and ensuring that access to sensitive systems is secure and appropriately used.
- Scenario 2: When the risk of credential misuse or insider threats is high. PAM helps organisations prevent the misuse of privileged credentials and detect suspicious activities.
Potential Scenarios for Implementing Both
- Scenario 1: Large organisations with complex IT environments. Implementing both PIM and PAM ensures comprehensive management and security of privileged identities and privileged access to critical systems.
- Scenario 2: Organisations handling sensitive data or critical infrastructure. Integrating PIM and PAM provides robust protection for sensitive data and systems, ensuring that privileged identities and access are managed securely.
MFA 2.0: Advanced Authentication Approach to Preventing Privileged Identity Compromise
MFA 2.0 is AuthN by IDEE's advanced authentication, which uses a multi-faceted approach to prevent identity compromise. Unlike MFA 1.0 (push, QR code, SMS and one-time-password-based methods), MFA 2.0 is not just phishing-resistant but phish-proof: it cannot be bypassed by sophisticated attack methods such as AitM. Its distinguishing characteristics are strong identity proofing, same-device MFA, identity binding and transitive trust, which together provide robust protection against unauthorised access.
Strong Identity Proofing
MFA 2.0 uses robust mechanisms to verify user identities during enrolment, reducing the risk of fraudulent accounts.
Same-Device MFA
With MFA 2.0 the second factor is completed on the same device that initiated the login, so there is no separate code, push prompt or QR scan for an attacker to intercept or relay.
Identity Binding
MFA 2.0 binds user identities to specific trusted devices, so only those devices can be used to authenticate; a stolen password is useless from any other device.
Transitive Trust
MFA 2.0 uses explicit transitive trust to extend trust from a user's already verified, trusted device to a new one, so devices can be added without weakening the chain of trust or opening a path for unauthorised access.
MFA 2.0 has demonstrated effectiveness in securing enterprise networks by ensuring that only authorised personnel can access critical systems. By combining multiple layers of protection, it significantly reduces the risk of privileged identity compromise. Same-device MFA and identity binding simplify the authentication process without sacrificing security, and the solution can be integrated into existing systems, providing a scalable option for organisations of all sizes. Organisations can therefore effectively mitigate the threat of account takeover.
This multi-layered approach ensures that only the owner of a privileged identity can access a privileged system, on a trusted device, with a trusted credential and under the owner's full control, which is what prevents privileged account takeover.
Enhancing PIM and PAM with MFA 2.0
MFA 2.0 ensures that the complete user identity lifecycle is immune to phishing, is provable and cannot be subverted by a privileged insider. It significantly enhances PIM and PAM by providing stronger identity proofing and establishing identity credentials that cannot be stolen, phished or bypassed by insider or outside threat actors. MFA 2.0 strengthens the entire digital identity lifecycle to prevent compromise of privileged identities, which in turn prevents unauthorised access to privileged systems. Integrating MFA 2.0 with PIM ensures that privileged identities are protected with phish-proof MFA, while PAM (where required) monitors for and detects insider threats.
By leveraging MFA 2.0 to protect the initial point of entry, a holistic approach to securing privileged identities and access can be achieved.
Conclusion
AuthN by IDEE offers robust MFA 2.0 for preventing identity compromise and securing privileged access. The integration of PIM and PAM, strengthened by IDEE's phish-proof MFA, provides a comprehensive approach to modern cybersecurity that is resilient to sophisticated attacks.
IDEE IAM Cheat Sheet: Assess your existing identity and access management practices to identify gaps and areas for improvement.
Implement MFA 2.0: Consider integrating AuthN by IDEE's phish-proof MFA 2.0 to enhance the security of your privileged identities and privileged access management.