Whether those credentials were stolen from endpoints, obtained using social engineering, or purchased on the dark web, the message is the same: Infiltrating a network using a compromised identity is a highly successful tactic for today’s attackers. Until organizations prove they can consistently stop it, attackers have little reason to abandon the technique.
Much of the conversation about identities revolves around user identities. And while user identities are vulnerable, there are literally billions of nonhuman entities populating today’s networks.
In 2020, Cisco published a report estimating that by 2023, there will be almost 30 billion networked devices in use around the world, up from 18 billion just a few years ago. Nonhuman identities now outnumber human users by a significant margin, and most of today’s communication over the Internet isn’t between humans – it’s between machines.
Unfortunately, a compromised machine identity can have consequences just as serious as a compromised human identity. It’s a problem that today’s organizations need to recognize – and address – before it is too late.
Understanding Machine Identities
The term user identity is fairly intuitive, but machine identity can apply to a wide range of devices, applications, and processes.
Essentially, a machine identity is anything that has the means to operate or communicate over the Internet and is not a human. That includes smartphones, laptops, web applications, servers, databases, industrial control systems, and countless other nonhuman entities. These devices talk to each other all the time, which means they need to be able to verify that the entity they are communicating with is what it claims to be.
How many times has the average user logged into an online account from a new laptop (or even just a new browser) and been greeted with “this device is unrecognized”? When that happens, the system is prompting the user to re-authenticate. When the account holder’s identity is verified, the application will then hold the new device ID and recognize it in the future.
The need for proper authentication is even clearer when areas like critical infrastructure are considered. A manufacturing plant might have hundreds of different machines working on an assembly line, and there is usually a structured system that serves as a controller for multiple systems beneath it.
Those systems need to be able to authenticate every device on the factory floor. After all, when a device receives an instruction, it needs to be certain that the system giving it that instruction has the proper authorization. Without that authentication, it would be easy for an intruder to give a device incorrect – or even damaging – instructions.
Why Attackers Target Machine Identities
If a machine identity is compromised, it opens the door to several different attack actions. Attackers might use the device to conduct man-in-the-middle attacks, or listen to data going back and forth over the network and steal information. Others might perform acts of sabotage, as in the factory floor example. Still others might leverage the compromised identity to move laterally throughout the network, the same way they would with a compromised user identity.
Tying those identities together with what should be proper authorized access for legitimate resources requests is Microsoft’s Active Directory (AD). It’s kind of like a GPS – a directory of information sources, all very complex in structure. More than 90% of enterprises today use AD as their identity service, and attackers will often target AD in an attempt to escalate their privileges even further.
The soaring number of machine identities in use today makes them considerably more difficult to secure. It isn’t easy to make sure that every system is patched and updated on a continuous basis. Identities are secured using digital certificates, and those certificates also need to be managed. Some enterprises today use millions of such certificates, and keeping track of expiration and renewal dates can be a significant challenge at scale.
Automated tools have helped address some of these issues, but they also add a layer of complexity, which creates vulnerabilities of its own. After all, the more complex the system, the more difficult it is to notice when something is amiss. Most organizations already lack visibility into the machine identities on their networks, which means that an attacker who compromises a machine identity could collect data where no one is looking, often for a long period of time.
Also see: Best Website Scanners
Securing Machine Identities
One area where automation shines is in identifying and tracking vulnerabilities. With machine identities numbering in the millions, manually accounting for each one simply isn’t possible. Instead, organizations can use modern cybersecurity tools to automate the process of tracking credentials.
Additionally, while the nature of Active Directory makes it notoriously difficult to secure, there are automated tools capable of monitoring AD for potential attack paths and even attacks in progress. Keeping machine identities secure requires the ability to continuously monitor AD and other areas for vulnerabilities and misconfigurations. Detecting and remediating these issues before an attacker can exploit them remains one of the most effective ways to keep identities – machine or otherwise – secure.
Attackers can usurp machine identities in a number of ways, but the ability to shut down potential attack paths and detect abnormal behavior in real time can significantly reduce the level of risk an organization faces. Attackers won’t stop targeting identities anytime soon, and savvy organizations should ensure their identity security tools have the necessary visibility and protections in place to guard their machine identities as well as their user identities.
About the Author:
Tony Cole, CTO at Attivo Networks