Hybrid Threats Are a Plague Upon Our Newfound Cloud Prosperity; We Must Fight Back


In an era of growing complexity in IT environments, the rise of hybrid threats poses a significant challenge for cybersecurity professionals. Learn about the strategies to safeguard your organisation’s hybrid environment, including identity threat detection, least privilege access, just-in-time access, and application control.

As IT environments become increasingly complex, the region’s cybersecurity professionals face increasingly complex threats. One of the latest is the hybrid threat, named for the environments these campaigns target: estates that span on-premises infrastructure and the cloud. Such environments are now common worldwide because most organisations have headed for the cloud but, for business reasons, have had to leave parts of their IT stack on-premises. The resulting setups challenge IT and security teams daily, and threat actors exploit the gaps, using a variety of techniques to move between on-premises networks and the cloud tenants associated with them.

The cloud is widely misunderstood, and the multiplication of accounts and identities it brings has produced a much larger attack surface and more opportunities for attackers. Azure AD Connect, for example, requires several dedicated accounts, both on-premises and in the cloud. The on-premises connector account holds the right to replicate directory changes (needed for password hash synchronisation) and, where password writeback is enabled, to reset passwords; the cloud-side connector account holds a directory synchronisation role. These are domain-controller-grade privileges that should never fall into the hands of any third party.

Certificate-based authentication is another route to a persistent foothold and unchallenged movement. A threat actor who compromises an account with the right permissions can add a certificate or client secret to an Azure application or service principal and then authenticate as that application to reach sensitive services and data. Unused or misconfigured accounts left over from a cloud migration are candy to malicious groups, who use them for stealthy infiltration and to cover their tracks. From there they can delete virtual machines and data and disrupt services. They can even hijack email accounts, reconfigure security controls, and create scheduled tasks that (among other things) deploy ransomware payloads.

The problem is that, in being quick to adopt the cloud, enterprises have not been as quick to adopt a security posture to match. Here are three best practices that are important steps towards a safer hybrid environment.

Get familiar

You must become familiar with your organisation’s identities, accounts, and privileges. “Attackers think in graphs; defenders think in lists,” remember? Attackers look at all these entities and their dependencies (group memberships, admin rights, cached sessions, application ownership) to find a path to your crown jewels. Understanding those dependencies helps you anticipate where and how they might strike. Think in terms of over-provisioned and under-protected accounts.

Another recent and famous cybersecurity catchphrase is “attackers no longer hack in; they log in”. Identity has become the new perimeter. Compromise the right one and you can wander and act with impunity: any account is yours for the taking, any system or application yours to command, whether on-premises or in the cloud. Identity threat detection and response (ITDR) is the emerging answer to hybrid attacks. Combining identity and access management (IAM) with identity security reclaims visibility and understanding of the environment, especially the complex interdependencies between accounts, privileges, and access. This is a critical capability in a hybrid environment; without it, the SOC is blind. Security teams need not only to see everything they are responsible for but also to receive timely recommendations that target at-risk areas, so they can reduce risk proactively rather than after the fact.
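To make “think in graphs” concrete, here is an added example (not from the original article or any vendor product) that models a small hybrid estate as a directed graph and walks it the way an attacker would. Every identity, host, group and the tenant name is constructed; the edge types are assumptions modelled on how attack-path tooling describes such environments, including the assumption that local admin on the Azure AD Connect server can recover the connector accounts’ credentials. The output answers the question this section poses: which ordinary accounts are over-provisioned, and how many hops separate them from the crown jewels.

```python
"""Think in graphs: shortest paths from ordinary identities to the crown jewels."""
from collections import defaultdict, deque

# Constructed sample inventory. Every name below is hypothetical; the edge types
# are modelled on how attack-path tools describe hybrid AD / Azure AD estates.
# (source, relationship, destination) means "control of source yields destination".
EDGES = [
    ("user:alice",             "MemberOf",            "group:Helpdesk"),
    ("group:Helpdesk",         "AdminTo",             "host:WS-042"),
    ("host:WS-042",            "HasSession",          "user:svc_backup"),      # creds cached on the box
    ("user:svc_backup",        "MemberOf",            "group:Server Operators"),
    ("group:Server Operators", "AdminTo",             "host:AADC-01"),         # the Azure AD Connect server
    ("host:AADC-01",           "StoresCredentialsOf", "user:MSOL_8f3a1c"),     # on-prem connector account (assumed)
    ("host:AADC-01",           "StoresCredentialsOf", "user:Sync_AADC_1a2b"),  # cloud connector account (assumed)
    ("user:MSOL_8f3a1c",       "ReplicatingDirectoryChanges",      "domain:corp.local"),
    ("user:Sync_AADC_1a2b",    "DirectorySynchronizationAccounts", "tenant:contoso"),
    ("user:bob",               "Owns",                "app:finance-api"),
    ("app:finance-api",        "AppRole:Directory.ReadWrite.All", "tenant:contoso"),
    ("user:carol",             "MemberOf",            "group:Finance"),
    ("group:Finance",          "CanRead",             "share:FIN-REPORTS"),
]

CROWN_JEWELS = {"domain:corp.local", "tenant:contoso"}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the hop list [(src, rel, dst), ...] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def reachable(graph, start):
    """Every node that control of `start` eventually yields."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for _, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def over_provisioned(edges, jewels=CROWN_JEWELS):
    """Map each user identity to the crown jewels it can reach and the hop count to each."""
    graph = build_graph(edges)
    users = sorted({src for src, _, _ in edges if src.startswith("user:")})
    result = {}
    for user in users:
        hits = reachable(graph, user) & jewels
        result[user] = {j: len(shortest_path(graph, user, j)) for j in sorted(hits)}
    return result


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for user, hits in over_provisioned(EDGES).items():
        print(f"{user:22} -> {hits or 'nothing sensitive'}")
    for hop in shortest_path(graph, "user:alice", "tenant:contoso"):
        print("  {} --{}--> {}".format(*hop))
```

Run it and alice, a help-desk user, turns out to be seven hops from both the on-premises domain and the cloud tenant, while bob reaches the tenant in two because he owns an application that holds a directory-wide write role. A list of group memberships would have shown neither.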

Get strict

In a complex hybrid environment, tightening permissions to least privilege is more important than ever. To limit lateral movement, ensure that each account is aligned with the role of the human or application that uses it and has no more permissions than that function needs. Endpoint privilege management tools that cover all the major platforms (Windows, macOS, Unix, Linux, and so on) are fit for this purpose. No user should hold local admin privileges unless system administration is their core job: one slip-up and an attacker with local admin can dump credentials from the endpoint and disable its security agents.

Where possible, implement privileged access management (PAM) tools. They are designed to discover privileged accounts and enforce just-in-time access automatically, granting elevated rights only for an approved, time-boxed window and revoking them afterwards. This brings a high degree of control and protection, not to mention auditing. These approaches do not only work on-premises. Because the modern attacker often uses a compromised on-premises privileged account to reach similarly provisioned, synchronised accounts in the cloud, any step taken to tighten privileges on-premises also protects the cloud environment from compromise. In general, implementing just-in-time and least-privilege policies across a hybrid environment reduces the attack surface and blocks many of the vectors commonly used in hybrid attacks.

Get control 

Attackers will use any tool at their disposal to get the job done. Remote-access tools are very popular in the work-from-home world, and they are routinely abused, as are admin tools like PowerShell and toolkits like AADInternals. Traditional controls such as anti-virus and even endpoint detection and response (EDR) struggle to flag activity that uses off-the-shelf native tools: they are in everyday legitimate use and not inherently malicious. Application control can join forces with privilege management to drastically reduce an attacker’s ability to reach tools and privileges: restrict which binaries may run, by which users, from which locations, and elevate only for an approved window. The attacker then finds it harder to execute code or move laterally, and their dwell time shrinks considerably.
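As an added example (not the article’s or any product’s code) tying together the just-in-time access described under “Get strict” and the application control described here, the Python below evaluates constructed process-start events against one simple policy: remote-access tools run only if sanctioned and signed, native admin tools run only inside an approved JIT window for that user on that host (with AADInternals or an encoded PowerShell command inside the window escalated rather than silently trusted), and everything else needs both a trusted signer and a trusted path. The users, hosts, paths, change ticket and the choice of sanctioned remote-access tool are all assumptions.

```python
"""Application control plus just-in-time privilege: one decision per process start."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# All users, hosts, paths and tickets below are constructed for this example.


@dataclass(frozen=True)
class ProcessEvent:
    time: datetime
    user: str
    host: str
    path: str        # full image path as logged
    publisher: str   # Authenticode signer, "" when unsigned
    cmdline: str


@dataclass(frozen=True)
class JitGrant:
    user: str
    host: str
    starts: datetime
    expires: datetime
    ticket: str      # change/approval reference kept for audit


ADMIN_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "psexec.exe", "certutil.exe", "wmic.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_REMOTE_ACCESS = {"screenconnect.clientservice.exe"}   # the one tool IT sanctioned (assumed)
TRUSTED_PUBLISHERS = {"microsoft windows", "microsoft corporation"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def jit_active(grants, user, host, at):
    """True only inside an approved, unexpired window for this user on this host."""
    return any(g.user == user and g.host == host and g.starts <= at < g.expires for g in grants)


def decide(event, grants):
    """Return (verdict, reason); verdict is ALLOW, DENY or ALERT (allowed but escalated)."""
    path = event.path.lower()
    image = path.rsplit("\\", 1)[-1]
    cmd = event.cmdline.lower()

    # Rule 1: remote-access tools only if they are the sanctioned one and signed.
    if image in REMOTE_ACCESS_TOOLS:
        if image in APPROVED_REMOTE_ACCESS and event.publisher:
            return "ALLOW", "sanctioned remote-access tool"
        return "DENY", "unsanctioned remote-access tool"

    # Rule 2: native admin tools run only under an active JIT grant; suspicious use
    # inside the window is allowed but escalated rather than silently trusted.
    if image in ADMIN_TOOLS:
        if not jit_active(grants, event.user, event.host, event.time):
            return "DENY", "admin tool outside a JIT window"
        if "aadinternals" in cmd:
            return "ALERT", "AADInternals loaded under a JIT grant"
        if "-enc" in cmd:   # simplified check for -enc / -EncodedCommand
            return "ALERT", "encoded PowerShell command under a JIT grant"
        return "ALLOW", "admin tool inside a JIT window"

    # Rule 3: everything else needs a trusted signer *and* a trusted location.
    if path.startswith(TRUSTED_DIRS) and event.publisher.lower() in TRUSTED_PUBLISHERS:
        return "ALLOW", "trusted publisher in a trusted path"
    return "DENY", "unsigned, untrusted publisher or user-writable path"


def evaluate(events, grants):
    """Evaluate a batch of events; returns [(user, image, verdict, reason), ...]."""
    return [(ev.user, ev.path.rsplit("\\", 1)[-1]) + decide(ev, grants) for ev in events]


T0 = datetime(2024, 3, 12, 9, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# dave (a sysadmin) holds an approved two-hour window on SRV-07 starting at 09:30.
GRANTS = [JitGrant("dave", "SRV-07", T0 + timedelta(minutes=30), T0 + timedelta(hours=2), "CHG-4411")]

EVENTS = [
    ProcessEvent(T0 + timedelta(hours=1), "alice", "WS-042", PS, "Microsoft Windows",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A..."),
    ProcessEvent(T0 + timedelta(hours=1, minutes=15), "dave", "SRV-07", PS, "Microsoft Windows",
                 "powershell.exe Import-Module AADInternals; Get-AADIntSyncCredentials"),
    ProcessEvent(T0 + timedelta(hours=1, minutes=20), "dave", "SRV-07", PS, "Microsoft Windows",
                 "powershell.exe Get-Service -Name winrm"),
    ProcessEvent(T0 + timedelta(hours=3), "dave", "SRV-07", PS, "Microsoft Windows",
                 "powershell.exe Restart-Service winrm"),
    ProcessEvent(T0 + timedelta(hours=1), "carol", "WS-017",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "Microsoft Corporation", "EXCEL.EXE"),
    ProcessEvent(T0 + timedelta(hours=1, minutes=5), "carol", "WS-017",
                 r"C:\Users\carol\AppData\Local\Temp\AnyDesk.exe", "", "AnyDesk.exe"),
    ProcessEvent(T0 + timedelta(hours=2), "bob", "WS-031",
                 r"C:\Users\bob\Downloads\invoice.pdf.exe", "", "invoice.pdf.exe"),
]

if __name__ == "__main__":
    for row in evaluate(EVENTS, GRANTS):
        print("{:6} {:18} {:5} {}".format(*row))
```

The point of the ordering is that a PowerShell binary is signed by Microsoft and lives in a trusted directory, so a signer-and-path rule alone would wave it through; it is the JIT check that denies alice’s hidden, encoded invocation and dave’s out-of-window use, and the escalation rule inside the window that surfaces the AADInternals credential dump an EDR would otherwise see as a legitimate admin session.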

En garde

Ultimately, whether the adversary is a teenager in their bedroom, an operationalised criminal team, or a state-backed battalion does not matter. If the right controls are in place, threat actors will have their work cut out for them and may, if they work on the principle of lowest-hanging fruit, move on to easier targets. If you know the identities, accounts, and privileges operating in your network; if you tighten access to implement least privilege and just-in-time access; if you look at the tools bad actors use and cut off their access; if you do all these things, you will be thinking as they do, in graphs, and you will be on track to establishing a safe hybrid environment.