For many years, the identity infrastructure has been one of the most neglected elements in enterprise security, and a new report which is based on data from many companies is now showing that identity has become concerningly vulnerable and must be addressed. Major attacks on Change Healthcare, Okta, MGM, U-Haul, and many others over just the past six months have demonstrated the growing impact identity plays in maintaining the confidentiality of customer and corporate data. 74% of breaches are a result of human error or misuse—whether that’s people misusing privileges or having their credentials stolen.
To better understand the identity weaknesses in an organization’s environment, Silverfort released its Identity Underground Report 2024, which is based on real data from hundreds of organizations in all sizes, industries, and geographies. This is the first identity report 100% dedicated to exposing the frequency and prevalence of identity threat exposures (ITEs). The data, analysis, and insights aim to help identity and security teams benchmark their programs, empowering them to make informed decisions on where to invest to improve identity security.
Among other findings, Silverfort showed that two out of every three businesses are opening their cloud environments to cyber risks by syncing on-prem passwords to the cloud. This means that attackers can leverage legacy on-prem vulnerabilities to compromise credentials, which can then be used to maliciously access the cloud environment too. Although businesses continue to move to the cloud, 82.4% of organizations still rely on a hybrid identity infrastructure that combines on-prem and cloud identity solutions. This is therefore becoming a significant concern. Ransomware groups such as Alphv BlackCat are known to use Active Directory as a gateway to compromise cloud identity providers.
- Password Exposers: Enable an attacker to discover a user account’s password. Password Exposers expose the password or hash to common compromise techniques. This can include, for example, NTLM (and NTLMv1) authentication, and admins with SPN. The Identity Underground report found that 64% of all user accounts authenticate (at least in some cases) via the weakly encrypted NTLM protocol, providing attackers easy access to cleartext passwords. Easily cracked via brute force, NTLM authentication is a prime target for attackers looking to steal credentials and spread deeper into an environment.
- Privilege Escalators: Allow an attacker to gain additional access privileges and cause far greater damage. Typically, Privilege Escalators are a result of a misconfiguration or insecure legacy settings and can be found in examples like Shadow Admins and Unconstrained Delegation. According to the report’s findings, a single misconfiguration in Active Directory spawns 109 new shadow admins on average. Shadow admins are user accounts with the power to reset admin accounts’ passwords or manipulate accounts in other ways but are usually under the radar. Attackers use Shadow Admins to change settings and permissions and give themselves more access privileges as they move deeper within an environment.
- Lateral Movers: Open the option for an attacker to spread within a network without being detected. This can include service accounts and prolific users. Silverfort found 31% of user accounts operate as service accounts, which are non-human identities and are often highly privileged. Attackers target service accounts, as they are often overlooked or unknown to the security and identity teams that manage them and are typically difficult to protect.
- Protection Dodgers: Potentially open legitimate user accounts for attackers to use. Protection Dodgers stem from human error or mismanaged user accounts; they are not inherently security flaws or misconfigurations like the other ITEs listed. Examples include new users, shared accounts, and stale users. The report found that 13% of user accounts are categorized as "stale accounts," which are effectively dormant, serving as easy targets for attackers and allowing them to evade detection.
Approximately 7% of user accounts inadvertently hold admin-level access privileges, giving attackers more opportunities to escalate privileges and move throughout environments undetected. Whether in the cloud or on-prem, this report demonstrates the importance of consistent identity security controls to keep data confidential and secure. Without a comprehensive way to protect cloud as well as on-prem environments—and gather a complete picture of the entire hybrid identity infrastructure—attackers will continue to take advantage of these gaps. Businesses need to understand where they are exposed, eliminate risks and ITEs where they can, and continue taking preventative measures to prevent future gaps in their cyber posture.
This report puts an important spotlight on critical weaknesses. It's up to security leaders to take the right action against them, today.
Hed Kovetz is the CEO and Co-Founder of Silverfort. Before founding Silverfort, Hed served in product leadership positions at Verint, where he led the company’s nation-scale cybersecurity platform and won the company’s innovation competition for his patent-pending inventions. He also spent years helping build the cybersecurity infrastructure for countries around the world, leading massive teams globally. Hed got his start in Unit 8200 of the Israeli Intelligence Corps, where he worked for six years and was asked to lead research.
