CDK Global was the latest company to fall victim to a massive cyberattack and as a result, was forced to shut down many of its systems. With cyberattacks accounting for more than $200 billion in lost revenue for businesses each year, accounting for nearly 1% of the 2023 U.S. GDP, organizations of all sizes can no longer ignore this issue.
Not only were CDK Global’s systems shut down, but they also asked customers to disconnect from all virtual private networks and halt administrative updates to prevent further damage. Based on the company’s response and the small amount of information offered thus far, it indicates they were hit with ransomware or another similar attack that leverages lateral movement through the infected network.
This attack demonstrates another example of the number of companies that remain vulnerable to lateral movement identity attacks. We’ve seen countless companies - Snowflake, Ticketmaster, UHaul, and many others – get breached in recent months and they all have a common thread: identity security gaps that let attackers break into the network and move laterally, wreaking havoc on a company's infrastructure.
Most companies invest in multi-million dollar endpoint or network segmentation technologies, but recent headlines prove that pouring more budget into these products isn’t the answer. By the time the attacker gets to the endpoint, it’s game over. Protections need to come before.
Security concerns mirror cloud growth
Sixty-seven percent of companies sync their on-prem passwords to cloud environments in an insecure manner—increasing the attack surface and making them highly enticing targets for attackers. The mass transition to the cloud that happened four years ago, while it made it easier for businesses to operate and scale, it also made it that much easier for attackers to break in.
Companies bridge their networks with privileged user identities and non-human identities, creating – often unknown – gaps in their infrastructure. To defend and contain lateral movement before a threat actor can get to the proverbial “crown jewels,” companies must deploy identity segregation – even identity micro-segmentation – to prevent the nature of these attacks.
Take a new approach to identity
A well-designed identity segregation architecture focuses on three fundamentals:
- Better managing access, striving for least privilege: CISOs must granularly limit access, especially on privileged-user and privileged-non-human accounts, based on source, destination, protocol, time, and other factors. Over-privilege can lead to unintentional risks in an organization such as data loss or theft, as well as creating more and unnecessary targets for phishing attacks.
- Align on what the company defines as normal: To establish a risk, or what’s deemed abnormal activity in a network, CISOs must first clearly establish a baseline of what “normal” identity behavior is for all accounts. If a Seattle-based user suddenly signs on at midnight in a foreign country and accesses new and different documents, that should quickly raise a flag.
- Quickly spot abnormal activity: When CISOs have the right tools in place to proactively monitor and alert them to these abnormal activities, their teams can then respond quickly. This helps identify and prevent any further deviation of activity, and if it’s that attackers are trying to break into the network, the security team can efficiently mitigate and contain the identity compromise.
Many factors contribute to a breach, but the lack of identity segregation and protection is always a top reason contributing to a breach, even at some of the most powerful companies with the best security.
Why identity is the Achilles heel
When a company lacks strong controls and and had gaps in identity, the only option they have is to shut down all systems to contain the breach.
As we’ve seen in recent breaches like Okta and AppDirectory, those traditional identity providers do not offer the 360-platform of identity security needed, they focus on the management of the apps. These identity point solutions operate in silos, securing only what they know, resulting in a striking 83% of companies reporting identity-related data breaches. This leaves over 90% of enterprises relying on a patchwork mix of one or more cloud identity providers (IdPs), and other point products to secure the accelerating number of identities.
Attackers know this and take advantage of the gap in security to hop from one part of an organization to the next to steal data. This further proves the point that identity security has become a gray area many companies are trying to figure out. By deploying the three-step identity segregation architecture outlined, CISOs can get one step closer to securing their entire organization and preventing further identity-based breaches.
John-Paul Cunningham, chief information security officer, Silverfort
