How Identity and Credential Misconfigurations Dominate Security Exposures
Of late, identity and credential misconfigurations have emerged as a predominant source of security exposures across organisations. Recent data reveals that Active Directory (AD) accounts are responsible for 80% of all identified security exposures, underscoring the critical nature of this issue. This statistic is derived from the analysis of over 40 million exposures, which present high-impact risks to numerous critical business entities. Research conducted by industry leaders highlights the pervasive and alarming nature of these vulnerabilities.
Active Directory, a cornerstone for user-network resource connectivity, dominates the attack surface. Reports indicate that Active Directory accounts for over half of the entities identified across all environments. This infrastructure, while essential, is highly attractive to attackers due to the elevated rights it can confer. Compromising an Active Directory account enables an adversary to elevate privileges, conceal malicious activities, execute harmful code, and even gain access to cloud environments. The dynamic configuration issues inherent to Active Directory, coupled with the challenge of keeping it up-to-date, create hidden vulnerabilities that many security tools fail to detect.
Misconfigurations and credential attacks are the primary contributors to these exposures. Issues in member management and password resets introduce gaps often overlooked by traditional security tools. Techniques such as credential harvesting, credential dumping, credential relay, and abuse of domain credentials are prominently identified by attack path analysis for AWS, Azure, and GCP. Tools like Mimikatz facilitate these attacks, making them popular and effective. Poor practices exacerbate these risks; highly privileged Active Directory credentials are frequently cached on multiple machines, with 79% of organisations exhibiting this vulnerability. Among these, one in five have admin-level permissions on 100 or more devices, highlighting a significant risk.
Moreover, poor endpoint hygiene is a widespread problem. Over 25% of devices lack Endpoint Detection and Response (EDR) coverage or contain cached credentials, providing attackers with ample opportunities to establish footholds. These overlooked vulnerabilities in identity and endpoint security create fertile ground for hackers, demanding urgent and comprehensive attention from organisations.
Industry leaders are stressing the importance of broadening exposure management beyond traditional vulnerabilities. Misconfigurations and user behavior must be included in the scope to effectively manage potential adversary pathways. Research indicates that a mere 2% of exposures exist on critical ‘choke points,’ which are exploited by adversaries to access crucial assets. Despite the significant focus on managing traditional software vulnerabilities tracked by CVE identifiers, these efforts only address a small fraction of the actual exposure landscape. Analysis uncovered approximately 15,000 exposures per organisation, with CVE-based vulnerabilities constituting less than 1%.
In the cloud, the exposure risks are equally significant. Active Directory may be the largest attack surface, but the majority of exposures affecting critical assets are traced back to cloud platforms. Over half of these exposures in the cloud present a significant threat, as attackers can effortlessly transition between on-premises and cloud environments. This fluidity allows them to compromise critical cloud-based assets with minimal resistance.
Sector-specific analysis reveals varied exposure risks. Industries like Energy and Manufacturing exhibit a higher proportion of internet-exposed critical assets compared to Financial Services, despite the latter’s larger digital footprint. Healthcare providers, facing unique challenges in risk minimisation, contend with a median number of exposures five times higher than the Energy and Utilities sector, emphasising the need for customised exposure management strategies.
To address these challenges, organisations must adopt a holistic and ongoing Exposure Management approach that transcends traditional vulnerability and CVE management. This approach should incorporate attack path modelling to identify and resolve infrastructure weak points. Emphasis should be placed on addressing identity issues, Active Directory exposures, and cloud cyber hygiene. Tailored solutions according to industry and organisational scale are crucial for effective risk mitigation.
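The choke-point idea above (a small share of exposures sits on the paths adversaries must traverse to reach critical assets) and the attack path modelling this section recommends can be made concrete with a toy graph. The following is an added example, not code or data from the XM Cyber report: the node names, edges and critical assets are constructed, and a node counts as a choke point when remediating it severs at least one path from the entry point to a critical asset.

```python
from collections import deque

# Constructed toy attack graph (not data from the report): each key is an
# exposure or foothold, each value is the set of nodes reachable from it.
ATTACK_GRAPH = {
    "internet": {"vpn_weak_mfa", "web_app_rce"},
    "vpn_weak_mfa": {"ws01_cached_da"},
    "web_app_rce": {"ws02_no_edr"},
    "ws02_no_edr": {"ws01_cached_da"},       # endpoint without EDR, cached creds
    "ws01_cached_da": {"ad_domain_admin"},   # domain admin creds cached on host
    "ad_domain_admin": {"azure_global_admin", "crit_sql"},
    "azure_global_admin": {"crit_storage", "crit_keyvault"},  # on-prem -> cloud
    "crit_sql": set(),
    "crit_storage": set(),
    "crit_keyvault": set(),
}
ENTRY = "internet"
CRITICAL = {"crit_sql", "crit_storage", "crit_keyvault"}


def reachable(graph, start, blocked=frozenset()):
    """BFS from start, treating blocked nodes as already remediated."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        if node in seen or node in blocked:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def choke_points(graph, entry, critical):
    """Map each choke point to the critical assets that fixing it cuts off."""
    baseline = reachable(graph, entry) & critical
    result = {}
    for node in graph:
        if node == entry or node in critical:
            continue
        still_reachable = reachable(graph, entry, blocked={node}) & critical
        cut_off = baseline - still_reachable
        if cut_off:
            result[node] = cut_off
    return result


def rank_remediation(graph, entry, critical):
    """Choke points ordered by how many critical assets each one protects."""
    cps = choke_points(graph, entry, critical)
    return sorted(cps.items(), key=lambda kv: (-len(kv[1]), kv[0]))
```

In the toy graph the individual entry vectors are not choke points (an attacker can route around any one of them), whereas the host with cached domain admin credentials and the domain admin account itself each gate every critical asset, which is where remediation effort pays off first.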
Ultimately, identity and credential misconfigurations represent a significant and pervasive threat to organisational security. The findings from industry researchers illuminate the urgent need for comprehensive exposure management strategies. By addressing the multifaceted vulnerabilities within Active Directory and cloud environments, organisations can better protect their critical assets from increasingly sophisticated adversaries.
Source: XM Cyber and the Cyentia Institute Report - https://info.xmcyber.com/research-report-2024-state-of-exposure-management