Over the course of the long, slow evolution of cyberdefenses, we’ve lost focus on what the attacker really wants: access to your data via an identity.
Historically, cybersecurity has focused on external attackers. In the early days, attackers lacked stealth. They used crude methodology and made weak, half-hearted attempts at covering their tracks. As they gained sophistication and specialization, the cyberdefense industry responded in kind, developing more specialized controls — such as antivirus, network firewalls and threat intelligence, among others.
The cyberdefense industry grew in lockstep with the IT environment, increasing in complexity and sophistication with the addition of multiple device types, networks, virtualization and clouds. Eventually, cybersecurity specialization spawned a set of mini cyberdefense industry verticals: network security, endpoint security, cloud security, the security operations center and more.
Challenges of the cyberdefense evolution
Over the course of this evolution, the tools have shifted focus from defending against the external attacker to becoming a control point. The goal of the tool has become securing the network, securing the cloud, securing the endpoint or having the best threat intelligence or the best analytics engine to process the overwhelming volume of logs and metadata.
What’s the problem with that? Consider the following counterpoints:
- For many attackers — which probably means most attackers — the goal isn’t the network, the endpoint or the cloud. It’s an organization’s data. Indeed, the Mitre ATT&CK Matrix for Enterprise maps out the 14 phases of the attack path, and the penultimate phase, exfiltration, comprises nine different techniques for getting data out. Six of the 13 techniques in the final phase, impact, involve data. Ultimately, attackers want your data.
- Attackers don’t care what type of tools you deploy, what category they fit into or what you call them. They don’t care whether cloud security posture management is a standalone tool or part of a cloud-native application protection platform. They don’t care whether your firewall is last-gen or next-gen. They don’t care whether extended detection and response is a superset or a subset of SIEM. They want your data.
- Attackers always take the easy path when they can. Developing an esoteric zero-day exploit to bypass your firewall is hard compared to phishing a naive employee into giving up their username and password. Attackers develop zero-day exploits only when they can’t use an identity, because the exploit itself is never their goal. Attackers want your data.
- The relentless focus on the control point means cyberdefense professionals and their tool suites miss the internal attackers — malicious employees, third parties and those non-malicious employees who inadvertently access sensitive information. This is why, according to the 2023 “Data Breach Investigations Report” from Verizon, 74% of breaches involved a human element — errors, privilege misuse, use of stolen credentials or social engineering. Eighty-three percent of breaches involved external actors, which means 17% of breaches involved internal actors. External or internal, these actors want your data.
- Once external attackers compromise a credential, they become indistinguishable from an insider. Whether it’s cloud, network or endpoint security, any security tool that focuses on the control point and the external attacker may miss the internal attacker or the external attacker masquerading as an internal authorized user.
A call to arms for security pros
Given this long-term evolution of the cyberdefense industry, what should CISOs, cybersecurity analysts and cyberdefenders do?
It is imperative that defenders — and the cyberdefense industry — switch perspectives from control points to attacker behavior and attack paths. Defenders need to recognize that the goal of attackers is your data. Defenders need to understand how attackers behave. For attackers, your network, your cloud and your endpoints are a means to an end: data. Understand that most attack paths involve using identities to access your data.
Attackers have long known that every single entity — every human, every workload, every application and every device, whether physical or virtual, whether on an endpoint, in the cloud or on premises — has an identity. And often more than one identity.
Just as red teams — designed to test the efficacy of cyberdefenses — have taken on the perspectives and techniques of the attackers, so too should defenders.
Some in the cyberdefense industry have already made this shift in perspective. For example, SpecterOps, creator of the open source BloodHound red team tool that maps attack paths in Microsoft Active Directory and Azure AD (recently retitled Microsoft Entra ID), has built a blue team tool called BloodHound Enterprise, which helps defenders manage and secure those same identity attack paths.
Another example is Permiso, which maps identities to events, providing attribution and information for defenders about the identities used and actions taken by attackers trying to penetrate their environment.
The identity industry itself has been rapidly shifting from the IT operational aspects of managing identities to identity security, with established and startup vendors alike creating tools with the goal of securing all identities in the environment.
But that’s just not enough.
It’s time for a revolution in cyberdefense. It’s time for CISOs, cybersecurity analysts, defenders and the cyberdefense industry to make identity security the foundational component of the cybersecurity stack. We must incorporate securing identities into every aspect of cybersecurity strategy, every aspect of cybersecurity tactics and every cybersecurity tool.