Securing the Digital Identity: The Critical Role of Proofpoint's ITDR in Modern Cybersecurity
It certainly feels as though digital identities are constantly under siege nowadays, and the statistics are alarming: one in six endpoints harbors exposed privileged credentials, 87% of local administrators remain unprotected by Local Administrator Password Solution (LAPS) or Privileged Access Management (PAM), and every organization faces risk from service accounts. This vulnerability landscape underscores the urgent need for advanced identity protection solutions. Proofpoint's Identity Threat Detection and Response (ITDR) solution, known as Identity Threat Defense (ITD), offers not just a shield but a proactive platform against identity-based threats and attempted account takeovers. Account takeover (ATO), one of the most pervasive attacks, refers to the unauthorized access to and control of a user's account by an attacker.
Source: Proofpoint ITDR Briefing Deck (2024)
The Imperative of Identity Threat Detection and Response (ITDR)
ITDR represents a new frontier in cybersecurity, focusing explicitly on protecting user identities and the systems that manage them. Unlike traditional security measures, which normally overlook identity-specific vulnerabilities, ITDR dives deep into the identity infrastructure, aiming to discover, detect, respond to, and remediate identity-related risks and threats in real time, as opposed to the anomaly-based detective controls of a typical user and entity behavior analytics (UEBA) solution. UEBA solutions monitor user and entity activities within an IT environment to identify deviations from normal behavior patterns. They flag behavior when they detect anomalies such as unusual access patterns, abnormal transaction volumes, or activity at odd times, suggesting potential insider threats or account compromise. ITDR is crucial in support of zero trust architectures, as attackers increasingly exploit identities to breach systems; studies indicate that over 90% of organizations experienced an identity-related attack in 2023. What a typical hybrid environment looks like to you, and how an attacker sees the same environment, is best summarized in the two images below.
Source: Proofpoint ITDR Briefing Deck (2024)
Source: Proofpoint ITDR Briefing Deck (2024)
Proofpoint's Identity Threat Defense: A Comprehensive Approach
Let us dive in and take a closer look at Proofpoint's ITDR solution, Identity Threat Defense (ITD). This ITDR solution integrates several innovative features:
- Continuous Discovery and Remediation. By continuously scanning environments like Active Directory (AD), cloud services, PAMs, and endpoints, Proofpoint identifies vulnerabilities and misconfigurations that could lead to unauthorized access, lateral movement, and privilege escalation. The ITD product also looks for signs of "shadow admins" by identifying users with excessive or unexpected administrative privileges; accounts with out-of-policy passwords that might not comply with security standards; and misconfigurations such as service accounts enabled for interactive login or accounts with service principal names (SPNs) that could be exploited for DCSync attacks (a type of cyber-attack in which an attacker impersonates a domain controller (DC) to replicate or synchronize account data from AD). Highlighting these potential vulnerabilities improves security posture, and this continuous risk discovery helps maintain clean identity hygiene. I left attack path management off this bullet on purpose – Proofpoint does so much with this, we will discuss it later.
- Deception Technology and an Agentless Approach. Utilizing "dissolving binaries" for agentless endpoint scanning and deploying deceptions enterprise-wide, Proofpoint not only detects attackers but also misleads and confuses them. In addition, ITD provides insights into their tactics and movements within the network. The ITD component Shadow uses deceptive elements like decoy credentials, fake data, and false network services to create a virtual environment that attackers interact with, thinking they are navigating legitimate parts of your network. This approach identifies attackers by their interaction with these deceptive elements, which are designed to mimic real assets but are traps set for intruders to "step" on. When an attacker engages with a deceptive element, whether by attempting to access a decoy file, use a fake credential, or similar, Proofpoint's solution detects the interaction, and since these elements are of interest only to an attacker, it is immediately flagged as a likely active threat. After the alert is generated, in-depth forensic information from the endpoint in question is collected and delivered to the security analyst. I feel this is a great idea since today honeypots have little adoption across SMBs and come as point solutions that rarely entice security teams or threat actors, for that matter.
- Automated Response and Prioritization. Upon the detection of an active threat, Proofpoint's system can function as part of a preventive control, automatically initiating responses like blocking access or alerting security teams, prioritizing threats based on their severity and potential impact.
- Integration With Security Ecosystems. Proofpoint's solution integrates seamlessly with existing security tools like PAM and email security systems, enhancing its ability to correlate identity risks and threats across different vectors, thereby offering a more comprehensive defense. Integrating with Proofpoint’s email security solution allows you to link identity vulnerabilities to in-process account takeovers (ATO) and link identity vulnerabilities to very attacked persons (VAPs) in the Proofpoint Targeted Attack Protection (TAP) dashboard. It's also important to mention that Proofpoint offers non-privileged risk evaluation (NPRE); this is a feature that aggregates data from various security products to generate a risk score for individuals within an organization. This score helps senior security personnel identify users or groups that pose a higher risk based on factors such as the number of vulnerabilities, user activity, and performance in security awareness training. This risk score is weighted and can be enhanced by integrating additional security products.
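The deception logic described above is simple to reason about once the decoy inventory is known: any authentication or access event that references a decoy identity or decoy resource is an alert, regardless of whether the attempt succeeded, because no legitimate process ever uses those names. The following is an added illustration written for this review, not Proofpoint's code; the event schema, the decoy names and the sample events are all constructed assumptions.

```python
"""Decoy-interaction detection over authentication and file-access events.

Added illustration; not Proofpoint code. Event shape and decoy names are
constructed for this example and do not reflect any real product schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed decoy inventory: identities and shares that exist only as bait.
DECOY_ACCOUNTS: Set[str] = {"svc_backup_legacy", "adm_finance_old"}
DECOY_SHARES: Set[str] = {r"\\fs01\payroll_archive"}

# Constructed sample telemetry (assumed shape: one dict per event).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-08-29T09:01:00Z", "event": "logon_attempt", "user": "jdoe",
     "host": "WS-0142", "outcome": "success"},
    {"ts": "2024-08-29T09:03:12Z", "event": "logon_attempt", "user": "SVC_BACKUP_LEGACY",
     "host": "WS-0142", "outcome": "failure"},
    {"ts": "2024-08-29T09:03:40Z", "event": "share_access", "user": "jdoe",
     "host": "WS-0142", "resource": r"\\FS01\Payroll_Archive"},
    {"ts": "2024-08-29T09:10:05Z", "event": "logon_attempt", "user": "mlee",
     "host": "WS-0207", "outcome": "success"},
]


@dataclass
class DecoyAlert:
    host: str
    user: str
    trigger: str   # which kind of decoy was touched
    detail: str    # outcome or resource, for the analyst


def detect_decoy_interactions(events: Iterable[Dict[str, str]],
                              decoy_accounts: Set[str] = DECOY_ACCOUNTS,
                              decoy_shares: Set[str] = DECOY_SHARES) -> List[DecoyAlert]:
    """Flag every event that touches a decoy. Success or failure does not matter:
    a failed logon with a decoy credential is just as telling as a successful one."""
    alerts: List[DecoyAlert] = []
    for ev in events:
        user = ev.get("user", "")
        if ev.get("event") == "logon_attempt" and user.lower() in decoy_accounts:
            alerts.append(DecoyAlert(ev["host"], user, "decoy_credential_use",
                                     "outcome=" + ev.get("outcome", "unknown")))
        elif ev.get("event") == "share_access" and ev.get("resource", "").lower() in decoy_shares:
            alerts.append(DecoyAlert(ev["host"], user, "decoy_share_access", ev["resource"]))
    return alerts


def hosts_to_triage(alerts: List[DecoyAlert]) -> List[str]:
    """Endpoints that should have forensic collection triggered, one entry per host."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    found = detect_decoy_interactions(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host}: {a.user} -> {a.trigger} ({a.detail})")
    print("collect forensics from:", hosts_to_triage(found))
```

Two design points carry over to a real deployment: comparisons are case-insensitive because Windows account and share names are, and the output is keyed by host, since the page's response step (forensic collection) is per endpoint rather than per event.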
Detecting Threats and Responding to Attacks
Proofpoint's ITDR excels in real-time threat detection by monitoring for unusual activity, credential misuse, and attempts at lateral movement and privilege escalation. The system's ability to recognize and respond to these threats quickly is critical to preventing attackers from reaching critical IT assets within the network. ITD's capabilities uncover hidden identity vulnerabilities, such as unmanaged privileged accounts, cached credentials on endpoints, and misconfigured settings in Active Directory, which often go unnoticed in traditional security audits. By revealing these exposures, organizations can address weaknesses before they are exploited. Proofpoint's system not only identifies risks but also prioritizes them based on their potential impact, allowing security teams to focus on high-value issues first. Remediation automation, such as removing cached credentials, resetting passwords, or adjusting access rights, reduces the window of vulnerability and enhances overall security posture.
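The discovery and prioritization described here (and in the Continuous Discovery bullet above) amounts to a set of rules run over an inventory of accounts and endpoints, each rule emitting a finding with a priority and a suggested fix. The following added example, written for this review and not taken from Proofpoint, shows those rules over a constructed snapshot: shadow admins, service accounts allowed interactive logon, user accounts with SPNs, out-of-policy passwords, hosts outside LAPS, and privileged credentials cached on endpoints. The data model, policy thresholds and priority values are assumptions.

```python
"""Identity hygiene discovery over a constructed directory/endpoint snapshot.

Added illustration; not Proofpoint code. Account/host fields, the 90-day
password policy and the priority scheme are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Rights on Tier-0 objects that confer admin-equivalent power without group membership.
SENSITIVE_RIGHTS = {"GenericAll", "WriteDacl", "DS-Replication-Get-Changes-All"}


@dataclass
class Account:
    name: str
    groups: List[str] = field(default_factory=list)
    spns: List[str] = field(default_factory=list)
    is_service: bool = False
    interactive_logon: bool = False       # effective right after GPO evaluation (assumed)
    pwd_age_days: int = 0
    pwd_never_expires: bool = False
    rights_on_sensitive_objects: List[str] = field(default_factory=list)


@dataclass
class Host:
    name: str
    laps_managed: bool
    cached_credentials: List[str] = field(default_factory=list)


@dataclass(order=True)
class Finding:
    priority: int        # 1 = act first
    subject: str
    issue: str
    remediation: str


def is_privileged(acct: Account) -> bool:
    return bool(PRIVILEGED_GROUPS & set(acct.groups))


def discover(accounts: List[Account], hosts: List[Host]) -> List[Finding]:
    """Run every hygiene rule and return findings sorted by priority."""
    findings: List[Finding] = []
    privileged = {a.name for a in accounts if is_privileged(a)}
    for a in accounts:
        tier = 1 if a.name in privileged else 3
        # Shadow admin: admin-equivalent rights without membership in an admin group.
        if a.name not in privileged and SENSITIVE_RIGHTS & set(a.rights_on_sensitive_objects):
            findings.append(Finding(1, a.name, "shadow admin: sensitive rights outside admin groups",
                                    "remove the ACE or bring the account under PAM"))
        if a.is_service and a.interactive_logon:
            findings.append(Finding(2, a.name, "service account permits interactive logon",
                                    "deny interactive logon via GPO; migrate to a gMSA where possible"))
        if a.spns:
            findings.append(Finding(tier, a.name, "user account has SPN(s): " + ", ".join(a.spns),
                                    "rotate to a long random password or migrate to a gMSA"))
        if a.pwd_never_expires or a.pwd_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(tier, a.name, "password out of policy",
                                    "reset the password and enforce expiry"))
    for h in hosts:
        if not h.laps_managed:
            findings.append(Finding(2, h.name, "local administrator password not managed by LAPS",
                                    "enrol the host in LAPS"))
        for cred in h.cached_credentials:
            if cred in privileged:
                findings.append(Finding(1, h.name, f"cached credential for privileged account {cred}",
                                        f"clear the cached credential and reset {cred}'s password"))
    return sorted(findings)


def summary(findings: List[Finding]) -> Dict[int, int]:
    """Count of findings per priority, for a dashboard-style roll-up."""
    counts: Dict[int, int] = {}
    for f in findings:
        counts[f.priority] = counts.get(f.priority, 0) + 1
    return counts


# Constructed snapshot (not real directory data).
ACCOUNTS = [
    Account("alice", groups=["Domain Admins"], pwd_age_days=30),
    Account("svc_sql", groups=["Domain Users"], spns=["MSSQLSvc/db01:1433"], is_service=True,
            interactive_logon=True, pwd_age_days=400, pwd_never_expires=True),
    Account("bob", groups=["Domain Users"], rights_on_sensitive_objects=["GenericAll"]),
    Account("carol", groups=["Domain Users"], pwd_age_days=10),
]
HOSTS = [
    Host("WS-0142", laps_managed=False, cached_credentials=["alice", "carol"]),
    Host("WS-0207", laps_managed=True, cached_credentials=["carol"]),
]

if __name__ == "__main__":
    for f in discover(ACCOUNTS, HOSTS):
        print(f"P{f.priority} {f.subject}: {f.issue} -> {f.remediation}")
```

Note how the same defect lands at a different priority depending on who owns it: an SPN or stale password on a Domain Admin member is a priority-1 finding, on an ordinary user it is priority 3. That weighting by blast radius is the practical content of "prioritizing based on potential impact".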
Source: Proofpoint ITDR Briefing Deck (2024)
Attack Path Management and Visualization
Proofpoint's Identity Threat Defense incorporates sophisticated attack path management (APM) capabilities, which are necessary for understanding how attackers might escalate privileges within an organization's network. This feature is designed to emulate and surpass similar functionalities in BloodHound, a tool well-known among red teams for mapping attack paths in Active Directory environments. Among other advantages, Attack Path Management in Proofpoint’s tool enables remediation directly from the interface.
- Comprehensive Path Discovery. Proofpoint's solution continuously scans and maps the entire identity landscape, including on-premises Active Directory and endpoints (Entra ID is currently in development). This comprehensive approach ensures that no potential attack vector is left unexamined, providing a full-spectrum view of how identities and hosts are interconnected.
- Privilege Escalation Visualization. By visualizing these paths, Proofpoint allows security teams to see exactly how an attacker might navigate from a compromised low-privilege account to highly sensitive ones. This visualization includes not just direct paths but also indirect ones where multiple steps or hops might be required, showcasing the complexity of modern attack chains.
- Risk Prioritization. The solution doesn't just map these paths; it also prioritizes them based on risk. Paths that lead to critical assets or involve multiple high-risk steps are highlighted, enabling security teams to focus on the most dangerous vulnerabilities first. This prioritization is based on a combination of factors like the sensitivity of the target, the number of steps required for escalation, and the historical data on attack patterns.
- Real-Time Updates and Alerts. As the identity landscape changes, so do potential attack paths. Proofpoint's ITDR solution continuously updates these visualizations, alerting security teams to new or altered paths that could facilitate privilege escalation. This dynamic mapping ensures that the security posture is always current against evolving threats.
- Integration With Response Mechanisms. Beyond visualization, Proofpoint's solution can directly remove endpoint-based vulnerabilities and integrates with response management tools, allowing for immediate action upon detection of risky paths. Mitigations could mean automatically applying additional security measures like multi-factor authentication or even blocking certain paths through policy enforcement.
- Educational and Training Tool. For organizations, this visualization serves not only as a security tool but also as an educational resource. By seeing the attack paths, IT and security personnel can better understand the risks associated with identity management, fostering a culture of security awareness and proactive defense.
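Attack path management of the kind described in this list, in BloodHound and in Proofpoint's tool alike, reduces to a directed graph: identities, groups and hosts are nodes, and relationships such as group membership, local admin rights, cached credentials and active sessions are edges. A path from a low-privilege account to a Tier-0 group is an escalation route; prioritization scores each route, and remediation means cutting one edge on it. The added example below, written for this review and not derived from Proofpoint's or BloodHound's code, finds the fewest-hop path for each starting identity, scores it, and names the cheapest edge to remove. The edge types, the cost table, the scoring formula and the graph data are constructed assumptions.

```python
"""Attack path discovery, ranking and choke-point selection over an identity graph.

Added illustration; not Proofpoint or BloodHound code. Relation names, costs,
the scoring formula and the graph itself are constructed for this example.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, str]  # (source, relation, target)

# Constructed graph: how identities and hosts are connected.
EDGES: List[Edge] = [
    ("user:helpdesk1", "MemberOf", "group:Helpdesk"),
    ("group:Helpdesk", "AdminTo", "host:WS-0142"),
    ("host:WS-0142", "HasCachedCredential", "user:sqladmin"),
    ("user:sqladmin", "AdminTo", "host:DB01"),
    ("host:DB01", "HasSession", "user:da_alice"),
    ("user:da_alice", "MemberOf", "group:Domain Admins"),
    ("user:intern", "MemberOf", "group:Domain Users"),
    ("user:auditor", "GenericAll", "group:Domain Admins"),
]
TIER0 = {"group:Domain Admins"}

# Assumed per-step cost: lower means the step is easier for an attacker.
EDGE_COST = {"MemberOf": 0, "GenericAll": 1, "HasCachedCredential": 1, "AdminTo": 2, "HasSession": 2}

# Defender's fix for each removable edge type (MemberOf is usually intended and left alone).
REMEDIATION = {
    "HasCachedCredential": "clear the cached credential on the host and rotate the account",
    "HasSession": "enforce tiering so privileged accounts do not log on to this host",
    "AdminTo": "remove the local administrator right",
    "GenericAll": "remove the ACE on the Tier-0 object",
}


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    g: Dict[str, List[Tuple[str, str]]] = {}
    for s, rel, t in edges:
        g.setdefault(s, []).append((rel, t))
    return g


def shortest_path(graph, start: str, targets) -> Optional[List[Edge]]:
    """Breadth-first search: fewest-hop path from start to any target, as a list of edges."""
    if start in targets:
        return []
    prev: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt in targets:
                path: List[Edge] = []
                cur = nxt
                while prev[cur] is not None:
                    p, r = prev[cur]
                    path.append((p, r, cur))
                    cur = p
                return list(reversed(path))
            queue.append(nxt)
    return None


def risk_score(path: List[Edge]) -> int:
    """Assumed formula: shorter and cheaper paths score higher (0..100)."""
    cost = sum(EDGE_COST.get(rel, 2) for _, rel, _ in path)
    return max(0, 100 - 8 * cost - 4 * len(path))


def rank_paths(graph, start_nodes: List[str], targets=TIER0) -> List[Tuple[int, str, List[Edge]]]:
    """Score the shortest path from each starting identity; highest risk first."""
    ranked = []
    for s in start_nodes:
        p = shortest_path(graph, s, targets)
        if p is not None:
            ranked.append((risk_score(p), s, p))
    ranked.sort(key=lambda x: (-x[0], x[1]))
    return ranked


def cheapest_cut(path: List[Edge]) -> Tuple[Edge, str]:
    """The removable edge that is easiest for the attacker, hence the best single fix."""
    candidates = [e for e in path if e[1] in REMEDIATION]
    edge = min(candidates, key=lambda e: EDGE_COST[e[1]])
    return edge, REMEDIATION[edge[1]]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for score, start, path in rank_paths(g, ["user:helpdesk1", "user:intern", "user:auditor"]):
        print(f"{score:3d} {start}: " + " -> ".join(f"{s} [{r}]" for s, r, _ in path) + " -> Tier-0")
        print("    fix:", cheapest_cut(path))
```

The intern has no path and is not reported; the auditor's single GenericAll edge outranks the helpdesk account's six-hop chain even though the chain is more interesting to look at, which is the point of scoring rather than listing. On the long chain, the cut chosen is the cached credential on WS-0142, the same endpoint-side remediation the text describes the product performing directly.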
I saved this capability for last because I feel it is a true differentiator. Often, organizations will need to purchase multiple solutions to support APM and ITDR. Proofpoint's ITDR solution transforms the abstract concept of attack paths into tangible, actionable intelligence, empowering organizations to not only detect but also predict and prevent identity-based threats with precision.
Source: Proofpoint provided image (2024)
Sources:
Proofpoint, ITDR Analyst Briefing, 8/29/24 delivered by Matthew Gardiner
Proofpoint, ITDR Briefing Deck (2024)
https://www.proofpoint.com/us/resources/solution-briefs/identity-threat-defense-platform
Targeted Attack Protection - Protect & Prevent Ransomware | Proofpoint US
Our Take
Identity is the new security perimeter, and we are in a time where digital identities are prime targets for cyber attackers. Proofpoint's Identity Threat Defense stands out as a useful tool for organizations aiming to secure their user identities and their identity infrastructure. It is a fact that many organizations continue to adopt remote work and flexible operations, inadvertently expanding their attack surface. This shift has been paralleled by an evolution in cyber threats, where attackers quickly exploit these new vulnerabilities. Multi-Factor Authentication (MFA), once a bastion of strong security, is now frequently bypassed through various sophisticated methods like social engineering, phishing, and direct exploitation of authentication systems. Moreover, the prevalence of human-targeted malware, delivered through deceptive means like disguised files or links, underscores the ongoing challenge of initial access breaches. Once inside, attackers often target Active Directory for privilege escalation, facilitated by the complexity and frequent changes within these systems, making them a target of choice for exploitation.
The crux of the modern cybersecurity challenge lies in the realm of identity management. Defenders must adopt a holistic approach that goes beyond individual security systems or environments. The focus needs to shift toward comprehensive visibility and management of identity-centric risks across all digital touchpoints. This involves not only preventing initial compromises but also detecting and halting lateral movement early in the attack chain. By addressing the interconnected nature of identity threats, organizations can better safeguard against the sophisticated, identity-focused attacks that characterize today's cyber threat landscape.
Source: Proofpoint ITDR Briefing Deck (2024)
Want to Know More?
Mature Your Identity and Access Management Program | Info-Tech Research Group (infotech.com)
Modernize Your Identity Authentication Practices | Info-Tech Research Group (infotech.com)
Threat Preparedness Using MITRE ATT&CK® | Info-Tech Research Group (infotech.com)