Silverfort Uncovers Critical Identity Security Gaps in New “Identity Underground” Report

Silverfort released their first “Identity Underground” report based on data from hundreds of production environments. The report exposes the prevalence of Identity Threat Exposures (ITEs) – security weaknesses like misconfigurations, legacy settings, and insecure features that enable attackers to steal credentials, escalate privileges, and move laterally undetected.

KEY FINDINGS:

  • 67% of organizations sync on-prem AD passwords to the cloud, exposing SaaS apps
  • 37% of admins still authenticate with legacy NTLM, whose challenge-response exchanges can be captured, relayed, or cracked offline
  • A single AD misconfiguration creates an average of 109 “shadow admin” accounts
  • 31% of all accounts are unmonitored service accounts with high privileges

The common practice of syncing AD to cloud identity providers allows on-prem exposures to directly impact SaaS security. Silverfort categorized ITEs into Password Exposers, Privilege Escalators, Lateral Movers, and Protection Dodgers to help organizations understand and prioritize fixing these critical gaps.

KEYWORDS: Silverfort, Identity Underground report, identity security, Identity Threat Exposures (ITEs), Active Directory (AD), cloud identity, password sync, NTLM, shadow admins, service accounts

INTERESTING POINTS:

  • Legacy NTLMv1, still used by 7% of admins, makes offline cracking practical: its DES-based response can be reversed to the account’s NT hash, which is usable for pass-the-hash even before the password itself is recovered
  • A single AD misconfiguration caused a “shadow admin burst” of 1000 new admins in one case
  • 13% of accounts are inactive “stale accounts” that attackers can compromise undetected
  • Some ordinary user accounts hold admin-level access on many systems without being members of any admin group

FULL STORY:

Cybersecurity company Silverfort published a first-of-its-kind “Identity Underground” report that reveals alarming statistics about identity security weaknesses across enterprise environments. By analyzing data from hundreds of networks, the report found that 67% of organizations routinely sync their on-premises Active Directory (AD) user passwords to the cloud (password hash synchronization). This inadvertently migrates on-prem security gaps to cloud apps and identities: whoever holds an on-prem password holds a cloud one too.

Silverfort coined the term “Identity Threat Exposures” (ITEs) to describe misconfigurations, legacy settings, forgotten accounts, and insecure features that allow attackers to compromise credentials, gain unauthorized privileges, and move laterally without being detected by existing security controls.

The report categorized ITEs into four classes:

  1. Password Exposers – enable attackers to obtain cleartext passwords
  2. Privilege Escalators – allow attackers to gain higher privileges
  3. Lateral Movers – facilitate undetected lateral movement
  4. Protection Dodgers – make security monitoring less effective

Specific examples of ITEs uncovered include:

  • 37% of admins authenticate using the legacy NTLM protocol, exposing their password hashes to capture, relay, and offline cracking
  • 7% still use the even weaker NTLMv1 protocol, whose DES-based response can be cracked offline to recover the account’s NT hash
  • A single AD misconfiguration creates an average of 109 “shadow admin” accounts that can reset real admin passwords. In one case, a misconfiguration spawned 1000 shadow admins.
  • 31% of all accounts are over-privileged service accounts with little visibility or protection
  • 13% are inactive “stale accounts” that attackers can take over without anyone noticing
  • Some ordinary users have admin-level access to many systems without being in any admin groups
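A shadow admin is a principal that is not in any admin group but holds a control right (GenericAll, WriteDacl, WriteOwner, User-Force-Change-Password, or WriteProperty on a group’s member attribute) over an admin, or over something that in turn controls an admin. The “burst” comes from transitivity: one ACE granted to a group makes every member, and everyone who controls a member, a shadow admin. The following is an added example written for this summary, not code from Silverfort or the report; the directory, group nesting, and ACEs are constructed, and the right names are simplified labels for the AD rights above. A real analysis would read these from each object’s ntSecurityDescriptor; this only shows the propagation logic:

```python
"""Derive shadow admins from group membership and control-granting ACEs.

Added example, not Silverfort's code. Directory data below is constructed.
"""
from typing import Dict, List, Set, Tuple

# Simplified labels for AD rights that give full control over the target object.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "ForceChangePassword", "AddMember"}

# Constructed directory: group name -> direct members (users or nested groups).
GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"da-jsmith", "da-rlee"},
    "Helpdesk": {"hd-amy", "hd-bob", "Helpdesk L2"},
    "Helpdesk L2": {"hd-carl"},
    "Workstation Admins": {"wa-dan", "wa-eve"},
}

# Constructed ACEs as (trustee, right, target object).
ACES: List[Tuple[str, str, str]] = [
    ("Workstation Admins", "AddMember", "Helpdesk L2"),   # only matters once Helpdesk L2 is tier-0
    ("Helpdesk", "ForceChangePassword", "da-rlee"),       # the single misconfiguration
    ("svc-sccm", "GenericAll", "hd-bob"),
    ("wa-dan", "WriteDacl", "hd-amy"),
    ("jdoe", "GenericAll", "Printers"),                   # irrelevant: target is not tier-0
]


def expand(groups: Dict[str, Set[str]], name: str, seen=None) -> Tuple[Set[str], Set[str]]:
    """Transitive (users, nested groups) of a group; a user expands to itself.
    'seen' guards against nested-group cycles."""
    if name not in groups:
        return {name}, set()
    seen = set() if seen is None else seen
    users, subgroups = set(), set()
    for member in groups[name]:
        if member in groups:
            if member in seen:
                continue
            seen.add(member)
            subgroups.add(member)
            u, g = expand(groups, member, seen)
            users |= u
            subgroups |= g
        else:
            users.add(member)
    return users, subgroups


def find_shadow_admins(groups, aces, admin_group="Domain Admins") -> Dict[str, Tuple[str, str, str]]:
    """Map each shadow admin to the ACE that first made it one.

    'controlled' is the set of objects whose control implies tier-0: the admin
    group, its members, its nested groups, and, as the loop runs, anything that
    controls one of those. Iterate to a fixpoint so multi-hop chains are found.
    """
    legit_users, legit_groups = expand(groups, admin_group)
    controlled = legit_users | legit_groups | {admin_group}
    shadows: Dict[str, Tuple[str, str, str]] = {}
    changed = True
    while changed:
        changed = False
        for trustee, right, target in aces:
            if right not in CONTROL_RIGHTS or target not in controlled:
                continue
            users, subgroups = expand(groups, trustee)
            gained = users | subgroups | ({trustee} if trustee in groups else set())
            for obj in gained - controlled:
                controlled.add(obj)
                if obj not in groups:          # groups are tracked, users are reported
                    shadows[obj] = (trustee, right, target)
                changed = True
    return shadows


if __name__ == "__main__":
    result = find_shadow_admins(GROUPS, ACES)
    print(f"{len(result)} shadow admins from {len(ACES)} ACEs")
    for user, (trustee, right, target) in sorted(result.items()):
        print(f"  {user:10} via {trustee!r} {right} on {target!r}")
```

On the constructed data, one ForceChangePassword ACE for Helpdesk on a domain admin yields six shadow admins: the three helpdesk users, the two principals that control helpdesk users, and wa-eve, who can add herself to a helpdesk group. None of them appear in Domain Admins, which is why group-membership audits alone miss them.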

Silverfort emphasized that the common practice of synchronizing AD accounts to cloud identity providers like Azure AD (now Microsoft Entra ID) allows on-prem ITEs to directly impact the security of SaaS applications. For example, with password hash sync in place, an attacker who cracks an admin’s NTLM hash on-prem holds a password that also works against the cloud tenant, and through it against any SaaS app the tenant fronts, unless MFA or conditional access stops the login.

The report aims to establish a framework for discussing and prioritizing ITEs so that identity and security teams can work together to eliminate them. Recommendations include gaining visibility into ITEs, removing risks where possible, closely monitoring service and privileged accounts, and implementing preventative measures like MFA and identity segmentation.

SOURCES

  1. The Identity Underground Report
    https://www.silverfort.com/resources/report/the-identity-underground-report/
  2. Silverfort Research Finds Two-Thirds of Businesses Sync On-prem Passwords to Cloud Environments, Opening Their Cloud to Cyberattack
    https://www.prnewswire.com/news-releases/silverfort-research-finds-two-thirds-of-businesses-sync-on-prem-passwords-to-cloud-environments-opening-their-cloud-to-cyberattack-302098639.html
  3. Insights into The Most Critical Identity Security Gaps – Silverfort
    https://www.silverfort.com/blog/the-identity-underground-report-deep-insight-into-the-most-critical-identity-security-gaps/
  4. Unearthing Identity Threat Exposures – TechSpective
    https://techspective.net/2024/04/01/unearthing-identity-threat-exposures/
  5. Silverfort Raises $116M to Deliver a Unified Layer of Identity Security Across All Enterprise Resources, Including Previously Unprotectable Ones
    https://www.prnewswire.com/news-releases/silverfort-raises-116m-to-deliver-a-unified-layer-of-identity-security-across-all-enterprise-resources-including-previously-unprotectable-ones-302039634.html
  6. Study Finds Most Businesses Sync On-premises Passwords to Cloud Environments
    https://tdwi.org/articles/2024/03/26/silverfort-study-password-sync.aspx
  7. Silverfort finds businesses opening cloud to cyberattacks
    https://www.silverliningsinfo.com/newswire/silverfort-finds-businesses-opening-cloud-cyberattacks
  8. Silverfort Unified Identity Protection Platform
    https://www.silverfort.com
