Mitigating the Hidden Risks of Identity Threat Exposures (ITEs) in Hybrid Environments

Posted April 23, 2024

The cloud revolution is well underway with cloud based services extending into nearly every digital realm as businesses transition their applications, data, infrastructure, and even firewalls to the cloud. This transition creates hybrid enterprise environments, where on-premises infrastructure is often synchronized with cloud-based services for ease of user authentication and access. With his synchronization, a new class of security risk known as Identity Threat Exposures (ITEs) has emerged. ITEs are weaknesses in an organization’s identity and access management (IAM) systems that can be exploited by attackers to steal credentials, escalate privileges, and move laterally within networks. The threat is so widespread that Microsoft lists broken security barriers between on-premises and cloud environments as one of the most prevalent gaps found during reactive incident reporting.

Let’s explore some of the most critical ITEs and provide recommendations for mitigating these risks.

NTLM Exposing Passwords

One of the most prevalent ITEs is the use of the outdated NTLM authentication protocol. NTLM, which stands for NT LAN Manager, is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. It is used primarily in Windows-based networks for authentication and is known for its unique challenge/response format. NTLM, and its even less secure predecessor NTLMv1, are still widely used in many organizations despite their well-known vulnerabilities. When a user authenticates using NTLM, their password hash is exposed, which can be easily cracked by attackers to obtain cleartext passwords. According to the Identity Underground Report by Silverfort, a staggering 64% of user accounts regularly authenticate using NTLM, putting their credentials at risk.

Risk of Stale User Accounts

Another significant ITE is the presence of stale user accounts – accounts that are no longer active but remain valid and can be used to access resources. These accounts are often overlooked by security teams and can be missed by regular monitoring or protection measures like multi-factor authentication (MFA) initiatives. Attackers who gain control of these accounts can use them to access sensitive data and systems without being detected. Allowing attackers to move laterally within a system, potentially escalate privileges.

ITE Risk from On-Premise to Cloud

The risk posed by these ITEs is amplified by the common practice of synchronizing on-premises Active Directory (AD) accounts to cloud-based identity providers like Azure AD or Okta. While this synchronization enables single sign-on (SSO) and simplifies user management, it also means that if an attacker compromises an on-premises account, they can potentially gain access to connected cloud services and SaaS applications.

How to Mitigate the ITE Risks

To mitigate the risks associated with ITEs, organizations should take a proactive approach to identity security. This includes:

Gaining visibility into the ITEs present in their environment, including the use of insecure authentication protocols, stale accounts, and other high-risk configurations.
Eliminating risks where possible by disabling outdated protocols like NTLM, removing or disabling stale accounts, and enforcing strong password policies, MFA, passkeys, and FIDO2 hardware tokens.
Monitoring high-risk accounts and activities, such as service accounts with elevated privileges or accounts exhibiting unusual behavior.
Implementing preventive measures like Network Detection and Response (NDR), identity segmentation, and conditional access policies to limit the potential impact of compromised accounts.
Fostering collaboration between identity and security teams to ensure a comprehensive and coordinated approach to identity protection.

By understanding the risks posed by ITEs and taking steps to address them, organizations can significantly reduce their attack surface and improve their overall security posture. As the adoption of cloud services continues to grow and hybrid environments become the norm, prioritizing identity security and closing these hidden gaps is more critical than ever. Contact us today to ensure your hybrid environment is secure.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.