Classic security measures such as multi-factor authentication or anti-virus programs are not sufficient on their own for comprehensive cyber security. Companies must therefore pursue a defense-in-depth approach and focus primarily on securing identities and privileged access, says security vendor CyberArk.
In most attacks, regardless of who is behind them, the identity layer is the first point of entry into an organization's network. In many cases it has been shown that attackers maintain persistent, undetected, long-term access in compromised environments by, among other things, using legitimate credentials.
MFA, EDR, anti-virus - everything counts
For more cyber security on end devices, a company should, on the one hand, rely on proven practices. These include, for example, implementing MFA (multi-factor authentication), introducing EDR (endpoint detection and response) and AV (anti-virus) solutions, using a firewall, installing patches regularly and - where applicable - using secure passwords.
On the other hand, however, additional steps are required to increase cyber security as part of a defense-in-depth approach. This includes the following measures:
- Use of application control solutions: Organizations must block unknown EXE files from running, because they may contain potentially dangerous commands. Downloading further malicious code and executing it on the compromised end device is part of almost every break-in into IT systems.
- Restriction of access rights: The consistent implementation of a least-privilege concept and the deactivation of accounts that are no longer required are indispensable. Limiting privileges is critical because credential theft otherwise gives attackers access to critical information. Just-in-time elevation of authorizations should also be supported. This means: if a user needs elevated or highest rights to work on a system or to carry out certain work steps, these rights may only be assigned temporarily and for that purpose - to the specific binary or action. Threat detection functions can accelerate the detection and prevention of attack attempts.
- Shadow admin detection: Shadow admins are often equipped with sensitive permissions that give them the ability to escalate privileges in cloud environments. These identities, often created through misconfiguration or lack of awareness, can be targeted by attackers, putting the entire environment at risk. There are various solutions for detecting shadow admins, such as the open source tool zBang.
- Securing backups: Enterprises should reliably back up domain controllers, as attackers could attempt to access or copy the Active Directory domain database in order to steal credentials or other information about devices, users or access rights. For the backup itself, tools with threat detection functions that protect the NTDS file, in which the sensitive Active Directory data is stored, can be considered.
- Using AES Kerberos encryption: Using AES Kerberos encryption instead of RC4 can prevent an attacker from misusing a valid Kerberos ticket-granting ticket (TGT), or from sniffing network traffic to obtain a ticket-granting service (TGS) ticket that could then be cracked by brute-force methods. For example, the RiskySPN module of the zBang tool can be used to detect Kerberoasting.
- Protection of credential certificates: Stored certificates used for logging on to target systems must be reliably secured in order to prevent attackers from using them to sign tokens. This also helps mitigate threats such as a Golden SAML attack, in which attackers obtain a valid SAML token, i.e. a forged authentication artifact. This gives them almost any authorization for almost all services of a company - depending on which services use SAML as their authentication protocol.
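One way to operationalise the RC4-versus-AES point above is to watch for service tickets that are still issued with RC4. The following Python is an added example (not from the article, not part of zBang): it scans constructed Windows Security event 4769 records, flags a requester that pulls RC4 service tickets for several service accounts in a short span, and lists which service accounts still hand out RC4 tickets and should be moved to AES. The encryption type codes 0x17 (RC4-HMAC) and 0x12 (AES256) are the values Windows logs in that event; the field names mirror the event's XML fields, and all sample data is constructed.

```python
"""Detect RC4 service-ticket requests (Kerberoasting indicator) in event 4769 data."""
from collections import defaultdict

# Ticket encryption type as logged in event 4769 (hex string).
RC4_HMAC = "0x17"   # RC4-HMAC: ticket can be brute-forced offline if the account password is weak

# Constructed sample events (not real logs): one dict per 4769 event.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "websvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "backupsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"},
]


def is_rc4_service_ticket(ev):
    """True when a TGS ticket was issued with RC4 for a user-style service account.

    Computer accounts (trailing $) and krbtgt are excluded: they are not the
    usual Kerberoasting targets and would only add noise.
    """
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["TicketEncryptionType"] == RC4_HMAC


def find_kerberoasting_candidates(events, threshold=2):
    """Group RC4 TGS requests by (requesting user, source IP) and report those
    that touched at least `threshold` distinct service accounts."""
    per_requester = defaultdict(set)
    for ev in events:
        if is_rc4_service_ticket(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= threshold}


def rc4_service_accounts(events):
    """Service accounts that still issue RC4 tickets: candidates for AES-only settings."""
    return sorted({ev["ServiceName"] for ev in events if is_rc4_service_ticket(ev)})


if __name__ == "__main__":
    for (user, ip), services in find_kerberoasting_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} from {ip} requested RC4 tickets for {len(services)} services: {services}")
    print("Service accounts still on RC4:", rc4_service_accounts(SAMPLE_EVENTS))
```

In a real deployment the events would come from a SIEM query on event ID 4769 rather than the inline list, and a time window would be added to the grouping key.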
Cyber security: multi-layered security measures protect
"Isolated security measures are no longer sufficient in an era of escalating cybercrime. The order of the day is: Defense-in-Depth – now. This means that a company must take multi-layered security measures to protect confidential systems, applications and data and to minimize the possible negative effects of an attack," explains Christian Götz, Solutions Engineering Director DACH at CyberArk. "A good starting point for this is an identity-based security approach, i.e. a security concept that classifies identity as the central line of defense of a company - regardless of whether it is a person, an application or a machine."
More at Cyberark.com
About CyberArk
CyberArk is the global leader in identity security. With Privileged Access Management as a core component, CyberArk provides comprehensive security for any identity - human or non-human - across business applications, distributed work environments, hybrid cloud workloads and DevOps lifecycles. The world's leading companies rely on CyberArk to secure their most critical data, infrastructure and applications. Around a third of the DAX 30 and 20 of the Euro Stoxx 50 companies use CyberArk's solutions.