Identity, cyber kill chain and all that…

This is a call to action.

By now it’s common knowledge that identity is the weakest link in any network. But identity is also the weakest link in almost any security framework — because it’s missing from most, and under-represented in the rest.

Unless rigorous and comprehensive identity protection is natively incorporated and tightly integrated into the mainstream security layers and applications, data breaches and mega-hacks will continue to occur en masse, regardless of how much has been invested in security.

Malware History in Perspective

“In the beginning there was the Computer Virus. IT was formless and empty, darkness was over the surface of the deep. Then came the Malware (network-aware). Then came the APT (identity-aware)…”

The early-days virus was a kind of naive bubble-boy — it attacked only the machines it directly infected, and caused mild local damage (deleting data or, on rare occasions, portions of the hard disk).

The 2nd generation, which came to be generically known as malware, was qualitatively different — it was “network-aware” malware. Not only did it carry its attacks through the network, it also used network-based attacks as part of its malicious activity. This is still the most common form of malware.

The 3rd generation, commonly known as APT and/or targeted attack, is again qualitatively different from the 2nd generation malware — it is “identity-aware” malware, on top of all of its other sophisticated, sorry — “advanced” — properties. It doesn’t really matter whether the malware itself is identity-aware or the campaign it’s part of. The effect is the same.

Targeted Attacks Not Only Exploit Identity — They Depend on Identity

Today’s main targets of attacks are users, not only in the sense of end-points or network-nodes — the identity itself is being attacked. This is starkly different from previous-generation malware, where every user who happened to come across the malware got infected.

All of the recent mega data breaches targeted specific individuals and identities in order to penetrate the target networks and carry out the attacks. These attacks begin with either an identified user (this is the “targeted” part), or a virtual place where “users of interest” go to — typically a website — in order to trap a relevant user (this is the less-targeted approach, aka “watering hole”).

Thereafter the user is:

  • Infected with the malicious payload, which takes over his/her machine.
  • Has his/her identity stolen: the relevant security and access credentials are taken and used to impersonate that user, both to access the coveted resources and to help cover up traces of the attack.

This is the identity perspective of the cyber kill chain. Targeted attack is a head-on attack on identity.

As long as the user’s identity keeps being compromised, the attack continues (unless detected, always AFTER the fact, through other attack properties — this is where malware detection, network security and threat intelligence kick in).

Identity is a centerpiece in modern advanced malware. Every targeted attack attacks identity, and is DEPENDENT on a compromised user and exploited identity in order to be carried out.

The Missing Link

Yet identity protection, in its deepest and broadest sense, is alarmingly missing from mainstream security means and applications. Security vendors do not seem to be in any rush to deal with it. Endpoint security is not identity-aware at all. Heavier-weight security layers (gateways, servers, threat intelligence, “correlation engines” etc.) at best merely inherit the trivial policies from the organization’s directory.

Similarly, identity is hardly mentioned in the voluminous mountains of security literature/blogosphere/media. Yes, lip-service is paid every now and then, but there hasn’t been any serious discussion, analysis or call to action to add identity, in its deepest sense, to the mainstream security applications/technologies.

If identity protection enjoyed the attention given to APTs and targeted attacks, the public awareness and efforts to mitigate the “identity crisis” would be at a completely different level.

A case in point: Looking at the dissected-to-death “cyber kill-chain”, the one amazing and glaring missing link is identity. The parts of identity that are exploited and attacked are referred to in an off-hand technical manner: “target environment”, “victim’s system” and “vector of attack” (e.g. the user’s machine), “harvested mail address” (e.g. part of the user’s credentials) etc. As a matter of fact, Lockheed Martin’s original paper laying down the principles of the cyber kill-chain doesn’t even mention the word “identity”…

So in a manner of speaking, the weakest link is the one that’s not even there: Identity.

How many more mega-attacks should occur before identity will be added to the DNA of network security, malware detection/protection and security mindset? An industry-wide effort to fix this glaring flaw must be undertaken, with a great sense of urgency.

P.S.:

  1. By the same token, it’s time identity protection adopted a much broader approach than its by-now-incredibly-obsolete narrow and binary approach to IAM.
  2. As to what exactly is “identity” — we’ll deal with that another time…