Tired of identity management headaches?
Identity threat detection and response (ITDR) is a major challenge in any cybersecurity strategy, but it can become a real headache for CISOs when the identities involved carry privileges and, even more so, when those privileges form part of escalation paths or are hidden.
Identity privileges are necessary to ensure the operational effectiveness of organizations while limiting access to their critical assets, but they carry risks of particularly damaging attacks. It is essential to implement systems that enable these risks to be identified and monitored, as well as to act immediately and effectively in response to threats that jeopardize the most sensitive data and the integrity of systems.
This is a complex task that we at Soffid IAM have managed to simplify through SOFFID ITDR, a comprehensive solution for monitoring privileged identities by mapping and monitoring access in real time and automating effective responses to threats, among other features.
There are several types of critical accounts depending on the privileges granted to them, although we could talk about four main categories: privileged domain accounts, local accounts, application and service accounts, and corporate or business accounts. Any cybersecurity professional is aware of the importance of protecting privileged accounts from unauthorized access, due to the enormous potential damage they could cause.
Sometimes, mainly due to configuration errors or abuse of trust, privilege escalation occurs, meaning that a less privileged account obtains greater privileges. Privilege escalations occur vertically—promotion to a role that requires more privileges—or horizontally—obtaining a role with similar privileges, but with which it is possible to “escalate.”
Privilege paths reflect some of the permissions, configurations, accounts, and identities that an identity has access to through a specific sequence of steps. Being able to identify and visualize these paths makes it possible to understand and control the relationships that allow privilege escalation, which can be a major threat to the organization if that control falls into the wrong hands.
SOFFID ITDR simplifies the visibility of these paths through real-time mapping and automation of threat detection and response processes, making it a useful tool for the CISO to manage these risks effectively and with agility.
It is increasingly common to use privilege escalation to carry out cyberattacks; based on stolen or leaked credentials, attackers escalate to higher-level permissions or system privileges.
These attacks pose significant risks to companies and other organizations; preventing them is essential in order to, among other things:
Attackers exploit privilege paths to access high-value assets; they look for connections between domains and hidden sequences that connect accounts—even those with fewer privileges—to systems and resources that the organization may have in the cloud.
Many of the tactics they use to carry out these attacks are related to credential theft or identity theft (human and non-human), or to excessive or inactive privileges that become weak points and unnecessary attack vectors.
These vulnerabilities are minimized with effective identity and access management (IAM), which is reinforced by a system that responds automatically when threats are detected. At Soffid IAM, we firmly believe that this management cannot hinder operations in any way; the work of the CISO must be integrated into the organization’s usual processes, which is why we develop solutions that not only do not generate friction, but also promote operational efficiency.
ITDR tools allow you to:
It also audits these routes and access points to assess risk, detect vulnerabilities, and thus make better decisions for implementing more effective security strategies. With Soffid, all a CISO has to do is decide; SOFFID ITDR takes care of the technical side and gathers information so that these decisions are reasoned and informed.
In addition to the risk of privilege escalation, there is also the risk posed by shadow administrators. These are administrators who have unauthorized access to critical assets, systems, or networks.
Shadow admins can be extremely dangerous, as they are capable of performing administrative actions on AD (Active Directory) objects without authorization, from creating or closing accounts to allowing access to certain resources.
In principle, shadow admins do not usually have bad intentions, but they can expose organizations to risks such as those presented by privilege escalation: system security vulnerabilities, unauthorized access and data leaks, regulatory non-compliance, operational inefficiency, etc.
In addition, cybercriminals can exploit these hidden privileged accounts to attack, making it more difficult to detect and respond to security threats. An entire shadow system (shadow IT) can be created, posing a major threat and an overload of work for legitimate IT administrators.
Detecting shadow admins is complex because they include accounts with administrative privileges within the system that are not affiliated with the organization’s administration.
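The privilege paths and shadow admins described above can be modelled as a directed graph of identities, groups and rights, then audited by walking it. The following is an added illustration, not SOFFID ITDR code or part of the original article; every account, group, relation name and the declared-admin list is constructed sample data.

```python
from collections import deque

# Constructed sample data: (source, relation, target) means the source
# can obtain or control the target through that relation.
EDGES = [
    ("alice", "member_of", "helpdesk"),
    ("helpdesk", "can_reset_password", "svc-backup"),
    ("svc-backup", "member_of", "ops-admins"),
    ("ops-admins", "local_admin_on", "dc01"),
    ("bob", "member_of", "domain-admins"),
    ("domain-admins", "admin_of", "dc01"),
    ("carol", "member_of", "staff"),
    ("staff", "can_read", "file-share"),
]
IDENTITIES = {"alice", "bob", "carol", "svc-backup"}  # human and non-human
DECLARED_ADMINS = {"bob"}   # identities the organization knows are admins
CRITICAL = {"dc01"}         # high-value assets

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def privilege_path(graph, start, targets):
    """Breadth-first search: shortest chain of steps from start to a target."""
    queue, seen = deque([(start, [start])]), {start}
    while queue:
        node, path = queue.popleft()
        if node in targets and node != start:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:          # guards against membership cycles
                seen.add(nxt)
                queue.append((nxt, path + [f"--{rel}-->", nxt]))
    return None

def audit(edges, identities, declared_admins, critical):
    """Return each identity's path to a critical asset and the shadow admins."""
    graph = build_graph(edges)
    found = {i: privilege_path(graph, i, critical) for i in sorted(identities)}
    paths = {i: p for i, p in found.items() if p}
    # Shadow admin: reaches a critical asset but is not a declared admin.
    shadow = sorted(set(paths) - set(declared_admins))
    return paths, shadow

if __name__ == "__main__":
    paths, shadow = audit(EDGES, IDENTITIES, DECLARED_ADMINS, CRITICAL)
    for ident, path in paths.items():
        flag = "SHADOW" if ident in shadow else "declared"
        print(f"[{flag}] {' '.join(path)}")
```

In this sample, `alice` has no direct rights on `dc01`, yet a delegated password-reset right on a service account gives her a four-step path to it, which is the kind of indirect relationship that a review of direct group membership alone does not show.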
Fortunately, SOFFID ITDR allows you to perform various actions that serve to “unmask” these hidden privileges:
Soffid Identity Threat Detection and Response (ITDR) provides visibility and thus enables the detection of privilege escalation paths and shadow admins. It creates an additional layer of protection on top of our identity and access management solutions by integrating with other modules such as SOFFID AM, PAM, the password manager (PM), or the identity governance and administration (IGA) solution.
These IAM solutions converge in a single management platform with an intuitive interface that increases operational efficiency and reduces administrative burden. Soffid offers several solutions in one, allowing you to manage from a single panel what is normally scattered. This not only makes the work of CISOs easier, but also reduces costs; Soffid saves time, effort, and money.
SOFFID ITDR monitors identity and access management with real-time processing and automatic response to threats. The flexibility of this solution allows you to analyze the behavior of privileged accounts, employees, third parties, bots, or other types of identities in both on-premise and cloud systems.
Discover this and other advantages of SOFFID ITDR and how it adapts to the specific needs of your organization. Request a free trial of Soffid with a customized solution.
Ready to simplify the complex?