Just last talks of the day before the closing keynote, we have very interesting lineup of two speakers for you. We have Darren rolls from sale point to talk about the anatomy of your next cyber attack, pitfalls and protections in identity management. And this is a part of a session we called. I am takeaways and homework, but the good news is no homework. You can enjoy the weekend. And with that, I'll turn it over to Darren to kind of talk about the cybersecurity identity, aware cybersecurity takeaways.
Okay. I've got B. Great. Well, thanks everybody. Good to see you all still here. I like people that hang on till the end. Obviously having Kim being my lead into Kim is a good thing. I think he's got some interesting things to say, so I will definitely wait for that too. I am the CTO and CS and CSSO at SalePoint technologies. We are seen by many as the market leader in I identity governance and administration. So that's really that governance role mixed with provisioning. And what I wanna talk about today is where we see IAM protections sitting within an attack lifecycle. So this jumps straight into it. I think, you know, everybody is aware of the multitude of threats, vulnerabilities, and breaches that are before us today. Everyone is a potential attack, right? I mean, whether they be a nation state or a script kitty as they call it, those actors are many.
The vulnerabilities appear to be everywhere from an a P T to a simple weak password. These things are well known and well understood by the attacker and are very present in many, many of our businesses and then prevention. And more importantly, detection turns out to be very hard to do the fundamental Institute estimates that the average breach detection is 206 Hayes. So the bad guys are inside the network for 206 days. That's pretty darn scaring. And it is, you know, one of the reasons why there is so much fear, uncertainty and doubt around our businesses today. Now, if you look inside forensics, I myself study wherever there is a forensic report available, I will read it. And you look inside those reports. Identity really is a common point of weakness. It's quite surprising how often and how obvious it is that these are our points of weakness, but yet we are still seeing them in recurring breaches, entitlements, and access.
It is the attack vector. The access control model is security. And I think in the worlds of the perimeter per perimeter list network, we've kind of retreated to the access control model and the entitlement as the last breach for us to hold and IAM processes seem to be rather weak. As we look across the cyber kill chain, things like poor account management week passwords, I mean orphan accounts. This is such a huge one that we see where the breach report is available. Go read it. There's always an orphan account being created that wasn't detected and that week inventory and cataloging. So often, if we look at the Sony breach, for example, they didn't know what was stolen until it appeared on pace bin, very unfortunate situation and cataloging and inventory is not just so as we know what is stolen, it helps us understand where our weaknesses are and where we need to ensure up our defenses and simple things like over entitlement.
Again, look at how escalation of privilege is used. And we'll, we'll look at that here in a moment. So has everybody heard of the cyber kill chain before? Very well read and well publicized piece of research and really marketing by Lockheed Martin. It's a very sort of militaristic sort of sun Sue view of the attack cycle that we are using as a educational basis to learn the defense. And it plots out the paths that we usually see through a classic attack. It is useful. It's a kind of an interesting exercise. It is a little limited, but when you look beyond it, the phases of attack are absolutely correct. Reconnaissance, penetration, and persistence, exploitation, and escalation, and then exfiltration and exit. Sometimes this exit is not good in Sony's case, the exit was literally burned the house down. So sometimes that is almost justified as a, a, a step on its own, but really those four phases are very interesting.
And what I'd like to do is introduce perhaps a new thought, which is an IAM kill chain. This is introduced by me today. I made it up before I got here, and it really just takes, you know, based on that kill chain flow and thinking. And it's really designed to, to have us focus on where within that cycle from recon to exfiltration identity management has a part to play. It is defense, but I really want you to look at that it's offensive as well. I believe there are things that we can and should do in IAM to create sensor networks, to create an offensive view, to put ourselves on rather than pure defensive to start fighting back a little bit. So let's look at this across an anatomy of a breach. Let's take a completely fictional cyber attack if this bears any resemblance to a real event that is by accident, cuz that would be potentially a liable issue.
Our victim is a market leading manufacturer that has very, very strong IP and a very strong online presence. They're very prevalent in selling devices and selling things to the public. So they have a strong B2C and then it could be any attacker. Of course he's wearing a hoodie don't they always wear hoodies, but it's some known organized crime syndicate in China. And the important part is they have the money. They have the time and they have the resources to execute this attack. They have patience basically. And when we look across the kill chain, that becomes very obvious. And so let's look at our sort of fictional anatomy breach timeline. It spans from January of 2014 through January of 2016. So that's a pretty long cycle, right? And it involves those places of reconnaissance, infiltration, exploitation, and, and exfiltration. And so that's kind of step our way through each of those phases and see what basically happened.
Obviously this is somewhat contrived as an example, designed to point out where the IAM pieces were. But first of all, some external webinar network scanning went on that always happens looking for direct attacks and vulnerabilities in anything that's externally facing that happens to every business. It happens to every home network as well. So it kind of goes without saying a lot of research went on for the executives, the employees, the contractors, and the suppliers. So we look at target, the door was opened via an H V a C supplier. The right. So it's always important that the attack surface is not just us. It's our business partners and people that have access to our systems outside of our business. And some blanket fishing. I mean, who, who gets fishing attacks fairly regularly? I mean, everybody, I think if you're not, you're either invisible on the internet or you've got some secret that you need to share with the rest of us, but you know, trying to do some targeted reconnaissance on the business to find out what the surface is.
So reconnaissance happened was successful. A good picture was drawn of the people and the resources. And then, then some basic targeted spear fishing on an executive. They're the first people to attack. They have the highest level of access and they tend to be the most ignorant of the issues. They have an administrator that has an admin that has access to their system and their resources to attack vectors for one account, very desirable. Some drive by download was executed and local, local admin. They had local administration on the laptop. Let's not do that. I hope all of you don't have a windows adminis, local windows administration account that you log into on a regular basis. Unfortunately, our executive did and was exploited from that. They were able to do lateral movement across several windows servers in the test environment that had default accounts and passwords, just go and inventory that it's shocking how often misconfiguration of basic default accounts is, is, is at fault.
And then some extensive inventory and scanning was done. And then very importantly, they identified that there was a, a privileged administration tool in deployment. Gee, that is one place to focus your protection on. We've put the keys to the kingdom for our administration into those accounts. And so it's important. We get them out exploration, brute force, brute force, password attack on the ad domain and some of the local apps and some of the SAS services, if you track those metrics and Kim may talk about this. If you look at attacks across SAS applications, they're coordinated often very interesting point. They scraped the company SharePoint Porwal. They had readonly access to world from the network, right? So gee, what's on your company. Porwal everything I need to know about your company. It's amazing how many people do that. And then app and DB access to the main line of business application was put in place.
So they were able to get access to the database and the app server, they were able to escalate some active directory groups and they were able to create a domain account. And then during the exploration, they downloaded passwords and hashes for all the internal systems. They pulled customer and sales data from Salesforce. Like I say, some of this may be very resemblant of a real world activity. That's happened for an unfortunate company. And then basically they pulled everything from the file shares, including financials, clients, employee data, and then burned the house down, right. It's kind of, you know, what happens. So very, very unfortunate, big damage company financials, exposed partners and supplier lists were shared with competitors. Employee data was sold on the dark web. A company in China popped up literally a month later selling a product that looked just the same. How could that be?
GDPR investigation was kicked off with potential resulting fines, reputational damage, loss of partners, employee dispatch, next satisfaction. And then the bit that hurts me the most, the resignation of the C S O. Okay. So fortunately this was not sale point. Let me just say that again. This was not sail point, so not good stuff was wrong, right? Somebody got something wrong here. There were a bunch of basic protections that weren't in place. And then more interestingly, there were some true detections that weren't there as well. Some offensive detection that could have been in place to help mitigate this. Let's look very quickly at what these are. I build them out, cuz I'm gonna go through each very quickly inventory and visibility, strong authentication, password controls, lifecycle management, privileged administration governance. That's a huge one request, controls data, access governance, and integrated I am or where security.
I'm gonna very quickly go back over this. The, these slides will be available. I looking at the time, I, I want to make sure we've got plenty of time for Q and a afterwards, but let's just now just walk through what they got wrong. Unfortunately, there wasn't a lot that could be done here in the true reconnaissance phase. You're lucky if you can really detect anything or prevent anything, you can encourage your employees to use strong passwords on what appear to be benign social media sites. That's something that we enforce by using products like ours. You can actually make sure that when some, someone uses a LinkedIn account, that that password is long and strong. So that's about it. All I can see, but they missed visibility in inventory, right? They didn't know where their default accounts were. They didn't know their orphan accounts when they were being created.
So they created an orphan account. They created an ad account outside of our lifecycle control. Wasn't detected, wasn't prevented and no event alerts went off and recertification window was too long, right? It started the attack really started in April. They did an access review in January. Everything looked good. They didn't behavior could have been in play all the way across many of these phases. They had very weak password controls. So evidently some of the passwords were easy to hack, easy to attack, strong password policies, life cycle enforcement and things like change detection. We, this is such easy technology. Now we can send an alert whenever a password changes in a native system that tells us something right. We can correlate that back with an action and see if it was done locally at the command shell or done through our IAM layer. And so again, simple things, lifecycle management wasn't in place.
There were no known join a move, a leave estate transitions when escalation was happening and lateral movement was happening, changes were happening in the IAM infrastructure and no alerts went off, nothing got changed. Nothing got triggered, embedded data triggers basically, which is something that we in identity governance administration. Now that's just what we do. Right? We observe something changing and we create an event. We create an a workflow. We notify somebody with a watcher. If you like, and then no, Pam governance, gee, how many times I see this people go, it's happening in federal, in the us at the moment everybody's deploying privileged administration like crazy and they're not governing it. They don't look for separation of duty and escalation of privilege. They don't govern privileged administration, just like any other source of authorization. It's just like rack air four ad. It's a super concentrated piece of authorization technology and it needs to be governed.
And they had no preventive and detective controls, access request management. Gee, the guy was actually, and this does come from a real story, was able to base on a test account, use that account to request access to one of the SAS applications, went through their internal request. Porwal and you know what? Somebody did click approve, gave them access to a SAS app. They pulled data from it. They believe it or not data access governance. I mean big detection point. Somebody was moving around the file system and someone with an administration right, was pulling financials information that should have raised a trigger, right? And that's what data access governance is here for to effectively at model people's access to do classification and categorization and do file based alerts. And then finally I integrated identity aware security, nothing was integrated, nothing was identity aware, nothing was able to talk to each other.
And so the IAM security, IAM and security weren't one strategy. They were just things. We were just chatting about that before we came in, they were not seen as part of the, a single defensive strategy. And so, you know, we see what happened. So those IAM and protections were not really in place and they really are quite a simple process. Now there's one more in my last two minutes that I want to discuss. And that's this notion of IAM sensors. So surely with all this infrastructure, we can do something we can detect. We can put a trap in place and anyone that's dealt with network security and honey pots is very simple concept, right? So there's some simple things we can do here. What about an account honey pot? What about creating a fake account? That if you log into it, it's gonna create an alert.
It's gonna note no one should log into this. It's called big fat juicy administrator, or it's called, I've got a weak password. I mean, it sounds trite, but it's, it can be very, very meaningful things that have deliberately weak passwords password. 1, 2, 3 is still the most common password used on the planet. It's the first thing that they won't even put in place a cracking tool. They'll try that by hand because it's so often available and we can spread these across the infrastructure and create a sensor network out of basic accounts. We can also do things that we rather silly called file and file file and folder targets. First thing we're gonna do is scan our file system. Look for accounting files, look for files that are suspiciously attractive by name or by access permission. And do you know what they are they're fake and do you know what they do?
They notify us that somebody's doing something they shouldn't. So if someone reads that document, someone takes that document, an alarm goes off and these are the sorts of things that we can use our IAM infrastructure to automate for us. It's very easy to do, to create, as I say, an automated provisioning policy would help govern this. So the key takeaways I would leave you with are it's really business as usual, but thinking about those, I am often compliance controls as an integral part of prevention and detection and put those together into a single infrastructure and help identity enable the security system it large. And so is that we stand a chance of, of preventing that attack. And that's it. Any questions? Thank you, Darren. What do we do questions at the end?
We'll do a few
Now. Yeah. I wanna make sure that Kim gets up here on time cuz I wanna listen to what he has to say
Questions.
Well, pretty obvious, right?
Well, I, I had one Darren while we're waiting and that was you. You used the term offense and where you referring to the deception, the honey pot and
The tar. Exactly. Okay.
I would call that deception.
Yeah. I think this is actually part of a, a broader presentation that that is with a theme of which is, you know, be, be an internal hacker and that's why that term was used, but okay. But these are the sorts of things that, that we, it's kind of a different way of thinking about I am, right. I mean, does anybody do anything like this today? The sensor network element of it? I think you're gonna see products delivering this products like ours, prepackage it as a configuration. You can just press a button and it'll push out a bunch of fake accounts for you. I think it's gonna be a much more prevalent. Just a bit. Yeah, sure. Of course I do that. It's sort of gonna be made easy by the infrastructure.
Cool. All
Right, right on.
Thank you Derek. Thank
You.
