Unmanaged endpoints are a prime target for identity-driven attacks
In cybersecurity, unmanaged endpoints represent a significant vulnerability within even the most meticulously planned defense strategies. These unprotected access points are attractive targets for identity-driven attacks. Organizations are unable to gain coverage for all the endpoints with endpoint security and detection tools; even those maintaining the highest levels of vigilance might only achieve around 80% endpoint security coverage. This leaves a consequential proportion of endpoints – about 20% – unmanaged and susceptible. In addition, there are a large number of peripherals and IoT devices, such as printers, cameras that are not compatible with endpoint security solutions and add to the pool of the unmanaged endpoints.
These exposed endpoints, linked with the network and Active Directory (AD), offer an easy entry point for attackers to compromise the system, gain access to privileged credentials, and cause substantial damage. Recent research indicates over 25% of modern attacks originate from an unmanaged endpoint.
Organizations have a significant set of unmanaged endpoints
Understanding the potential vulnerability that unmanaged endpoints pose to organizations’ cybersecurity is critical. IT equipment that represent contractor laptops, Bring Your Own Device (BYOD) devices and legacy workstations in lab environments are all representative of unmanaged endpoints. Seemingly harmless devices like printers and cameras are also exploited for identity-driven attacks. Moreover, servers running a custom OS that are not supported by endpoint security also fall into the category of unmanaged endpoints. The legacy OS versions and custom form factors often make patching and hardening also challenging. With limited prevention based defense and no endpoint detection capabilities, the unmanaged endpoints represent a significant security risk to organizations.
Unmanaged devices include:
- Contractor laptops that are connected to the enterprise on a temporary basis
- Workstations and servers running legacy IT equipment, such as equipment in labs and test environments
- Printers, cameras – IoT equipment that is connected to the enterprise
- Servers running on OS versions that are not supported by endpoint security tools
Unmanaged endpoints are typically members of the AD domain. IT teams join these endpoints to the domain to enable IT policies to be applied and to allow administrators to login to the devices using domain credentials.
Attackers target identity stores from unmanaged endpoints
Attackers target unmanaged endpoints to gain unauthorized access to domain account credentials. These endpoints have no endpoint detection in place and are often running legacy operating system versions with known vulnerabilities that are exploited by attackers. Attackers can exploit these vulnerabilities to gain access to these endpoints.
Attackers take advantage of the lack of endpoint detection on the unmanaged endpoint to download and execute credential stealing malware that targets AD. This enables attackers to gain access to domain credentials, including privileged domain accounts such as domain admin accounts or important service accounts. Attackers leveraged the trusted credentials for lateral movement to critical systems and to obtain access to sensitive data, resulting in breaches with significant financial and reputational impact to the organization.
Organizations need a solution to stop breaches that originate from unmanaged endpoints.
Honeytokens to defend against identity-driven attacks from unmanaged endpoints
Deception technology is a proven approach for identity threat defense. Honey accounts are deceptive user accounts and service accounts added to the identity store, such as AD. Honey accounts are personalized for the AD domain and are made attractive for attackers to exploit.
Attackers that gain access to unmanaged endpoints and attempt to target identity stores to gain access to identities will find the honey accounts. Any usage of the honey account results in a high-fidelity threat detection. Defense teams are able to detect identity-driven attacks that originate from unmanaged endpoints.
Organizations gain the ability to stop identity-driven attacks that originate from unmanaged endpoints.
More information on honeytokens can be found at : /products/identity-protection/
Authors
Suril is VP Engineering at Acalvio Technologies. Suril has led engineering for industry leading cybersecurity offerings. Suril has deep domain expertise in cybersecurity and holds multiple patents.
