Watching the Watchmen: Securing Identity Administrators

Administrators of identity tools hold the skeleton keys to the kingdom now that identity is the new perimeter. To be clear, all administrator accounts — regardless of use case — represent accounts with elevated levels of power and access and should be a focus of heightened security controls. However, in recent months, administrators of identity infrastructure and tooling have come under specific attack.

Therefore, understanding who your identity administrators are, what they do, and how to monitor their activities is crucial for maintaining a secure environment. In this blog, we will explore the importance of securing identity admins, highlight the risks of poorly managed admin accounts and provide best practices to mitigate these risks.

What is an identity administrator?

Identity administrator accounts have elevated permissions to deploy, configure, and modify relevant identity systems. In many enterprises, this includes administrators for tools like on-premises and cloud directories, single sign-on (SSO) solutions and multi-factor authentication (MFA) providers.

These administrators are essential for configuring key workflows for identity and access management (IAM) within organizations. For example, they often define and configure the lifecycle of employee identity accounts, provision application access for user groups, set access policies for these groups, and determine authentication requirements for various policies. Identity admins play a large role in defining and setting access policy and requirements, making these accounts attractive targets for cyber attackers.

The risks of poorly managed administrator accounts

Poorly managed identity administrator accounts can lead to significant security risks. Excessive privileges, lack of visibility, and undetected anomalous activity can all contribute to security breaches. To illustrate the risk, let’s use the notable example of the Scattered Spider attacker group, which has been known to exploit administrator accounts to gain control of identity systems.

Case study: Scattered Spider

Scattered Spider is the name of an attacker group associated with several major identity-based breaches. Their techniques have been outlined in this helpful briefing from CISA. They famously use a variety of social engineering techniques (e.g., calling the help desk and asking for password and MFA resets) to gain initial access to environments.

Once they have compromised a user's account, Scattered Spider threat actors register their own MFA tokens to establish persistence. From there they target identity administrator accounts and begin performing administrative actions: changing access policies so that MFA is no longer required, or even creating and linking new identity provider instances.

For example, they have been documented adding a federated identity provider to the victim's SSO tenant and activating automatic account linking, enabling them to sign into any account using a matching SSO account attribute. This allows them to perform privilege escalation and maintain access even when passwords are changed.

The key takeaway is that gaining administrative control of identity systems can have devastating consequences. However, with the right tools and practices, organizations can detect and respond to such activities early, reducing the potential impact.

Monitoring identity administrators with Cisco Identity Intelligence

Cisco Identity Intelligence offers powerful capabilities to evaluate and monitor administrator accounts and activities. By providing necessary visibility into the number of identity admins and their interactions with the environment, Cisco Identity Intelligence helps ensure proper use of privileges and alerts on anomalous activity.

Key features of Cisco Identity Intelligence for Administrator Security

Dashboards:

  • Administrators per source

  • Administrator logins

Checks:

  • Admin filter on weak or no MFA

  • Admin activity anomaly

  • Admin role assigned to user

  • Login to admin console

  • Admin impersonation

  • New IdP created

These features enable organizations to detect and respond to risky admin activity, reducing the likelihood of security breaches.
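The Scattered Spider chain above and the checks listed here both come down to the same thing: detection logic run over the identity provider's admin audit log. The following is an added example (not code from the original post or from Cisco Identity Intelligence) that encodes several of those checks as rules and adds one stateful correlation for the takeover chain itself. The event schema, role names and the sample events are constructed for illustration; a real IdP's audit format would need to be mapped onto these fields.

```python
"""Detection rules for identity-administrator audit events.

Added example, not code from the original post or from any product. The event
schema, rule names and role names are assumptions; real identity providers each
have their own audit format that would have to be mapped onto these fields.
"""
from datetime import datetime, timedelta

ADMIN_ROLES = {"super_admin", "org_admin", "identity_admin"}  # assumed role names
WEAK_FACTORS = {"sms", "voice", "email"}
CHAIN_ACTIONS = {"policy.update", "idp.create", "role.assign"}  # admin-level config changes

# Constructed baseline: identity admins and the source IPs seen from them during a
# learning period. The keys double as the list of known admin accounts.
KNOWN_ADMIN_IPS = {
    "alice@example.com": {"203.0.113.10", "203.0.113.11"},
    "bob@example.com": {"198.51.100.7"},
}
ADMIN_ACCOUNTS = set(KNOWN_ADMIN_IPS)

# Constructed sample log replaying the chain described in the case study: help-desk
# MFA reset, attacker enrols their own (weak) factor, logs into the admin console
# from a new IP, removes the MFA requirement, then federates an IdP with auto-linking.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:00", "actor": "helpdesk@example.com", "action": "user.mfa_reset",
     "target": "bob@example.com", "ip": "203.0.113.50", "details": {}},
    {"ts": "2024-05-01T09:05:00", "actor": "bob@example.com", "action": "user.mfa_factor_enroll",
     "target": "bob@example.com", "ip": "192.0.2.44", "details": {"factor": "sms"}},
    {"ts": "2024-05-01T09:07:00", "actor": "bob@example.com", "action": "admin.console_login",
     "target": "-", "ip": "192.0.2.44", "details": {}},
    {"ts": "2024-05-01T09:12:00", "actor": "bob@example.com", "action": "policy.update",
     "target": "Global Sign-On Policy", "ip": "192.0.2.44",
     "details": {"field": "mfa_required", "old": True, "new": False}},
    {"ts": "2024-05-01T09:20:00", "actor": "bob@example.com", "action": "idp.create",
     "target": "idp-attacker", "ip": "192.0.2.44",
     "details": {"type": "saml2", "auto_link": True, "match_attribute": "email"}},
    {"ts": "2024-05-01T10:00:00", "actor": "alice@example.com", "action": "role.assign",
     "target": "carol@example.com", "ip": "203.0.113.10", "details": {"role": "read_only_admin"}},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def evaluate_event(ev):
    """Stateless per-event rules. Returns [(severity, rule, message), ...]."""
    alerts = []
    actor, action, d = ev["actor"], ev["action"], ev["details"]
    if action == "idp.create":
        # Auto-linking lets the attacker sign in as any account with a matching attribute.
        sev = "critical" if d.get("auto_link") else "high"
        alerts.append((sev, "new_idp_created",
                       f"{actor} federated IdP {ev['target']} (auto_link={d.get('auto_link')})"))
    if action == "policy.update" and d.get("field") == "mfa_required" and d.get("old") and not d.get("new"):
        alerts.append(("high", "mfa_requirement_removed", f"{actor} disabled MFA on {ev['target']}"))
    if action == "role.assign" and d.get("role") in ADMIN_ROLES:
        alerts.append(("medium", "admin_role_assigned", f"{actor} gave {ev['target']} role {d['role']}"))
    if action == "user.impersonate":
        alerts.append(("medium", "admin_impersonation", f"{actor} impersonated {ev['target']}"))
    if action == "user.mfa_factor_enroll" and ev["target"] in ADMIN_ACCOUNTS and d.get("factor") in WEAK_FACTORS:
        alerts.append(("medium", "weak_mfa_factor_enrolled", f"{ev['target']} enrolled {d['factor']}"))
    if action == "admin.console_login" and actor in ADMIN_ACCOUNTS and ev["ip"] not in KNOWN_ADMIN_IPS[actor]:
        alerts.append(("medium", "admin_login_unknown_ip", f"{actor} admin login from {ev['ip']}"))
    return alerts


def detect(events, window_minutes=60):
    """Per-event rules plus one stateful correlation: an MFA reset or factor
    enrolment on an account, followed within the window by that same account
    making an admin-level configuration change, is the takeover chain."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    last_factor_change = {}  # account -> time of its most recent MFA reset/enrolment
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        alerts.extend(evaluate_event(ev))
        ts = parse_ts(ev["ts"])
        if ev["action"] in ("user.mfa_reset", "user.mfa_factor_enroll"):
            last_factor_change[ev["target"]] = ts
        elif ev["action"] in CHAIN_ACTIONS:
            changed = last_factor_change.get(ev["actor"])
            if changed is not None and ts - changed <= window:
                alerts.append(("critical", "takeover_chain",
                               f"{ev['actor']} changed MFA factors at {changed:%H:%M} "
                               f"then performed {ev['action']} at {ts:%H:%M}"))
    return alerts


if __name__ == "__main__":
    for sev, rule, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev:8}] {rule:26} {msg}")
```

On the constructed sample the per-event rules fire on the weak factor enrolment, the console login from an unknown IP, the policy change and the new IdP; the correlation then raises the two critical "takeover_chain" alerts because both configuration changes happen minutes after the same account's MFA factor was replaced. The help-desk reset itself produces no alert, which is the point: it only becomes meaningful in combination with what the account does next.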

Best practices for securing identity administrators

To enhance the security of identity admins, organizations should implement the following best practices:

1. Limit the number of admins

Restrict the number of admin accounts to the minimum needed to function effectively. This reduces the attack surface and makes it easier to monitor and manage these accounts.

2. Limit privileges and access

Grant admin accounts only the privileges and access necessary for their roles. Implement the principle of least privilege to minimize the potential impact of a compromised account.

3. Enforce strong multi-factor authentication (MFA)

Require strong forms of MFA for admin access. When we say strong MFA, we mean disabling weaker factors such as SMS, voice and email for these accounts and requiring phishing-resistant MFA (for example FIDO2/WebAuthn security keys or platform authenticators, often deployed as passwordless login), or at minimum combining traditional MFA with a trusted-device requirement.

4. Implement monitoring and detection

Continuously monitor admin accounts and implement detection logic for high-risk activity. Use tools like Cisco Identity Intelligence to gain visibility into admin activities and detect risky activity.

5. Establish a response workflow

Develop and implement a response workflow for various levels of administrator risk. This ensures that your security team can quickly and effectively respond to potential threats.
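Practices 1 to 3 are posture questions that can be answered from an inventory of admin accounts rather than from the audit log. The following is an added example (not code from the original post or from any product) of such an audit: it counts admins per role, classifies each account's MFA against the definition of strong MFA given above, flags weak factors that remain enrolled, and surfaces admin roles that have gone unused long enough to be candidates for removal. The inventory, factor names and thresholds are constructed assumptions; in practice the data would come from each identity provider's admin API.

```python
"""Posture audit for identity-administrator accounts.

Added example, not code from the original post or from any product. The inventory
format, factor names and thresholds are assumptions chosen for illustration.
"""
from collections import Counter
from datetime import date

PHISHING_RESISTANT = {"fido2", "platform_authenticator", "smart_card"}
TRADITIONAL = {"totp", "push", "hardware_otp"}  # acceptable only with a trusted-device requirement
WEAK = {"sms", "voice", "email"}

# Constructed inventory: account, admin roles, enrolled factors, whether a trusted or
# managed device is enforced for the account, and when it last used an admin role.
ADMINS = [
    {"account": "alice@example.com", "roles": ["super_admin"],
     "factors": ["fido2", "totp"], "trusted_device": True, "last_admin_action": "2024-04-28"},
    {"account": "bob@example.com", "roles": ["super_admin"],
     "factors": ["sms"], "trusted_device": False, "last_admin_action": "2024-01-10"},
    {"account": "carol@example.com", "roles": ["helpdesk_admin"],
     "factors": ["push"], "trusted_device": True, "last_admin_action": "2024-04-30"},
    {"account": "svc-provisioning@example.com", "roles": ["user_admin"],
     "factors": [], "trusted_device": False, "last_admin_action": "2024-04-30"},
]


def mfa_strength(admin):
    """Classify per the post's definition: 'strong' is a phishing-resistant factor,
    or traditional MFA combined with a trusted-device requirement."""
    factors = set(admin["factors"])
    if not factors:
        return "none"
    if factors & PHISHING_RESISTANT:
        return "strong"
    if factors & TRADITIONAL:
        return "strong" if admin.get("trusted_device") else "moderate"
    return "weak"


def audit(admins, as_of, stale_days=90, max_super_admins=2):
    """Return admin counts per role plus a list of findings. `as_of` is an ISO date."""
    today = date.fromisoformat(as_of)
    findings = []
    for a in admins:
        strength = mfa_strength(a)
        if strength != "strong":
            findings.append({"account": a["account"], "finding": "insufficient_mfa", "detail": strength})
        weak_enrolled = set(a["factors"]) & WEAK
        if weak_enrolled:
            # A weak factor is still a usable fallback even when a strong one exists.
            findings.append({"account": a["account"], "finding": "weak_factor_enrolled",
                             "detail": sorted(weak_enrolled)})
        idle = (today - date.fromisoformat(a["last_admin_action"])).days
        if idle > stale_days:
            findings.append({"account": a["account"], "finding": "stale_admin_role",
                             "detail": f"{idle} days without admin activity"})
    per_role = Counter(role for a in admins for role in a["roles"])
    if per_role["super_admin"] > max_super_admins:
        findings.append({"account": "*", "finding": "too_many_super_admins",
                         "detail": per_role["super_admin"]})
    return {"admin_count": len(admins), "admins_per_role": dict(per_role), "findings": findings}


if __name__ == "__main__":
    report = audit(ADMINS, "2024-05-01")
    print(report["admin_count"], "admins:", report["admins_per_role"])
    for f in report["findings"]:
        print(f"{f['account']:32} {f['finding']:24} {f['detail']}")
```

Run against the constructed inventory as of 2024-05-01, the audit flags bob@example.com three times (SMS-only MFA, a weak factor enrolled, and a super_admin role idle for 112 days) and the provisioning service account once for having no MFA at all; alice and carol pass because a security key, or push combined with a trusted device, meets the bar. Lowering max_super_admins to 1 adds a finding that the tenant has more super admins than policy allows.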

Keep an eye on your identity watchmen

If we revisit the case of Scattered Spider after having implemented these controls, the picture is much rosier. It would be unfair and unwise to claim that every breach would be prevented or detected. But by proactively limiting the attack surface and putting in place detection logic that alerts on unusual admin activity (e.g., creating a new tenant or federating a new identity provider), organizations will be much better off.

To assess the security of your identity administrator accounts, consider asking the following questions of your own environment:

  1. How many identity administrators do you have in your environment?

  2. Is strong MFA required for all identity administrators in every case?

  3. Do you have good visibility into normal admin activity?

  4. How do you detect anomalous admin activity?

  5. What is the response workflow when risky admin activity is detected?

If you’re interested to learn more about building a robust Identity Security program to handle identity admin security and much more, check out our ebook: Building an Identity Security Program. Talk with someone about how Cisco Identity Intelligence and Duo can help bolster your organization’s identity defenses by contacting us.