Strengthening cyber: Best IAM practices to combat threats

The 2024 UK government Cyber Security Breaches Survey makes sober reading with 70% and 74% respectively of medium and large businesses reporting some form of cyber incident within the previous 12 months. 

With phishing accounting for 84% of these attacks and AI enabling the launch of increasingly sophisticated cyber campaigns, organisations need to defend themselves against attacks targeting two key vulnerabilities in their defences: insecure user accounts and human error. IAM needs to be a key part of an organisation’s security posture against these threats. 

Unfortunately, many organisations have inadequate IAM and lack effective control and visibility of who has access to their resources. This creates a vulnerability that is targeted and exploited. 

Organisations should combat this threat by establishing an identity-centric security approach that moves the security perimeter from the edge of the corporate network to the individual user. It reduces the risk of an attacker exploiting insecure identities by enforcing verification and authorisation of all entities prior to allowing any access and then only permits authorised activity.  

Identity-centric security needs to be at the core of an organisation’s cyber security posture. It is delivered through effective IAM governance, strong but proportionate access controls, user education, and proactive detection and response capabilities designed to rapidly identify and repel any breach. 

Reduce the ability of attackers to exploit accounts through effective IAM governance

An effective IAM governance framework for managing the end-to-end identity lifecycle is a key element in reducing the ability of attackers successfully exploiting an account to infiltrate an organisation’s resources.   

The first step is getting the basics right. At a minimum, regular re–certification reviews should be performed to see who has access to what resources and their entitlements. It should then remove any account and/or access right that is not required.  This should be coupled with the enforcement of effective joiners, movers and leavers, and ‘access request’ processes designed to only provide users with appropriate access to resources they need to perform their roles.    

This reduces the exploitable attack surface by, for example, removing dormant or duplicate accounts and unnecessary access to resources. It should also deliver a single traceable view of who has access to which resources and enable unauthorised access to be more effectively identified. 

As an organisation’s users and their accounts will be actively targeted, it is necessary to enforce access controls that not only reduce the risk of breach, but if an attacker does succeed, minimises their ability to exploit this access. 

Organisations need to apply proportionally stronger controls according to risk. At a minimum, organisations should use Multi-Factor-Authentication (MFA) tools and techniques. These include mobile authenticator apps leveraging One-Time Passwords or biometrics combined with controls using contextual signals such as a user’s location or the status of their device. Such mechanisms provide an additional layer of defence in the event a user falls for a phishing email and provides an attacker with their credentials. 

In the event these defences are breached, the enforcement of a least privilege model, where users are only provided with the minimum entitlements required for their jobs will limit the ability to exploit this.  Building upon this, privileged accounts used for higher-level administrative activities must be kept separate and not used for daily business–as–usual work. Such controls impede an attacker’s ability to move laterally across the network and reduces their ability to compromise an organisation’s systems and data or deploy system corrupting ransomware. 

Cyber attackers exploit ignorance and muscle memory with techniques such as MFA bombing (where attackers repeatedly spam the user with MFA requests until they accept) which is used to compromise credentials. 

Education of these threats needs to be part of an organisation’s defences. Measures include awareness campaigns on how to identify and respond to phishing emails, best practice, and steps to take if they feel they may have been compromised. This helps the workforce take pride in good cyber security and empowers them to do the right thing. 

Although effective IAM should be at the heart of the defence against cyber phishing and ransomware attacks, it essentially provides a static defensive perimeter. Organisations must assume this will be breached and use their wider security operations capability to proactively deliver threat detection and response, including approaches such as Zero Trust.  

Organisations should develop capabilities to detect and analyse signals that could be an indicator of attempted or existing compromise. Trend analysis on usage and breaches can be used to identify and close vulnerabilities.  Threat detection tools (e.g. a SIEM capturing IAM and PAM logs) combined with established playbooks can, for example, reduce the impact of a successful phishing campaign by detecting and responding to anomalous activities such as seeking escalation of rights. 

A coherent identity-centric security approach needs to be a core part of an organisation’s defences if it is to successfully combat cyber, phishing and ransomware attacks. The combination of the use of high quality identity data and technology services to control access to its resources, with proactive threat detection and response capabilities, and user education, is vital for a security posture designed to meet rapidly evolving cyber attacks.