Episode 121

Navigating the Future of Identity Threats with Gal Diskin

EPISODE SUMMARY

In this episode of 401 Access Denied, host Joe Carson and cybersecurity expert Gal Diskin explore the evolving challenges of identity threats. They discuss how attackers compromise identities, the importance of phishing-resistant multi-factor authentication (MFA), and the need for continuous monitoring and detection.

The conversation highlights the criminal economy behind identity theft, the risks of security misconfigurations, and how AI is reshaping the landscape for both attackers and defenders. Listeners will learn actionable best practices to protect against identity threats and the importance of staying informed through collaboration within the cybersecurity community.

Key Takeaways:

  1. Identity threats demand advanced solutions and continuous vigilance.

  2. Misconfigurations are a leading cause of data breaches.

  3. AI introduces both opportunities and risks in cybersecurity.

  4. Staying connected with the cybersecurity community is essential for staying ahead of threats.


Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast, brought to you by Delinea. I'm the host of the episode, Joe Carson, Chief Security Scientist and Advisory CISO. It's a pleasure to be here with you, always bringing thought leadership, educational topics to really keep you ahead of today's threats that target organizations, and even your family and your social sphere as well.

So I'm always looking for a really intelligent, really smart guest, and I've got an awesome guest for you today. So Gal, welcome to the podcast and episode for today. You want to give the audience a little bit of a background about yourself, how you got into the industry, what you do, and some interesting things about yourself?

Gal Diskin:

Of course. Thank you for having me. Let's see, how I got into the industry. So back when we were still using modems and BBSes, I got into hacking and things like that. And one thing led to another, I started being one of those kids that ... in the '90s to work at software companies. And this is how I got into the industry, and kept doing that for many years. I founded four startups, three of those I sold, the last one to Delinea, which is how we got to work together, which is great.

Joseph Carson:

Absolutely, which is great. That's always great that acquisitions bring people together.

Gal Diskin:

Yeah. And my previous startups, one went to the area of cyber and FinTech, and the other became part of Palo Alto Networks, while I ran the endpoint products and things that later became known as XDR. So, lots of fun. I did also a lot of research for Intel in the areas of... research and AI a little bit, also in Palo. And so my expertise is broken up between AI research and cyber security research.

Joseph Carson:

One of the big topics we're here to talk about today is around the identity threat landscape. It's evolving so fast, it's becoming a major challenge for organizations to make sure they're able to have visibility, to manage identities, to put the right security practices in place. I think it's one of the most sometimes... not prioritized high enough for many organizations, and when they do it, then it's a long journey to really get the right success and best practices.

One of the things is, where did identity threat landscape... What did identity threats really start off with? When it comes to my mind, it really comes down to, I think really in the '90s, a lot of it came around about stealing and compromising passwords. Where did it really start for you, when it comes to identity theft and identity threats?

Gal Diskin:

So I think that what you say is a very good way to look at it. I would also think about Active Directory threats, and... those started, even LDAP earlier in certain senses, and how we saw different threats and attempts to manipulate those directories and those users in order to take over accounts, or later move between accounts, across those environments.

Joseph Carson:

Absolutely. So one of the things I've seen, I'm doing a lot of incident response and looking at uncovering incidents, and really understanding it by, let's say, the attack path and initial attack vectors, a lot of it comes down to compromising identities. If we look at the Verizon Data Breach Investigations Report, which I analyze every year, a large portion of most of the incidents have some type of identity compromised.

And to your point, I think one of the things when I look at those attack paths, you always see some type of Active Directory, directory services compromised, whether it being stealing an existing user's identity and using that to do reconnaissance and find out what's on the network and find out what types of solutions and products and tools they're using or ways to elevate, ways to laterally move, or they're adding their own users, and sometimes just getting that persistence, because sometimes they have the fear that the user that they've compromised, that maybe at some point they might change the password or they might change the security. So they're always looking ways to make sure they've got a foothold and gaining access.

What's some of the common techniques that you find attackers using to compromise identities? What's some of the most common that you see?

Gal Diskin:

So we've actually, in Delinea Labs, we've started researching in depth these types of situations. We've found that there is a certain shift, so an increase in a trend that was existing before, of attackers starting to look more for ways to steal identities that bypass MFA. So usually, up to today it was fairly easy. You would go with credential stuffing, I got to use... password, but that's no longer enough in a lot of cases, right? Because organizations have become more and more aware of MFA, and the prime targets usually have MFA in a lot of places. Now, this is not always the situation, as was with the recent Snowflake hacks, but what we've seen is, as the attackers shift in that direction, we see in criminal underground forums discussions about attacker-in-the-middle tactics, browser-in-the-middle tactics, and another one is infostealers, but a lot of infostealers started publishing ... focusing on extracting live session cookies for common identity services. So again, the targeting is, how do I get into your identity system as one of your users, as you've said earlier.

Joseph Carson:

Absolutely. And once they get the initial foothold of that initial patient zero, or account zero, it really allows them to understand more about your internal workings of an organization, about who that person's connected to, what services and what applications that the organization is using, what security controls are in place. Sometimes, unfortunately for many organizations, when they get past that initial front door security, there is no more security inside. And that's one of the things that organizations are starting to look at how to make sure that you've got security at every interaction and defense in depth scenarios, the layered approach.

What's some of the things that you find the best practices that makes it difficult? Let's say... You talked about MFA as well. I've seen a lot of attackers using things like social engineering, or even using generative AI to have a conversation to try and bypass a lot of those controls, improving phishing techniques. So what works, what's the best practices to make it as difficult as possible?

Gal Diskin:

So I think it's a long list to go through all ... but it starts from getting the right MFA solution. So not all MFA solutions are born equal, and I think a lot of people don't think about that, but not all MFA solutions were born equal. So if you have a phone or SMS-based solution, those are not good enough. What you need, you need to go with MFA solutions that are strong and resilient to phishing. So... compliant type of keys, but not necessarily keys, and phishing-resistant MFA is really important to put in place, because it reduces a lot of the threats that we were talking about earlier, and also phishing and social engineering threats that were just discussed.

Second is actually figuring out that you have everybody under MFA, because it's always everybody except the CEO and the IT admin, but those are the guys that really need it. Another funny anecdote that we had is, we got to a company where the CEO really wanted to have all possible factors applied in his Okta, on his account. Now, what it ended with, they had a policy that he needed two factors to log in, but he had both SMS and phone ... enabled. So basically, if you stole his number by doing line-jacking, you could literally log into his account without any password or username required.

Joseph Carson:

So the two methods that were required, simply cloning the phone... cloning the number, would allow you to get access, because both of those factors go to the same destination.

Gal Diskin:

Yeah. So it's funny to think about it, but with the good intent, you got the wrong result, right? So it's very important to think about that and to make sure that you have at least one FIDO-compliant MFA. But enough about MFA, I guess, there are also other very important best practices.

So one is... There are two main levels to this. One is controlling access to your privileged identities. And this sounds simple, but it's actually hard. You need to understand who are these privileged identities. You need to continuously monitor when there are new ones, and you need to control access to them and ensure that it's done in a safe and managed way. So this is one level.

And then the next level that is really critical to actually protect yourself from identity threats is that you have to monitor all of those. So you have to monitor your identity environment, your identity configuration, changes to the identity configuration, attacks on identities.

And I'll give you an example. For example, there was a successful credential stuffing attack on one of the MGM employees, IoT employees. It was blocked by MFA in the MGM attack that literally suspended the entire... After that attack was successful, nobody was actually monitoring this. So nobody knew that somebody actually did a credential stuffing attack, successfully logged in into one of the accounts, and got blocked by MFA, and the attackers had weeks to learn about this guy and then do social engineering attack to get the IT support to disable his MFA.

So monitoring is really critical. If you are not aware of a threat, you'll never be able to prevent it. And this is where identity threat detection comes in. And I know I'm talking about what my company used to do, and still does out of Delinea, but this is effectively something that if you don't do, if you don't see, you can't actually protect yourself from anything.

Joseph Carson:

Absolutely. That's one of the things I'm always saying is that we want to make it as difficult as we can for attackers, but we also want to have the visibility of when attackers are actually using techniques. And if you can see the techniques, I would say it's like looking at a lake, and that lake basically is clear, it's still, and you want to be able to see the ripples. And if you don't investigate what those ripples are, you're not going to be able to uncover those compromise attempts. And if they go unchecked and let's say unmonitored, what will happen is the attacker will then find another way. They will keep using the techniques that work, but they will look for ways to get around the controls that actually stop them in the first place.

And I think that's one of the important things is that... And sometimes it's... After every incident you can go back and you can look at the logs and you go, oh my goodness, there was so much noise, but just no-one was paying attention, no-one was trying to learn about these attacks and then put more controls in place or more visibility to make sure that, if they try it again, are we continuing to prevent the attack? Rather than just hoping the controls are working and not having the visibility.

So I agree, identity threat detection and response, you need to make sure you're actively learning from the attacks that are targeting your organization, and making sure you're strengthening the controls and getting into more, I refer to as a bit more adaptive or dynamic types of access control. And that allows you to continually evolve, and not just hope that the static controls you put in place six months ago or a year ago are still...

Gal Diskin:

Yeah. I am totally with you. One of the key points of having identity threat detection and response is the response part. And the response is, I detected something, I need to respond to it by actually shifting this knowledge about the threat, the current threat, into my active defenses. So I now have the ability to say, this is a source of attack, I will block even if they're successful. And then however great you are as an attacker, you will just not be able to log in even if you got the right username and password.

Joseph Carson:

Absolutely. And one of the things you find is that, when you've got enough deterrents in place, the attacker will basically... They will not want to waste their time and money and resources. For them, it's a business in many cases, and time for them is money. And if they're not being successful using the time they've got, they're going to look for another target and an alternative organization victim that may not have those controls in place. So that means putting more time and more cost on the actual attacker is definitely a big deterrent, because then they will look for alternative victims.

Gal Diskin:

Yeah. I sometimes joke that you don't need to be the fastest to survive being chased by... you just need not to be last.

Joseph Carson:

Yes. Sometimes, yeah, the bear story as well fits in. You just make sure you're just ahead of the next person. But it gets into... We talked a little bit about the attacks side of things. What types of attacks are we seeing? Is it personally identifiable information that has been the most targeted? Is it credit card information, health information? Which are some of the highest-value target assets that attackers are going after?

Gal Diskin:

So I think we've seen already, when we've talked about this earlier, monetization is always the prime motive for attacks, and we see different patterns emerging periodically as trends are changing. So for example, there was a period that bad people realized that stealing images from beauty clinics and plastic surgery clinics is a very good way to blackmail. That was a trend that we saw like eight, nine months ago I think, maybe... but now it's down because I guess it outlived its usefulness.

Joseph Carson:

Another type of extortion which... We're seeing extortion kind of even overtake traditional ransomware... becoming more of the top methods.

Gal Diskin:

And ransomware is always evolving, it always works. It's extortion of an organization with lots of money and lots of resources. So ransomware is never dying down. We've seen that RansomHub has really started taking a huge percentage of the ransom market. Market is a funny way to refer to it. I don't think people are buying it out of their own free will, but they still get it, the product. So those are some of the trends that we're seeing.

Other trends are reselling information. So even if you get a ransomware attack or something like that, it's not just ransomware. The PII, the information about usernames, passwords, everything is resellable, and it's being resold on the dark web. Basically, there are sites that allow you to... Currently actively on a malicious online forum, there is like credentials into company X, service Y. And you can literally click on it and say, "I want to try it." And you get to see a preview that the system logs in for you and checks the credential for you. So it's crazy the level of customer service that is offered by these malicious actors.

Joseph Carson:

Absolutely. You're right, it is a market, it's a criminal economy which is set up, a supply chain economy, where you've got those who specialize in initial access. All they do is get credentials, validate them, sell them onwards to other criminals. And then you've got the ransomware creators, or even the malware creators, who are creating multi-headed, multi-threaded different techniques, whether it be credential stealing, data stealing types of attacks, or even just being able to find back doors as well within... systems. So really looking at the creators of the malware. Then you've got the help desks, you've got those who just specialize in providing services to help the victims pay the cryptocurrency, or you've got to be able to restore the data from... recovering it.

So you've got this whole ecosystem that are all working together. And I've even seen even the latest evolution of ransomware and data extortion, where they've started using generative AI to analyze. Because in the past they got huge dumps of data, they didn't know what they had, and it might take them a long time to analyze how much can this organization pay? Are they doing anything potentially criminal? What type of value of the data do they have? And now they're using generative AI to analyze the data... extreme acceleration than they would've done. Even within minutes, they're able to understand, here's the value of the data, here's the type of access credentials we might have, here's the type of PI data, here's the value that can be made, here's the types of criminal activities you can do with that data. So the acceleration speed that you're able to analyze large amounts of data is kind of... It's really scary, to this point, how fast it can be monetized and then put on the dark web as a service, that they can actually see that these credentials work, and here's the type of privileges and entitlements that that credential has.

So we've been mostly talking about the threats. What about misconfigurations? Because that's another big area, because when I look at a lot of... Even I think about three, four years ago, one of the Verizon Data Breach Investigations Report had misconfigurations as one of the top causes. And we do say that a lot of that was the acceleration of digital transformation to cloud and so forth. And if we look at a lot of the recent data breaches, they were not from attackers, they were from misconfigurations of cloud storages. So what about that? How do we make sure organizations are finding those and discovering them, before... security resources or attackers find them, to make sure that that data's not been compromised? What's the best practices for finding and discovering misconfigurations?

Gal Diskin:

So I think nowadays we see three main categories of solutions that help you deal with misconfigurations. So there are CSPMs, which are now fairly common, that help you deal with cloud misconfigurations. There are SSPMs, DSPMs, in my opinion, they're both the same category, just arguing with each other.... in general and misconfigurations there. And there is identity security posture management, which I think is the most neglected, because everybody can easily claim that they do something like finding your stale accounts. It's relatively easy, even SSPMs and CSPMs can do it. But there are other misconfigurations that you can't find like this, misconfigurations related to your SAML configuration, or SCIM configuration, or the way you set up the rules in your identity provider, and so on. And we see that pretty much no customer that we visit... 100% pass rate on the misconfiguration checks that we have built, for example, in our product ... even if we start with customers that usually have less than 50% pass rate.

And there are a lot of techniques around utilizing misconfigurations to attack. One of the things that is important to understand is, the entire identity system is like a router. It's a router that transfers identities from one node to the next node. And whatever the router before you tells you is the identity of that entity, the next node in the graph is trusting implicitly. So let's say you have an Active Directory that is connected to an Okta that is connected to Salesforce. Keep it simple, let's stop at three. So whatever the Active Directory tells Okta, Okta trusts. So if Active Directory tells Okta that I'm Gal, I'm Gal. Now, if somebody misconfigured the Okta and decided to tell Salesforce that I'm Joe, then I'm Joe in Salesforce. And for... purposes, Salesforce has no way to distinguish between me and you at that point. We will appear exactly the same in every log that will exist in Salesforce, except our IP. And even our IP, if we are slightly smarter, can look the same, right?

Joseph Carson:

Yeah. You can fake your IP address and MAC address quite easily.

Gal Diskin:

Yeah.

Joseph Carson:

Absolutely. I think that's one of the common things I've seen, especially in multi-cloud, in hybrid cloud and SaaS, is where organizations are becoming very heavily reliant on APIs, and those APIs are what's basically allowing those systems to communicate. And to your point, if you're able to manipulate, or let's say poison or infiltrate one API communication, then the downstream systems have no way of telling who the original source was, because they've already been able to bypass that initial vector. So I think it's one of the... At least from this year and last year, I've seen lots of talks at different conferences, talking about the multi-cloud and the API scenario and how critical it is, and we're seeing a lot of areas where organizations are looking to try to minimize that where possible.

And discover the misconfigurations as well, because if you don't have a way of detecting it... And I've also seen where, especially in that multi-hybrid cloud, you might have one system where you're configuring the security controls and policies and entitlements here, and then you've got some SCIM or synchronization that's hoping it gets replicated here. Let's say somebody leaves the organization, and it gets configured here, but that synchronization doesn't happen. They still have access over here. That account is never ever de-provisioned. It's only a matter of time before an attacker finds it. And you might be looking over here at your dashboard and your configuration, and it might tell you that everything is correct, but you need to validate, you need to make sure that that account that you removed, that you de-provisioned, that was meant to be no longer active, has been properly decommissioned. I think that's one of the biggest challenges many organizations are facing, is getting that visibility of that continuous synchronization.

Gal Diskin:

I have an interesting story on what you just described. We got to a customer after it was breached, and they had their applications syncing from Okta to the downstream applications using SCIM, and attacker wanted to maintain access to a certain application. I won't say which one because of customer privacy, because it's really very specific. But the interesting thing is, the attacker wanted to maintain persistence. So they created a... privileged local account in the end system, and they disabled the SCIM sync between the Okta and that system. So that account would never be disabled, but nobody actually noticed because the regular login still worked. So when they thought they cleaned up everything, they didn't know that that account still existed as a local account that you could log in interactively, not through Okta, on that application.

Joseph Carson:

Yeah, I see that quite often. And sometimes it's the time as well that those things happen. Minimizing that window of opportunity as well, is one of the challenges.

Where's the future going? Where do you see... We've seen a lot of evolution and innovation around AI, both the defensive and offensive side of things. We've seen the advancements in things like deepfakes when it comes to stealing identities and impersonating, where people have Zoom backgrounds, we've got fake people walking around and doing business email compromise. For you, where do you see the future going in the identity threat landscape? Which technologies and solutions will help us, or which ones should we be worried about?

Gal Diskin:

I think it's always, technology is not good or bad. It's the way you apply it. I'm not blaming technology or AI, if we call it AI. I'd prefer calling it machine learning, but whatever.

Joseph Carson:

For me, I'm in the same, where I call it augmented intelligence, assisted intelligence, advanced intelligence, it's the different terminologies, but really what the value comes from is the large language models and the machine learning. So the natural language processing and understanding has probably changed the field significantly, though the terminology is always confusing because we put... Just like cyber, we put everything under this massive umbrella and we're doing the same with AI, even though when you uncover it, it's a scheduled task, or it's an algorithm that's basically not evolving, it's got a fixed data set. So it's always important to understand that people really get to understand what is behind the algorithm, what's really running the decision making.

Gal Diskin:

Yeah. So if we go back to what's going to happen, so I think in terms of AI in attacks, we already see AI used extensively in phishing. We see much more customized phishing written for this specific user or for this specific company, with publicly available information that was scraped about that person even. So all of these attacks are evolving, obviously.

The second area that you already mentioned is deepfakes, and we know at least about one deepfake attack that got a bank in Dubai to send $20 million out. We know... It is largely suspected that the social engineering attack in the MGM attack that we were talking about was done through a deepfake of the voice of that person. Arguably it could be a voice actor, but one of the two probably happened there, and we'll never know unless they will be caught and tell us the true story.

Joseph Carson:

Sounds like an episode of Darknet Diaries in the future.

Gal Diskin:

And so this is one trend, and this is on the attack side. And we also will see more autonomous attack systems, so less a person trying to... to manage it, but more an LLM, AI agent, whatever we'll call it, working in the background and automating the responses, which means times will be cut shorter in terms of how much time we have to defend and respond to an event in most cases.

Joseph Carson:

So... myself and Mikko talked about this at the beginning of the year, it's the attack, the battle of algorithms.

Gal Diskin:

Yes.

Joseph Carson:

Who can process the fastest, the defense or the offensive? And that's what really will come down to being a victim or not.

Gal Diskin:

So I think it's the speed of processing, but it's also to a certain extent the intelligence and the quality of the models. And this is this battle that might have the defenders at some advantage finally in something in cyber. But it's a costly advantage, as we all know.

On the defense side, I think context is becoming the king. It always has been the king of everything. I say it more and more, you have to have identity context in your security decisions. If my antivirus is trying to decide if a PowerShell script makes sense or not, it doesn't know who I am, what I do in the organization, what's my endpoint supposed to be used for, and what is the context of my other tasks, what I've been doing... even the next-

Joseph Carson:

...governance. Yeah. The governance and entitlements is, well, have you been doing this in the past? Is it part of your job?

Gal Diskin:

Yes. Is it part of your job is one of the key elements, right?

Joseph Carson:

Absolutely.

Gal Diskin:

And we'll see this starting to come into solutions. We ourselves have started adding this in some of the ways we process data or analyze sessions. And this creates a huge advantage in the ability to actually defend, because the attacker has to do something abnormal for the user. If you understand the user and the role, you have a much better chance to say, "Hey, this PowerShell script doesn't make sense, because this guy is the CEO, and honestly, CEOs don't run PowerShell on their devices."

Joseph Carson:

What are they running command lines for, or opening up even terminals?

Gal Diskin:

Yeah.

Joseph Carson:

It's not a common practice. And you can go back... And of course, not every executive might behave the same. You might get some techies who, in looking back at their history and their analytics and governance and entitlements, you might find some that have been doing that. But if it's the first time, you might want to question and do more security control checks to verify.

Gal Diskin:

Yeah. And I think it's fine, if it's the first time they get disrupted, that they will have to-

Joseph Carson:

Yeah. Better learning and educating the model, so that it actually is more intelligent the next time it runs.

Gal Diskin:

Yeah. And obviously this is one of the nice things. Models can get also local context. So in my organization, my CEO really likes to log into AWS. It's silly, I don't recommend it, but if you work in this type of organization, you will be able to configure it, right?

Joseph Carson:

Yep. You can teach it and then make sure that the right controls, the context is being validated and verified, authentication and authorization is actually being properly processed and controlled. So this industry, it's always evolving, and even for myself, doing so much reading just to stay up to date. So conferences, talks, webinars, reading books, audiobooks, there's so much things coming in... to say how do you... What's the way that you stay up to date? What's some of the resources you use to help you stay educated?

Gal Diskin:

So I would say there is Twitter, and there are other networks that allow you to follow, I like InfoSec.Exchange on the Mastodon servers, which is a good one for staying up to date with the industry news. You have to follow also some news channels. Everybody finds their own, I think. And I also am really into Telegram recently, I've found there's quite a few useful Telegram channels, and more closed communities, which are generally better curated and with less noise. So Telegram and WhatsApp communities for that are really useful in my opinion.

Joseph Carson:

Absolutely. I think it really comes down to that. What I heavily use as well is the social sphere and community around me, and there's so many smart people out there that dedicate and specialize in certain areas, and they've been a huge value and resource to me over the years. So absolutely, the community is amazing, but it's getting out there and making sure you follow the right people, and finding out the things of interest.

So Gal, it's been fantastic having you on the show. I really look... hopefully we'll be able to... Every period of time, for the audience to give them a bit of an update into some of the threats that are happening, some of the most notable data breaches and incidents when it comes down to identity threats. So it's been fantastic having you on. If the audience or anyone wants to reach out, what's the best way to contact you, if they have any follow-up questions?

Gal Diskin:

Ping me on Twitter or LinkedIn. That's the best place-

Joseph Carson:

The best source. Okay. I'll make sure we get the links in the show notes. Gal, it's been fantastic having you on. And for the audience, hopefully this has been educational and very informative, in that you've got a bit of insight into some of the evolution of identity-based threats, some of the techniques attackers are using, best practices, solutions, ideas, some of the evolving techniques, as well as what to expect in the future.

So Gal, it's been fantastic having you on. And so for the audience, this is the 401 Access Denied podcast, brought to you by Delinea. Tune in every two weeks, where we bring you thought-provoking leadership ideas, educational episodes, to keep you safe and your organization safe from the threats out there. Thank you. Take care and stay safe.

Gal Diskin:

Thanks for having me.

Joseph Carson:

It's been a pleasure. Thank you.