The Phantom Identity Menace: How to Detect Hidden Criminals on Your Network

A recent webinar, The Phantom Identity Menace, delivered by the cyber security firm Centrify clearly outlined the threats that modern companies and institutions face from attacks that use compromised identities. Of course, Centrify hopes to interest potential customers in its Centrify Identity Platform, but that’s part of the deal in giving these webinars. Why else would they have them? Nonetheless, in the process, they make a good case for why it’s important to know exactly who is using your network. Your users may not be who you think they are.

Presenters Eric Hanselman and Chris Webber first pointed out how most companies and institutions stay with outdated cyber defense tools simply because they are used to them. (Here, the US government comes to mind). These tools may serve some purpose, but they often cannot keep pace with the ever-evolving sophistication of modern attacks.

And what are the attacks that are causing the most problems? Attacks that begin with well-crafted phishing (or spear phishing) emails. Such emails fool network users into thinking they are in contact with someone they know (often a company executive or someone in authority) when they are really in contact with a criminal. Once these criminals have the user’s trust, they convince them to open attachments (or perform other security-compromising acts) that install the malware needed to penetrate the network.

Most often, it is an endpoint on a network, such as a smartphone, that is compromised. Once the attacker gets control of an endpoint and installs the appropriate malware, such as a keylogger, they can harvest passwords that allow them to move through the network until they find the user with the most access to useful data. If they can get an administrator password, they are, in fact, an administrator, and most networks will be unable to detect that anything is wrong. Hence, they become the ‘phantom identity menace’. In fact, Centrify points out that over 50% of breaches make use of such compromised credentials.

Here is the diagram Centrify gives to explain this attack metric.

[Figure: Centrify end user diagram]

Enter identity validation and management. The presenters don’t believe that having different passwords for accessing different parts of a network is the answer. It only causes user confusion. Besides, these passwords can be stolen by criminals just as easily. Multi-factor authentication helps, but it is not 100% effective.

Centrify asserts that it is much better to have one complex main password (single sign-on, or SSO), multi-factor authentication, plus identity validation. The idea is to identify the network behavior patterns for each user and then detect any variations from these patterns. Unusual variations in use will then trigger additional defense protocols. Good identity validation can detect variations from the norm in user location, user devices, and user time of use.

Of course, the user could just be on vacation in another time zone. You wouldn’t want to deny them network access. In this case, the company would have to make them authenticate themselves. This could be done through an email or an SMS which they must respond to. The email could ask them for some other form of authentication. Of course, if it was a hacker that was being asked for this authentication, the company would have to hope that the hacker didn’t already possess this authenticating information because, if they did, they would then be free to access the network. It must be admitted that the criminal could have obtained such information in their previous movements around the network or from other sources.
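To make the behavior-pattern idea concrete, here is an added example (not Centrify’s code or the webinar’s) of the logic such identity validation would run on a login: it builds a per-user baseline from constructed sample login history, counts how far a new login departs from it in location, device and time of day, and maps that to a response. The three-deviation “challenge plus alert” tier and the one-hour tolerance on login time are assumptions of this example.

```python
from collections import Counter
from datetime import datetime

# Constructed login history for one user (sample data, not from the webinar).
# Each event: (ISO timestamp, country of source IP, device identifier).
HISTORY = [
    ("2024-03-04T09:12:00", "US", "laptop-a1"),
    ("2024-03-05T08:55:00", "US", "laptop-a1"),
    ("2024-03-05T13:40:00", "US", "phone-b2"),
    ("2024-03-06T09:30:00", "US", "laptop-a1"),
    ("2024-03-07T17:05:00", "US", "laptop-a1"),
]


def build_baseline(events):
    """Profile the user's normal pattern: countries, devices and login hours."""
    return {
        "countries": Counter(country for _, country, _ in events),
        "devices": Counter(device for _, _, device in events),
        "hours": {datetime.fromisoformat(ts).hour for ts, _, _ in events},
    }


def hour_distance(h1, h2):
    """Distance between two hours on a 24-hour clock (wraps at midnight)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def deviations(baseline, ts, country, device):
    """List each way this login departs from the baseline: location, device, time."""
    reasons = []
    if country not in baseline["countries"]:
        reasons.append("new location")
    if device not in baseline["devices"]:
        reasons.append("new device")
    hour = datetime.fromisoformat(ts).hour
    # Assumed tolerance: one hour either side of any previously seen login hour.
    if all(hour_distance(hour, h) > 1 for h in baseline["hours"]):
        reasons.append("unusual time")
    return reasons


def evaluate(baseline, ts, country, device):
    """Map deviations to a response: allow, step-up challenge, or challenge plus alert."""
    reasons = deviations(baseline, ts, country, device)
    if not reasons:
        return "allow", reasons
    if len(reasons) < 3:
        # One or two oddities could be the user on vacation: challenge via email/SMS.
        return "challenge", reasons
    # Everything is off at once: still challenge, but also alert the security team.
    return "challenge+alert", reasons
```

A login from a new country at the usual hour on the usual laptop triggers only the challenge, which is the vacation case the text describes; a login at 03:15 from an unknown country and device trips all three checks.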

There is little doubt that identity validation can put another obstacle in the way of potential attackers. However, as pointed out above, persistent attackers will almost certainly find a way around this impediment. It may even be possible for attackers to mimic the authenticating email/SMS as a phishing email to get a user’s authenticating data. That is, they could send users a realistic-looking email asking them to prove their identity, and, if successful, they would obtain the information they need to bypass any identity validation questions. In the end, the system seems highly dependent on user vigilance and, as is most often the case, user vigilance tends to be the weakest link in any corporate or institutional network.

Is your company or organization really concerned about protecting your network from compromised endpoints, or is it all just talk? If you are serious about security, check out an architecture that separates endpoints into two operating systems at the hardware level: InZero System’s WorkPlay Technology.
