In this chapter

  • Learn how identity governance can detect data breaches at different stages of the Lockheed-Martin Cyber Kill Chain®
  • Understand how identity governance can help prevent and mitigate data breaches

Our discussion so far about identity governance has been somewhat abstract. Now let’s look at exactly how identity governance can derail external and internal attacks.

Anatomy of a Data Breach

Lockheed-Martin’s Cyber Kill Chain® has provided a useful way of decomposing a complex cyberattack into stages. Although the original model included seven phases, from the perspective of identity governance we can concentrate on four main phases: reconnaissance, infiltration, exploitation, and exfiltration.

You can find the original Intrusion Kill Chain paper on the Lockheed-Martin website. Since the paper was published, experts have suggested a number of updates and revisions. You can see one example in a Network World article: Why the ‘cyber kill chain’ needs an upgrade. Another take on the model, tailored for identity governance, is provided by Darran Rolls, chief technology officer of SailPoint, in a white paper: The Anatomy of a Data Breach.


During the reconnaissance stage, attackers look for vulnerabilities that might give them a beachhead inside the organization’s network. They exploit technical weak points, such as web-facing servers with default administrative usernames and passwords, and software packages with known vulnerabilities. Reconnaissance also involves researching information that can be used in social engineering attacks: finding email addresses of employees and business partners, and scouring social media sites to find information about managers and executives for phishing and spear phishing campaigns.1


During the infiltration stage, attackers exploit the weaknesses they have discovered in order to penetrate the network. Infiltration involves tactics like gaining access to servers with default credentials, planting malware files on employee laptops and mobile devices, and scanning the organization’s systems to locate valuable data.


During the exploitation stage, attackers secure their position inside the network, acquire credentials, and work their way through to high-value targets. A typical sequence of actions might be to:

  • Use malware to download and install hacking tools on the devices
  • Locate servers on the network and test to see if any have default account names and passwords
  • Use malware on a hacked server to run brute force password attacks on Active Directory and on applications used by the organization
  • Locate orphan accounts and acquire their credentials
  • Acquire credentials from accounts belonging to system administrators and other users with extensive access, (privilege escalation)
  • Create new administrative accounts with access to key systems, applications, databases, and document repositories


During the exfiltration stage the attackers export the sensitive data and files they have located.

How Identity Governance Defends Against Data Breaches

In each phase of our attack model, identity governance can help mitigate the impact by detecting attacks early, impeding hackers’ progress, or even preventing the breach from happening. Figure 3-1 shows how identity governance capabilities come into play at each phase.


Good identity governance tools and practices will detect and change default administrative usernames and passwords on web-facing servers, eliminating one major type of weakness that attackers locate during the reconnaissance stage.


Two-factor authentication can prevent attackers from gaining access to applications, even if they have obtained user credentials. While two-factor authentication products fall outside identity governance (as mentioned in Chapter 1), identity governance solutions make them more effective. For example, an identity governance solution can tell the authentication tool: “When executives log on from smartphones outside the network, ‘step up’ authentication by asking for both a PIN and a fingerprint.”

Reconnaissance Infiltration Exploitation Exfiltration
Visibility & Inventory
  • Remediate default accounts and passwords
  • Orphan account management
  • Automated access recertification
Strong Authentication
  • Multi-factor authentication
  • Step-up authentication flows
  • Context & behavior aware login
Password Management
  • Strong password policies
  • Password lifecycle enforcement
  • Change detection & alerting
Lifecycle Management
  • Known state transitions
  • Embedded governance
  • Detective controls & policy
Access Request Management
  • Approvals & audit
  • Preventive policy evaluation
  • Access risk modeling
Data Access Governance
  • Effective access modeling
  • Classification & categorization
  • File access alerts
Integrated Identity-Aware Security
  • IAM & security – one strategy
  • Shared IAM context
  • Integrated IAM response actions

Table: How identity governance capabilities map to activities on the kill chain.

Identity governance solutions can also feed identity and policy data to SIEMs and security analytics products to help them detect and block suspicious access requests. This cooperation might generate alerts when, say, someone using a customer service rep’s credentials tries to access the engineering design database, or it appears that a sales manager based in Texas is trying to log on from Moldova.


Identity governance solutions can play a major role in pre.venting lateral movement by attackers during the exploitation stage of a complex attack.

One way is by detecting default usernames and passwords, as well as weak passwords, and helping to enforce strong pass.word policies. These methods make it much harder for attackers to crack passwords using lists of common passwords, dictionaries, and brute force attacks. This reduces the ability of attackers to expand their reach within the network. Also, forcing users to change passwords frequently shortens the window during which attackers can use passwords that have been compromised or purchased on the dark web.

Identity governance solutions can identify existing orphan accounts, and can prevent new ones from being created by revoking access for employees and contractors as soon as they leave the organization.

Certification processes and analyses can remove extraneous permissions, reducing the potential impact of a compromised account. This is particularly important for privileged users, because it can prevent the compromise of one system administrator from giving an attacker direct access to all the systems in the data center.

Identity governance solutions can also detect ongoing attacks by flagging anomalies such as logon attempts from orphan accounts, users who suddenly start creating new administrative accounts, and unusual spikes in activities like creating new accounts and changing passwords.


Identity governance solutions can also help SIEM, network monitoring, and security analytics products assess whether attackers are trying to exfiltrate data (e.g., by pinpointing large or frequent file exports that are out of character for a person in a given role or location).

Managing Identities Securely and Effectively

In Chapter 1, we referred to statistics from a Verizon report indicating that hackers often exploit legitimate credentials. Identity governance can reduce this risk by eliminating the most common vulnerabilities associated with user access.

Stopping entitlement creep

Identity governance can counteract entitlement creep, a phenomenon caused by practices such as:

  • Giving users more permissions than they need “just in case”
  • Failing to revoke permissions when users change roles
  • Giving everyone in a role new permissions when only one person requests them (i.e., treating one-off access requests as a norm rather than an exception)
  • Giving IT administrators and other privileged users access to all types of applications and servers, in all regions, even though they are responsible only for specific applications or servers in specific locations

Reducing the number of entitlements limits the opportunities of insiders to go rogue, and of cybercriminals and hackers to move laterally inside the data center.

Configure your provisioning system to revoke (or at least flag) orphan accounts when people change roles, as well as when they leave the organization. You can analyze accounts and users to find outliers who have more permissions than others with similar roles and responsibilities. You can also compare differ.ent departments, and different locations, to highlight groups that are granting privileges at higher rates than their peers.

Identifying Separation of Duties and other policy violations

Separation of duties and other policy violations can very difficult to detect. Identity governance solutions can help find subtle violations that involve:

  • Activities across multiple applications
  • Users who accumulate unusual combinations of privileges by belonging to many account groups or roles
  • Access rights obtained through nested groups (e.g., sales managers automatically obtain the access rights of “corporate managers” as well as of “sales department members”)

Controlling temporary insiders

Organizations are giving increasing amounts of access to temporary insiders: contractors, project workers on virtual teams, suppliers, and other types of business partners.

Unfortunately, access for these groups is often managed in a haphazard way. The IT press is full of reports of contractors who access internal systems months or years after ending their engagement, as well as attackers who use suppliers and business partners as an avenue into the networks of major enterprises.

Identity governance solutions can help model the permissions appropriate to different classes of temporary insiders, and also enforce the granting and revocation of accounts through authorized and monitored processes.

In addition, identity governance solutions can enforce mandatory access reviews for contractors every 60 or 90 days, and force re-certifications when contractors leave, to ensure that access is completely revoked.

Monitoring privileged users

Privileged users, particularly IT administrators, have extremely broad powers to perform acts such as creating user accounts and changing system configurations. Identity governance solutions can monitor these actions and flag indicators that privileged users are abusing their positions, or that their credentials have been captured and are being used as part of an attack.

Strengthening Security with Audits and Risk Modeling

We should also note that identity governance audits and risk modeling can play a role in preventing data breaches and ensuring ongoing compliance with regulations. They can:

  • Flag actions taken out of band (outside of authorized processes)
  • Identify trends and spikes in activity that might indicate malicious activity, such as increases in account creations, password changes, and use of privileged accounts
  • Highlight the areas of highest risk, such as users with the most access, so they can be monitored more intensively
  • Strengthen processes for requesting, approving, and certifying permissions, and for modeling roles and policies, thereby helping to eliminate weaknesses that can be exploited by attackers and rogue insiders
  1. For a classic example of an attacker doing effective research, see: Omaha’s Scoular Co. Loses $17 Million After Spearphishing Attack.

The Power of Identity Governance

Identity Governance and the Cloud

Find out how SailPoint can help your organization.

*required field