Whether you have implemented a formal tiered security structure or not – every environment has Tier 0 assets.
Tier 0 accounts and groups are those that hold the keys to the kingdom of your identity provider, whether that is Active Directory, Entra ID, Okta, etc. For instance, in AD that would be the Domain Admins, Administrators and Enterprise Admins groups and the Administrator user account to begin with. But Tier 0 expands to include any other users and groups you place in those built-in groups or to which you assign equivalent permissions and rights, then any accounts that have permissions to change those accounts, and so on. Tier 0 inevitably ends up being bigger than you would expect. Case in point: there are service and application accounts with Tier 0 access.
But – and this is important – Tier 0 isn’t just about users and groups; it also includes systems. Tier 0 systems are those systems that either
- Host the processes of the identity provider or store its directory data. In AD’s case that would be domain controllers. In cloud identity providers like Entra ID and Okta it is the cloud systems under the control of the vendor – the part that is the vendor’s job in the “shared responsibility” model.
- Host logon sessions by Tier 0 accounts – whether human or service/application accounts. Just a few examples include servers that perform privileged identity synchronization like Entra Connect or workstations used by administrators.
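The expansion rules above (members of a Tier 0 object are Tier 0, anything that can modify a Tier 0 object is Tier 0, and any host with a Tier 0 logon session is a Tier 0 system) can be run as a graph closure over exported directory data. The example below is added here and is not from the session or from Quest; the group memberships, delegated rights, hosts and logon sessions are a small constructed sample, not a real environment.

```python
from collections import deque

# Constructed sample directory (hypothetical names, not a real environment).
SEED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
SEED_USERS = {"Administrator"}
IDENTITY_HOSTS = {"DC01"}  # domain controllers are Tier 0 by definition

# group -> direct members (users or nested groups)
MEMBERS = {
    "Domain Admins": {"Administrator", "alice", "Tier0-Ops"},
    "Administrators": {"Domain Admins", "Enterprise Admins"},
    "Enterprise Admins": {"Administrator"},
    "Tier0-Ops": {"bob", "svc-backup"},
    "Helpdesk": {"carol"},
}
# principal -> objects it can modify (write-member, reset-password, GenericAll ...)
CONTROLS = {
    "svc-sync": {"Tier0-Ops"},  # service account can change a nested Tier 0 group
    "carol": {"svc-sync"},      # can reset the service account's password
    "Helpdesk": {"alice"},      # delegated password reset on a Domain Admin
}
# host -> principals that log on there (constructed session data)
SESSIONS = {
    "DC01": {"Administrator"},
    "SYNC01": {"svc-sync"},
    "ADMIN-WS": {"bob"},
    "FILE01": {"dave"},
}


def tier0_principals(seed_groups, seed_users, members, controls):
    """Breadth-first closure: members of a Tier 0 object and controllers of a
    Tier 0 object are themselves Tier 0, repeated until nothing new appears."""
    tier0 = set(seed_groups) | set(seed_users)
    queue = deque(tier0)
    while queue:
        obj = queue.popleft()
        found = set(members.get(obj, ()))  # members inherit the object's rights
        found |= {p for p, targets in controls.items() if obj in targets}
        for principal in found - tier0:
            tier0.add(principal)
            queue.append(principal)
    return tier0


def tier0_systems(tier0, sessions, identity_hosts):
    """Identity-provider hosts plus every host with a Tier 0 logon session."""
    return set(identity_hosts) | {h for h, who in sessions.items() if who & tier0}
```

Running the sample pulls the Helpdesk group, carol and svc-sync into Tier 0 through delegated rights alone, and flags SYNC01 and ADMIN-WS alongside the domain controller.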
Needless to say, Tier 0 assets are a ticket to success for attackers, and because they are such a target they need close surveillance and vigilance. Such vigilance pays off. We know this from real world security incidents like the Okta/Cloudflare incident, which I’ll discuss in this session.
But before you can monitor Tier 0 assets you need to know who and where they are. In this real training for free event, I will show you a step by step process for finding each Tier 0 account, group and system.
Matthew Vinton will be joining me from Quest Software. Matthew brings valuable input to the table on this topic because for the past couple of years he’s been focusing on Identity Threat Detection and Response – beginning with Tier 0 assets. Matthew has put a lot of thought into the reality of alert fatigue and what it takes to reduce all the noise. He says part of the answer requires capturing and leveraging knowledge of your particular environment in order to distinguish between benign and malicious change events associated with Tier 0 assets.
After our real training for free session Matthew will briefly show you a new product – Quest Security Guardian – and how it can not only automatically identify Tier 0, but also help disrupt attacks on Tier 0 by protecting those sensitive objects from malicious change.
Please join us for this real training for free session.