Hosted by JANUS Associates, this document was developed by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). Identity and Access Management: Recommended Best Practices for Administrators sets out the IAM best practices administrators should implement to address the threats that are both highly likely and highly impactful, and identifies the mitigation areas most effective at reducing the impact of those threats on IAM.

Identity and access management (IAM) is the framework of business processes, policies, and technologies used to manage digital identities so that users gain access only to the data and systems they are authorized to use, and only after presenting the appropriate credentials. Inventorying, auditing, and tracking every identity and its access, including permissions and active status, must be done regularly for IAM to be effective.

Nation-state cyber operations have gained access to protected data by targeting the trust relationships established within networks or by exploiting vulnerabilities in IAM products and IAM implementations. By the figures the document cites, 80% of web application attacks leveraged stolen credentials, a technique used by ordinary cyber criminals and nation-state actors alike. Additionally, excluding breaches caused by user error and insider misuse, 40% of breaches involved stolen credentials, and nearly 20% involved phishing.

Recent and notable attacks include:

  • In 2021, compromised credentials (a VPN account without MFA) were used to attack and shut down the Colonial Pipeline in the U.S.
  • In another 2021 cyberattack, an unidentified attacker used remote-access software to manipulate the control systems of a Florida water treatment plant, raising the sodium hydroxide setpoint for the water supply more than a hundredfold.
  • In 2022, another attack targeted a water treatment plant operated by South Staffordshire Water in the U.K.

This document focuses on identifying mitigations for the following techniques frequently used by attackers:

  • Creating new accounts to maintain persistence.
  • Taking over accounts of former employees that were not suspended when the employee left.
  • Exploiting vulnerabilities to forge authentication assertions (e.g. Kerberos tickets, Security Assertion Markup Language (SAML) assertions, OAuth 2.0 tokens).
  • Using or creating alternative access paths into systems.
  • Exploiting or coopting users who have legitimate access.
  • Compromising passwords through a variety of tactics (e.g. phishing, multi-factor authentication (MFA) bypass, credential stuffing, password spraying, social engineering, brute force).
  • Gaining system access and harvesting credentials stored on the system.
  • Exploiting default passwords on built-in or system accounts, and using active downgrade attacks, deprecated encryption, or plaintext protocols to capture credentials.
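As an added example (not code from the NSA/CISA document or from JANUS Associates), the following Python script shows the kind of periodic identity audit the opening paragraph calls for, applied to the first two techniques in the list above: it cross-checks a directory export against an HR termination feed and the provisioning system's records, flagging accounts still active after their owner left, accounts that never came through the sanctioned provisioning path (a persistence signal, worse when the account is privileged), and accounts dormant for more than 90 days. The CSV columns, the two feeds, the 90-day threshold and every account name are constructed assumptions, not any product's export format.

```python
"""Stale and orphaned account audit over a constructed identity inventory.

Added example; the inventory, HR feed and provisioning records are all
constructed and the column names are assumptions, not a real export format.
"""
import csv
import io
from datetime import date, timedelta

# Constructed directory/IdP export (assumed columns).
INVENTORY_CSV = """\
username,status,last_login,privileged
alice,active,2024-05-30,no
bob,active,2024-01-12,no
carol,active,2024-05-29,yes
svc-backup,active,2024-05-31,yes
mallory-adm,active,2024-05-28,yes
dave,disabled,2023-12-01,no
"""

# Constructed HR feed: username -> last day of employment.
TERMINATED = {"bob": date(2024, 1, 15), "dave": date(2023, 12, 1)}

# Constructed provisioning records: every account the sanctioned process created.
PROVISIONED = {"alice", "bob", "carol", "svc-backup", "dave"}

# Assumed policy threshold for flagging an unused but still-enabled account.
DORMANT_AFTER = timedelta(days=90)


def load_inventory(text):
    """Parse the CSV export into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(inventory, terminated, provisioned, today):
    """Return (username, reason) findings for accounts that violate policy."""
    findings = []
    for acct in inventory:
        name = acct["username"]
        active = acct["status"] == "active"
        last_login = date.fromisoformat(acct["last_login"])

        # Former employee whose account was never suspended after termination.
        if active and name in terminated and today > terminated[name]:
            findings.append((name, "active after termination"))

        # Account absent from provisioning records: nobody sanctioned its
        # creation, so treat it as possible attacker persistence.
        if name not in provisioned:
            reason = "created outside provisioning"
            if acct["privileged"] == "yes":
                reason += " (privileged)"
            findings.append((name, reason))

        # Enabled account with no recent use: an easy target for takeover.
        if active and today - last_login > DORMANT_AFTER:
            findings.append((name, "dormant"))
    return findings


def run_audit(today_iso="2024-06-01"):
    """Run the audit against the constructed data as of the given date."""
    return audit(load_inventory(INVENTORY_CSV), TERMINATED, PROVISIONED,
                 date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, reason in run_audit():
        print(f"{name}: {reason}")
```

In practice the three inputs come from different owners (the directory, HR, and the change or ticketing system), which is exactly why the cross-check catches what any one of them misses: the directory alone cannot know that bob left, and HR alone cannot know that mallory-adm exists.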
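A second added example (again not from the document or from JANUS Associates) turns the password-compromise tactics in the list into detection logic over constructed authentication log lines: one source failing against many distinct accounts inside a short window is password spraying (credential stuffing produces the same shape, since each stolen pair is tried once), many failures against a single account from one source is brute force, and a success from a source that has just sprayed is escalated as the likely compromise. The log format, the ten-minute window, the thresholds and the IP addresses are assumptions.

```python
"""Password spraying / brute force detection over constructed auth logs.

Added example; the "<ISO time> <OK|FAIL> user=<name> src=<ip>" format,
the thresholds and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (OK|FAIL)\s+user=(\S+) src=(\S+)$")

WINDOW = timedelta(minutes=10)
SPRAY_USERS = 5   # distinct users failing from one source within WINDOW
BRUTE_FAILS = 5   # failures against one user from one source within WINDOW

# Constructed log: a spray from 203.0.113.5 that lands on frank, a brute
# force against alice from 198.51.100.7, and one benign typo from 192.0.2.10.
LOG = """\
2024-06-01T08:00:01Z FAIL user=alice src=203.0.113.5
2024-06-01T08:00:03Z FAIL user=bob src=203.0.113.5
2024-06-01T08:00:05Z FAIL user=carol src=203.0.113.5
2024-06-01T08:00:07Z FAIL user=dave src=203.0.113.5
2024-06-01T08:00:09Z FAIL user=erin src=203.0.113.5
2024-06-01T08:00:11Z OK   user=frank src=203.0.113.5
2024-06-01T08:01:00Z FAIL user=alice src=198.51.100.7
2024-06-01T08:01:02Z FAIL user=alice src=198.51.100.7
2024-06-01T08:01:04Z FAIL user=alice src=198.51.100.7
2024-06-01T08:01:06Z FAIL user=alice src=198.51.100.7
2024-06-01T08:01:08Z FAIL user=alice src=198.51.100.7
2024-06-01T08:01:10Z FAIL user=alice src=198.51.100.7
2024-06-01T08:30:00Z FAIL user=bob src=192.0.2.10
2024-06-01T08:31:00Z OK   user=bob src=192.0.2.10
"""


def parse(text):
    """Return (timestamp, success, user, src) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines outside the assumed format are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return sorted(events)


def detect(events):
    """Sliding-window detection per source; returns sorted (rule, src, user)."""
    findings = set()
    recent = defaultdict(deque)  # src -> events inside the last WINDOW
    for ts, ok, user, src in events:
        q = recent[src]
        q.append((ts, ok, user))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()  # drop events that have aged out of the window

        failed_users = {u for _, o, u in q if not o}
        if len(failed_users) >= SPRAY_USERS:
            findings.add(("password spraying", src, "*"))
            if ok:  # a spraying source just authenticated: that account is hit
                findings.add(("spray followed by success", src, user))

        fails_this_user = sum(1 for _, o, u in q if not o and u == user)
        if fails_this_user >= BRUTE_FAILS:
            findings.add(("brute force", src, user))
    return sorted(findings)


if __name__ == "__main__":
    for rule, src, user in detect(parse(LOG)):
        print(f"{rule}: src={src} user={user}")
```

Thresholds this low are for the demonstration; production values depend on the size of the user base and on the lockout policy, and a real spray usually runs slowly across many sources precisely to stay under per-source counts, so the same logic is worth running keyed on the target application rather than only on the source address.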