Inactive and Ghost Accounts

Overview

Sharelock's unique ability to connect to corporate IAM/IAG systems and analyze users' real-time behavior allows it to detect three types of accounts that are very important for identity hygiene and for reducing the attack surface exposed through user accounts:

- Inactive accounts: dormant, unused accounts that can be deleted without interrupting business continuity, so that they are not left exposed to attackers who could use them as an attack vector. Inactive accounts are in turn divided into:

  • IAM matched: accounts registered in the company IAM systems and which therefore belong to a precise identity, and
  • Known accounts: accounts that, even if not registered in the IAM systems, are still present in an Access Manager (Active Directory, for example) and are therefore still trusted.

- Ghost accounts: accounts not registered in any IAM/IAG system but whose activities are detected in the logs. These accounts are the worst, because they escape the control of Identity Governance systems yet are active and can be exploited as bridgeheads for insider attacks.

Cleaning up these accounts is a critical practice to reduce the attack surface and eliminate potential targets for account takeover that can lead to disastrous consequences.

Dashboard Insights

The importance of account monitoring in Sharelock is visible from the initial dashboard, where we can find quantitative insights on the various account types.

In the Active Threats Summary section, we can find the number of known accounts involved in threats detected by the system. This detail is essential to understanding how account hygiene is fundamental to reducing the attack surface and eliminating possible entry points that malicious actors could exploit to enter the company network. Inactive, poorly configured, or badly managed accounts must be brought to attention and remediated immediately for correct identity posture.

By clicking on Accounts Known, you directly access the list of accounts in question from which you can investigate their behavior and the level of their involvement in ongoing threats.

In the Accounts section, we can find a summary of the status of the various systems analyzed from the account point of view. First comes the total population analyzed, followed by a breakdown of that population across the applications analyzed by Sharelock.

You can access the list of corresponding accounts already filtered by the application by clicking on the individual entries.

Also, in the Accounts section, we can find the most crucial summary from the point of view of identity hygiene and reduction of the attack surface. For each workload analyzed, we can find three types of accounts to examine and clean up with great care:

- Inactive IAM Matched: accounts present in corporate IAM systems but which are inactive and should be reviewed in a certification campaign to analyze whether they are still useful or revocable;

- Inactive Known: accounts not present in corporate IAM systems but present in an Access Manager (Active Directory, for example): like the previous ones, and even more so, they should be reviewed and recertified;

- Active Ghost: the most dangerous type of account, exposing the company to possible infiltrations and attacks. These accounts are not present in any corporate identity system, Access Managers included, yet they are active when the corporate application logs are analyzed.

These accounts are not assigned to any identity, are not registered, and will never be included in any de-provisioning process or recertification campaign.
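The classification described above, as an added illustration that is not Sharelock's own code: each account is placed by source (IAM/IAG registry, Access Manager only, or logs only) and by recent log activity, so that the three categories to review fall out directly. The registries, the 90-day inactivity window and the log events are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from Sharelock): IAM/IAG registry, Access Manager
# directory (e.g. Active Directory) and application log events.
IAM_ACCOUNTS = {"alice", "bob", "carol"}
AM_ACCOUNTS = {"alice", "bob", "carol", "svc-backup", "dave"}
NOW = datetime(2024, 6, 1)
LOG_EVENTS = [  # (account, timestamp, application)
    ("alice", NOW - timedelta(days=1), "crm"),
    ("bob", NOW - timedelta(days=200), "crm"),
    ("svc-backup", NOW - timedelta(days=120), "erp"),
    ("dave", NOW - timedelta(days=3), "erp"),
    ("tmp-admin", NOW - timedelta(days=2), "crm"),
    ("old-ghost", NOW - timedelta(days=400), "erp"),
]

# The three dashboard categories that need review and clean-up.
FLAGGED = ("inactive_iam_matched", "inactive_known", "active_ghost")


def classify_accounts(iam, am, events, now, inactivity_days=90):
    """Return {account: (category, last_seen)}.

    source  : 'iam_matched' if registered in IAM/IAG, else 'known' if only in
              the Access Manager, else 'ghost' (seen in the logs only).
    activity: 'active' if seen in the logs within inactivity_days, otherwise
              'inactive' (accounts never seen in the logs count as inactive).
    """
    cutoff = now - timedelta(days=inactivity_days)
    last_seen = {}
    for acct, ts, _app in events:
        if acct not in last_seen or ts > last_seen[acct]:
            last_seen[acct] = ts
    result = {}
    for acct in iam | am | set(last_seen):
        source = "iam_matched" if acct in iam else "known" if acct in am else "ghost"
        active = acct in last_seen and last_seen[acct] >= cutoff
        result[acct] = (f"{'active' if active else 'inactive'}_{source}", last_seen.get(acct))
    return result


def review_list(classified):
    """Accounts to clean up, grouped by the three flagged categories."""
    return {cat: sorted(a for a, (c, _) in classified.items() if c == cat) for cat in FLAGGED}


if __name__ == "__main__":
    for cat, accts in review_list(classify_accounts(IAM_ACCOUNTS, AM_ACCOUNTS, LOG_EVENTS, NOW)).items():
        print(f"{cat}: {', '.join(accts) or '-'}")
```

An active ghost is detected only because it appears in the logs; an account present in no registry and absent from recent logs (old-ghost here) is reported as inactive_ghost and is not one of the three flagged categories.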

You can access the list of matching accounts, already filtered by type and application, by clicking on the individual entries, and review inactive or ghost accounts in the Account Insights view.