Privileged Identities

Privileged Identities

Learning what is at the core of online attacks

Over the last year, we have witnessed a series of staggering data breaches affecting some of the world’s leading businesses— with each breach seemingly worse than the last in terms of financial and reputational damage.

Following intrusions into Target, JP Morgan, Sony Pictures and others, many people are asking “has it reached the point where no system is ever fully protected from hackers?”

The unfortunate answer to this question is that if an intruder wants into your network—they will get in—no matter how many perimeter defenses you build around your IT infrastructure. It is vital for IT departments to anticipate that their systems will be breached, and their most sensitive data could be stolen and made public.

Therefore, the real question that corporate executives should be asking themselves is: what can be done to minimize the damage of a cyberattack on my organization?

The Keys to Your IT Kingdom, Privileged Identities

The lesson from the recent Sony Pictures hack is that organizations that do not have a security solution which can limit damage internally are taking remarkable risks and acting extraordinarily naive about the advanced capabilities of today’s cyber attackers.

That’s because one of the most common ways for cybercriminals to gain access to systems is through unsecured privileged accounts. Privileged accounts provide the access needed to view and extract critical data, alter system configuration settings, and run programs on just about every hardware and software asset in the enterprise.

Almost every account on the network has some level of privilege associated with it and can potentially be exploited by a hacker. For example, business applications and computer services store and use privileged identities to authenticate with databases, middleware, and other application tiers when requesting sensitive information and computing resources.

In fact, there are so many privileged accounts in large enterprises that many organizations don’t even know where all of their privileged accounts reside—or who has access to them.

Unlike personal login credentials, privileged identities are not typically linked to any one individual and are often shared among multiple IT administrators with credentials that are rarely—if ever—changed.

The Privileged Account Attack Vector

Cyber attackers need privileged access to carry out their illicit plans—whether it’s to install malware or key loggers, steal or corrupt data, or disable hardware. That’s why privileged account credentials are in such high demand by hackers. In fact, research conducted by Mandiant revealed that 100 percent of the data breaches they investigated involved stolen credentials.

A destructive data breach can begin with the compromise of just one privileged account. Criminal hackers and malicious insiders can exploit an unsecured privileged account to gain the persistent administrative access they need to anonymously extract sensitive data.

As stated previously, if attackers want to get into your environment, they will— and there’s really no way to prevent it short of creating an “air gap” to isolate your most critical systems from the rest of your network. Conventional perimeter security tools that most organizations rely on, like firewalls, react too late to defend against new advanced persistent threats and zero day attacks.

So, the issue is not whether attackers will penetrate your perimeter, but what will happen once they’re in. The first thing they will do is look for ways to expand their access. Usually remote access kits, routers and key loggers are installed. The intruder’s goal is to extract the credentials that will give them lateral motion throughout the network.

To accomplish this, attackers look for SSH keys, passwords, certificates, Kerberos tickets and hashes of domain administrators on compromised machines. Often, hackers will quietly monitor and record activity on the systems, and then use this information to expand their control of the IT environment.

This is the classic “land and expand” attack, and the entire activity can be completed in about 15 minutes. It doesn’t take long because most of these attacks use automated hacking tools.

Next Generation Adaptive Privilege Management

Given the fact that your adversaries are using highly advanced automated tools to attack, shouldn’t you match their efforts with your own automated security solutions?

Adaptive privilege management is an automated cyber defense solution that proactively secures privileged accounts in response to a stimulus. For example, an organization’s logger, SIEM, or trouble ticket system reports an anomaly. Then, the adaptive privilege management solution uses that information to look up the address—say, in LDAP or a configuration management database (CMDB)—to determine what is being targeted.

If the organization under attack has a hundred sets of systems, the adaptive privilege management solution might have a hundred password change jobs in place to manage those credentials. Based on the outside stimulus, the solution can call PowerShell or another web service with the appropriate password change job and begin immediate remediation.

Adaptive privilege management works in conjunction with detect-and-respond software to react to notifications that those products produce, and immediately change the credentials on systems under attack. Every time the intrusion detection system spots a new event, the credentials are changed again.

The goal is to block intruders by responding with new credentials as soon as any logins are compromised. Essentially, when hackers harvest a credential, the solution deploys new credentials—effectively minimizing lateral motion inside the environment, even in zero day attack scenarios.

The basic idea is continuous detection and remediation. Adaptive privilege management automatically discovers privileged accounts throughout the enterprise, brings those accounts under management, and audits access to them.

Remember, if you can’t find the privileged accounts on your network, you can’t secure them. But just because you may not know where all of your privileged accounts reside, that doesn’t mean the bad guys can’t locate these powerful accounts—and leverage them to execute their cyberattacks.

The reality of today’s cyber security landscape is that attackers can breach your network regardless of your countermeasures. Fortunately, with adaptive privilege management you can remediate security threats faster than cyber attackers can exploit them.

This article originally appeared in the August 2015 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Busy South Africa Building Integrates Custom Access Control System

    Nicol Corner, based in Bedfordview, Johannesburg, South Africa, is home to a six-star fitness club, prime office space, and an award-winning rooftop restaurant. This is the first building in South Africa to have its glass façade fully incorporate fritted glazing, saving 35% on energy consumption. Nicol Corner (Pty) LTD has developed a landmark with sophisticated design and unique architecture by collaborating with industry-leading partners and specifying world-class equipment throughout the project. This includes installing a high-spec, bespoke security and access control system. Read Now

  • Only 13 Percent of Research Institutions Are Prepared for AI

    A new survey commissioned by SHI International and Dell Technologies underscores the transformative potential of artificial intelligence (AI) while exposing significant gaps in preparedness at many research institutions. Read Now

  • Survey: 70 Percent of Organizations Have Established Dedicated SaaS Security Teams

    Seventy percent of organizations have prioritized investment in SaaS security, establishing dedicated SaaS security teams, despite economic uncertainty and workforce reductions. This was a key finding in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities released today by the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

Featured Cybersecurity

Webinars

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3