Privileged Identities
Learning what is at the core of online attacks
Over the last year, we have witnessed a series of staggering data breaches affecting some of the world’s leading businesses, with each breach seemingly worse than the last in terms of financial and reputational damage.
Following intrusions into Target, JP Morgan, Sony Pictures and others, many people are asking “has it reached the point where no system is ever fully protected from hackers?”
The unfortunate answer is that if an intruder wants into your network, they will get in, no matter how many perimeter defenses you build around your IT infrastructure. IT departments must plan on the assumption that their systems will be breached and that their most sensitive data could be stolen and made public.
Therefore, the real question that corporate executives should be asking themselves is: what can be done to minimize the damage of a cyberattack on my organization?
The Keys to Your IT Kingdom: Privileged Identities
The lesson from the recent Sony Pictures hack is that organizations without a security solution that can limit damage once an intruder is inside are taking remarkable risks and acting extraordinarily naively about the advanced capabilities of today’s cyber attackers.
That’s because one of the most common ways for cybercriminals to gain access to systems is through unsecured privileged accounts. Privileged accounts provide the access needed to view and extract critical data, alter system configuration settings, and run programs on just about every hardware and software asset in the enterprise.
Almost every account on the network has some level of privilege associated with it and can potentially be exploited by an attacker. For example, business applications and computer services store and use privileged identities to authenticate to databases, middleware, and other application tiers when requesting sensitive information and computing resources.
In fact, there are so many privileged accounts in large enterprises that many organizations don’t even know where all of their privileged accounts reside, or who has access to them.
Unlike personal login credentials, privileged identities are not typically linked to any one individual. They are often shared among multiple IT administrators, and their credentials are rarely, if ever, changed, so a stolen copy stays valid indefinitely.
The Privileged Account Attack Vector
Cyber attackers need privileged access to carry out their illicit plans, whether it’s to install malware or key loggers, steal or corrupt data, or disable hardware. That’s why privileged account credentials are in such high demand by hackers. In fact, research conducted by Mandiant revealed that 100 percent of the data breaches they investigated involved stolen credentials.
A destructive data breach can begin with the compromise of just one privileged account. Criminal hackers and malicious insiders can exploit an unsecured privileged account to gain the persistent administrative access they need to extract sensitive data, and because a shared account is tied to no one person, the activity cannot readily be attributed to anyone.
As stated previously, if attackers want to get into your environment, they will, and there’s really no way to prevent it short of creating an “air gap” to isolate your most critical systems from the rest of your network. Conventional perimeter security tools that most organizations rely on, like firewalls, react too late to defend against new advanced persistent threats and zero day attacks.
So, the issue is not whether attackers will penetrate your perimeter, but what will happen once they’re in. The first thing they will do is look for ways to expand their access. Usually remote access tools, rootkits and key loggers are installed. The intruder’s goal is to extract the credentials that will give them lateral movement throughout the network.
To accomplish this, attackers look for SSH keys, passwords, certificates, Kerberos tickets and password hashes of domain administrators on compromised machines. Often, hackers will quietly monitor and record activity on the systems, and then use this information to expand their control of the IT environment.
This is the classic “land and expand” attack, and the entire activity can be completed in about 15 minutes. It doesn’t take long because most of these attacks use automated hacking tools.
Next Generation Adaptive Privilege Management
Given the fact that your adversaries are using highly advanced automated tools to attack, shouldn’t you match their efforts with your own automated security solutions?
Adaptive privilege management is an automated cyber defense solution that re-secures privileged accounts in response to a stimulus. For example, an organization’s logger, SIEM, or trouble ticket system reports an anomaly. The adaptive privilege management solution then takes the address in that report and looks it up, say, in LDAP or a configuration management database (CMDB), to determine which system, and which privileged accounts on it, are being targeted.
If the organization under attack has a hundred sets of systems, the adaptive privilege management solution might have a hundred password change jobs in place to manage those credentials. Based on the outside stimulus, the solution can invoke the appropriate password change job, through PowerShell or a web service API, and begin immediate remediation.
Adaptive privilege management works in conjunction with detect-and-respond software, reacting to the notifications those products produce by immediately changing the credentials on systems under attack. Every time the intrusion detection system spots a new event, the credentials are changed again.
The goal is to block intruders by issuing new credentials as soon as any login is compromised. Essentially, when hackers harvest a credential, the solution replaces it, effectively minimizing lateral movement inside the environment, even in zero day attack scenarios. Two conditions must hold for this to work in practice: the change job has to update every place the credential is stored (services, scheduled tasks, application configuration), or the rotation itself causes an outage; and rotation only invalidates the stolen copy, so sessions the attacker has already established, and Kerberos tickets still within their lifetime, must be terminated separately.
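The response loop described above (alert from a SIEM, look-up of the targeted host in a CMDB, rotation of every privileged account on that host, repeated on each new alert) is small enough to sketch in code. The block below is an added example written for this page, not code from the article or from any vendor product. The CMDB extract, the JSON alert lines, the set of rule names that trigger rotation and the in-memory vault are all constructed for the demo; a real deployment would replace the vault with the organization’s password change jobs.

```python
"""Event-driven privileged credential rotation, as an illustration of the
adaptive privilege management loop. All data below is constructed."""
import hashlib
import json
import secrets
import string

# Constructed CMDB extract: which privileged accounts each managed host carries.
CMDB = {
    "db01.example.test": ["oracle", "root"],
    "web02.example.test": ["svc_deploy"],
    "dc01.example.test": ["Administrator"],
}

# Detection rule names (assumed) that indicate credential theft or misuse and
# therefore warrant rotation; anything else is logged but not acted on.
ROTATE_ON = {"credential_dumping", "lateral_movement", "pass_the_hash"}

# Constructed SIEM output: one JSON alert per line. printer01 is deliberately
# absent from the CMDB to show the unmanaged-host case.
SAMPLE_ALERTS = """\
{"ts":"2015-08-01T10:00:01Z","host":"db01.example.test","rule":"credential_dumping","severity":"high"}
{"ts":"2015-08-01T10:00:05Z","host":"web02.example.test","rule":"port_scan","severity":"low"}
{"ts":"2015-08-01T10:00:09Z","host":"printer01.example.test","rule":"credential_dumping","severity":"high"}
{"ts":"2015-08-01T10:00:12Z","host":"db01.example.test","rule":"lateral_movement","severity":"high"}
"""

ALPHABET = string.ascii_letters + string.digits + "!@#%^*-_=+"


def new_password(length=24):
    """Generate a random password from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Vault:
    """In-memory stand-in for a privileged account vault. It retains only a
    SHA-256 digest of each password version, so the demo never keeps plaintext,
    plus an audit trail of every decision, acted on or not."""

    def __init__(self):
        self.versions = {}   # (host, account) -> [digest of v1, digest of v2, ...]
        self.audit = []      # one dict per decision

    def rotate(self, host, account, trigger):
        pw = new_password()
        history = self.versions.setdefault((host, account), [])
        history.append(hashlib.sha256(pw.encode()).hexdigest())
        # A real change job would now push `pw` to the host and to every system
        # that stores this credential (services, tasks, app config); omitted here.
        self.audit.append({"host": host, "account": account, "trigger": trigger,
                           "result": "rotated", "version": len(history)})
        return pw


def handle_alert(alert, cmdb, vault):
    """Map one alert to the privileged accounts on the targeted host and rotate
    them. Returns the (host, account) pairs rotated, possibly none."""
    host, rule = alert["host"], alert["rule"]
    if rule not in ROTATE_ON:
        vault.audit.append({"host": host, "trigger": rule, "result": "ignored"})
        return []
    accounts = cmdb.get(host)
    if accounts is None:
        # An attacked host the inventory does not know about cannot be
        # remediated, only flagged for discovery.
        vault.audit.append({"host": host, "trigger": rule, "result": "unmanaged host"})
        return []
    rotated = []
    for account in accounts:
        vault.rotate(host, account, rule)
        rotated.append((host, account))
    return rotated


def process_alerts(lines, cmdb, vault):
    """Consume SIEM alert lines in order. A repeat alert on the same host
    triggers another rotation, so the credential the attacker just harvested
    is replaced again."""
    rotated = []
    for line in lines:
        line = line.strip()
        if line:
            rotated.extend(handle_alert(json.loads(line), cmdb, vault))
    return rotated


if __name__ == "__main__":
    vault = Vault()
    for host, account in process_alerts(SAMPLE_ALERTS.splitlines(), CMDB, vault):
        print(f"rotated {account}@{host}")
    for entry in vault.audit:
        print(json.dumps(entry))
```

Run against the sample alerts, the two high-severity alerts on db01 produce two versions of both the oracle and root credentials, the low-severity port scan on web02 leaves svc_deploy untouched, and the alert on printer01 is recorded as an unmanaged host rather than silently dropped. That last branch is the operational meaning of the article’s point that accounts you have not discovered cannot be protected by the loop.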
The basic idea is continuous detection and remediation. Adaptive privilege management automatically discovers privileged accounts throughout the enterprise, brings those accounts under management, and audits access to them.
Remember, if you can’t find the privileged accounts on your network, you can’t secure them. But just because you may not know where all of your privileged accounts reside, that doesn’t mean the bad guys can’t locate these powerful accounts and leverage them to execute their cyberattacks.
The reality of today’s cyber security landscape is that attackers can breach your network regardless of your countermeasures. Fortunately, with adaptive privilege management you can remediate security threats faster than cyber attackers can exploit them.
This article originally appeared in the August 2015 issue of Security Today.