More than a Byte
How hackers get privileged access to IT systems
- By Márton Illés
- Dec 01, 2013
Cybercrime is on the
rise, and sensitive,
is one of the top targets
of external and
internal attacks. Most
organizations are prepared to protect
their data with firewalls, IPS, IDS, DLP,
IAM, SIEM and other systems, but they
are not prepared for advanced, persistent
It is no coincidence that several compliance
regulations, such as PCI-DSS, specify
rules for monitoring the activities of employees,
especially those having privileged
rights. The most costly and dangerous cyber-
attacks are made by using privileged
accounts, as these accounts have access
to all sensitive information. No wonder
privileged identities have emerged as the
primary target for cyber-attacks and have
been exploited to perpetrate the most destructive
data breaches in recent years.
For this reason, BalaBit IT Security
hosted a hacker competition last summer
with the most-popular Hungarian IT security
blog, Buhera Blog, and the professional,
ethical hacking company, Silent
Signal. The aim was to provide a framework,
“Ghost in the Shell Control Box:
The Ultimate Hacker Playground,” where
anyone, such as university students or security
professionals, could try to get privileged
access to a sample IT system. The
most successful players were awarded.
All the hackers’ activities were tracked
by Shell Control Box, a privileged access
monitoring appliance. This transparent
device records activities in movie-like audit
trails that can be searched and replayed.
With Shell Control Box, it is possible to
monitor what is happening in the IT system
and prevent malicious user activities
in real-time, either external or internal,
and even those initiated by users with the
Our analysis is based on more than
17,000 high-quality, tamper-proof and
confidential audit trail files (6.6 GB), recorded
by Shell Control Box during the
one-week competition. The audit trails
can be used as evidence in cases of troubleshooting
or forensics investigations.
The Ultimate Hacker
The hackers’ playground, based on an
existing, global, financial institution’s IT
system, where exactly one server of a local
subsidiary was copied with all IT services
and security tools, consisted of four levels.
The task was to get root access to the
server on each level. The server ran a content
management system, a project management
system and a web management
interface of a backend database, serving
the CMS and PMS. A firewall was implemented
with stricter restrictions than
generally used, and the server was able to
filter the most widespread, automated, offensive
tools so that some basic intrusion
prevention system and intrusion detection
system functionalities were covered.
Get Privileged Access
Organizers of the hacker competition
tracked each user’s activities, and thanks
to Shell Control Box, it is now possible to
model the whole process of getting privileged rights from first entry to root access.
Nearly 400 hackers including engineering students, IT and IT
security professionals, and employees of IT security vendors took
part in the competition. Only a small percent used TOR anonymity
networks, even though they knew their activities were tracked.
Nine percent of the hacker players were able to complete at
least the first level and get privileged access to the target server.
Six percent of the players were able to complete all four levels.
Half of those who completed all four levels did so within 24
hours; the fastest player finished within 7 hours.
Methods for Breaking into the IT System
Compared to log-based forensics, the visualizing capability of
Shell Control Box significantly reduced the time required to reconstruct
the event. It can be seen that:
- There were two possible ways to complete the first level of the
hackers’ playground. Forty-five percent of the hackers were
able to discover the vulnerability of the project management
software. Sixty-two percent could upload files to the server
through this vulnerability, and 7 percent could bypass the restrictions.
(PHP files were not allowed to upload).
- Another possible option was to get root access through the
content management system. Nearly 25 percent of the hackers
were able to notice a backup configuration file that was left
behind in the system. Most wasted time trying to break the
password database, although it was possible to add new users.
- Another 32 percent used SQL injection to get information,
preferring to use automated tools and web scanners. The most
popular tools were SQLmap, SQL Power Injector and bsqlb.
- In many cases, PHP shells were downloaded from untrusted
sources, which meant that approximately 2 percent of the
hackers used shells that “call home” and open a door for the
creator of the shell. Using one of these untrusted shells, a
Turkish robot could get into the IT system and upload the
main page of their website[u1].
Although the vulnerabilities of the example company were
immediately patched after being discovered, the fact is that it was
copied from a real IT system. There was a time when such vulnerabilities
existed in that IT system, and this gives us a reason to
focus more on the security.
From the results of the hacker competition, you can see how easy
it could be to get privileged access. This highlights the importance
of monitoring the privileged users’ activities through the
commonly-used, administrative protocols (SSH, RDP, HTTP,
Citrix, VNC, Telnet) and differentiating the usual behavior from
the unusual in real-time.
Although monitoring the actions of privileged users has become
a key part of enterprise risk management, it is a challenging
exercise. The following best practices can give a helping hand to
mitigate the risks related to super users. To gain real benefits from
a Privileged Activity Monitoring (PAM) solution:
Adopt the least-privilege principle. Give a user account only
those privileges that are essential to that user’s work.
Use unlimited access only in emergency situations. Generally,
system administrators do not need unlimited access to the systems
they manage. Lock your super user accounts (root, admin, system,
and so on), and use them only if absolutely needed.
Personalize every single account. Make personal accountability
possible among privileged users. The first step is to minimize
the number of shared accounts. The second rule is that sharedaccount
passwords must not be shared. Then, go on with the
elaboration of functional areas, detecting incompatibilities and
Limit the number of systems in scope for each person’s privileged
accounts. System administrators should have super user
privileges only on the systems that are needed, those consistent
with business and operational needs. This is a common audit recommendation.
Build a central user monitoring infrastructure. Log management
or SIEM solutions do not capture all the necessary information.
The easiest way to eliminate these blind spots is to use a
PAM solution that augments the existing logs by showing precisely
what the user did as opposed to the technical results of
what he did.
Implement an independent and transparent activity monitoring
device. Implement an independent PAM tool that operates transparently
and extracts the audit information directly from the communication
between the client and the server. This prevents anyone
from modifying the audited information—not even the administrator
of the device can tamper with the encrypted audit trails.
Use strong authentication and authorization for privileged accounts.
Where super user privileges are assigned to personal accounts,
protect those accounts with strong authentication methods.
To avoid accidental misconfiguration and other human error,
certain PAMs support the 4-eyes authorization principle. This is
achieved by requiring an “authorizer” to track administrator actions
on the server.
Control remote access in detail. The most secure way is to control
who can access what and when based on the protocol being
used. With the right PAM solution, it is possible to control filetransfers
and other unusual traffic. For example, protocol channels,
such as disk sharing, port-forwards or file-transfers, can be
allowed or denied based on the group-membership of the user or
the time of day.
Prevent malicious actions in real-time. Advanced PAM solutions
can monitor the traffic of remote connections in real time,
and execute various actions if a certain pattern (for example, a
suspicious command or text) appears in the command line or on
In case of risky user action, the device can send an email
alert or immediately terminate the connection. For example, the
connection can be blocked before a harmful administrator command,
such as “delete,” is executed on the server.
Improve forensics with movie-like playback and fast search. Advanced
PAM tools can replay recorded sessions just like a movie,
and all actions of the users can be seen exactly as they appeared
on the monitor. These tools enable fast forwarding during replays,
searching for events via typed commands or pressing “Enter” and
texts seen by the user. In case of any problems like database manipulation,
unexpected shutdown, etc., the circumstances of the
event are available in the audit trails; thus, the cause of the incident
can be easily identified.
This article originally appeared in the December 2013 issue of Security Today.