Organizations can reduce the threat of targeted attacks by proactively securing privileged accounts, according to CyberSheath. The theft, misuse and exploitation of privileged accounts is a key tactic in each phase of an Advanced Persistent Threat (APT) attack cycle.
The report compiles interviews with leading CISOs and security professionals at organizations that collectively have more than $40 billion in annual revenues and more than 170,000 employees around the globe.
CyberSheath combined these interviews with the analysis of several high-profile cyber attacks and related industry research from the past year to detail how privileged accounts are increasingly being used in advanced and targeted attacks to compromise organizations and steal data.
- The absence of fundamental access control measures was a crucial factor in all of the recent high-profile attacks that were examined, including the South Carolina Department of Revenue, The University of Georgia, the NASA Jet Propulsion Laboratory, Red October, Utah Department of Health, Toyota, The Swiss NDB Intelligence Service, Saudi Aramco, and Global Payments.
- Attackers who leverage privileged accounts can delete logs to make forensic analysis more difficult, and can use those accounts to install new malware to evade detection and open more doors. In addition, privileged account use appears as normal traffic flow and is not detected by traditional means. Finding illicit privileged account use among legitimate processes is like finding a needle in a stack of needles.
- Eradicating attackers from a compromised network can be extremely expensive and painful. In addition to the high costs associated with data breaches (the average cost of a data breach is $2.4M over a two-year period), the efforts to remove well-entrenched attackers from a network require multiple remediation steps that can take thousands of man-hours of work.
- Locking down privileged accounts and preventing their use in APTs moves up the kill chain and helps thwart attack progression at the delivery stage, as opposed to the command and control stage.
Best practices for preventing APT privileged account compromise:
- Isolate, monitor and control every access point to all critical business systems
- Change default passwords on all servers, databases, applications and network devices
- Remove hard-coded passwords from scripts, configuration files and applications
- Employ technical means of automatically enforcing enterprise password policies
- Control access by enforcing least privilege
- Use multifactor authentication for access to privileged accounts
- Increase password complexity
- Use a unique password for each local administrator account
- Remove local administrator rights from the majority of users
- Reduce the number of privileged domain-wide service accounts
- Automatically change passwords on a periodic basis and immediately upon suspicion of misuse
- Monitor and record all activities associated with administrative and privileged accounts
- Implement tamper-proof logging, auditing, and alerting on privileged access
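The last two practices, monitoring privileged-account activity and alerting on it, are where the "needle in a stack of needles" problem from the findings above is actually worked. The following is an added illustration, not code from the CyberSheath report: it runs a small detector over constructed audit records, comparing each privileged logon against a hypothetical baseline of approved hosts and logon types, and flagging audit-log clearing, the log-deletion behaviour the findings describe. The key=value log format, account names and hosts are all assumptions.

```python
import re

# Constructed sample audit records (not from the report), one key=value line each.
SAMPLE_LOG = """\
ts=2013-01-07T09:02:11 event=logon account=svc_backup host=db01 type=service
ts=2013-01-07T09:05:40 event=logon account=jsmith host=ws-112 type=interactive
ts=2013-01-07T21:14:03 event=logon account=svc_backup host=ws-112 type=interactive
ts=2013-01-07T21:16:55 event=log_cleared account=svc_backup host=ws-112 type=interactive
ts=2013-01-08T08:30:00 event=logon account=svc_backup host=db01 type=service
"""

# Hypothetical privileged-account inventory: where and how each account may log on.
# In practice this baseline comes from the access-control records the report
# recommends keeping; a privileged account absent from it has no approved use.
BASELINE = {
    "svc_backup": {"hosts": {"db01"}, "types": {"service"}},
    "domain_admin": {"hosts": {"dc01"}, "types": {"interactive"}},
}

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Split one key=value audit line into a dict."""
    return dict(KV_RE.findall(line))

def detect(log_text, baseline=BASELINE):
    """Return (reason, account, host, ts) alerts for privileged-account use
    that departs from the baseline, and for audit-log clearing, which an
    intruder holding privileges may do to hinder forensic analysis."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        acct, host, ts = rec.get("account"), rec.get("host"), rec.get("ts")
        if rec.get("event") == "log_cleared":
            alerts.append(("LOG_CLEARED", acct, host, ts))
            continue
        if rec.get("event") != "logon" or acct not in baseline:
            continue  # unprivileged account or an event type not baselined here
        approved = baseline[acct]
        if host not in approved["hosts"]:
            alerts.append(("OFF_BASELINE_HOST", acct, host, ts))
        if rec.get("type") not in approved["types"]:
            alerts.append(("OFF_BASELINE_LOGON_TYPE", acct, host, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Real deployments would feed this from tamper-resistant log storage rather than a local file, since the same privileges that trigger the alerts can otherwise be used to erase them.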