What do the top data breaches of the 21st century have in common? Privileged identity abuse. In these breach instances, well-resourced, external actors were able to gain the credentials of users with access to privileged accounts – such as administrative, service or operational accounts – giving them the ability to collect and exfiltrate industrial-scale amounts of data.
Gartner recently listed privileged accounts as the number one project for security teams because privileged accounts have such a high probability of being breached. Although it’s difficult to fully quantify the impact of privileged account breaches, the total number of records exposed is in the billions and counting, including credit card information, personally identifiable information, medical records and more.
Today, the growing list of individuals and third-party organizations that have access to privileged accounts has created a major security gap within organizations. With so much at stake – not only files and data, but also the reputational and financial fallout that comes along with it – how can IT security leaders prevent and mitigate the threat of privileged identity-based attacks? Let’s explore three key phases: getting inside the mind of a hacker; remediating weak security practices; and implementing the right tools.
Getting inside the mind of a hacker
The first step in combating privileged attacks is understanding exactly how these attacks are carried out. There are three key phases to a privileged account attack, and no, it often doesn’t start with going after privileged users themselves. In fact, a common challenge in managing privileged account or credential misuse is not understanding where the attack begins.
External reconnaissance: Most attackers do not initially target an actual privileged user; instead they tend to target a less tech-savvy, ordinary user and then move laterally within the network. In some cases, attackers will even exploit weaknesses in third parties – like a partner, vendor or contractor with network access – to gain a foothold. With their initial prey identified, attackers will leverage tried-and-true tactics like spear-phishing to get the user to share information (e.g., a login credential) or click on a link that installs malware on the user’s device to give them control over that device.
Internal reconnaissance: Once an attacker has gained a foothold within the initial victim’s IT environment, they will perform internal reconnaissance. During this phase of the attack, the hacker will attempt to gather as much information as possible about the IT environment, mapping out the network and systems using a variety of network diagnostic tools.
Privilege escalation: Armed with an in-depth understanding of the network, an attacker can now go about acquiring higher privileges with the ultimate goal of obtaining access to a domain controller or similar target. A common method is dubbed “pass-the-hash.” Using this technique, the bad actor accesses and downloads cached password hashes and replays them to gain access to other machines and systems without ever having to crack or decrypt the privileged credentials.
Another is deploying malware to obtain SSH keys (i.e., credentials that provide access to the common Linux/Unix operating systems), providing a backdoor through which they can access other systems and in some cases compromise entire networks. Attackers can also use known or unknown (zero-day) software vulnerabilities: an exploit takes advantage of an unpatched flaw in software to run malicious code on a device, take control of the system and in some cases gain superuser access.
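From the defender’s side, the pass-the-hash phase described above has a recognisable footprint in authentication logs: one privileged account, one source host, NTLM network logons to many targets in a short window, often from a workstation that administrators never use. The following script is an added example (not code from the original article or from any product it mentions) that runs two such heuristics over a constructed log. The log format, the field names, the privileged-account list and the jump-host allow-list are all assumptions made for the illustration.

```python
"""Heuristic detection of pass-the-hash style lateral movement.

Added example; the log format, account names and host names below are
constructed for illustration and do not come from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). Fields:
# timestamp account auth_package logon_type source_host target_host
SAMPLE_LOG = """\
2023-03-01T09:00:05 jsmith     NTLM     3 WS-017  FS-01
2023-03-01T09:01:10 da_admin   Kerberos 3 JUMP-01 DC-01
2023-03-01T09:02:00 svc_backup NTLM     3 WS-042  FS-01
2023-03-01T09:02:30 svc_backup NTLM     3 WS-042  FS-02
2023-03-01T09:03:15 svc_backup NTLM     3 WS-042  FS-03
2023-03-01T09:04:40 svc_backup NTLM     3 WS-042  DC-01
2023-03-01T11:30:00 svc_backup Kerberos 3 BKP-01  FS-01
2023-03-01T12:00:00 da_admin   NTLM     3 WS-017  DC-01
"""

PRIVILEGED_ACCOUNTS = {"svc_backup", "da_admin"}   # assumed privileged-account inventory
ADMIN_JUMP_HOSTS = {"JUMP-01", "BKP-01"}            # assumed approved sources for admin logons


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, package, logon_type, src, dst = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "package": package,
            "logon_type": int(logon_type),
            "source": src,
            "target": dst,
        })
    return records


def detect_pth_fanout(records, privileged=PRIVILEGED_ACCOUNTS,
                      window=timedelta(minutes=10), min_targets=3):
    """Flag a privileged account that performs NTLM network logons (type 3)
    to at least `min_targets` distinct hosts from one source within
    `window`: the fan-out pattern of a stolen hash being replayed."""
    by_key = defaultdict(list)
    for r in records:
        if (r["account"] in privileged and r["package"] == "NTLM"
                and r["logon_type"] == 3):
            by_key[(r["account"], r["source"])].append(r)

    findings = []
    for (account, source), events in by_key.items():
        events.sort(key=lambda r: r["time"])
        for i, start in enumerate(events):
            targets = {e["target"] for e in events[i:]
                       if e["time"] - start["time"] <= window}
            if len(targets) >= min_targets:
                findings.append((account, source, tuple(sorted(targets))))
                break  # one finding per (account, source) is enough
    return sorted(findings)


def detect_unexpected_source(records, privileged=PRIVILEGED_ACCOUNTS,
                             allowed=ADMIN_JUMP_HOSTS):
    """Flag privileged logons that originate from a host outside the
    allow-list of administrative jump hosts."""
    return sorted({(r["account"], r["source"])
                   for r in records
                   if r["account"] in privileged and r["source"] not in allowed})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in detect_pth_fanout(recs):
        print("fan-out:", f)
    for f in detect_unexpected_source(recs):
        print("unexpected source:", f)
```

In the sample, `svc_backup` reaching four hosts from `WS-042` in under three minutes trips the fan-out rule, and both privileged logons from ordinary workstations trip the source rule; the Kerberos logons from the jump hosts pass. The thresholds are deliberately simple and should be tuned against a baseline of the environment’s normal administrative activity before alerting on them.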
Arming your systems with the right protection
Understanding the path of a hacker, it’s clear that businesses today must go beyond their existing security policies and legacy technologies like network firewalls or Security Information and Event Management (SIEM) to keep data safe. Organizations should at minimum leverage privileged password management to control access to privileged accounts, generate strong passwords, randomize passwords and store them in a centralized password vault that has been secured and hardened to offer an extra layer of protection from threats.
Password management alone, however, has its limitations. Once an attacker has compromised credentials to privileged accounts, they can move freely within the network – and password management does not provide visibility into what the attackers did after they compromised the credentials and obtained network access. That’s where privileged session management comes into play.
Effective session management includes real-time monitoring and recording of privileged sessions, automatic login with privileged credentials, centralized policy enforcement, alerting and termination of sessions if policies are violated. Together, the password vault and session recording allow credentials to be used and recorded without ever revealing those credentials to the users.
The third piece of the privileged identity theft protection puzzle is credential compromise detection, which up until recently has been difficult to achieve. Leveraging machine learning, a new approach called user behavior analytics has emerged to fill that void.
User behavior analytics leverages data about a privileged user’s behavior within a network – from keystrokes to the milliseconds between the double-clicks of their mouse – and applies advanced algorithms to gain an in-depth understanding of the user’s “digital footprint.” Utilizing machine learning to become more intelligent over time, behavior analytics can quickly detect suspicious, out-of-the-ordinary activity to proactively defend the business with continuous authentication.
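The core of the behavior analytics described above is a per-user baseline and a distance measure from it. The following added example (not the article’s own or any vendor’s code) builds such a baseline from a constructed history of one administrator’s sessions, scores a new session by its largest per-feature z-score, and shows how “continuous authentication” can be implemented as a running check over successive observation windows. The features, the sample values and the 3-sigma threshold are assumptions chosen for the illustration; real deployments use many more signals and more robust statistics.

```python
"""Per-user behavioral baseline and anomaly scoring.

Added example with constructed data; the feature set and thresholds are
assumptions, not those of any real product.
"""
import statistics

# Feature order used for every sample below
FEATURES = ("login_hour", "inter_keystroke_ms", "commands_per_minute")

# Constructed history of past privileged sessions for one user (not real telemetry)
BASELINE = {
    "da_admin": [
        (9, 180.0, 12.0), (10, 175.0, 11.0), (9, 190.0, 13.0), (11, 185.0, 12.5),
        (10, 170.0, 11.5), (9, 182.0, 12.2), (14, 178.0, 12.8), (10, 188.0, 11.8),
    ],
}

# Two constructed sessions to score: one ordinary, one that looks like
# scripted tooling driving the account at 3 a.m.
NORMAL_SESSION = (10, 183.0, 12.0)
SUSPICIOUS_SESSION = (3, 95.0, 40.0)


def build_profile(samples):
    """Per-feature (mean, population std dev) from the user's history."""
    columns = list(zip(*samples))
    profile = {}
    for name, values in zip(FEATURES, columns):
        sd = statistics.pstdev(values) or 1e-9  # avoid division by zero on constant features
        profile[name] = (statistics.mean(values), sd)
    return profile


def score_session(profile, session):
    """Return (anomaly_score, per-feature z-scores); the score is the
    largest absolute z-score, so one wildly off feature is enough to alert."""
    zs = {}
    for name, value in zip(FEATURES, session):
        mean, sd = profile[name]
        zs[name] = (value - mean) / sd
    return max(abs(z) for z in zs.values()), zs


def is_anomalous(profile, session, threshold=3.0):
    """Flag sessions more than `threshold` standard deviations from baseline."""
    return score_session(profile, session)[0] >= threshold


def continuous_check(profile, windows, threshold=3.0, strikes=2):
    """Evaluate successive observation windows of a live session. Return the
    index of the window at which `strikes` consecutive anomalous windows
    have accrued (where the session would be challenged or terminated),
    or None if the session stays within profile."""
    run = 0
    for i, window in enumerate(windows):
        run = run + 1 if is_anomalous(profile, window, threshold) else 0
        if run >= strikes:
            return i
    return None


if __name__ == "__main__":
    profile = build_profile(BASELINE["da_admin"])
    for label, session in (("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        score, zs = score_session(profile, session)
        print(f"{label}: score={score:.1f} anomalous={is_anomalous(profile, session)}")
    live = [NORMAL_SESSION, NORMAL_SESSION, SUSPICIOUS_SESSION, SUSPICIOUS_SESSION]
    print("terminate at window:", continuous_check(profile, live))
```

The strike counter matters in practice: a single odd window (a late-night incident response, say) should prompt a step-up authentication challenge rather than an immediate disconnect, while sustained deviation across windows justifies terminating the session and rotating the credential.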
“Process” makes perfect
While the right privileged access management approach is critical to safeguarding the organization against bad actors, one of the fastest ways to mitigate the risk of privileged identity theft is to remediate weak security practices, processes and policies. Some quick wins IT security professionals can achieve include:
Make sure your list of privileged accounts is up to date: Large enterprises running networks with thousands of servers and network devices often lack an accurate inventory of these assets.
Limit rights and access for each account: Always enforce the principle of least privilege, meaning that each account should have exactly the minimum rights required to carry out a specific task.
Delete old accounts and non-required privileges: Inadequate off-boarding creates a security gap where credentials exist for employees that have left the company or changed roles. In the case of contractors, IT security professionals should revoke access immediately after their project is complete.
Implement a formal password policy: A strong password policy should include routinely changing default passwords and implementing strong passwords. It should also prohibit sharing of passwords for privileged accounts. These may seem like obvious recommendations but companies large and small still fail to take these steps, making life easy for hackers.
Prevent users from taking shortcuts: Like anyone, privileged users want to work as efficiently as possible and are just as prone to the temptation of taking shortcuts when it comes to security. Educating employees and encouraging good security behavior can go a long way toward mitigating risks.
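The first four quick wins above (an accurate inventory, least privilege, removal of old accounts and non-required privileges, and a formal password policy) can be turned into a repeatable audit rather than a one-off clean-up. The following script is an added example, not code from the article, that runs such an audit over a constructed inventory of privileged accounts. The policy values (90-day staleness and rotation windows), the role-to-privilege mapping and every account in the sample are assumptions made for the illustration.

```python
"""Privileged-account hygiene audit over an inventory export.

Added example; the policy values, roles and accounts below are
constructed for illustration and not taken from any real environment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed policy values for this example
STALE_AFTER = timedelta(days=90)        # no login within this window -> stale
MAX_PASSWORD_AGE = timedelta(days=90)   # rotation interval for privileged passwords
ROLE_PRIVILEGES = {                     # assumed least-privilege mapping per role
    "backup-operator": {"backup"},
    "helpdesk": {"reset-password"},
    "domain-admin": {"backup", "reset-password", "domain-admin"},
}


@dataclass
class PrivilegedAccount:
    name: str
    owner: str
    owner_status: str                   # "active", "left" or "contractor"
    role: str
    privileges: Set[str]
    last_login: Optional[date]
    password_changed: Optional[date]
    default_password: bool = False
    shared: bool = False
    contract_end: Optional[date] = None


def audit_account(acct: PrivilegedAccount, today: date) -> List[str]:
    """Return the list of policy findings for one account (empty if clean)."""
    findings = []
    if acct.owner_status == "left":
        findings.append("orphaned: owner has left")
    if (acct.owner_status == "contractor" and acct.contract_end
            and acct.contract_end < today):
        findings.append("contract ended: revoke access")
    if acct.last_login is None or today - acct.last_login > STALE_AFTER:
        findings.append(f"stale: no login in {STALE_AFTER.days} days")
    if acct.password_changed is None or today - acct.password_changed > MAX_PASSWORD_AGE:
        findings.append("password rotation overdue")
    if acct.default_password:
        findings.append("default password still set")
    if acct.shared:
        findings.append("shared credential")
    excess = acct.privileges - ROLE_PRIVILEGES.get(acct.role, set())
    if excess:
        findings.append("excess privileges: " + ", ".join(sorted(excess)))
    return findings


def audit(accounts: List[PrivilegedAccount], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant account name to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed inventory (not real accounts)
SAMPLE_INVENTORY = [
    PrivilegedAccount("svc_backup", "jsmith", "active", "backup-operator", {"backup"},
                      date(2023, 5, 30), date(2023, 4, 15)),
    PrivilegedAccount("da_old", "rlee", "left", "domain-admin",
                      {"backup", "reset-password", "domain-admin"},
                      date(2022, 12, 1), date(2022, 10, 1)),
    PrivilegedAccount("ctr_vendor", "acme-contractor", "contractor", "helpdesk",
                      {"reset-password", "domain-admin"},
                      date(2023, 5, 20), date(2023, 3, 1), shared=True,
                      contract_end=date(2023, 4, 30)),
    PrivilegedAccount("admin_appliance", "itops", "active", "backup-operator", {"backup"},
                      None, None, default_password=True),
]
AUDIT_DATE = date(2023, 6, 1)

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against a real inventory export, the report is the work list: orphaned and contract-ended accounts are disabled first, excess privileges are trimmed to the role, and default or shared credentials are rotated into the vault. Scheduling the audit (weekly, say) closes the off-boarding gap the text describes instead of relying on someone remembering to revoke access.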
As the cyber threat landscape continues to evolve, one thing is for sure: privileged credentials will remain a top target for hackers looking to wreak havoc on enterprise systems. By understanding the path of a privileged attack, taking steps to enforce strict privileged access policies and user education, and leveraging the trifecta of privileged account management – password management, session management and behavior analytics – IT security teams will be well on their way to mitigating the risks of privileged identity theft.