How to contain a privileged access breach and make sure it doesn’t happen again
When attackers pull off a privileged access breach, they have a beachhead into your network. Regardless of whether it’s software or users that are ill-protected, threat actors have a consistent playbook: establish a foothold on a vulnerable system, elevate privileges, then compromise additional privileged users to gain access to or hold at ransom what’s valuable.
The more widespread the compromise is, the larger the incident response process that victims must deal with, leaving them with an expensive and time-consuming cleanup and recovery. This is all too common—74% of breached organizations have admitted the attack involved access to a privileged account—and organizations need a better way to combat privileged access attacks.
Despite established best practices and investment in privileged access management solutions, users are given ever more privileges across systems, and that privilege is available to them all the time, 24 hours a day, seven days a week. Attackers exploit this and pivot from a single point of entry to every other account in the organization that has elevated access, executing a full takeover in a very short time.
With the right approach, companies can contain privileged access breaches or avoid them altogether. Here are three things to keep in mind.
Many incident response plans don’t fully lock down access
Containment and eradication require a multi-faceted approach and you should have a response plan in place that considers an attacker’s persistence and ability to hide and move around the network.
Many victims respond by identifying and blocking network activity, software, and system configurations that were compromised in the attack. Disabling compromised accounts – or at least forcing password resets and implementing multi-factor authentication (MFA) – is another best practice, but there’s a common mistake that many victims make: keeping standing privileged access in place.
Compromise typically comes from credentials that have 24/7, always-on standing access. If an attacker gains access to one of these credentials, the keys to unlock doors are always within reach. Thus, removing the standing privileged access that attackers require to maintain a presence and move laterally is a quick way to contain a breach.
Eradicating an attack is never a certainty, especially as threat actors have grown increasingly sophisticated, but this approach addresses the root cause more effectively, stopping the current activity and preventing further activity.
Just-in-Time access offers better security
Many organizations don’t understand the danger they put themselves in by having standing privileged access. Yes, it’s slightly more convenient for admins and users to access systems as and when they want to. But it also gives the same convenient access to attackers holding the compromised credentials, allowing them to unlock any door and move throughout the network. Even worse, it undermines other safeguards in place for detecting attackers.
When an attacker gains access to credentials with standing privileged access in place, they weaponize their elevated access to bypass traditional extended detection and response (XDR), endpoint detection and response (EDR), and next-generation antivirus (AV) solutions, all of which focus on files, network and process activity, but have no visibility into privileged identities. This is also true of vault-based, legacy privileged access management solutions, which can’t identify hidden or nested admin rights and the persistence of these rights on the target systems.
Instead of standing privileged access, a “Just-in-Time” approach allows administrators to protect systems by only permitting access to verified, trusted administrators for a finite period, with continuous enforcement of no privileged access otherwise. In turn, this cuts off lateral movement without any friction for legitimate users.
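The following is an added illustration of the Just-in-Time model described above (example code written for this article, not a product's own implementation): a small broker that grants membership of a privileged group only for an approved, time-limited request, and a reconciliation sweep that removes any privileged membership not backed by an unexpired grant, whether it expired or was added outside the broker. Group names and users are constructed sample values.

```python
"""Model of a Just-in-Time privilege broker with continuous enforcement."""
from dataclasses import dataclass, field

MAX_TTL_SECONDS = 4 * 3600  # cap so a grant can never become standing access


@dataclass
class Grant:
    user: str
    group: str
    expires_at: int  # epoch seconds


@dataclass
class JitBroker:
    # Privileged groups under zero-standing-privilege policy -> current members.
    memberships: dict[str, set[str]] = field(default_factory=dict)
    grants: list[Grant] = field(default_factory=list)

    def request(self, user: str, group: str, now: int,
                ttl_seconds: int, approved: bool) -> int:
        """Grant time-boxed membership; returns the expiry timestamp."""
        if not approved:
            raise PermissionError(f"{user}: request for {group} not approved")
        if ttl_seconds <= 0 or ttl_seconds > MAX_TTL_SECONDS:
            raise ValueError(f"ttl {ttl_seconds}s outside allowed window")
        expires_at = now + ttl_seconds
        self.grants.append(Grant(user, group, expires_at))
        self.memberships.setdefault(group, set()).add(user)
        return expires_at

    def active_grants(self, now: int) -> set[tuple[str, str]]:
        return {(g.user, g.group) for g in self.grants if g.expires_at > now}

    def enforce(self, now: int) -> list[tuple[str, str]]:
        """Reconciliation sweep: strip every privileged membership that has no
        unexpired grant. This removes expired access and also any membership
        added out of band (the 'hidden or nested admin rights' case), so the
        broker, not the directory state, is the source of truth."""
        allowed = self.active_grants(now)
        removed: list[tuple[str, str]] = []
        for group, members in self.memberships.items():
            stale = [u for u in sorted(members) if (u, group) not in allowed]
            removed.extend((u, group) for u in stale)
            members.difference_update(stale)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return removed
```

In practice `enforce` would run on a schedule against the real directory, and each removal it reports is a detection signal worth alerting on.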
You should move toward true zero standing privilege
During an incident, organizations should start implementing Just-in-Time access for the riskiest groups and users first to reduce standing privileged access among those most likely to be compromised.
Most credential harvesting occurs after the user authenticates, even if MFA is in place. One way to avoid this is to force multi-factor authentication and re-authentication for each subsequent system and application a user wants to access, but few users would put up with that much friction. That’s why many organizations opt for single sign-on (SSO) protocols such as Security Assertion Markup Language (SAML), Open Authorization (OAuth), or Kerberos.
In those situations, however, attackers can impersonate users, whether through credential harvesting or by running code in another user’s login session. An account proving its trustworthiness only once, even if that happens before access is granted, is not strong enough security.
By limiting both the number of accounts that get full access and how that access is granted, organizations can greatly reduce the risk of cyberattacks and the lateral movement that may occur after a breach. Turning standing privileged access into zero standing privilege is one of the most thorough security measures an organization can take today.