The last year has witnessed a series of staggering data breaches affecting some of the world’s leading businesses – with each breach seemingly worse than the last in terms of financial and reputational damage.
Following intrusions into Target, JP Morgan, Sony Pictures and others, many people are asking, ‘Has it reached the point where no system is ever fully protected from hackers?’
The unfortunate answer to this question is that if an intruder wants into a network, they will get in no matter how many perimeter defenses are built around the IT infrastructure.
It is vital that IT departments anticipate that their systems will be breached, and their most sensitive data could be stolen and made public.
Therefore, the real question that corporate executives should be asking themselves is: what can be done to minimise the damage of a cyber attack on my organisation?
The lesson from the recent Sony Pictures hack is that organisations that still do not have a security solution that can limit damage internally, are taking remarkable risks and acting extraordinarily naive about the advanced capabilities of today’s cyber attackers.
That’s because one of the most common ways for cybercriminals to gain infiltrate systems is through unsecured privileged accounts, which provide the access needed to view and extract critical data, alter system configuration settings, and run programs on just about every hardware and software asset in the enterprise.
Almost every account on the network has some level of privilege associated with it, and can therefore potentially be exploited by a hacker. For example, business applications and computer services store and use privileged identities to authenticate with databases, middleware and other application tiers when requesting sensitive information and computing resources.
In fact, there are so many privileged accounts in large enterprises that many organisations don’t even know where all of their privileged accounts reside – or who has access to them.
Unlike personal login credentials, privileged identities are not typically linked to any one individual and are often shared among multiple IT administrators with credentials that are rarely – if ever – changed.
Privileged account attack vector
Cyber attackers need privileged access to carry out their illicit plans – whether it’s to install malware or key loggers, steal or corrupt data, or disable hardware. That’s why privileged account credentials are in such high demand by hackers.
In fact, research conducted by Mandiant revealed that 100% of the data breaches they investigated involved stolen credentials.
A destructive data breach can begin with the compromise of just one privileged account. Criminal hackers and malicious insiders can exploit an unsecured privileged account to gain the persistent administrative access they need to anonymously extract sensitive data.
As stated previously, if attackers want to get into an IT environment, they will – and there’s really no way to prevent it short of creating an ‘air gap’ to isolate an organisation’s most critical systems from the rest of its network.
Conventional perimeter security tools that most organisations rely on, like firewalls, react too late to defend against new advanced persistent threats and zero day attacks.
So the issue is not whether attackers will penetrate a perimeter, but what will happen once they’re in. The first thing they will do is look for ways to expand their access. Usually remote access kits, routers and key loggers are installed. The intruder’s goal is to extract the credentials that will give them lateral motion throughout the network.
To accomplish this, attackers look for SSH keys, passwords, certificates, Kerberos tickets and hashes of domain administrators on compromised machines. Often, hackers will quietly monitor and record activity on the systems, and then use this information to expand their control of the IT environment.
This is the classic ‘land and expand’ expand attack, and the entire activity can be completed in about 15 minutes. It doesn’t take long because most of these attacks use automated hacking tools.
If you can’t beat them join them
Given the fact that adversaries are using highly advanced automated tools to attack, organisations can attempt to combat them by matching their efforts.
Adaptive privilege management proactively secures privileged accounts in response to a stimulus. For example, an organisation’s logger, SIEM or trouble ticket system reports an anomaly. Then, the adaptive privilege management solution uses that information to look up the address – say, in LDAP or a configuration management database (CMDB) – to determine what is being targeted.
If the organisation under attack has a hundred sets of systems, the adaptive privilege management solution might have a hundred password change jobs in place to manage those credentials. Based on the outside stimulus, the solution can call PowerShell or another web service with the appropriate password change job and begin immediate remediation.
The goal is to block intruders by responding with new credentials as soon as any logins are compromised. So essentially, when hackers harvest a credential, the solution deploys new credentials – effectively minimising lateral motion inside the environment, even in zero day attack scenarios.
The basic idea is continuous detection and remediation. Adaptive privilege management automatically discovers privileged accounts throughout the enterprise, brings those accounts under management, and audits access to them.
If an organisation can’t find the privileged accounts on a network, it can’t secure them. But just because it may not know where all of its privileged accounts reside, doesn’t mean hackers can’t locate these powerful accounts – and leverage them to execute their cyber attacks.