Privileged identities are at the core of today's cyber attacks
Given the difficulty of preventing them, we should focus instead on minimising the damage from cyber-attacks, says Philip Lieberman.
Philip Lieberman, Lieberman Software
The series of staggering data breaches over the past year has seriously affected some of the world's leading businesses. Each attack has apparently caused more financial and reputational damage than the last. Following infamous breaches such as those of Target, JP Morgan, Sony Pictures and others, people are questioning whether any system can ever be fully secured against hackers.
Sadly, the answer is no. If someone wants to access your network, they will, regardless of the number of perimeter defences you have around your IT infrastructure. It is of critical importance that IT departments anticipate that their systems will be breached, and that their most sensitive data could be stolen and made public.
So the question is no longer “How do we prevent an attack?” but “How do we minimise the damage of future attacks?”
The keys to your IT kingdom - privileged identities
If the Sony Pictures attack taught us anything, it is that even world-leading businesses are still lacking the appropriate security solutions. They need to realise how naive they are being about the capabilities of modern-day hackers and take precautions in order to minimise damage internally.
One of the most popular ways into a network for hackers is through unsecured, privileged accounts. These accounts provide the access required to view and extract critical data, alter system configuration settings, and run programs on almost every hardware and software asset in the organisation.
Unfortunately, there are so many privileged accounts in large organisations that many of those organisations can't keep track of where all of their privileged accounts reside or who can access them.
Almost every account on a system has some level of privilege and can therefore potentially be exploited by a cybercriminal. For example, business applications and computer services store and use privileged identities to authenticate with databases, middleware, and other application tiers when requesting sensitive information and computing resources.
What makes it even easier for attackers is that unlike personal login credentials, privileged identities are not typically linked to any one individual and are often shared among multiple IT administrators with credentials which are seldom changed.
The privileged account attack vector
Privileged access is vital for launching cyber-attacks, whether it's to install malware or keyloggers, steal or corrupt data, or disable hardware. That is why privileged account credentials are in such high demand among attackers. As a matter of fact, a study by Mandiant found that 100 percent of the attacks they examined involved stolen credentials.
It only takes one breached privileged account to snowball into a disastrous attack. The persistent administrative access that cybercriminals and malicious insiders require to anonymously extract sensitive data can be gained through a single unsecured privileged account.
Traditional perimeter security tools that most organisations depend on, such as firewalls, react too late to defend against new advanced persistent threats and zero-day attacks. So short of creating an "air gap" to isolate your most critical systems from the rest of your network, there is no way to prevent an attack.
So what happens once an attacker has infiltrated your system? The first thing they do is look for ways to expand their access, for instance by installing remote access kits, routers and keyloggers. The goal is to gain lateral motion within the network by extracting the necessary credentials.
In order to do this, cybercriminals search for SSH keys, passwords, certificates, Kerberos tickets and hashes of domain administrators on compromised machines. A tactic often used is silently observing and recording activity and later using this data to increase control of the IT environment.
This is called the “land and expand” attack and although it may sound like a prolonged activity, it can be executed in around 15 minutes as most cybercriminals use automated hacking tools.
Next generation adaptive privilege management
So given the highly advanced automated tools to attack organisations, shouldn't these organisations fight back with their own automated security solutions?
One such solution is adaptive privilege management, which provides automated cyber defence that proactively defends privileged accounts. By working together with detect-and-respond software, adaptive privilege management can react to the notifications those products produce and immediately change the credentials on systems under attack.
Even if an intruder acquires credentials, those credentials are changed and unique credentials are deployed to each account. This effectively minimises lateral motion inside the environment, even in zero-day attack scenarios.
The problem is that if you don't know where your privileged accounts are on your network, you cannot safeguard them. Think of an ostrich: just because it buries its head and is unable to see the problem doesn't mean that it won't get attacked. So the idea is to detect and remediate. Adaptive privilege management automatically locates privileged accounts throughout the network, brings those accounts under management, and audits access to them.
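As an added illustration (not code from the article or from Lieberman Software's product), the following Python sketch shows the two sides of what is described above: an inventory audit that flags the shared and seldom-changed privileged credentials mentioned earlier, and an alert handler that gives every privileged account on a flagged host a fresh, unique credential and records the change. The inventory, host and account names, the 90-day rotation threshold and the alert format are constructed assumptions.

```python
import secrets
import string
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real systems). Each entry: host, account,
# a fingerprint of the current credential, and when it was last rotated.
NOW = datetime(2015, 3, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"host": "db01", "account": "svc_backup", "cred": "h1", "rotated": NOW - timedelta(days=400)},
    {"host": "db02", "account": "svc_backup", "cred": "h1", "rotated": NOW - timedelta(days=400)},
    {"host": "app01", "account": "Administrator", "cred": "h2", "rotated": NOW - timedelta(days=3)},
    {"host": "app01", "account": "svc_web", "cred": "h3", "rotated": NOW - timedelta(days=120)},
]
AUDIT_LOG = []  # every rotation is recorded here so access can be audited


def audit_inventory(inventory, max_age_days=90, now=NOW):
    """Flag the two weaknesses the article describes: one credential shared
    across several accounts or hosts, and credentials older than max_age_days."""
    by_cred = defaultdict(list)
    for acct in inventory:
        by_cred[acct["cred"]].append((acct["host"], acct["account"]))
    shared = {c: members for c, members in by_cred.items() if len(members) > 1}
    stale = [(a["host"], a["account"]) for a in inventory
             if now - a["rotated"] > timedelta(days=max_age_days)]
    return shared, stale


def new_credential(length=32):
    """Cryptographically random credential, generated separately for each account."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_host(inventory, host, reason, now=NOW):
    """Respond to a detect-and-respond alert for `host`: give every privileged
    account on it a fresh, unique credential and log the action.
    In a real deployment the new secret is pushed to the target system and
    stored in a vault; here it only replaces the inventory fingerprint."""
    rotated = []
    for acct in inventory:
        if acct["host"] != host:
            continue
        acct["cred"] = new_credential()
        acct["rotated"] = now
        AUDIT_LOG.append({"time": now, "host": host, "account": acct["account"], "reason": reason})
        rotated.append(acct["account"])
    return rotated


def handle_alert(inventory, alert):
    """Alert shape {'host': ..., 'rule': ...} is an assumed, simplified format."""
    return rotate_host(inventory, alert["host"], reason=alert["rule"])
```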
The uncomfortable truth is that in today's cyber-security landscape, malicious hackers can compromise your network no matter what security measures you have in place. Fortunately, with adaptive privilege management you can remediate security threats faster than hackers can exploit them.
Contributed by Philip Lieberman, Lieberman Software.