The rise of state-sponsored cyber attacks
Never underestimate just how valuable enterprise data is to cyber-criminals, from low-level thieves to extremely well-funded (and therefore, well-armed) state-sponsored attackers, says Matt Middleton-Leal.
Matt Middleton-Leal, regional director, UK & Ireland at CyberArk
Whether in the public or private sector, most organisations today store valuable intellectual property, customer or citizen information and other sensitive data that is useful in itself, or when combined with other information. As a result, all organisations that deal with sensitive information are at risk of being targeted by state-sponsored actors looking to inflict damage and these attacks are becoming increasingly commonplace.
Indeed, a pattern is starting to emerge of foreign-based cyber-attackers collecting vast troves of information on government employees and other citizens. From medical and financial records to security clearance information and airline travel history, attackers are gathering intelligence that could collectively be used in any number of criminal activities – including fraud, bribery and phishing attacks.
In many ways, these attacks are arguably growing in number because organisations are not doing enough to protect themselves.
Privileged accounts: the keys to the kingdom
While the motivation behind state-sponsored and other cyber attacks may differ, the tactical approach is often the same. To breach a network, attackers typically employ an unsophisticated phishing-type attack to get past perimeter defences and install malware inside the network. Once inside, the attackers move laterally, attempting to steal credentials for privileged and administrative accounts.
The act of stealing and exploiting privileged accounts is the common link in nearly all recent data breaches and cyber attacks. These accounts, which include administrative accounts, default and hardcoded passwords, application backdoors, and more, effectively deliver the ‘keys to the IT kingdom’, enabling widespread access to the most sensitive data held within an enterprise network.
Once the attackers succeed in compromising privileged accounts, they can elevate privileges to new levels of access to move laterally inside the network and begin to lay the groundwork for a hostile takeover of the targeted network – virtually undetected.
Breaches such as those at the German parliament, the US Office of Personnel Management, Sony Pictures and others were devastating not just because of the loss of data, but because each organisation completely lost control of its infrastructure and networks through compromised privileged accounts.
In many cases, breached organisations are forced to rebuild significant portions of their infrastructure to regain IT trust and operation.
Stopping an attack in its tracks
Companies of all sizes are now faced with the significant challenge of ensuring they can detect and protect against serious threats such as state-sponsored attacks. Critical to this is taking charge of powerful privileged accounts – knowing where they are and how to protect and monitor them.
Organisations must now assume that attackers are already on the inside of the network and focus on putting in place robust controls around privileged accounts to mitigate the risks of these sensitive credentials being hijacked.
The first step is understanding how many privileged accounts exist and where – this is often grossly underestimated by the business. These accounts can then be reviewed to ensure that the right policies are in place – including who can use them and for what role, and that users have appropriate levels of access – no more and no less. It's important to note that privileged accounts aren't just users, they also include credentials needed for application-to-application or application-to-system communication.
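The review described above (which accounts are privileged, whether their access matches a role, whether an owner is assigned, and whether application-to-application credentials are sitting in configuration files) can be expressed as a repeatable check. The following Python is an added example written for this page; it is not CyberArk code or a description of any product. The account inventory, role policy, group names, configuration snippets and the 90-day review window are all constructed assumptions so that the script runs offline; a real run would pull the same fields from a directory service and a configuration store.

```python
import re
from datetime import date, timedelta

# Constructed data for the example: which groups confer privilege, and which
# privileged groups each business role is entitled to. Names are assumptions.
PRIVILEGED_GROUPS = {"domain_admins", "db_admins", "backup_operators", "password_resetters"}
ROLE_POLICY = {
    "dba": {"db_admins"},
    "helpdesk": {"password_resetters"},
    "backup_service": {"backup_operators"},
}

# Constructed account inventory (user and service accounts), as a directory export might provide it.
ACCOUNTS = [
    {"name": "administrator", "kind": "user", "role": None, "owner": None,
     "groups": {"domain_admins"}, "last_review": "2015-01-15"},
    {"name": "jsmith", "kind": "user", "role": "helpdesk", "owner": "jsmith",
     "groups": {"password_resetters", "domain_admins"}, "last_review": "2015-06-01"},
    {"name": "svc_backup", "kind": "service", "role": "backup_service", "owner": "ops-team",
     "groups": {"backup_operators"}, "last_review": "2015-06-20"},
    {"name": "svc_report", "kind": "service", "role": "dba", "owner": "bi-team",
     "groups": {"db_admins"}, "last_review": "2014-11-30"},
    {"name": "mlee", "kind": "user", "role": None, "owner": "mlee",
     "groups": {"staff"}, "last_review": "2015-06-01"},
]

# Constructed configuration files: one embeds a plaintext credential, one uses a vault reference.
CONFIG_FILES = {
    "/opt/reporting/app.properties": "db.user=svc_report\ndb.password=Summer2015!\ndb.host=db01\n",
    "/opt/backup/agent.conf": "user=svc_backup\ncredential_source=vault\n",
}

# A line whose key ends in password/passwd/secret and carries a literal value.
SECRET_LINE = re.compile(r"^(?P<key>[\w.-]*(?:password|passwd|secret))\s*=\s*\S+",
                         re.IGNORECASE | re.MULTILINE)
USER_LINE = re.compile(r"^[\w.-]*user\s*=\s*(?P<user>\S+)", re.IGNORECASE | re.MULTILINE)


def is_privileged(acct):
    """An account is privileged if it belongs to any privilege-conferring group."""
    return bool(acct["groups"] & PRIVILEGED_GROUPS)


def privileged_inventory(accounts=ACCOUNTS):
    """Step one from the text: enumerate the privileged accounts that actually exist."""
    return sorted(a["name"] for a in accounts if is_privileged(a))


def review(accounts=ACCOUNTS, config_files=CONFIG_FILES, as_of=date(2015, 7, 1), max_age_days=90):
    """Step two: check each privileged account against policy. Returns (account, issue, detail) tuples."""
    findings = []
    for a in accounts:
        if not is_privileged(a):
            continue
        # 'no more and no less': privileged groups beyond what the role entitles
        allowed = ROLE_POLICY.get(a["role"], set())
        extra = (a["groups"] & PRIVILEGED_GROUPS) - allowed
        if extra:
            findings.append((a["name"], "excess_privilege", ",".join(sorted(extra))))
        # who can use it: every privileged account needs an accountable owner
        if a["owner"] is None:
            findings.append((a["name"], "no_owner", ""))
        # periodic review: flag accounts not reviewed within the window
        reviewed = date.fromisoformat(a["last_review"])
        if as_of - reviewed > timedelta(days=max_age_days):
            findings.append((a["name"], "stale_review", a["last_review"]))
    # application-to-application credentials: literal secrets in configuration files
    for path, text in config_files.items():
        m = SECRET_LINE.search(text)
        if not m:
            continue
        u = USER_LINE.search(text)
        user = u.group("user") if u else "<unknown>"
        # The secret value itself is deliberately not recorded; the finding is its location.
        findings.append((user, "hardcoded_credential", f"{path}:{m.group('key')}"))
    return findings


if __name__ == "__main__":
    print("privileged accounts:", privileged_inventory())
    for name, issue, detail in review():
        print(f"{name:14} {issue:22} {detail}")
```

The findings deliberately name the location of a hardcoded credential but never copy its value into the report, so the review output is itself safe to store and share.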
Central controls and continuous monitoring then need to be put in place to ensure that the business always has a handle on the privileged accounts. For example, it is essential that all activity is logged and recorded in real time.
The use of behavioural analytics can indicate where irregular or risky activities are taking place. The ability to flag and analyse these anomalous activities, as well as to isolate users from sensitive target assets, is critical to stopping the impact of an attack in progress and limiting damage.
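The monitoring and behavioural analytics the last two paragraphs call for come down to building a per-account profile from recorded activity and flagging departures from it. The Python below is an added example for this page, not CyberArk's code or any product's detection logic. The key=value log format, the sample log lines, the set of privileged accounts, and the thresholds (three distinct hosts within ten minutes) are constructed assumptions; the baseline here is learned from a week of normal activity and then applied to a later day's events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for the example: ISO timestamp plus key=value fields.
LOG_FORMAT = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Accounts the inventory has classified as privileged (assumption for this example).
PRIVILEGED = {"administrator", "svc_backup"}

# Constructed baseline week: normal administrator and backup-service activity.
BASELINE_LOGS = """\
2015-07-06T09:02:11Z host=dc01 user=administrator src=10.0.1.10 result=success
2015-07-06T10:15:40Z host=dc01 user=administrator src=10.0.1.10 result=success
2015-07-07T08:55:03Z host=fs01 user=svc_backup src=10.0.5.20 result=success
2015-07-07T23:00:00Z host=fs01 user=svc_backup src=10.0.5.20 result=success
2015-07-08T09:30:12Z host=dc01 user=administrator src=10.0.1.10 result=success
2015-07-08T14:12:55Z host=ws07 user=jsmith src=10.0.9.33 result=success
"""

# Constructed later day: the backup service account used from a workstation, at night, across many hosts.
RECENT_LOGS = """\
2015-07-14T02:13:05Z host=fs01 user=svc_backup src=10.0.9.33 result=success
2015-07-14T02:14:10Z host=db01 user=svc_backup src=10.0.9.33 result=success
2015-07-14T02:14:50Z host=app02 user=svc_backup src=10.0.9.33 result=success
2015-07-14T02:15:30Z host=dc01 user=svc_backup src=10.0.9.33 result=failure
2015-07-14T09:10:00Z host=dc01 user=administrator src=10.0.1.10 result=success
2015-07-14T11:00:00Z host=ws07 user=jsmith src=10.0.9.33 result=success
"""


def parse(text):
    """Turn log lines into event dicts with a datetime timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_FORMAT.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events):
    """Per-account profile of source addresses and logon hours seen in successful events."""
    profile = defaultdict(lambda: {"sources": set(), "hours": set()})
    for ev in events:
        if ev["result"] != "success":
            continue
        profile[ev["user"]]["sources"].add(ev["src"])
        profile[ev["user"]]["hours"].add(ev["ts"].hour)
    return profile


def detect(events, baseline, window=timedelta(minutes=10), host_threshold=3):
    """Flag privileged-account activity that departs from the baseline. One alert per distinct finding."""
    alerts, seen = [], set()
    recent_hosts = defaultdict(list)  # user -> [(ts, host)] inside the sliding window

    def raise_alert(ev, reason, detail):
        key = (ev["user"], reason, detail)
        if key not in seen:  # suppress repeats of the same finding
            seen.add(key)
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reason": reason, "detail": detail})

    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if user not in PRIVILEGED:
            continue
        prof = baseline.get(user, {"sources": set(), "hours": set()})
        if ev["src"] not in prof["sources"]:
            raise_alert(ev, "new_source", ev["src"])
        if ev["ts"].hour not in prof["hours"]:
            raise_alert(ev, "unusual_hour", f"{ev['ts'].hour:02d}:00")
        # Lateral movement: one privileged account reaching many hosts in a short window.
        # Failed attempts count too, since an attacker probing hosts will produce them.
        hist = recent_hosts[user]
        hist.append((ev["ts"], ev["host"]))
        hist[:] = [(t, h) for t, h in hist if ev["ts"] - t <= window]
        if len({h for _, h in hist}) >= host_threshold:
            minutes = int(window.total_seconds() // 60)
            raise_alert(ev, "lateral_movement", f">={host_threshold} hosts within {minutes} min")
    return alerts


def analyse(baseline_text=BASELINE_LOGS, recent_text=RECENT_LOGS):
    """Learn the profile from the baseline period and evaluate the recent period against it."""
    return detect(parse(recent_text), build_baseline(parse(baseline_text)))


if __name__ == "__main__":
    for a in analyse():
        print(f"{a['ts'].isoformat()} {a['user']:14} {a['reason']:17} {a['detail']}")
```

On the sample data the ordinary administrator logon and the non-privileged user produce nothing, while the backup service account raises three distinct alerts (new source, unusual hour, lateral movement). In practice each alert would drive the isolation step the text mentions, such as revoking the session or rotating the account's credential, rather than only being logged.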
No business should be foolish enough to assume that it can catch all attacks at the perimeter alone. To protect against increasingly threatening attacks, it is critical that organisations adopt the mindset that they have already been breached and put in appropriate controls to mitigate risk.
The failure to robustly defend privileged accounts can ultimately enable attackers, whether state-sponsored or financially motivated cyber-thieves, to move around a network virtually undetected for months, if not years.
The cyber-threat landscape is evolving rapidly and organisations must move fast and smart in order to keep pace.
Contributed by Matt Middleton-Leal, regional director, UK & Ireland at CyberArk.