What do we mean today by a ‘targeted attack’? Where once it referred to the fact that a specific organisation was being targeted – as opposed to a more traditional ‘spray gun’ malware campaign – now the targeting is far more sophisticated. By investing more man-hours in reconnaissance and intelligence gathering, attackers have discovered they can get the keys to the kingdom by targeting your IT administrators. Just look at the huge breadth of data types the Sony hackers lifted. That kind of access can only come from admin-level permissions.
These attacks are short, sharp and yield a much higher success rate: more like a sniper than a foot soldier spraying machine gun fire. But how can we guard against attacks targeting what should be the most tech-savvy members of an organisation?
The long game
Until now, the common assumption has been that the ‘path of least resistance’ in an organisation lies with a lowly staff member who might not think twice about opening a malicious attachment. Once inside, the attackers will then try to escalate privileges until they have access rights to the data they're looking for. However, the truth is that by putting in more groundwork, attackers can skip this time-consuming ‘escalation of privileges’ step altogether and stand a much better chance of not being caught.
It's all about playing the long game. The first stage is reconnaissance – much of which can be done via LinkedIn or Facebook – to work out which member of the IT team to target. A junior database admin would be ideal. Specialist forums are also stalked by cyber-criminals looking to find out details of database versions and other technical information related to targeted systems. With good intelligence gathering the attack team will know exactly which account and system they need to focus on to get to the data they covet.
Should know better?
After that it's a classic case of using that old favourite, social engineering, to trigger the malware download. The mistake so many organisations make is thinking that because of their role, IT staff should be somehow more cyber-savvy. This isn't always the case – especially with junior IT staff who, conveniently for the attacker, are often given the most privileged account access. It's a peculiarity of the profession that senior IT staff usually have fewer access rights, as they've moved into more strategic and less hands-on roles.
Another benefit of targeting the IT function is that staff typically have less restrictive policies applied to their accounts – for example, they're able to download more file types or send and receive attachments in emails. This gives the hacker a greater chance of success, as there are more attack paths into the target. It's also less likely to arouse suspicion, as IT staff accounts are usually forever downloading files and are less subject to close scrutiny.
False sense of security
The problem is often compounded by password reuse across administrative accounts and IT systems, sometimes via so-called “Gold Builds”, which make the attackers' job that much easier. Over-privileging is another key failing whereby junior staff are given the keys to the kingdom because an organisation's access policy is not granular enough. Once they've used “The Password” it is likely to have been cached somewhere – accessible to the determined cyber-criminal.
There are at least 60 ways to access administrator passwords: few IT staff appreciate just how exposed they are. A false sense of security also comes from the fact that many apps say that passwords are stored in encrypted files. What IT teams often forget is that if they are compromised whilst logged into that app, they have effectively opened the door for the attacker.
So what can we do to mitigate these risks? Remember that hackers will always be more sophisticated, agile and cyber-savvy than most IT staff, and that well-crafted spear-phishing emails will still work on them. Gain greater visibility into your admin accounts and who's accessing what, so you can tell when something abnormal happens. This isn't easy when we're talking about detecting a phishing email sent to just one member of staff, with a subject line specifically related to their role.
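As an added illustration of the "who's accessing what" visibility described above (example code, not from the article or from Osirium), the script below builds a per-account baseline from a constructed log of privileged-account accesses and then flags an admin account that starts touching systems outside its normal footprint, or far more systems in a day than it ever has before. Account names, host names and the five-day learning window are all assumptions.

```python
"""Baseline-and-alert over constructed privileged-account access logs."""
from collections import defaultdict

# Constructed sample log: (day, account, host). Days 1-5 are the learning period.
LOG = [
    (1, "dba_junior", "db-hr-01"), (1, "dba_junior", "db-hr-02"),
    (2, "dba_junior", "db-hr-01"), (3, "dba_junior", "db-hr-02"),
    (4, "dba_junior", "db-hr-01"), (5, "dba_junior", "db-hr-01"),
    (1, "winadmin", "dc-01"), (2, "winadmin", "fs-01"), (3, "winadmin", "dc-01"),
    (4, "winadmin", "fs-01"), (5, "winadmin", "dc-01"),
    # Day 6: the junior DBA account suddenly reaches hosts it has never touched.
    (6, "dba_junior", "db-hr-01"), (6, "dba_junior", "fs-01"),
    (6, "dba_junior", "mail-01"), (6, "dba_junior", "db-finance-01"),
    (6, "winadmin", "dc-01"),
]

def build_baseline(log, learn_days):
    """Per account: the set of hosts seen, and the most distinct hosts in one day."""
    hosts = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))
    for day, acct, host in log:
        if day <= learn_days:
            hosts[acct].add(host)
            per_day[acct][day].add(host)
    breadth = {a: max(len(s) for s in d.values()) for a, d in per_day.items()}
    return hosts, breadth

def detect(log, learn_days):
    """Return (day, account, reason, detail) alerts for post-baseline accesses."""
    hosts, breadth = build_baseline(log, learn_days)
    seen_today = defaultdict(lambda: defaultdict(set))
    alerts = []
    for day, acct, host in log:
        if day <= learn_days:
            continue
        seen_today[acct][day].add(host)
        # An admin account reaching a host it never used during the baseline.
        if host not in hosts.get(acct, set()):
            alerts.append((day, acct, "new-host", host))
        # Fire once when the day's distinct-host count first exceeds the baseline.
        if len(seen_today[acct][day]) == breadth.get(acct, 0) + 1:
            alerts.append((day, acct, "breadth", len(seen_today[acct][day])))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG, 5):
        print(alert)
```

The `winadmin` account stays silent because it keeps to its usual two hosts; every alert concerns the account whose footprint changed.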
Better still, operate a policy of least-privileged access and provide a mechanism for IT staff to access systems which is not reliant on passwords. If the user can log on directly via a secure but automated system, then there is nothing for attackers to steal. Few organisations will admit to it, but privileged accounts represent a real and present danger to data security. It's time we took out those cyber-snipers.
Contributed by Kev Pearce, CTO, Osirium