Research reveals hackers are increasingly exploiting privileged accounts

News by Steve Gold

New research claims that the security threats landscape is now almost egalitarian in nature, with almost every industry - and every company - now being a security target.

The reason, says the report, is that cyber-attackers have broadened their targets, pursuing companies of all sizes and across all industries.

As a result, the CyberArk analysis - which is entitled `Privileged Account Exploits Shift the Front Lines of Cyber Security - says that this is often a means to an end as attackers are after their supply chain partners.

The report is billed as providing an expert's analysis into targeted cyber-attacks by tapping into the experiences of threat investigators at five firms renowned for detecting, analysing and remediating serious cyber-security incidents.

These firms include Cisco Talos Security Intelligence and Research Group; Deloitte & Touche LLP's Cyber Risk Services and Deloitte Financial Advisory Service LLP's Computer and Cyber Forensics Team; Mandiant, a FireEye Company; RSA, the Security Division of EMC and the Verizon Risk Team.

The problem, the report notes, is that privileged accounts are vastly underestimated, with the risks and security vulnerabilities posed by privileged accounts being much larger than most companies realise.

Researchers found, for example, that modern organisations have at least three to found times as many privileged accounts as employee headcount.

As a result, the report concludes that attackers show increasing sophistication in exploiting privileged access, using privileged accounts to break into a wider range of systems and to become harder to dislodge from networks.

This situation is compounded, says the researcher, by the fact that attacks can stay hidden for months or years, with several cyber-threat investigators interviewed for the report finding evidence that cyber-attacks have been ongoing for months and even years before they're discovered.

"Investigators estimate it takes an average of six to eight months before their clients detect a problem and call for help. This time estimate is consistent with Mandiant's published findings, which peg the median number of days attackers were present on clients' networks at 229 before discovery," the report notes.


Solutions to the problem are - from an audit perspective, notes - obvious, with users being advised to know what privileged accounts they have, what they do and are supposed to do.

Issues that need addressing, says the report, including making it harder to get privileged access across a broad range of IT systems by changing default passwords and using different administrative passwords on each system. Users should also carry out regular, recurrent "housekeeping" of information assets and how they are accessed. 

On top of this, IT security departments should also, notes the report, apply patches as quickly as possible.

Sarb Sembhi, a director of Storm Guidance, said that the report - whilst stating the obvious in many cases - has a very relevant message that there is a need for effective risk management.

"It should be clear from the report that organisations are not spending enough on their security technology. This is caused by a combination of budgets and risk issues," he said, adding that, because business is now so fundamentally reliant on IT systems, a risk-based approach to security has become a must-have requirement.

Sembhi's comments were echoed by John Walker, a visiting professor with Nottingham-Trent University, who explained that the IT security industry - rightly or wrongly - has become self-serving.

As a result, he says, we - as an industry - need security solutions that actually work, as well as meeting GRC (governance, risk and compliance) requirements.

"The problem is that we are focusing too much on GRC issues. There is now a knee-jerk response to problem of security attacks when they are discovered. We now need a realistic approach to solving the problems, and a root-cause analysis where possible," he explained.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews