2017 has been a big year for hackers. We've seen a whole host of attacks taking many different forms and private and public sector organisations suffering as a result. In tandem, businesses are being tasked with innovating faster than ever before. With new technologies such as AI and machine learning on the horizon and organisations struggling with the security implications of cloud technologies and shadow IT, gaps are emerging which are leaving businesses exposed. All this is taking place in the context of changing regulation and increased scrutiny, particularly as we creep closer to GDPR coming into force. It's certainly a complex picture.
Take digital disruption for instance. Simply stating that an organisation has a new digital strategy in place or is looking to innovate quickly could place it in the spotlight of hackers. An increasing focus on DevOps and innovation is just one example which often leads to security falling by the wayside. Research of 1,300 IT security decision makers, DevOps and app developer professionals this month revealed that 75 percent of organisations report no strategy to manage and secure DevOps secrets, and over a third (37 percent) of DevOps professionals recognise compromised DevOps tools and environments as one of their organisation's greatest security vulnerabilities. Organisations are therefore leaving themselves exposed, undermining any innovations they are able to deliver by risking corporate and customer data.
One of the best ways for organisations to lock down data and ensure their “crown jewels” can only be accessed by those necessary is by implementing a privileged account strategy. As we have seen in many attacks this year, stolen credentials can used time and time again, and at every stage of attacks - be that infiltration, lateral movement within an organisation's perimeters, or data exfiltration. These threats will only increase as hackers find new methods of attack, so we have looked at the trends emerging from hackers this year and put together a forecast for the attack vectors we're likely to see more of in the coming months:
- Clouds and fog — Migration to cloud infrastructure, whether it be private or public, will continue to be a sore subject for access and privilege management, and operations visibility. Security operation centres (SOC) teams controlling and monitoring privileged activity might not have the visibility required to spot targeted malicious or suspicious activity in time. Though opportunistic attacks are likely to still be uncovered faster as these attacks are often “loud” by their very nature, attackers taking a more targeted approach may remain undetected for much longer. Therefore, time for detection (which is currently about 110 days on average) might rise again to the levels seen two to three years ago (220 days and above). Consequently, organisations must have adequate protection for their data in advance, and not rely on responding to threats as they occur.
- Two-factor vs Single Sign On (SSO) — As cloud becomes the standard infrastructure for enterprise services, Single-Sign-On mechanisms will become common and necessary; users will benefit from smooth operations without the need to type in passwords regularly. SSO mechanisms only require users to insert their password once a day or so, using a token near the end-point to access provided services. If two-factor is deployed, the user will have to authenticate to get this token, which should have a sufficient life span to allow the user password-less work time.
From the attacker perspective, hackers inside networks will embrace technologies that allow them to bypass two-factor authentication and use legitimate tokens issued to the user. To counter that vector, organisations will have to monitor privileged accounts actions closely and limit SSO mechanisms to services and users that do not pose immense risk to the organisation.
- Accurate privileges — As privileged account management and protection becomes second nature to security teams, attackers will have to adapt and use credentials with the least privileges they require to avoid being exposed. Attackers will therefore create new accounts with specific privileges or modify non-privileged accounts with permissions to gain access to additional data or areas of the network. This will help them avoid restrictions and potential exposure by the SOC teams. This form of attack will require organisations to continuously monitor the privileges of all accounts, specifically when these are changed.
As new forms of attacks emerge and traditional forms of defence falter, now is the time for organisations to take a more meaningful look at their security practices and put in place a cohesive plan. This coordination will require buy-in across any given organisation, but with hackers lining up to demonstrate business vulnerabilities, time is running out to get on the front foot.
Contributed by Lavi Lazarovitz, Security Researcher Team Lead, CyberArk
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.