David Mattos, Principal and EVP, SecureITSource, Inc.
Once again, many are wondering whether their personal information has been compromised. It is maddening to ask how and why this happened again, but the simple fact is that it will keep happening. Even the most fiercely protected networks have been compromised; the CIA and NSA are examples.
If you work in cyber security (or have lived through a breach), you may have seen the anatomy of an attack. If not, all you can picture is a guy in a hoodie in a dark room doing "something" on a computer. The truth is that an attack can take weeks, months, or even years to unfold. For meatier targets, criminals are very patient, and very thorough, both in reconnaissance and in the final take-over. It almost always involves becoming an insider by impersonating a legitimate employee. Cyber surveillance, physical surveillance, bugs, cameras, and physical entry can all be part of an attack. Bottom line: if an attacker wants in, very little can stop them completely. But by layering protection (one gate, another hurdle, a closed door) you can slow them down, just enough for one of your detection tools, or an ultra-alert human, to stop them in their tracks.
When looking at the risks of credential theft, impersonation, lateral movement, and total network takeover, the key question is "where do we start?" One place is privileged access and the layers you put in place to protect privileged assets with a solution such as CyberArk. Privileged accounts matter because they are the keys to your kingdom.
Recommendation 1: Restrict privileged access to tier-0 and high-value systems, most commonly domain/enterprise admin access to Domain Controllers. Do this in conjunction with multifactor authentication (Okta), identity management (SailPoint), and proper network segmentation and tiering. Once the access path is established, monitor behavior on those systems and block known bad processes.
- Impersonation of a privileged user enables a total network takeover, for example through Kerberos attacks such as a Golden Ticket, which lets an attacker forge tickets for any account once the krbtgt hash has been taken from a Domain Controller.
- Access to critical assets is often part of some users' day-to-day work, which makes it hard to tell legitimate use apart from an outsider impersonating that user or a rogue insider.
- Often the same account used to reach the high-value systems is also used for all production support, so the operational impact of managing that account is very high.
Benefits: Multiple layers of security and control are key to mitigating the risks of credential theft, impersonation, and total network takeover. Creating credential boundaries and decoupling the user from the account devalues any single credential: the attacker now has to steal several things to get to several places. If an account is compromised, the attacker should still not be able to connect directly to the high-value asset. Even if the attacker does impersonate the user and reach the asset, the observed behavior will differ from the user's normal pattern, and blacklisting of known bad processes can be applied. The recommendation addresses both rogue insiders and outsiders impersonating insiders.
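The tiering described above only works if someone checks that credentials stay inside their tier. The following Python check, added here as an example (it is not CyberArk's code or tooling from the article), runs a tier-boundary rule over a handful of constructed logon events modelled on the fields of Windows security event 4624. The host and account tiers, the host names, and the events themselves are assumptions made for the example.

```python
"""Tier-boundary check over constructed Windows logon events.

Added example: the tier model and the events below are invented to show the
check; nothing here comes from CyberArk or the article's own tooling.
"""
from collections import namedtuple

# Assumed tier model: tier 0 = domain controllers and the PAM vault,
# tier 1 = member servers, tier 2 = workstations.
HOST_TIER = {
    "DC01": 0, "DC02": 0, "PAMVAULT01": 0,
    "APP01": 1, "SQL01": 1,
    "WS-FIN-07": 2, "WS-DEV-12": 2,
}
# Each person gets one account per tier; an account may only be used on
# hosts of its own tier (assumed policy).
ACCOUNT_TIER = {
    "da-jsmith": 0,    # domain admin
    "srv-jsmith": 1,   # server admin
    "jsmith": 2,       # everyday user
    "svc-backup": 1,   # service account for the backup platform
}

# Logon types as recorded in event 4624: 2 = console, 10 = RDP. Both leave
# the credential cached on the target, where malware can dump it.
INTERACTIVE = {2, 10}

Finding = namedtuple("Finding", "rule account host detail")


def check_event(ev):
    """Return a Finding when a logon crosses a tier boundary, else None."""
    acct_tier = ACCOUNT_TIER.get(ev["account"])
    host_tier = HOST_TIER.get(ev["host"])
    if acct_tier is None or host_tier is None:
        return Finding("unknown-principal", ev["account"], ev["host"],
                       "account or host is not in the tier model")
    if acct_tier < host_tier:
        # A higher-tier credential used on a less trusted host. An interactive
        # logon is the worst case: the secret now sits on a machine that a
        # phishing e-mail can own.
        how = "interactive" if ev["logon_type"] in INTERACTIVE else "network"
        return Finding("credential-exposure", ev["account"], ev["host"],
                       f"tier-{acct_tier} account used on tier-{host_tier} host ({how} logon)")
    if acct_tier > host_tier:
        # A lower-tier identity reaching a more sensitive host: either a
        # misconfigured ACL or lateral movement toward tier 0.
        return Finding("tier-violation", ev["account"], ev["host"],
                       f"tier-{acct_tier} account reached tier-{host_tier} host")
    return None


def scan(events):
    """Run check_event over a list of events; keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample events (account, target host, logon type, as in 4624).
EVENTS = [
    {"ts": "2017-09-12T08:01:05", "account": "da-jsmith", "host": "DC01", "logon_type": 10},       # fine
    {"ts": "2017-09-12T08:03:40", "account": "jsmith", "host": "WS-FIN-07", "logon_type": 2},      # fine
    {"ts": "2017-09-12T08:15:12", "account": "da-jsmith", "host": "WS-DEV-12", "logon_type": 10},  # DA on a workstation
    {"ts": "2017-09-12T09:02:33", "account": "srv-jsmith", "host": "DC02", "logon_type": 3},       # server admin on a DC
    {"ts": "2017-09-12T09:30:00", "account": "svc-backup", "host": "DC01", "logon_type": 3},       # service account on a DC
    {"ts": "2017-09-12T10:11:09", "account": "bob.contractor", "host": "SQL01", "logon_type": 10}, # nobody classified this account
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:20} {f.account:15} -> {f.host:10} {f.detail}")
```

The fourth and fifth events are the hard case from the bullets above: a backup service account and a server admin touching a Domain Controller may be somebody's daily routine, yet they are exactly what a tier model says must not happen. The check does not decide whether the activity is malicious; it surfaces the boundary crossing so that the account is either moved to tier 0 and vaulted or the access is removed.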
Recommendation 2: Remove local admin rights and apply greylisting on high-value user systems such as the laptops/workstations of finance staff, developers, domain admins, or HR.
- Each organization will identify its own subset of high-value endpoints. Attackers target these systems with phishing or similar methods to "land".
- An organization's high-value endpoints are valuable to attackers as a way to impersonate the user to critical systems, plant malware, or gain higher permissions for lateral movement.
- Organizations often struggle to apply proper whitelisting or to remove local admin rights for complex or external high-value users, such as developers and vendors, because of the perceived operational risk and impact to the business; as a result, the best practice frequently goes unapplied.
- Attackers have many vectors into the network, so even if they do not land on the critical user's endpoint, they will map the network and move laterally toward that system.
Benefits: Greylisting prevents fraudulent processes from reaching sensitive data or installing malicious code. It is also an effective control against threats like ransomware, which can run as a non-privileged user. The same greylisting is a precursor to a good whitelisting program: it silently collects the privilege escalations that are actually needed, without any impact on operations or current access. Removing users' local admin rights is a common best practice and has been shown to limit malware infections.
Recommendation 3: Randomize built-in admin passwords on the most common platforms. Examples are the local Administrator account on Windows, root on Unix/Linux, and sa on SQL Server or SYS and SYSTEM on Oracle.
- Attackers rely on the ability to move laterally across technologies with large footprints such as servers, desktops, and databases.
- Organizations struggle to change passwords frequently. Even when a password is changed to something complex and random, it is frequently the same on many endpoints, so one stolen password or hash works everywhere.
- Privileged access can be represented, stolen, and misused in many forms, including passwords, tokens, and keys.
- Disabling and renaming built-in accounts is a good practice, but the accounts almost always still exist and still represent risk.
Benefits: Unique, complex credentials create boundaries between systems and stop an attacker from stealing one set of credentials and using it in many places. Built-in accounts are seldom used day to day, so rotating them has minimal user and business impact. Frequent rotation of built-in accounts to strong, randomly generated passwords is part of most audit and compliance requirements.
Recommendation 4: Protect high-value service accounts used for automation, discovery, and vulnerability management by removing their persistence on systems and devices. Critical accounts and keys should be retrieved dynamically at run time and changed frequently. Common examples are:
- Vulnerability management: QualysGuard, Rapid7, Tenable Nessus, and McAfee Vulnerability Manager
- Automation: Puppet, Ansible, Jenkins, Docker, and EC2
- Discovery: Service-Now Discovery, HP Universal Discovery, and ForeScout CounterAct
- Sensitive service accounts are at risk not only when left unchanged and hard-coded, but also when exposed to end users and during import/update processes.
- Because of the elastic nature of DevOps and infrastructure as a service, the scope for lateral movement, and the lack of credential boundaries, grows dramatically with these highly permissioned accounts.
- Many scans and discovery jobs run outside regular hours to limit network impact, which makes manually changing and rotating their credentials nearly impossible.
- Attackers use these accounts, which have high levels of access to nearly every system in the environment, as an easy gateway for lateral movement and further credential theft.
Benefits: Companies can immediately protect high-value accounts that are frequently targeted in penetration tests and in live attacks by criminals or red teams. Even though the systems themselves are short-lived, the accounts used in templates and to create them are no longer static.
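Recommendations 3 and 4 share one mechanism: a credential that is unique per system, rotated on a schedule, and, for service accounts, handed out only for the duration of a job and changed afterwards. The Python model below is added here as an example of both behaviours in one toy in-memory vault; it is not CyberArk's API or code from the article. The host names, account names, 30-day rotation policy, and lease length are assumptions.

```python
"""Credential rotation model for built-in accounts and for service accounts.

Added example: a toy in-memory vault written for this article, not CyberArk's
API. Host names, account names and the rotation policy are assumptions.
"""
import secrets
import string
from datetime import datetime, timedelta

SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def random_password(length=24):
    """Cryptographically random password containing every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


class Vault:
    """In-memory vault with two account classes.

    built-in accounts: one unique password per host, rotated on a schedule (rec. 3)
    service accounts : handed to a job under a lease, changed at check-in (rec. 4)
    """

    def __init__(self, now=None, rotation_days=30):
        self.now = now or datetime.now()
        self.rotation = timedelta(days=rotation_days)
        self.builtin = {}   # (host, account) -> {"password", "changed"}
        self.service = {}   # account -> {"password", "lease_until"}

    def advance(self, days=0, minutes=0):
        """Move the vault clock forward (simulated time for the demo)."""
        self.now += timedelta(days=days, minutes=minutes)

    # --- built-in accounts: local Administrator, root, sa ... ----------------
    def onboard_builtin(self, host, account):
        """Replace whatever the host shipped with by a password nobody knows."""
        self.builtin[(host, account)] = {"password": random_password(),
                                         "changed": self.now}

    def rotate_due(self):
        """Rotate every built-in password older than the policy; return what changed."""
        rotated = []
        for key, rec in self.builtin.items():
            if self.now - rec["changed"] >= self.rotation:
                rec["password"] = random_password()
                rec["changed"] = self.now
                rotated.append(key)
        return rotated

    def audit_reuse(self):
        """Groups of hosts sharing one password: one stolen hash opens all of them."""
        by_password = {}
        for key, rec in self.builtin.items():
            by_password.setdefault(rec["password"], []).append(key)
        return [hosts for hosts in by_password.values() if len(hosts) > 1]

    # --- service accounts: scanner, automation, discovery ----------------------
    def checkout(self, account, lease_minutes=60):
        """Hand the current secret to a job for a bounded time, one job at a time."""
        rec = self.service.setdefault(account, {"password": random_password(),
                                                "lease_until": None})
        if rec["lease_until"] is not None and rec["lease_until"] > self.now:
            raise RuntimeError(f"{account} is already checked out")
        rec["lease_until"] = self.now + timedelta(minutes=lease_minutes)
        return rec["password"]

    def checkin(self, account):
        """Job finished: end the lease and change the secret, so a copy left in a
        log, a config file or the scanner's memory is no longer valid."""
        rec = self.service[account]
        rec["lease_until"] = None
        rec["password"] = random_password()

    def expire_leases(self):
        """Housekeeping: a job that never checked in still loses its secret."""
        expired = []
        for account, rec in self.service.items():
            if rec["lease_until"] is not None and rec["lease_until"] <= self.now:
                rec["lease_until"] = None
                rec["password"] = random_password()
                expired.append(account)
        return expired

    def verify(self, account, password):
        """What the target system checks: does the presented secret match the current one?"""
        rec = self.service.get(account)
        return rec is not None and secrets.compare_digest(rec["password"], password)


if __name__ == "__main__":
    v = Vault()
    v.onboard_builtin("WS-FIN-07", "Administrator")
    v.onboard_builtin("APP01", "Administrator")
    print("shared passwords:", v.audit_reuse())
    pw = v.checkout("svc-qualys", lease_minutes=30)   # scanner starts
    v.checkin("svc-qualys")                           # scan done, secret rotated
    print("old scanner password still valid:", v.verify("svc-qualys", pw))
```

The point of the two-step checkout/checkin is in the last line of the demo: once the scan finishes, whatever copy of the password the scanner, its logs, or a captured network session still holds no longer authenticates. The same `expire_leases` sweep covers the overnight jobs that never report back.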
Recommendation 5: Protect the new high-impact levels of access to the modern data center, such as virtual consoles and the keys for public and private cloud.
- Public cloud providers such as AWS give each customer a root account whose access keys have unrestricted access to the environment. These keys can be deleted and rotated (AWS advises not creating root access keys at all and protecting the root user with MFA), but in practice they are often left static and unprotected. Stealing them lets an attacker compromise the environment in multiple ways.
- Virtual console access buys an attacker time: copies or snapshots of systems can be created and compromised offline, out of sight of production monitoring. This level of access is also the heart of cloud operations and can shut down or disrupt a business from a single point of compromise.
Benefits: Storing, isolating, and rotating the credentials used for critical access decouples the privileged access from the individual, giving the organization much more control over what people do and when. Recording these sessions also produces a thorough audit trail that feeds a security analytics or big data program.
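For the AWS part of this recommendation, the first check a practitioner runs is the IAM credential report. The Python audit below is added here as an example (not code from the article or CyberArk) and runs over a constructed report in the column layout returned by `aws iam get-credential-report`; the account id, user names, dates, and the 90-day key-age threshold are invented for the example.

```python
"""Audit of an IAM credential report for the cloud-key risks in recommendation 5.

Added example: the report text is constructed, with an invented account id,
user names and dates, in the column layout of `aws iam get-credential-report`
(the command returns base64-encoded CSV; the decoded text is used here).
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2014-03-02T10:11:12+00:00,not_supported,2017-09-01T08:00:00+00:00,not_supported,not_supported,false,true,2014-03-02T10:15:00+00:00,2017-09-10T12:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-01-15T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-01-15T09:01:00+00:00,2017-09-11T01:00:00+00:00,us-west-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-05-01T09:00:00+00:00,true,2017-09-11T14:00:00+00:00,2017-08-20T09:00:00+00:00,2017-11-18T09:00:00+00:00,true,true,2017-08-20T09:05:00+00:00,2017-09-11T13:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

AS_OF = datetime(2017, 9, 12, tzinfo=timezone.utc)   # assumed audit date


def _date(value):
    """Report dates are ISO 8601; N/A, not_supported, no_information mean 'none'."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def audit_report(report_text, as_of=AS_OF, max_key_age_days=90):
    """Return (rule, user, detail) findings for root exposure and stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append(("root-no-mfa", user,
                             "root sign-in is not protected by MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                # A long-lived root key is the 'single point of compromise' of the
                # recommendation: nothing in IAM can scope or deny it.
                findings.append(("root-access-key", user,
                                 f"access key {n} exists for root; delete it"))
            rotated = _date(row[f"access_key_{n}_last_rotated"])
            age = None if rotated is None else (as_of - rotated).days
            if age is None or age > max_key_age_days:
                findings.append(("stale-key", user,
                                 f"access key {n} last rotated {age} days ago"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit_report(SAMPLE_REPORT):
        print(f"{rule:16} {user:16} {detail}")
```

Against a real account, fetch the report with `aws iam get-credential-report`, base64-decode the `Content` field, and pass the text to `audit_report`. In the sample, `alice` (MFA on, key 23 days old) produces no finding, while the root user and the 20-month-old automation key do.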