Cyberattackers often enter an organization’s systems through the businesses’ multitude of privileged accounts. Why? Because access to the most valuable data is often guaranteed in this way. These attacks can go undetected for a long time, usually only becoming apparent once there’s a full-blown data breach or irreversible damage to contend with. It’s important that this threat is properly managed as almost all damaging cyberattacks involve privileged account compromise. Businesses need to develop a robust privileged access security program to reduce this potential threat.
What are privileged accounts?
The first accounts that come to mind are admin accounts, but every network contains many more privileged accounts that bad actors can exploit — including any account that grants access to sensitive resources, systems, infrastructure, applications, and data. These accounts often open parts of the network that the average employee cannot reach. So it should be a priority to properly manage access to these accounts and prevent intruders from accessing and using them.
Bad actors can use privileged access to take over networks (sometimes with irreversible damage), use infrastructure accounts to reach sensitive data, use privileged accounts for lateral movement by targeting endpoints and stealing credentials, target the credentials of third-party applications (sometimes bypassing the company's defenses altogether), and target admins and privileged business users, to name a few. Any account that lets an attacker elevate their level of access and authority with each move is a valid target. All of these types of attacks can lead to serious damage, and all involve privileged account access.
Attackers aim to gain control of as many privileged accounts as they can. This allows the highest chance of access and agile movement within the company’s network so that they have a better chance of achieving their desired goal. Most of the time this involves compromising the company’s critical data. Attackers are pretty patient. They have the resources and the time on their side, and with enough time they will obtain the strategic set of privileged credentials that they need.
Possible privileged accounts attack process
More often than not, attackers start by exploiting a known vulnerability, perhaps an unpatched system, and use the initial endpoint as a base within the company to work from. They use every credential they find and steal along the way to gain traction, navigate further into the network and move towards their goal. Generally, it's a systematic process. First, they get a foothold by exploiting a vulnerability. Then, they obtain privileged credentials. Using tools and manipulation, they use that privileged access to move laterally through the network towards their target. They repeat this process until they gain the access they need and reach their desired outcome. Attackers often use malware, social engineering, malicious tools — anything in their power to gain the privileged credentials they need. Unsuspecting employees are usually happy to oblige (unknowingly — of course).
Why so popular?
Attackers are always looking for the least challenging way in. So, if this route is viable, left open, and does not offer much of a challenge, attackers will choose it over riskier and more difficult attack routes. Using privileged accounts as an attack vector lets criminals follow a methodical process to obtain the valuable data they want. A lot of the time, this type of attack goes undetected until the damage has escalated, so attackers have the time to have a good look around and make a success of their attack. Cybercriminals favor this type of attack because they are aware of many companies' weaknesses that play to their advantage. For example, many companies still respond reactively to breaches instead of taking a more preventative approach, and when this is the case, detection of such an attack is unlikely.
Also, employees with privileged access usually have particular roles in the company. Attackers know this and use it to their advantage. They know that these individuals (their accounts and behaviors) are not as closely monitored as others might be. So, with relative ease, they can get the credentials and access that they need and move through networks unobserved.
Targeting privileged accounts with elevated access allows attackers to infiltrate and exploit any associated privileges and use the accounts to benefit their cause.
Fight back with a layered defense
Layered security works well to protect against this threat. Build layers so that each separate barrier functions specifically, but when they are working together the composite protection gives a superior defense. These layers of security are crucial, especially since the attack process happens at different levels and in stages. You need to put yourself in the attacker’s shoes. Consider the attack tactics they use (there are loads), then aim to reduce the threat potential at each step. Attackers will exploit endpoints, steal credentials, exploit a multitude of privileged accounts, and manipulate people. They will use methods like malware, social engineering, phishing, and spear phishing attacks and will exploit unaddressed gaps and vulnerabilities. So protection is needed for all represented potential threats at each stage of the attack.
Defend at every stage
1. Educate employees
In many organizations, efforts placed on employee education or encouraging threat and security awareness leave much to be desired. Employees are often unaware that their actions may result in a major security breach, and this is directly related to the company not prioritizing essential training and keeping it engaging, current, and frequent. Users are ultimately a primary entry point for any attack and are easily manipulated into handing over information and credentials that can be used to further the attack. Educated users are more aware and are more likely to be suspicious of untoward activity, including scheming behaviors, sham emails, and malicious links. It's important that employees know what to look out for: the types of attacks and the methods attackers use to enter an organization. Education is an important part of defending against privileged account attacks. The entire organization needs to feel part of the process and know the importance of their contribution to securing the company and its critical assets.
2. Manage gaps and vulnerabilities
Identify the security gaps in your systems and fix them. Keep systems updated and patched. This is fundamental, as vulnerabilities are constantly being found and exploited. The longer a vulnerability is left unresolved, the more time is available for attackers to find a way to exploit it. It can take time and effort to manage vulnerabilities effectively and continuously, but it is necessary and well worth it. If it means procuring the professional services needed to get it done correctly, then that is what needs to happen. It can't be ignored. Keep your entire network in check, continuously detecting and fixing vulnerabilities. Automation tools can be very useful for this too.
3. Protect the endpoints
Endpoints are often used as a footing to initiate an attack and are a means to navigate laterally through a network. Protect each one of them. Put defenses in place so that your endpoints cannot be used against you. Layer your defense and protection. It works.
4. Lock down access to privileged accounts
Identify which accounts are privileged accounts so that you can manage and protect them effectively. Understandably, this is a complex process because of the dynamic environments of many organizations, which often include on-premises, cloud, and hybrid resources. It is a necessary process, though: only once you've figured this out can you really understand your company's unique threat potential and manage it appropriately. A privileged account inventory is a good way to organize this and is helpful when deciding how to apply defensive actions to each account. Many companies have nowhere near enough control over privileged actions, accounts, and credentials, which makes detecting exploitation of these privileged accounts challenging.
Also, situations exist where people have privileged access when they shouldn’t and organizations are not even aware. Ex-employees, for example, often find that their access credentials continue to work even though they have been absent from a company for many months — they can still access privileged accounts using their old credentials. This type of situation should not be happening. Prevent access to privileged accounts by using practices such as the principle of least privilege. Only allow the privileges necessary to fulfill a job. The least amount of privilege is best — always.
Ensure that access to privileged accounts is controlled and managed appropriately at all times. Audit the use of privileged accounts — no matter who is accessing them. Avoid anonymous and unlimited access at all costs. Consider setting limits for dedicated use within predetermined time sessions, or restrict where a privileged account can be accessed from; for example, don't allow remote access, or at least limit it. Any way that the organization can limit access and manage it effectively should be considered. This way, behavior outside of the norm and malicious activity can be more easily detected.
5. Manage and secure privileged accounts and credentials
Credentials to privileged accounts must be properly managed, and they should not be handed out haphazardly. The first prerequisite for gaining access to sensitive areas that are off-limits to most is credentials, and this is also where the first mistakes are often made. In business, the employees responsible for these credentials (administrative credentials, for example) often don't think twice before sharing them with others. Often, the credentials are not even shared or stored securely — it's done inappropriately. This mismanagement leads to credentials ending up where they shouldn't and in the wrong hands. Additionally, when they are not periodically changed and are reused across multiple privileged accounts, the risk increases. Ensure that privileged credentials are controlled, secured, changed regularly, not shared, and that their use is audited. Use multifactor authentication. All of these tactics go a long way to help, and if credentials are properly managed, any abuse of them is more noticeable.
6. Monitor and detect
Monitoring gives better insight into the activity taking place. Looking at behavior patterns (how credentials and privileged accounts are used) is essential so that normal activity can be established as a baseline and anything out of the ordinary is picked up. Detecting suspicious use by identifying changes in behavior patterns helps to surface inappropriate use of privileged accounts, potential attacks, and malicious activity. An automated process is well suited to this. Reports are an important part of the process, but only if they are actionable, so that the organization can learn from what has occurred and use the information to improve security.
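As an added example that is not part of the original article, the following script ties sections 4 and 6 together: a constructed privileged-account inventory (active flag, expected source hosts, expected hours) serves as the baseline, and constructed logon records are checked against it for departed accounts still authenticating, unexpected hosts, off-hours use, accounts missing from the inventory, and bursts of failures. The inventory fields, host names and log format are this example's assumptions, not any product's schema.

```python
from collections import defaultdict

# Constructed privileged-account inventory (the article's section 4): is the
# account still active, and from which hosts and hours is its use expected?
INVENTORY = {
    "adm_jsmith": {"active": True,  "hosts": {"jump01", "jump02"}, "hours": range(8, 19)},
    "adm_former": {"active": False, "hosts": {"jump01"},           "hours": range(8, 19)},
}

# Constructed sample log of privileged logons, "user,source_host,hour,result".
SAMPLE_LOG = """\
adm_jsmith,jump01,09,success
adm_former,jump01,10,success
adm_jsmith,ws-finance-17,03,success
adm_jsmith,jump02,14,failure
adm_jsmith,jump02,14,failure
adm_jsmith,jump02,14,failure
root,db01,12,success
"""

def parse_line(line):
    user, host, hour, result = line.strip().split(",")
    return user, host, int(hour), result

def check_event(user, host, hour, result):
    """Compare one event against the inventory baseline; return findings."""
    entry = INVENTORY.get(user)
    if entry is None:
        return [f"{user}: logon by account not in the privileged inventory"]
    findings = []
    if not entry["active"] and result == "success":
        findings.append(f"{user}: disabled/departed account still authenticating")
    if host not in entry["hosts"]:
        findings.append(f"{user}: logon from unexpected host {host}")
    if hour not in entry["hours"]:
        findings.append(f"{user}: logon outside expected hours ({hour:02d}:00)")
    return findings

def analyze(log_text, failure_threshold=3):
    """Per-event checks plus a repeated-failure rule no single event reveals."""
    findings, failures = [], defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            user, host, hour, result = parse_line(line)
            findings.extend(check_event(user, host, hour, result))
            if result == "failure":
                failures[(user, host)] += 1
    for (user, host), n in failures.items():
        if n >= failure_threshold:
            findings.append(f"{user}: {n} failed logons from {host} in one batch")
    return findings
```

Running `analyze(SAMPLE_LOG)` on the constructed log yields five findings; the one normal logon produces none, which is the point of having the baseline.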
Stop attackers from using your systems against you
Just as intruders follow a systematic process to exploit privileged accounts for their own gain, organizations need to follow a strategic method to take back control of privileged accounts and better manage and secure them and their wider systems to prevent this type of abuse. The aim should be an actionable plan that stops attackers from using your privileged accounts and systems against you. Organizations need to improve security by reducing the attack surface, lessening the chance of data breaches and damage from cyberattacks. Improving overall security is only achievable by removing as many potential threat areas as possible, and where a threat can't be removed entirely (which is often the case), managing the threat and its potential risk is essential.
If the potential for this threat is not managed, the risk potential for a breach is high.