Authored by: Morey J. Haber, CTO, CISO, BeyondTrust
“Shoulder surfing” may be a near perfect personal attack vector. If you are not familiar with the concept, it is literally a threat actor looking over your shoulder and observing everything you type, see on the screen, and interact with in the physical world, including paper, pens and even removable media. Shoulder surfing is the ultimate method a threat actor can use to compromise a system because the only countermeasure is to say “no”, or to obscure the screen with a polarised filter and shield the keyboard from view. Neither, however, is typically present in a corporate environment when dealing with trusted individuals. But what about untrusted identities? This is where session monitoring fills the gap and provides a valuable tool to determine if remote access is appropriate. It is just like a trusted individual looking over your shoulder to teach or assist you in troubleshooting, configuration, or setup of a solution when the knowledge of both (or more) individuals is needed to complete the task.
But before we dive into session monitoring, we need to draw the analogy a little tighter and translate its importance to the cloud. Over the last decade, we have seen exponential growth in the number of cameras on cell phones, within homes, within businesses, and in public spaces watching for potential social disruptions. Cameras are similar to over-the-shoulder attacks because they provide a view (with optional audio) of what is occurring within their field of view or frame. Using advanced software, they can identify people (tagging), flag suspicious behavior (using AI or motion-based detection), and even see in the dark. When dealing with the cloud, there is no physical presence; it is someone else’s computer, and for the most part it is based on Linux (Windows graphical implementations in the cloud are slightly different; they follow the same model but require their own parameters when discussing session monitoring). Over-the-shoulder attacks can therefore only occur in the cloud when remote sessions are established. This is where session monitoring comes into play. It is the only way to record (like a camera) the activity of a cloud session to determine if the activity was appropriate. While this model is also true for remote sessions on-premises, it is the only viable method for the cloud due to the lack of computing ownership, physical presence, and the methods for interactive session activity available today. These are typically VNC, SSH, RDP, or HTTPS based. Session monitoring provides the documentation needed to later review, analyse, and determine whether the session was authorised, contained malicious behavior, and was appropriately conducted.
So how does session monitoring work? Depending on the protocol (this is where Windows and other graphical sessions differ), all text on the screen and all keystrokes are recorded (excluding passwords). These are inspected in real time for critical pattern matches that can trigger automated actions such as alerting, session pausing, and even session termination. The pattern list is typically defined by administrators, but most vendors provide a critical list out of the box covering database commands, lateral movement, sensitive operating system commands, and other suspicious behavior. The captured data is indexed for future searching and audit reviews, and is typically processed by a SIEM or analytics engine for advanced user behavior analysis based on time, data source, concurrent sessions, users, commands, etc. The result is as close to an over-the-shoulder recording as you can get, available for viewing or review at a later time, when no physical presence is possible. What is often overlooked is the potential sensitivity and security of the recorded sessions themselves, just like having cameras in your home. This is similar to preventing an over-the-shoulder attack from occurring in the first place: access to the recordings needs to be restricted.
Finally, not all protocols implemented for session monitoring are the same. Text-based sessions like SSH are easily captured and indexed, and alerts can be raised based on characters on the screen or entered on the keyboard. Graphical and web-based sessions are not the same. These remote sessions are typically RDP, VNC, or HTTPS (using a browser). Keystrokes and command prompts are easy to capture, but text in a graphical window can be embedded, displayed as graphics or across multiple screens, or even rendered by a plugin like Flash. This is where session monitoring benefits from also monitoring mouse clicks, processes launched, and the titles of application frames. This data is not as complete as logging everything in an SSH session, but it helps provide the visibility necessary to determine whether the remote session is appropriate and whether malicious behavior is potentially occurring. It is as close to over-the-shoulder monitoring as you can get for graphical sessions as well.
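The real-time inspection described above (recorded screen text and keystrokes with passwords excluded, matched against a critical pattern list that alerts, pauses or terminates the session) and the graphical-session events (process launches and window titles) can be sketched as a small replay engine. This is an added example, not BeyondTrust code; the rule patterns, the event format and the sample session are constructed for illustration.

```python
import re

# Constructed rule list modelled on the out-of-the-box categories the post names
# (database commands, lateral movement, sensitive OS commands). Patterns and the
# alert/pause/terminate actions are assumptions for this example, not a vendor's set.
RULES = [
    ("database",     re.compile(r"\b(drop|truncate)\s+(table|database)\b", re.I), "alert"),
    ("lateral-move", re.compile(r"^\s*(ssh|psexec|winrm)\b", re.I),              "pause"),
    ("sensitive-os", re.compile(r"^\s*(shutdown|useradd)\b", re.I),              "terminate"),
    ("sensitive-os", re.compile(r"\b(regedit|mmc)\.exe$", re.I),                 "alert"),
]
PASSWORD_PROMPT = re.compile(r"password\s*:\s*$", re.I)

def monitor_session(events):
    """Replay captured session events in order and return (transcript, actions).

    events: dicts with 'kind' in {'screen', 'keystroke', 'process', 'title'} and 'text'.
    transcript: what would be indexed for later search and audit.
    actions: (event index, rule category, action) for every pattern hit.
    Processing stops at the first 'terminate', as a killed session produces no more events.
    """
    transcript, actions = [], []
    expect_secret = False
    for i, ev in enumerate(events):
        kind, text = ev["kind"], ev["text"]
        if kind == "keystroke" and expect_secret:
            # The keystrokes typed at a password prompt are neither stored nor matched.
            transcript.append((kind, "[REDACTED]"))
            expect_secret = False
            continue
        if kind == "screen":
            expect_secret = bool(PASSWORD_PROMPT.search(text))
        transcript.append((kind, text))
        for category, pattern, action in RULES:
            if pattern.search(text):
                actions.append((i, category, action))
                if action == "terminate":
                    return transcript, actions
    return transcript, actions

SAMPLE_EVENTS = [  # constructed: an SSH text session followed by RDP-side events
    {"kind": "screen",    "text": "dbadmin@db01's password:"},
    {"kind": "keystroke", "text": "Hunter2!"},
    {"kind": "keystroke", "text": "mysql -u app -p"},
    {"kind": "screen",    "text": "Enter password:"},
    {"kind": "keystroke", "text": "app-secret"},
    {"kind": "keystroke", "text": "DROP TABLE customers;"},
    {"kind": "keystroke", "text": "ssh admin@app02"},
    {"kind": "process",   "text": "C:\\Windows\\regedit.exe"},
    {"kind": "title",     "text": "Registry Editor"},
    {"kind": "keystroke", "text": "shutdown -h now"},
    {"kind": "keystroke", "text": "ls"},  # never recorded: the session was terminated
]
```

Running `monitor_session(SAMPLE_EVENTS)` yields a transcript in which both password entries appear only as `[REDACTED]`, plus four rule hits ending in a terminate that drops the final `ls`.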
Session monitoring is a critical buying need when working with the cloud. It is the only method to observe, document, record, and detect inappropriate behavior when access is always initiated remotely. While other techniques can monitor other protocols or API-based access to the cloud, only session monitoring can capture the real-time behavior of interactive users and their interactions. And if users know they are being recorded (or shoulder surfed electronically), the deterrent alone may be enough to curb some malicious behavior, or even innocent snooping.