Authored by: Morey J. Haber, CTO, CISO, BeyondTrust
Earlier this year, BeyondTrust published its annual Privileged Access Threat Report. The report surveyed over 1,000 participants to gauge the perceived threats facing organisations and the risks posed by privileged attack vectors. The results include some noteworthy statistics on breaches and poor cyber security practices:
64% of respondents thought it likely they have suffered a breach due to employee access, and 58% indicated they have likely suffered a breach due to vendor access.
62% of respondents are worried about the unintentional mishandling of sensitive data by employees based on the following poor security practices:
Writing down passwords (60%)
Downloading data onto an external memory stick (60%)
Sending files to personal email accounts (60%)
Telling colleagues their passwords (58%)
Logging in over unsecured WiFi (57%)
Staying logged on (56%)
71% of organisations agree that they would be more secure if they restricted employee device access.
With these statistics in mind, what are the attack vectors behind these opinions? If we consider the 2019 Verizon Data Breach Investigations Report (DBIR), we clearly see that the Use of Stolen Credentials is the second most common threat action performed by threat actors when breaching an environment (Figure 12, Top threat action varieties in breaches), just below Phishing, and that it is the leading Hacking variety illustrated in Figure 13. The most common place stolen credentials are used is mail servers. Unfortunately, the actual techniques used for obtaining and applying stolen credentials are not covered in the report, but they can be summarised as the following privileged attack vectors, all of which support those findings:
Dictionary Attacks or Rainbow Tables
Brute Force Attack
Pass the Hash or Other Memory Scraping Techniques
Security Question Social Engineering
Account Hijacking Based on Predictable Password Resets
Vulnerabilities and Exploits
Malware like Keystroke Loggers
Social Engineering including Phishing
MFA Flaws using Weak 2FA like SMS
Default System or Application Credentials
Anonymous or Enabled Guest Access
Predictable Password Patterns
Shared or Unmanaged Stale Credentials
Reused Passwords or Credentials
Shadow or Obsolete (Former Employee) Credentials
Various Hybrid Credential Attacks Based on Variations Above like Spray Attacks
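Two of the vectors listed above, Brute Force and Spray Attacks, leave distinct footprints in authentication logs. The following is an added example (not from the article or from BeyondTrust) that classifies failed-logon patterns per source address and flags a success that follows a flagged pattern as a probable stolen credential; the log line format and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication events (not from the article). The line
# format "<timestamp> <FAIL|OK> user=<account> src=<ip>" is hypothetical.
SAMPLE_LOG = """\
2019-06-01T08:00:01 FAIL user=alice src=203.0.113.10
2019-06-01T08:00:02 FAIL user=alice src=203.0.113.10
2019-06-01T08:00:03 FAIL user=alice src=203.0.113.10
2019-06-01T08:00:04 FAIL user=alice src=203.0.113.10
2019-06-01T08:00:05 OK user=alice src=203.0.113.10
2019-06-01T08:10:00 FAIL user=bob src=198.51.100.7
2019-06-01T08:10:01 FAIL user=carol src=198.51.100.7
2019-06-01T08:10:02 FAIL user=dave src=198.51.100.7
2019-06-01T08:10:03 FAIL user=erin src=198.51.100.7
2019-06-01T09:00:00 FAIL user=grace src=192.0.2.5
2019-06-01T09:00:10 OK user=grace src=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log):
    """Return (timestamp, result, user, src) tuples for well-formed lines."""
    return [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]

def classify_sources(events, threshold=4):
    """Per source IP: 'brute-force' (>= threshold failures against one
    account), 'password-spray' (failures spread over >= threshold accounts),
    else 'benign'. A success after a flagged pattern marks the source as
    likely holding a now-stolen credential."""
    stats = defaultdict(lambda: {"fails": 0, "accounts": set(), "fail_then_ok": False})
    for _ts, result, user, src in events:
        s = stats[src]
        if result == "FAIL":
            s["fails"] += 1
            s["accounts"].add(user)
        elif s["fails"]:
            s["fail_then_ok"] = True
    findings = {}
    for src, s in stats.items():
        n_acc = len(s["accounts"])
        if s["fails"] >= threshold and n_acc == 1:
            label = "brute-force"
        elif n_acc >= threshold:
            label = "password-spray"
        else:
            label = "benign"
        findings[src] = {"label": label, "accounts": n_acc, "fails": s["fails"],
                         "likely_compromised": label != "benign" and s["fail_then_ok"]}
    return findings
```

A single mistyped password followed by a success (the 192.0.2.5 source) stays benign, which is why the threshold matters more than the mere presence of a failure before a success.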
Therefore, if we conclude that more than half of employees and vendors have been the source of a breach, and that poor cyber security hygiene for credentials and passwords is the leading cause, we can readily deduce that the privileged attacks listed above are the root causes, based on the Verizon DBIR statistics for breaches and hacking. The data is consistent and leads to the conclusion that organisations and users should adopt a mitigation strategy for these privileged attack vectors. The question is how.
To begin, consider the following cyber security best practices for every organisation regarding credential and password management:
All privileged accounts (administrator and root) should be monitored for appropriate activity and have proper certifications based on roles and ownership.
Users should perform their daily functions as a Standard User and only use a privileged account when appropriate.
When possible, administrative privileges should be removed or eliminated, and end users, administrators, DevOps processes, and RPA (Robotic Process Automation) should operate using the concepts of Least Privilege.
All accounts, regardless of operating system or application, should have a unique password whenever and wherever possible; their rotation and management are subject to decisions based on regulatory compliance and other security best practices such as NIST guidance.
All sessions, locally initiated or remotely started, should honor all of the best practices listed above.
While you may consider this a very short list, implementing these concepts may seem daunting and unachievable for most organisations. The truth of the matter is that it should not be. These practices are all practical and just need the adoption of a formal Privileged Access Management (PAM) program to reduce risk, mitigate the attack vectors, and adhere to cyber security best practices. To that end, a successful PAM journey within an organisation encompasses:
Password Management for rotation and check-in and check-out of passwords.
Session Management for recording, indexing, filtering, and documenting all interactive sessions.
Endpoint Least Privilege Management to remove administrative or root privileges on any platform, including Windows, macOS, Unix, Linux, and even network devices like routers, switches, printers, and IoT devices.
Remote Access to establish sessions based on personas like vendors or help desk staff with least privilege credentials and the need to share credentials with approved operators.
Directory Bridging to consolidate logon accounts across non-Windows systems like Unix and Linux and have users, regardless of persona, authenticate using their Active Directory credentials in lieu of local accounts.
User Behavior Analytics and Reporting to provide complete attestation reporting, certifications, and alerting on inappropriate behavior based on privileged usage.
The complete integration of all the items above with an organisation's established ecosystem for change management, ticketing, operational workflow, and security information and event management (SIEM).
These capabilities ensure that credentials and passwords cannot (easily) be stolen for hacking attempts or used as the basis for a breach. In addition, if they are compromised, the risk surface is drastically lowered: the privileges of the credentials in use have been reduced to those of a standard user, making it more difficult for a threat actor to use privileged attack vectors (stolen credentials) as a method of compromise. For example, each credential and password pair is unique and has the lowest form of privileges, and every privileged session is fully documented.
The BeyondTrust Privileged Access Threat Report highlights the fears, knowledge, and security risks that information technology and security professionals deal with every day. The survey respondents showed that the results can be correlated and validated with other benchmarks like the Verizon Data Breach Investigations Report to highlight how threat actors are breaching organisations, and the results show that Stolen Credentials are the top method hackers rely on to navigate through an organisation. It is the easiest way for them to keep moving through resources after a breach. The privileged attack vectors responsible for stolen credentials are well known, and the cyber security best practices that mitigate them can be delivered by a successful privileged access management solution. In the future, organisations that have embarked on a PAM journey should statistically see better (lower) numbers in the Privileged Access Threat Report, since network and security professionals will have the tools and procedures to mitigate the perceived threats. This covers everything from users to vendors, credential and password weaknesses, all the way through the devices used to access organisation resources. The goal of PAM is to make the statistics in future reports irrelevant.