Privileged access: Securing cybercrime’s most coveted target
If cyberattacks seek to compromise an organisation's “crown jewels” then privileged access accounts are the “keys to the kingdom.” Not only do privileged identities provide unfettered access into an enterprise’s systems and data, but they also ease an attacker’s ability to remain undetected. Privileged identities can be used to establish persistence, escalate privileges and turn off security controls and move laterally as needed to conduct cyberattacks.
For instance, when it comes to ransomware, cybercriminals will often use stolen credentials to establish initial access before using a variety of tools and techniques to escalate privileges, terminate endpoint security agents, and dump even more credentials. Privileged credentials tend to enable lateral movement or they may be sold on to other attackers.
As a result, cybercriminals are always on the hunt for these valuable identities, knowing that all organisations have them, but very few adequately secure them.
Visibility challenges across privileged accounts
One of the biggest problems with these accounts is that organisations often have no idea how many privileged identities exist, so there is no way to monitor their use.
Privileged accounts are used by IT admins and developers to develop, maintain, and backup systems, as well as support users. They are also created regularly, for example, as needed to resolve an urgent system outage, and can be easily forgotten about after the task is completed. IT and security teams are only human and they are being stretched to do more and more every day, so it is understandable how these mistakes can easily happen. Privileged accounts also exist as non-human accounts intended to only be used by systems to automate and secure IT processes, including those in the many legacy applications and systems most organisations have.
Case in point, according to Illusive research, 87% of local admins are not enrolled in a privileged account management solution. Furthermore, 21% of admins use default account names and 62% of passwords have not been changed in more than a year. These sort of misconfigurations make accounts very susceptible to brute force password attacks.
Given the risks and the determination of cyber criminals on the hunt for privileged access accounts, how can organisations improve the security of them?
Securing Privileged Accounts through PAM
In cybersecurity the most important aspect of every programme is visibility.
Whether it be monitoring devices on a network, monitoring systems for software vulnerabilities, or monitoring for privileged identities, security teams need to know exactly what exists in their environment so all these assets can be secured.
Once privileged identities are identified, they can be managed by a PAM solution to protect their credentials before attackers exploit them. If the team implementing PAM isn’t aware of a privileged identity, then it goes unmanaged and creates risk for the company.
The key to the effectiveness of PAM solutions is not about the accounts that an organisation already knows about, but instead the many unknown privileged accounts that go unmanaged by PAM.
While PAM solutions often include some basic discovery capabilities, these discovery capabilities are often designed as a one-time process for discovering those accounts which are easiest to onboard to PAM as part of the system's initial deployment. This leaves newly created privileged accounts completely unmanaged. These PAM-provided tools are often limited in the discovery of all the account types that attackers commonly exploit using modern attacker tools like Mimikatz. Shadow Admin accounts that have unintended privileges, privileged credentials stored in the memory of endpoint admin applications, and other misconfigurations in identities have often gone undetected until they are exploited by red team exercises or cyber attackers.
IT teams who have attempted to gain this visibility, have needed to do so by collecting and managing their understanding of where privileged accounts exist with spreadsheets, and time-consuming and error-prone manual processes to maintain these spreadsheets. Even if an IT team could keep up with this manual process, there is still no guarantee that they have complete visibility. The key to success is in automation.
Solutions that can automate the comprehensive and continuous visibility into the risks that any given identity creates are necessary to mitigate these risks. With this regularly updated insight, IT teams can measure their effectiveness of managing identity-related risks, and show measurable risk reduction by prioritising identity and access management projects, such as those with PAM, MFA and SSO solutions, to best mitigate risk. Additionally, these tools can be used as an automated compliance control to reduce compliance and audit risk as well as the cost of manual internal audit efforts.
Cyber attacks, including ransomware, have become a real issue for most organisations, in part because of attackers commonly able to exploit privileged identity vulnerabilities, such as accounts that have gone unmanaged by PAM. This has caused the need for a new class of solutions called identity threat detection and response (ITDR) solutions, which include this level of visibility into identity risk and are able to detect indicators of compromise as they’re happening. The consistent and continuous assessment of risk with any identity is required to ensure security on accounts is up to date and regulatory compliance requirements are being met, thus improving overall security, while also making it significantly harder for attackers to reach these coveted accounts.