From Saudi Aramco to Global Payments to the US Chamber of Commerce, many of the recent high-profile attacks and sophisticated malware campaigns have targeted and leveraged privileged accounts. These incidents show that current efforts to protect businesses and organizations from this kind of attack fall short. Relying on anti-virus software and perimeter security has left privileged accounts exposed to outside threats. As attackers become more adept and sophisticated, new ways of shielding accounts must be considered, and that includes privileged account security.
Privileged accounts are often thought of as only the accounts used internally by IT and system-administration staff. In fact, the category also covers the accounts behind default and hardcoded passwords, the service and application accounts that use them, application backdoors, and more. What all of these accounts have in common is that they act as a gateway to an organization's most sensitive data.
Traditionally regarded as a weakness that only insiders could exploit, these accounts are also used by external attackers to carry out some of the most devastating advanced attacks.
Attackers get through the enterprise perimeter by familiar means such as spear phishing, malware and zero-day exploits, then immediately target privileged accounts to gain widespread access to the rest of the network. The 2012 Verizon Data Breach Investigations Report noted that several of the primary attack vectors used by hackers involved privileged credentials. These advanced attacks usually begin with a breach of the perimeter and the establishment of a beachhead, typically through attacks that are very hard to fully protect against because they rely on the human element. Sooner or later an employee will click a link, open an email attachment, or visit an infected website. These simple acts open the enterprise doorway to attackers and let them bypass firewalls, anti-virus, and similar perimeter defenses.
Once inside, attackers escalate their privileges, which lets them move around the network undetected, access valuable information almost at will, and cover their tracks. Escalating privileges, or simply using a stolen password, is much easier than it sounds.
For instance, the default passwords for a great deal of enterprise software can easily be found online, and the organizations deploying that software rarely change or manage them.
Once an attacker knows such a password, they only need to be let into the network by the means described above. From there they can move through the network as if they were a privileged employee, such as an IT or network administrator or a top executive. Attackers can also infect an individual employee's machine, wait for an IT staffer to log on to fix it, and record the administrative password as it is entered.
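As a first practical check against the default and unmanaged passwords described above, here is an added example that is not part of the original article. It audits a constructed inventory of privileged credentials and flags vendor defaults still in place, passwords never rotated or older than an assumed 90-day policy, and, going one step beyond the text, the same password reused across several hosts, which is what turns one captured credential into free movement between machines. The product names, default list, inventory and audit date are all assumptions made for the example.

```python
"""Audit an inventory of privileged credentials for vendor default passwords
that were never changed, passwords that are never rotated, and one password
reused across hosts.

Added example, not code from the original article. The vendor default list,
the inventory and the audit date are constructed; a real audit would pull the
defaults from vendor documentation and the inventory from the password vault.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed (username, password) defaults per product. The product names are
# hypothetical; real vendor defaults are published in the products' manuals.
VENDOR_DEFAULTS = {
    "exampleos-router": {("admin", "admin"), ("admin", "password")},
    "exampledb": {("sa", ""), ("dba", "changeme")},
}

MAX_AGE_DAYS = 90  # assumed rotation policy


@dataclass(frozen=True)
class Credential:
    host: str
    product: str
    username: str
    password: str                 # the audit runs where the vault exposes the secret
    last_rotated: Optional[date]  # None means never changed since installation


# Constructed inventory, shaped like an export from a password vault.
INVENTORY = [
    Credential("r1", "exampleos-router", "admin", "admin", None),
    Credential("r2", "exampleos-router", "admin", "admin", None),
    Credential("db1", "exampledb", "dba", "changeme", date(2012, 1, 10)),
    Credential("fw1", "examplefw", "root", "Zx4$pq!9Lm", date(2012, 3, 1)),
    Credential("app1", "exampleapp", "svc_backup", "T9!vr2#kLq8", date(2012, 8, 15)),
]

Finding = Tuple[str, str, str]  # (host, username, issue)


def audit(creds: List[Credential], today: date,
          max_age_days: int = MAX_AGE_DAYS) -> List[Finding]:
    """Return sorted (host, username, issue) findings for the inventory."""
    findings: List[Finding] = []
    for c in creds:
        # Still on a published vendor default: anyone can look it up online.
        if (c.username, c.password) in VENDOR_DEFAULTS.get(c.product, set()):
            findings.append((c.host, c.username, "DEFAULT_PASSWORD"))
        # Never rotated, or rotated longer ago than the policy allows.
        if c.last_rotated is None:
            findings.append((c.host, c.username, "NEVER_ROTATED"))
        elif (today - c.last_rotated).days > max_age_days:
            findings.append((c.host, c.username, "STALE"))

    # A password that unlocks many hosts turns one captured credential into
    # free movement across all of them, so flag reuse as well.
    hosts_by_secret = defaultdict(list)
    for c in creds:
        hosts_by_secret[(c.username, c.password)].append(c.host)
    for (user, _), hosts in hosts_by_secret.items():
        if len(hosts) > 1:
            findings.extend((h, user, "SHARED") for h in hosts)
    return sorted(findings)


def run_example() -> List[Finding]:
    """Audit the constructed inventory as of a fixed, constructed date."""
    return audit(INVENTORY, today=date(2012, 9, 1))


if __name__ == "__main__":
    for host, user, issue in run_example():
        print(f"{host:5} {user:12} {issue}")
```

Run as of the constructed date, the two routers are flagged for a default password, for never having been rotated, and for sharing one secret; the database account is both a default and stale; the firewall account is merely stale; the recently rotated service account is clean.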
Once attackers hold privileged accounts, they can traverse the network, find and gather the sensitive information they were after, and slip out with it undetected, leaving the company wondering, "What just happened?" With administrative access they can also hide their trail by erasing the logs that recorded where they went, unless those logs have already been copied to a system they cannot reach.
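The log erasure described above can only be caught from a copy of the logs the attacker cannot reach. The following added example, which is not from the original article, assumes a Windows environment whose Security events are forwarded to a collector and exported as flattened JSON-like records. It finds the log-clearing events (Windows Event ID 1102, "The audit log was cleared", and 104 for the other logs) and pulls back what the clearing account did on that host in the preceding window, which is exactly the trail the clearing was meant to destroy. All records are constructed sample data, and the field names are an assumption about the export format.

```python
"""Spot audit-log clearing in a forwarded copy of Windows Security events and
recover what the clearing account did just before.

Added example, not code from the original article. It assumes the events were
forwarded to a collector before the clear (a copy that exists only on the host
is gone) and that the export flattens each event to the fields used below.
Event IDs 1102 and 104 are the Windows log-cleared events; the records are
constructed sample data.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Windows writes 1102 to the Security log when it is cleared and 104
# (Microsoft-Windows-Eventlog) when a System or Application log is cleared.
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample records shaped like a flattened JSON export; the field
# names ("user" for SubjectUserName and so on) are an assumption.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2012-09-01T01:30:00", "host": "FILESRV01", "event_id": 4624,
     "user": "CORP\\jdoe-admin", "detail": "Logon type 10 from 10.1.5.23"},
    {"time": "2012-09-01T02:10:05", "host": "FILESRV01", "event_id": 4624,
     "user": "CORP\\jdoe-admin", "detail": "Logon type 10 from 10.1.5.23"},
    {"time": "2012-09-01T02:11:40", "host": "FILESRV01", "event_id": 4663,
     "user": "CORP\\jdoe-admin", "detail": "Object access: D:\\Finance\\Q3-forecast.xlsx"},
    {"time": "2012-09-01T02:12:02", "host": "FILESRV01", "event_id": 4688,
     "user": "CORP\\jdoe-admin", "detail": "Process: wevtutil.exe cl Security"},
    {"time": "2012-09-01T02:12:03", "host": "FILESRV01", "event_id": 1102,
     "user": "CORP\\jdoe-admin", "detail": "The audit log was cleared"},
    {"time": "2012-09-01T02:20:00", "host": "WEB02", "event_id": 4624,
     "user": "CORP\\backup-svc", "detail": "Logon type 5"},
]


def find_log_clears(events: List[Dict],
                    lookback: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Return one report per log-clearing event: who cleared which host's log,
    when, and the events that same account produced on that host within the
    lookback window before the clear (oldest first)."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO-8601 sorts as text
    reports = []
    for e in ordered:
        if e["event_id"] not in LOG_CLEARED_IDS:
            continue
        cleared_at = datetime.fromisoformat(e["time"])
        preceding = [
            p for p in ordered
            if p["host"] == e["host"] and p["user"] == e["user"] and p is not e
            and cleared_at - lookback <= datetime.fromisoformat(p["time"]) < cleared_at
        ]
        reports.append({"host": e["host"], "user": e["user"], "time": e["time"],
                        "event_id": e["event_id"], "preceding": preceding})
    return reports


if __name__ == "__main__":
    for r in find_log_clears(SAMPLE_EVENTS):
        print(f"{r['time']} {r['host']}: log cleared by {r['user']}")
        for p in r["preceding"]:
            print(f"    {p['time']} {p['event_id']} {p['detail']}")
```

On the constructed data the report shows the administrative logon, the access to the finance file, and the `wevtutil` invocation that immediately preceded the clear; the earlier logon at 01:30 falls outside the default 30-minute window. Note that 1102 is written into the freshly cleared log, so even a host-only copy reveals that a clear happened, but only the forwarded copy still holds what came before it.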