The recent cyber attack on the IDT Corporation signals what appears to be a paradigm shift in how hackers are targeting enterprise networks. The bad guys are using ransomware as a smoke screen to disguise what they are truly after: privileged user credentials. Given the high-value assets privileged users have access to, every privileged user compromise poses a high risk to enterprises.
Even organizations with a relatively small administrative ratio, which may not be perceived as a risk, have thousands of privileged accounts that are a target for attackers.
The challenge for many security teams is being able to deal with the amplified risk privileged identities pose as organizations undergo digital transformation. According to the 2017 Verizon Data Breach Investigations Report, 81 percent of breaches used stolen user passwords and other credentials to further attack systems—and that number may be on the rise.
The creativity and sophistication of hackers isn’t the only contributing factor to the increase in cyberattacks. As recent attacks have highlighted, the Internet of Things (IoT) has introduced billions of new devices into the connected world and has shaped the course of digital transformation. As organizations begin their own transformation, the traditional definition of a privileged user will evolve to include not only human users, but also privileged access to applications and physical devices.
Manage The Lifecycle of Privileged Credentials
The digital transformation that most organizations are undergoing has created a situation where more and more users are seeking privileged access, whether an employee, contractor, or partner. Nevertheless, according to a survey from the Ponemon Institute, 49 percent of respondents did not have policies for assigning privileged user access.
Traditionally, system administrators granted these privileges manually, but this human provisioning and certification process isn’t scalable. Going further, most organizations don’t include privileged accounts in role mining and role definition exercises, but as the number of privileged accounts and privileged third-party accounts continues to proliferate, organizations have to apply the same level of inspection and control to privileged credentials.
The first step towards scalability is to reduce the number of manual steps in place for system administrators to provision access to privileged users, and tie the authorization decisions to clearly defined policies.
Applying automated checks to the roles and access authorizations assigned to privileged identities can help proactively flag violations, such as a developer being given credentials to production code or, as in the GitLab outage example, a developer having authorization to execute commands that can be harmful on a production system. With more super user accounts than ever before, organizations have to deprovision privileged access when administrators leave the company – a recent study from Lieberman showed 15 percent of administrators still had access from a prior job and 36 percent shared accounts and passwords.
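The kind of automated entitlement check described above, as an added example that is not part of the original post: each privileged account is inspected against a role policy, an HR "owner still active" flag, and a shared-credential count. The role names, entitlement names and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PrivilegedAccount:
    name: str
    owner: str
    role: str                         # business role from the role-definition exercise
    entitlements: set = field(default_factory=set)
    owner_active: bool = True         # False once HR records the owner as departed
    shared_by: int = 1                # number of people who know the credential

# Policy: entitlements a role may never hold (assumed sample values).
FORBIDDEN = {
    "developer": {"prod-db-admin", "prod-sudo"},
    "contractor": {"domain-admin"},
}

def check_account(acct):
    """Return (account, violation-type, detail) tuples for one privileged account."""
    findings = []
    # Segregation-of-duties check: e.g. a developer holding production sudo.
    for ent in sorted(acct.entitlements & FORBIDDEN.get(acct.role, set())):
        findings.append((acct.name, "forbidden-entitlement", ent))
    # Leaver check: owner has left but the access was never deprovisioned.
    if not acct.owner_active and acct.entitlements:
        findings.append((acct.name, "orphaned-access", acct.owner))
    # Shared-credential check: more than one person knows the password.
    if acct.shared_by > 1:
        findings.append((acct.name, "shared-credential", str(acct.shared_by)))
    return findings

def audit(accounts):
    """Run check_account over every account and collect all findings."""
    return [f for acct in accounts for f in check_account(acct)]

# Constructed sample inventory; not data from any real organization.
SAMPLE = [
    PrivilegedAccount("dev-svc", "alice", "developer", {"ci-runner", "prod-sudo"}),
    PrivilegedAccount("ops-admin", "bob", "sysadmin", {"prod-db-admin"}, owner_active=False),
    PrivilegedAccount("shared-root", "carol", "sysadmin", {"prod-sudo"}, shared_by=4),
    PrivilegedAccount("net-ro", "dave", "contractor", {"network-readonly"}),
]
```

Running `audit(SAMPLE)` on a real inventory export would be the recurring job that feeds a certification or ticketing workflow.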
Behavior Analytics Is the Best Second Line of Defense
With more privileged accounts and more paths of attack, traditional monitoring solutions are challenged to keep up. The problem is that most of the tools being used today depend on static policy, which can’t detect the type of attack perpetrated in the IDT example. Traditional detection finds less than one percent of breaches (Verizon DBIR) because these tools were not designed to accommodate the dynamic nature of attack behavior.
What’s needed is a domain-specific approach that leverages context and knowledge about privileged user behavior. In a nutshell, this approach takes into account what actions privileged users are taking, what they’ve already done, and the risk associated with each of their actions. In the IDT example, the attack was deliberately scheduled for a time when employees would be offline. A system that included user behavior analytics would be able to detect this anomaly and stop the lateral movement of the attackers. Even with a privileged access solution in place there is a chance of being compromised, so the best second line of defense is the ability to analyze behavior to detect anomalies.
By being able to narrow down and respond to the actions that represent evidence of an attack, organizations have a better chance of finding and mitigating the “needle in a haystack” security threat.
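The behavioral baseline described above, as an added example that is not part of the original post: each privileged user's usual hours of activity are learned from past session logs, and new actions are scored by action risk, amplified when they fall outside that baseline (the off-hours pattern of the IDT example). The log format, user names, action names and risk weights are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of past privileged-session logs: "<timestamp> <user> <action>".
HISTORY = """\
2017-06-01T09:12:00Z alice read-config
2017-06-01T10:40:00Z alice restart-service
2017-06-02T09:05:00Z alice read-config
2017-06-02T10:22:00Z alice read-config
2017-06-01T14:03:00Z bob read-config
2017-06-02T14:48:00Z bob restart-service
"""
# Constructed new events to evaluate; the 03:00 entries mimic off-hours activity.
NEW = """\
2017-06-05T10:05:00Z alice restart-service
2017-06-06T03:14:00Z alice restart-service
2017-06-06T03:20:00Z alice dump-credentials
2017-06-05T14:30:00Z bob read-config
"""
# Risk weight per action (assumed values); unknown actions get a medium weight of 5.
ACTION_RISK = {"read-config": 1, "restart-service": 3, "dump-credentials": 9}
OFF_HOURS_MULTIPLIER = 3  # an action outside the user's usual hours counts 3x

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action))
    return events

def build_baseline(events, min_count=2):
    """Hours of day in which each user has been seen at least min_count times."""
    per_user = defaultdict(Counter)
    for ts, user, _ in events:
        per_user[user][ts.hour] += 1
    return {u: {h for h, n in c.items() if n >= min_count} for u, c in per_user.items()}

def score(event, baseline):
    ts, user, action = event
    off_hours = ts.hour not in baseline.get(user, set())
    return ACTION_RISK.get(action, 5) * (OFF_HOURS_MULTIPLIER if off_hours else 1)

def detect(events, baseline, threshold=8):
    """Return (timestamp, user, action, score) for events scoring >= threshold."""
    scored = [(ts.isoformat(), u, a, score((ts, u, a), baseline)) for ts, u, a in events]
    return [row for row in scored if row[3] >= threshold]
```

With the sample data, only alice's two 03:00 actions cross the threshold; the same restart that is routine at 10:05 becomes an alert at 03:14.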
Prevention Works Better Than Detection
Still, far too often the strategy for privileged user security has been to focus on detection – the equivalent of waiting until you have a car accident to purchase an insurance policy. In most cases today, by the time we detect the breach, attackers are long gone with the data. Baselining privileged user behavior is the best way to prevent data loss before it happens. As digital transformation continues and new IoT-related access points are created, security teams have the opportunity to reinvent how they approach managing threats.
At the end of the day, being able to pinpoint attacks that exploit privileged credential theft isn’t a question of accumulating more event data, but involves leveraging data about privileged user behavior. With integrated governance and automation, systems can more easily flag when a user attempts to access data inconsistent with their normal behavior.
As cyber attacks continue to escalate and increasingly focus on accessing user credentials, as we saw with IDT, organizations must have a plan in place to govern privileged user access and detect anomalous behavior. An automated, scalable approach to managing privileged user access can help ensure that attackers can’t get into your systems, and that if they do get in, they can’t get far enough to do damage.
About Mordecai Rosen
Mordecai (Mo) Rosen leads the Security Business Unit at CA Technologies. He is responsible for ensuring the company’s products, services, and partnerships protect and enable customers’ businesses.