As the compromise and misuse of identity is often at the core of modern threats, privilege accounts are a prime target for phishing and social campaigns. Peter Draper, Technical Director EMEA, Gurucul, discusses how Privileged Access Management monitoring enables companies to mitigate against insider threats.
It’s widely accepted by today’s cybersecurity departments that many serious data breaches can be traced back to the abuse of privileged credentials and yet teams still struggle to integrate this realisation into day-to-day operations.
On the face of it, this shouldn’t be happening. Organisations have been making big investments in IT security tools such as Security Information Event Management (SIEM), next-generation firewalls and intrusion prevention systems (IPS), as well as a variety of anomaly detection systems, email and web filtering and Data Leak Prevention (DLP). Despite this, data breaches continue to plague companies, with new avenues for attack appearing such as unsecured Remote Desktop Protocol (RDP) and VPN servers, oiled by a steady flow of software vulnerabilities, including ‘surprise’ zero days.
Organisations feel compelled to open their networks to cope with an increasingly mobile, remote workforce, to the cloud and IoT, and to enable a complex web of remote access used by suppliers and service providers. Many of those connections, including those to cloud applications, are accessed using powerful privileged account credentials that represent a security risk. These accounts are difficult to find and controlling and monitoring access to them is challenging.
From the attacker’s side, bypassing these privileged account credentials to access sensitive systems is little more than a percentages game. With so many avenues to target them – social engineering, phishing attacks, zero days and collaboration with malicious insiders – penetrating an organisation’s network is about patience. If at first you don’t succeed, keep trying because it’s a certainty that a new weakness will emerge.
Once armed with the credentials to get behind an organisation’s defences, attackers look to grab what they can, such as SSH keys, certificates and domain admin hashes to move laterally on the network. It’s a despairing thought that among the thousands of privileged accounts attackers might aim for, it takes only one to seed a major data breach that brings an organisation to its knees.
Privileged Access Management (PAM)
This isn’t just about threats from outside the organisation, but the ones emanating from inside it too. According to Gurucul’s Cybersecurity Insiders’ 2020 Insider Threat Report, security professionals are well aware of the threat posed by unsecured privileged accounts, with 63% agreeing that privileged users pose the biggest risk from inside an organisation and 68% saying they felt vulnerable to insider attacks generally. Almost all of these organisations will have deployed multiple layers of security solutions to contain threats from outside the organisation, but conventional security tools do not defend against privileged account misuse. When the same scenarios are modelled inside the network, there is often no defence at all.
A major problem hindering organisations has been the inherent difficulty in identifying and securing privileged accounts, including those in the cloud. Consequently, many invested in Identity and Access Management (IAM). While IAM is good at managing user identities tied to a known person, it struggles to cope with identities that aren’t defined in this way such as admin accounts used to manage IT resources. Finding these privileged identities can be difficult, let alone stopping a malicious party from accessing them.
For this reason, organisations have increasingly turned to Privileged Access Management (PAM) systems which impose control and management on accounts using the principle of least privilege. Unfortunately, even PAM struggles under real-world conditions in which many privileged accounts slip through the net to the extent that Gurucul estimates from customer data that up to half remain unknown to IAM or PAM platforms.
Insider abuse is often cast as a general willingness by one or more employees to misuse systems but an essential part of this is the way they exploit privileged access. This can be both abuse of privileged accounts for which an individual has permission, but which is being misused, as well as access to non-authorised accounts. Clearly, permissions don’t act as a barrier to either because one form of access might appear legitimate while the other would remain invisible.
On top of this is access bloat where over time multiple users have been given access to a resource. This is not only a bad idea because it stretches user management but expands the attack surface for cybercriminals looking to execute a phishing attack. Finally, there is the under-estimated weakness of credentials and root keys left exposed in the cloud, which can allow an attacker to not only set themselves up as the admin but potentially lock out existing ones. Indeed, the cloud poses huge challenges of its own, not least because it has been the biggest driver for the expansion of privileged and risky accounts.
This uncertainty can now be addressed using Identity Analytics (IdA) technology, which uses Machine Learning to discover and analyse privileged accounts and account access, working as an extension to existing IAM and PAM to spot accounts that are not being controlled. This includes not only accounts that have acquired more privileges after they were provisioned but also privileged credentials embedded within applications and unstructured data. IdA is particularly effective at finding associated accounts that might aid hidden backdoor access, which are today a major risk area for organisations of all sizes.
Using Machine Learning to do this is ideal because it’s a technology perfectly suited to detecting anomalous access once it has modelled what baseline access looks like for an organisation. It’s also good at spotting and risk scoring orphaned or dormant ‘access outlier’ accounts that will often be unknown to admins. Once these accounts have been brought to the attention of admins, decisions can be made about which to de-provision or impose additional authentication upon on the basis of peers, activities and context, a process which can be automated through API integration with provisioning platforms. Achieving the same result through manual methods and old-world rules – the traditional technique for housekeeping privileged accounts – would be both time consuming and almost certainly fail at some point.
It’s a lot to take in: organisations move to IAM, mature with PAM and then fill in the gaps and exceptions with IdA. But what is ultimately driving this evolution is the increasing complexity of businesses that now depend on cloud access, rapid development and ever more layered security. This is how business is and there is no evidence these trends will slow down. IdA, then, is another technology a company can use to make sense of this riskier world.