In particular, organisations should start looking at actionable steps that organisations can take to “clean up” current weaknesses and potential vulnerabilities. This is particularly important in the wake of massive attacks such as WannaCry. In fact, post-attack studies show that WannaCry’s impact could have largely been prevented if basic security best practices such as securing privileged accounts had been applied. With this in mind, international institutions such as the US National Institute of Standards and Technology (NIST) have started to recommend securing privileged accounts, credentials and secrets as one of the most effective, preventative steps an organisation can take to bolster its security programme. The institute’s latest CyberSecurity Framework further offers useful best practices UK businesses can incorporate in their security strategy.
Many of the CyberSecurity Framework’s refinements centre around cyber hygiene. As the CyberSecurity Framework explains, attackers continually look for new ways to exploit an organisation’s vulnerabilities, so a “set it and forget it” approach is sure to fail, especially when it comes to privileged access. This is because a company’s sensitive applications and systems can change as a company grows or changes direction. For example, if your organisation secured privileged access for Windows built-in accounts on systems with access to sensitive data, then you need to go one step further and commence work on the next set of systems that deliver the most risk reduction, given the time and effort required to do so.
Since the enterprise infrastructure is ever-changing, it’s important to look for new infrastructure in the cloud and new SaaS applications that could have access to sensitive business data. To have the strongest defence against attackers, organisations need to ensure their privileged access security program is up to date and continues to protect their most critical infrastructure, applications, customer data, intellectual property and other vital assets.
The most common types of attack
To help establish and maintain a strong privileged access security programme, organisations can implement actionable processes to achieve the highest level of protection against common attacks on privileged accounts, credentials and secrets. This type of cyber hygiene program is usually most effective against the following attacks:
· Irreversible network takeover attacks: Cyber attackers establish persistence in an organisation by performing an attack that is not only hard to identify but also so intrusive that the business must rebuild their network to remove the attacker—e.g., a Kerberos attack, such as a Golden Ticket.
· Infrastructure account attacks: Hackers leverage powerful default infrastructure accounts that exist on-premises or in cloud environments and are seldom used in day-to-day operations, but can provide the attacker with excellent opportunities for access to highly sensitive data.
· Attacks that leverage lateral movement: Hacker soften steal credentials by gaining a foothold on endpoints and then moving laterally, for example by using Pass-the-Hash techniques, in order to steal elevated permissions.
· Targeting credentials used by third-party applications: Hackers compromise third-party applications that are used to perform operations such as deep scans in order to steal their embedded privileged credentials. From here, they execute attack goals while completely circumventing the targeted company’s defences.
· Targeting *NIX SSH keys: Hackers leverage unmanaged SSH keys in order to login with root access and takeover the *NIX technology stack. Unix/Linux systems house some of an enterprise’s most sensitive assets and Linux systems are increasingly deployed in the cloud. Individual accounts and credentials—including SSH keys—used to gain root privileges are often overlooked by security teams.
· Targeting DevOps secrets in the cloud and on-premises: Hackers can compromise secrets embedded in code and Continuous Integration/Continuous Deployment (CI/CD) tools, in order to exploit the environment for more pervasive access.
· Targeting SaaS admins and privileged business users: Hackers steal credentials used by SaaS administrators and privileged business users, in order to get high level and stealthy access to sensitive systems.
Implementing a privileged access security cyber hygiene program
Often, significant data breaches - including those at many large organisations - result from some of the most common attacks involving privileged access, and each example provides valuable insights into how attackers operate and exploit an organisation’s vulnerabilities.
To proactively reduce the risk posed to privileged accounts by attackers and implement strong hygiene practices, organisations typically need to:
- Use their understanding of the most common types of attack that exploit privileged accounts: how does a hacker think and behave in each case to exploit the organisation’s vulnerabilities?
- Prioritise the most important privileged accounts, credentials and secrets, and identify the potential weaknesses and vulnerabilities in their existing privileged account security program, particularly those that could jeopardise critical infrastructure, the organisation’s crown jewels, and so on
- Determine the most effective actions to clean up these weaknesses and potential vulnerabilities. Which actions are the highest priority? What can be achieved quickly versus requiring a longer-term plan?
- Ensure continuous, reassessment and improvement in privileged account hygiene to address a changing threat environment
As cyber attackers become increasingly creative with their tactics, now is the time for UK businesses to go back to basics and do a cyber hygiene check-up. Establishing privileged account management is a good starting point to help organisations reduce risk, satisfy security and meet regulatory objectives. Ultimately, it comes back to monitoring and reviewing who has access to the most sensitive data to ensure it is safe and secure.
