Joseph Carson, Chief Security Scientist and Advisory CISO, Thycotic, explores how organisations can develop more advanced strategies for protecting privileged accounts.
Gaining access to privileged accounts is considered getting the ‘keys to the kingdom’ for threat actors. Hacking into these superuser accounts enables cybercriminals to steal, manipulate or delete data, access critical systems and just generally cause havoc. What is worse, being in control of such high-level accounts enables them to cover up their tracks and even create their own superuser accounts to make detection all the more difficult.
How do criminal hackers break in?
The number one way threat actors access these accounts is through weak or stolen passwords. Their first step to cracking or gaining a password is reconnaissance. Threat actors can spend up to 90% of their time casing out a potential target company, looking at the social media accounts of key personnel and using Google dorking to find weaknesses in websites to gather the information they need to create a digital blueprint.
Using personal details and templates from the target organisation or third-party suppliers, threat actors will often send an authentic-looking email to select employees within the business whom they have identified as easy targets. This could ask the unsuspecting victim to click a link and type in credentials, which are in fact captured by the threat actor. They can then use these to pose as an official member of staff and explore the IT environment under the guise of a legitimate employee.
In corporate networks with poor security hygiene, cybercriminals are, at that point, only a few steps away from gaining privileged access. The process of escalating privileges is made easier for threat actors if they break into organisations where a majority of employees have local admin rights, which is not uncommon.
Better still, from their perspective, is an organisation that grants full admin rights to employees who do not need them and who have little training in how to keep their information safe. In such scenarios, once threat actors have the credentials to these relatively unprotected accounts, their job of gaining access to privileged accounts is done.
Prioritising and getting value out of PAM
In an effort to stop the described sequence of events from happening, many organisations are employing some form of privileged access management, or PAM. This is a framework that looks to reduce the risk of privileged accounts being compromised, while at the same time improving business agility and operational efficiencies.
Thycotic’s 2019 State of PAM Maturity Report shows that while four out of five (78%) organisations have privileged account protection, their PAM security practices still fall short of the mark.
To help organisations understand how mature their PAM security practices are and where they should be, there are four levels of PAM maturity: analogue, basic, advanced and adaptive intelligent.
‘Analogue’, also known as manual, is the lowest level of PAM security, offering very little in the way of protection and sometimes amounting to no more than ticking a checkbox. An organisation is operating at this level if it uses default passwords, has few password complexity requirements and no rotation.
At this level, password and credential tracking is recorded on paper or even in a spreadsheet. Also, it is likely that the organisation will have little idea of how many privileged accounts it actually has or who has access to them. Knowing exactly what and where these privileged accounts are is critical for security – after all, it is not possible to protect something if you don’t know you have it or who has access to it.
A level above this is ‘basic’. At this stage of maturity, an organisation would have developed enough to start using multi-factor authentication, non-default passwords and password vaulting. It would also have automated privileged account discovery, to ensure it knows what is on its system and who has access.
To make it to ‘advanced’ maturity, an organisation needs to have implemented everything included in ‘basic’ plus have a number of other checks and measures in place.
These include password obfuscation, privileged session proxying, least privilege and application control. Further safeguards to detect any unusual activity should also comprise four-eyes protocols, session monitoring, and immutable privileged activity auditing.
‘Adaptive intelligent’ is the pinnacle of PAM maturity. At this stage, organisations employ automated anomaly detection and remediation, automated privileged account lifecycle management and DevOps workflow privileged access management.
How to grow in maturity
Despite the vast majority of organisations implementing some form of PAM, our research worryingly shows that 85% of companies are struggling to get beyond the ‘analogue’ stage. More than half of those surveyed (55%) are hampered by not knowing how many privileged accounts they have or where they are located. A similar proportion (50%) have privileged accounts that never expire or are never decommissioned.
To create a more mature PAM strategy, organisations need to take a step-by-step approach. This starts with defining what a privileged account is, followed by identifying, both initially and continuously, all privileged accounts on the network.
Once these accounts are known, a ‘least-privilege’ policy should be implemented alongside password rotation and the auditing, analysis, managing and monitoring of individual privileged session activity.
Organisations also need real-time oversight of privileged accounts to detect any unusual activity, which must then be responded to and aligned with an Incident Response Plan.
Finally, the automated review and auditing of privileged access can help highlight unusual behaviours and track the possible causes of security incidents. Such reviews can also provide useful metrics to demonstrate compliance and supply the information needed to make informed business decisions.
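The steps above start with knowing which accounts are privileged and then checking them continuously for the gaps the survey highlights (accounts that never expire, passwords that are never rotated, privileged accounts nobody uses). The following is an added example of such an audit, not code from the article or from Thycotic; the privileged group names, the 90-day rotation window and the 60-day dormancy threshold are assumptions, and the directory export is constructed.

```python
"""Audit a directory export for privileged-account hygiene (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed: groups whose members count as privileged. Tailor to your directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators", "DBA"}
ROTATION_MAX_DAYS = 90   # assumed rotation policy
DORMANT_DAYS = 60        # assumed threshold for unused privileged accounts


@dataclass
class Account:
    name: str
    groups: set
    password_last_set: date
    password_never_expires: bool
    last_logon: Optional[date]   # None = never logged on (service or orphaned account)


def is_privileged(acct: Account) -> bool:
    """An account is privileged if it belongs to any privileged group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def audit(accounts, today: date) -> dict:
    """Return findings keyed by type; each value is a sorted list of account names."""
    findings = {"privileged": [], "never_expires": [], "stale_password": [], "dormant": []}
    for a in accounts:
        if not is_privileged(a):
            continue                       # non-privileged accounts are out of scope here
        findings["privileged"].append(a.name)
        if a.password_never_expires:
            findings["never_expires"].append(a.name)
        if (today - a.password_last_set).days > ROTATION_MAX_DAYS:
            findings["stale_password"].append(a.name)
        if a.last_logon is None or (today - a.last_logon).days > DORMANT_DAYS:
            findings["dormant"].append(a.name)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample export, not real data.
TODAY = date(2019, 6, 1)
SAMPLE = [
    Account("alice.adm", {"Domain Admins"}, date(2019, 5, 20), False, date(2019, 5, 31)),
    Account("svc_backup", {"Server Operators"}, date(2017, 1, 4), True, None),
    Account("bob", {"Domain Users"}, date(2018, 2, 2), True, date(2019, 5, 30)),
    Account("old_dba", {"DBA"}, date(2019, 1, 15), False, date(2019, 2, 1)),
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE, TODAY).items():
        print(f"{kind}: {names}")
```

Run against a real export, the counts of each finding type give the metrics the article calls for (how many privileged accounts exist, how many never expire) and the names give the decommissioning and rotation work list.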