Saudi Aramco. Stuxnet. The Flame virus. Red October. Subway Restaurants. Global Payments. Utah and South Carolina. U.S. Chamber of Commerce. Pacific Northwest National Laboratory.
What do all of these have in common? These are just a few of the recent, high-profile cyber attacks and sophisticated malware that targeted and leveraged privileged accounts. Despite repeated warnings and plenty of examples to learn from, privileged accounts have become the primary attack vector for all enterprise assaults – originating from both inside and outside an organization.
Privileged accounts are often thought of as only the privileged and administrative accounts used internally by IT and sys-admin staff. In fact, the definition also includes default and hardcoded passwords, application backdoors and more. What all of these accounts have in common is that they act as a gateway to an organization's most sensitive data. That, and they're often protected by weak passwords, which are seldom replaced.
Traditionally thought of as a vulnerability for insider-based attacks only, privileged accounts are increasingly being used by cyber attackers to perpetrate some of the most devastating advanced attacks.
The trends are clear – cyber attackers are getting through the enterprise perimeter by traditional means – spear phishing, malware, zero-day exploits – and then immediately targeting privileged accounts to gain widespread access to the rest of the network. The most recent Verizon Data Breach report highlighted that several of the primary attack vectors used by hackers had privileged connections.
Our research at Cyber-Ark Labs shows that these advanced attacks usually progress through three basic stages:
Phase one: Breach the perimeter and establish a beachhead
This is typically accomplished through attacks that are incredibly hard to fully protect against, simply because there is too great a reliance on the human element. At some point, you'll have an employee click a link, open an email attachment, or visit a website that is infected. These simple acts open the enterprise doorway to attackers, helping them easily avoid firewalls, anti-virus and similar perimeter defense systems.
Phase two: Escalate privileges or use stolen passwords
Once inside, the attackers escalate their privileges, enabling them to move freely around the network undetected. This allows them to access valuable information almost at will, while covering their tracks. The escalation of privileges, or using a stolen password, is much simpler than it sounds.
For instance, the default passwords for a lot of enterprise software can easily be found online. These passwords are rarely changed or managed by the company implementing the software. This is one of the primary reasons why SCADA and ICS systems are so vulnerable to attacks.
Once an attacker has the password, they simply need to be invited into the network through the means discussed above – from there, they can move freely through the network as if they were a privileged employee, such as an IT or network administrator or top executive. We've also seen attackers infect an individual employee's machine, lie in wait for an IT staffer to fix the machine, then surreptitiously record their administrative password once it's entered.
Phase three: Profit
This is the phase where the attacker exfiltrates the targeted data without being detected and the company wonders what just happened. Once the attackers gain access to privileged accounts, the attackers can easily traverse the network, identifying and gathering the sensitive information they were targeting, slipping in and out with the information without detection. With administrative account access, the attackers can also easily hide their trail by erasing the logs of where they went on the network.
Unfortunately for a lot of businesses, this phase is played out in headlines at news organizations across the country.
The reality is that these unsecured privileged accounts represent a threat to all sensitive corporate data and systems, and are one of the greatest security challenges most businesses face. The number of privileged accounts in any organization is typically four times the number of employees. In an enterprise with 10,000 employees, this means 40,000 accounts or access points that are often unknown and poorly secured.
Protecting against advanced threats requires a new approach to security – starting on the inside and working out. This doesn't mean that the world doesn't need firewalls or perimeter security – it means a change in priority. Identifying all of these privileged access points and locking them down should be the first priority for any organization that is serious about security.