Advanced Cyber Attacks: Understanding Privileged Account Breaches



By Dan Dinnar, Vice President, Asia Pacific, CyberArk Software

Privileged accounts have become the largest attack vector that cybercriminals use to breach organisations for purposes such as data theft and cyber espionage. These accounts are the most powerful in any company, which is why attackers seek to exploit them in every advanced attack. In fact, privileged accounts are exploited every day, by advanced attacks and insiders alike, to steal billions of dollars' worth of sensitive information, as the high-profile attacks that have defined the recent cybercrime landscape show. If companies step up measures to protect privileged accounts, they can therefore significantly reduce their network's exposure to cyber attackers.


Like any account, a privileged account is a set of credentials for accessing a particular system or several systems on a network. The difference is that its credentials grant elevated, unrestricted access to platforms that non-privileged users cannot reach. System administrators use privileged accounts to manage and troubleshoot network systems, to run services and to let applications communicate with one another. That same power means the accounts can be leveraged by malicious actors or insider threats to damage an organisation and its network.

Sophisticated cyber attacks, whatever the nature and motivation of the attackers, rely on exploiting privileged accounts to penetrate organisations' networks and stealthily harvest data. Attackers who gain access to a company's systems through its privileged accounts are almost guaranteed to succeed. Greater visibility and actionable intelligence on the privileged accounts within an organisation's IT environment will increase its ability to detect and disrupt breaches.

A cyber security report, "The Role of Privileged Accounts in High Profile Breaches", compiled by consulting firm CyberSheath and commissioned by CyberArk, also found that malware variants are being developed continually to penetrate systems. The report noted that in recent times the cyber attacks that exploit privileged accounts have also caused the greatest damage, to large and small organisations alike. It found that privileged accounts within organisations commonly presented the following problems:

  • Local administrator accounts that share the same password across many machines
  • Privileged service accounts whose passwords never expire and which can log on interactively
  • Poor accountability for how privileged accounts are used
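The three weaknesses in the list above are all things a defender can check for in an account inventory before an attacker does. The following audit script is an added example, not code from the article, CyberSheath or CyberArk; the inventory format, the field names and the sample records are constructed for illustration, and a real audit would pull the same fields from Active Directory, a CMDB or a privileged account management export.

```python
"""Audit a privileged-account inventory for the three weaknesses named in the
CyberSheath report: shared local administrator passwords, non-expiring service
accounts that can log on interactively, and privileged usage with no
accountability (no named owner, or no session recording).

Added example. The Account fields and the INVENTORY records are constructed
for illustration; they are not CyberArk's data model."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    host: str
    kind: str                  # "local_admin" | "service" | "domain_admin"
    password_hash: str         # fingerprint only; never keep cleartext in an inventory
    password_expires: bool
    interactive_logon: bool    # may the account open an interactive session?
    owner: str = ""            # named human accountable for the account
    sessions_recorded: bool = False  # are its privileged sessions logged/recorded?


def find_shared_local_admin_passwords(accounts):
    """Local administrator accounts on different hosts whose password
    fingerprints match: one stolen hash then opens every host in the group."""
    by_hash = defaultdict(list)
    for a in accounts:
        if a.kind == "local_admin":
            by_hash[a.password_hash].append(a.host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def find_risky_service_accounts(accounts):
    """Service accounts that never expire and can also log on interactively."""
    return sorted(a.name for a in accounts
                  if a.kind == "service" and not a.password_expires and a.interactive_logon)


def find_unaccountable_accounts(accounts):
    """Privileged accounts with no named owner or no session recording."""
    return sorted(f"{a.name}@{a.host}" for a in accounts
                  if not a.owner or not a.sessions_recorded)


def audit(accounts):
    """Run all three checks and return one report dictionary."""
    return {
        "shared_local_admin_passwords": find_shared_local_admin_passwords(accounts),
        "risky_service_accounts": find_risky_service_accounts(accounts),
        "unaccountable_accounts": find_unaccountable_accounts(accounts),
    }


# Constructed sample inventory: three workstations built from the same image
# share one local Administrator password, one backup service account never
# expires yet may log on interactively, and several accounts have no owner.
INVENTORY = [
    Account("Administrator", "ws-001", "local_admin", "h:4f1c", False, True),
    Account("Administrator", "ws-002", "local_admin", "h:4f1c", False, True),
    Account("Administrator", "ws-003", "local_admin", "h:4f1c", False, True),
    Account("Administrator", "srv-db1", "local_admin", "h:9a2e", False, True, "dba-team", True),
    Account("svc_backup", "srv-bk1", "service", "h:77d0", False, True, "ops", True),
    Account("svc_web", "srv-web1", "service", "h:c3b1", True, False, "web-team", True),
    Account("svc_legacy", "srv-app7", "service", "h:e812", False, False),
    Account("da_alice", "dc-01", "domain_admin", "h:0b5f", True, True, "alice", True),
    Account("da_shared", "dc-01", "domain_admin", "h:ab90", True, True),
]

if __name__ == "__main__":
    for finding, detail in audit(INVENTORY).items():
        print(f"{finding}: {detail}")
```

The shared-password check compares fingerprints rather than passwords so the inventory itself never becomes a credential store; the accountability check deliberately flags an account on either condition, since an owner without session records cannot answer for what the account did, and records without an owner leave nobody to ask.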


Several high-profile data breaches last year resulted in theft of intellectual property and financial losses. The majority of these breaches involved attackers exploiting privileged accounts, despite the differing targets and attack motivations.

The best-known case of privileged account abuse was when the former NSA contractor Edward Snowden persuaded his co-workers to give him their system credentials. According to Reuters, Snowden was working as a system administrator and may have asked as many as 25 NSA employees for their usernames and passwords, claiming that he needed them to do his job. This enabled him to use his elevated administrator privilege to move into other parts of the network and steal classified information.

In Asia, there is also the case of a malware attack that took down the computer networks of three South Korean banks and two TV broadcasters in that country. The attackers had obtained an administrator login to a security vendor's patch management server. They then distributed the malware as a software update, interrupting bank transactions, shutting down ATMs and leaving bank customers unable to use their debit cards.

Attackers targeting privileged accounts are also becoming more advanced. According to a November 2014 CyberArk report that analysed the forensic experiences of leading cyber threat investigators, attackers are growing more sophisticated in their exploitation of privileged accounts. Their methods range from repeated exploitation of service accounts, to embedded devices in the Internet of Things, to establishing multiple identities in Microsoft Active Directory so as to ensure redundant access points and backdoors.


Should companies decide not to secure their privileged accounts, the result can be stolen data, heavy financial losses and loss of reputation. For example, one case study explored in the CyberSheath report was a fast-growing company with more than 40,000 employees globally and annual revenue exceeding US$20 billion. This company had given almost all employees administrative rights in the name of productivity. The result was 100,000 privileged accounts, of which 30,000 were traditional accounts that shared the same passwords.

Unknown to the company, an Advanced Persistent Threat (APT) had taken up residence in the company's network and taken advantage of the situation to breach it. The shared administrator password and the lack of management and monitoring allowed the APT to stay hidden. The outcome was more than 200 compromised machines, more than 10,000 man hours of overtime, and a total breach cost of more than US$3 million over a period of six months. The company could have avoided these losses with an enterprise privileged account security solution.

Had the company been able to manage its privileged accounts, it would have avoided both the resource drain and the data loss. When it comes to privileged account security, the cost of being reactive is only measured once a company realises it has been breached. Despite continuous education and expert recommendations, many companies still take no precautions until they have been compromised, and ultimately pay the price.


This raises the question of why organisations do not make it a top priority to protect, manage and monitor privileged accounts in the first place. Firstly, there is the issue of shared responsibility: the authority over and management of these accounts usually resides not with the Chief Information Security Officer (CISO) but with the vice president of IT Infrastructure, or someone with a similar title.

Companies also often treat doing nothing as the path of least resistance when trying to balance ease of administration against protecting access to these accounts. Many organisations have not taken advantage of solutions that both protect privileged accounts and ease administration through workflow approvals, mobile access and direct connections to managed devices. In the past, we had to wait for forensics to be conducted to discover which privileged accounts had been compromised; today that information is available from privileged credential management solutions.

CISOs have also prioritised their resources for products that integrate new security solutions with their existing security investments. This approach breeds failure when more tools are purchased than the existing staff can effectively deploy. Organisations are also pushing the data they get from privileged sessions into their security information and event management (SIEM) solution for real-time operational intelligence.
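Feeding privileged session data into a SIEM only pays off if something is watching for the patterns the article describes: a credential being used from more than one place (the Snowden case), a service account opening an interactive session, and one privileged identity reaching many machines in a short time (the APT's spread across 200 hosts). The streaming detector below is an added example, not code from the article or from CyberArk; the log line format, the `svc_` naming convention for service accounts, the ten-minute window, the fan-out threshold of three hosts and the sample lines are all constructed assumptions that a real deployment would replace with its own session feed and tuning.

```python
"""Run three privileged-session detections over a stream of log lines.

Added example. The line format below is constructed for illustration:
    <ISO-8601 UTC timestamp> account=<name> src=<host> dst=<host> type=<logon type>
Rules (each fires once per account, to avoid flooding the SIEM):
  1. service account (constructed convention: name starts with "svc_") logging on interactively
  2. one account used from more than one source host inside the window
  3. one account reaching FANOUT_THRESHOLD or more distinct targets inside the window
"""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) type=(?P<type>\S+)$"
)
SERVICE_PREFIX = "svc_"            # assumed naming convention for service accounts
WINDOW = timedelta(minutes=10)     # assumed sliding window
FANOUT_THRESHOLD = 3               # assumed: distinct targets that count as spreading


def parse(line):
    """Parse one line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


class PrivilegedSessionMonitor:
    def __init__(self, window=WINDOW, fanout=FANOUT_THRESHOLD):
        self.window = window
        self.fanout = fanout
        self.recent = defaultdict(deque)   # account -> deque of (ts, src, dst) in window
        self.fired = set()                 # (rule, account) pairs already alerted on

    def _alert(self, alerts, rule, account, detail):
        if (rule, account) not in self.fired:
            self.fired.add((rule, account))
            alerts.append((rule, account, detail))

    def feed(self, line):
        """Consume one line; return the list of alerts it triggered."""
        ev = parse(line)
        if ev is None:
            # Unparseable input is itself worth surfacing: a broken feed is a blind spot.
            return [("unparsed", line.strip())]
        alerts = []
        if ev["account"].startswith(SERVICE_PREFIX) and ev["type"] == "interactive":
            self._alert(alerts, "service_account_interactive_logon", ev["account"], ev["src"])
        q = self.recent[ev["account"]]
        q.append((ev["ts"], ev["src"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        sources = {s for _, s, _ in q}
        if len(sources) > 1:
            self._alert(alerts, "credential_used_from_multiple_sources",
                        ev["account"], tuple(sorted(sources)))
        targets = {d for _, _, d in q}
        if len(targets) >= self.fanout:
            self._alert(alerts, "privileged_fanout", ev["account"], len(targets))
        return alerts


def run(lines):
    """Feed every line through one monitor and collect all alerts in order."""
    mon = PrivilegedSessionMonitor()
    out = []
    for line in lines:
        out.extend(mon.feed(line))
    return out


# Constructed sample feed: a domain admin credential first used from ws-011,
# then from ws-099 while spreading across four servers; a backup service
# account logs on interactively; one garbage line; one late event after the
# window has expired.
SAMPLE_LINES = [
    "2014-11-03T09:00:00Z account=da_alice src=ws-011 dst=srv-db1 type=network",
    "2014-11-03T09:01:30Z account=da_alice src=ws-011 dst=srv-db2 type=network",
    "2014-11-03T09:02:10Z account=svc_backup src=ws-044 dst=srv-bk1 type=interactive",
    "2014-11-03T09:03:00Z account=da_alice src=ws-099 dst=srv-file1 type=network",
    "2014-11-03T09:04:00Z account=da_alice src=ws-099 dst=srv-app7 type=network",
    "this line is garbage",
    "2014-11-03T09:20:00Z account=da_alice src=ws-011 dst=srv-db1 type=network",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

Each rule fires once per account so that a noisy identity produces one actionable alert rather than hundreds; the analyst then pivots on the account in the SIEM for the full session history. The window is a sliding deque per account, so memory grows with the number of active privileged identities rather than with the size of the log.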


Protecting, managing and monitoring privileged account access is therefore not only a business enabler for the IT delivery organisation but also a critical strategy for defending against advanced and insider threats. There are solutions for organisations of every size, whatever their resources and budget.

One method is to protect, manage and monitor privileged accounts manually. However, it is not feasible for larger companies to audit their numerous privileged accounts by hand every day. Manual work is also prone to human error, which can end in millions of dollars spent on incident response, recovery and lost productivity. Although it is the least mature and least effective option, manual auditing is still better than having no protection at all.

A more effective approach is to purchase and operate a privileged account security solution in-house, or to contract a managed service to provide one. For large companies, the best value comes from a solution that protects, manages and monitors privileged users, sessions and applications while integrating with existing security investments.

Whichever approach is chosen, it is important to roll out the security solution in a phased and organised manner. Otherwise it will be overwhelming, especially for companies that have no privileged account security solution in place to begin with.

To conclude, the majority of cyber attacks that resulted in data loss at large and small companies involved compromised privileged accounts. CIOs and CISOs who invest in safeguarding these accounts will reduce risk and gain a return on that investment at the same time. Securing privileged accounts through automated solutions can help win the fight against APTs by reducing human error, overheads and operational costs.