Whether it’s well-publicised cyberattacks on government organisations or widespread ransomware that threatens to halt business operations, attackers continue to target privileged credentials as a quick and easy means to reach critical assets and steal sensitive data.
Based on what we’ve learned from working with organisations that have suffered a major breach, once attackers break into the network – often through targeted phishing and weak passwords – they must find a way to move through the network and escalate privileges to complete their mission. Stealing privileged credentials – or taking the “privileged pathway” – is the most common way to do this. As a result, securing privileged credentials is one of the first actions organisations take following a breach.
In today’s cyber threat landscape, every organisation is susceptible to a breach. Furthermore, each breach teaches us more about what we can, and should, do before we’re attacked to prevent or reduce the impact. Using these lessons to establish a realistic plan for achieving “quick wins” to prioritise risk reduction, quantify progress, and retain support from executive management and the Board is of vital importance. We call this a sprint – the first leg of a longer-term security program.
So, what if you had to start your own cybersecurity sprint – rapidly implementing proactive security measures gleaned from the hard luck of others? Where would you start as an organization?
Based on research conducted with Global 1000 CISOs and security executives from major organisations that have experienced large data breaches, we’ve developed a framework that can be implemented rapidly to help shut down the privileged pathway and significantly reduce the privileged account attack surface. It prioritises the implementation of controls for protecting privileged credentials to drive tangible results within 30 days. From there – armed with these quick, demonstrable successes – organisations can scale efforts and turn the sprint into a sustainable cyber security program.
Gearing up: Get focused
For attackers, privileged accounts are considered low-hanging fruit – the obvious first choice for expanding their reach within an organization. Most companies have primarily focused on implementing security controls to keep attackers out of their network. But, breach after breach has shown that motivated attackers will find a way past these perimeter defences. Once inside, attackers can use hijacked privileged credentials to move throughout the network and complete their mission.
It’s important to remember that attackers often take this path of least resistance – like all of us, they want the biggest return with the least investment. The sprint framework focuses on the Windows environment, on what attackers know, want, and don’t have to write sophisticated malware to get – administrative accounts for Active Directory (AD) and member computers. Starting with this small, targeted set of accounts will enable the implementation of key controls, without requiring major time, resource, and technology investments.
The first four controls to implement to quickly protect your most powerful (and most vulnerable) accounts include:
1. Isolate and monitor access to domain controllers and member computers
Enterprise workstations (used for email, web browsing, and more) are frequently the point of initial infiltration for attackers. To limit exposure of privileged credentials, administration of Active Directory and member computers must only be permitted from a trusted environment without internet access and with strong control of what applications can run. This environment serves as a barrier between the sensitive asset and the workstation, denying the attacker the ability to steal privileged credentials.
2. Protect privileged credentials with multi-factor authentication
As demonstrated by its inclusion in the federal cyber security sprint following the breach at the U.S. Office of Personnel Management, multi-factor authentication (MFA) is vital to stopping attackers, especially for privileged users. If an attacker manages to compromise a credential, MFA can stop them from being able to use it to inflict harm.
3. Eliminate unnecessary accounts and privileges
Ideally, organisations should have the smallest reasonable number of privileged accounts to minimise the attack surface and to simplify identity management. Reality is far from this ideal, as years of lax controls have led to the proliferation of accounts and privileges. The sprint prioritises the elimination of unnecessary domain and enterprise administrator accounts, as these privileges are commonly overextended and pose the greatest risk to the enterprise.
4. Establish credential boundaries
One key to defending the privileged pathway is to break the cycle where lateral movement leads to privilege escalation. This is done by “tiering” machines (domain controllers > servers > workstations) and disallowing credentials used in one tier of machines to be used in a different tier. For example, domain administrator accounts should only be used to manage domain controllers, not servers or workstations. Implementing this control restricts privilege escalation, preventing the attacker from compromising a credential in one tier and leveraging the credential to access an asset in another.
Showcase success and create your to-do list
Adopting a “sprint mindset” – quickly applying lessons from breaches and prioritising effectively – are some of the most important factors in being able to achieve rapid risk reduction, making it more difficult for cybercriminals to carry out their goals. This intensive, 30-day effort to implement targeted security controls establishes the framework for everything else that happens through the life of the privileged account security program. It is the first key metric of success.
Bolstered by this momentum, your team can then turn its attention to the next leg of the security program journey. This typically involves expanding the four core controls to more accounts within the enterprise and increasing the depth of the controls, by eliminating personal privileged accounts or removing embedded passwords in applications, for example, and formalising the program to ensure ongoing maintenance and support for these new controls.
While starting to sprint can seem overwhelming, a strong start sets the business up for success, and creates a repeatable framework that can be used to demonstrate measurable milestones and enterprise resiliency.
By Gerrit Lansing, Chief Architect at CyberArk