Security Experts:

Privileged Accounts Play Key Role in Advanced Cyber Attacks

Malware and attackers are increasingly targeting privileged accounts as part of multi-stage operations where they breach networks, gather information, and exfiltrate sensitive data, according to a recent report from security firm CyberSheath.

Theft, misuse, and exploitation of privileged accounts is a "key tactic" in each phase of advanced persistent threat and other targeted attack campaigns, CyberSheath wrote in its APT Privileged Account Exploitation report released Wednesday. CyberSheath's "descriptive benchmark study" interviewed ten "leaders in the cyber community" heading security efforts at major U.S.-based corporations, along with former government executives.

Attackers Access Privileged Accounts Compromising privileged accounts is often critical to the success of the attack campaign, participants told CyberSheath. In fact, the ability to takeover and utilize legitimate credentials during the attack was "a reliable enough indicator to classify an attack as APT," a security executive said in the report. Removing the adversary's ability to compromise privileged accounts would "essentially stop their ability to move laterally throughout the network," another security manager said in the report.

"Cyber-attackers know these weak spots exist and will do anything to gain access. By cutting off the means for attackers to travel freely and hide their tracks, organizations can reduce the APT threat," John Worrall, CMO of Cyber-Ark, said in a statement. Cyber-Ark commissioned this report from CyberSheath.

A privileged account is normally used to manage the system and refers to any login ID on a system or application, which has more permissions and rights than the average user. Traditionally, these referred to IT and administrator accounts, but built-in accounts with hardcoded or default passwords are now also included in this group. Privileged accounts are pervasive throughout the organization, and CyberSheath suggested that in some cases, there may be more privileged accounts than general user accounts.

"These accounts exist everywhere – in servers, network devices, applications and more," Worrall said.

Attacks that leverage privileged accounts are more difficult to detect, shut down and remediate because they look like normal traffic. Attackers can also delete logs, making it harder for administrators to know what is going on. "Almost everyone can detect firewall activity, but how many can tell every host a domain admin has logged into?" the report asked.

Organizations are also much slower detecting attacks where privileged accounts have been compromised. Report participants said breaches can remain undetected for months, even years.

Detecting legitimate processes being used for illegitimate purposes is the equivalent of "finding a needle in a stack of needles," the report said.

Many of the prominent data breaches reported in 2012 involved some form of credential theft or misuse, according to the report. CyberSheath researched 10 well-reported attacks, including the attack on systems at the South Carolina Department of Revenue, the Red October campaign uncovered by Kaspersky Lab, and the data-wiping malware that shredded data over at Saudi Aramco.

A privileged accounts protection tool would have detected the initial compromise at the South Carolina Department of Revenue, the report found. If these accounts had been protected, the adversaries would not have been able to move laterally throughout the network in the case of the Red October example. These kinds of security protection would also be able to block privileged activity and disrupt the attack while it is in progress. Enforcing the concept of least privilege would have ensured that users who don't need access to network shares and other sensitive systems don't have those privileges.

"In each case, it was evident that attackers targeted the credentials of privileged users," and organizations lacked essential credential protection, accountability, and intelligence processes to "detect and stop the attacks before data was lost," the report found.

Only a few of the interviewed participants in the report had implemented any advanced protection for privileged accounts. Nearly all focused on detection and containment after a breach, and most employed basic password management and relied on end-user training, the report found.

Organizations need to identify all critical business systems, and then isolate, monitor, and control every access point to those systems, the report found. They should reduce the number of privileged domain-wide accounts, and then deploy multi-factor authentication to protect those accounts. End-user access should be restricted by enforcing the principle of least privilege.

Some of the tasks fall under basic security hygiene, such as changing default passwords on all servers, databases, applications, and network devices; removing hard-coded passwords from scripts, configuration files, and applications; automatically enforce password policies to ensure complexity and encourage frequent password resets; selecting unique passwords for each local administrator account; and removing local administrator rights from general users.

Organizations need to monitor and record all activities associated with administrative and privileged accounts, and implement tamper-proof logging and audits, the report said.

CyberSheath is not the only one flagging the problem of stolen credentials. Verizon RISK Team noted that 76 percent of network intrusions in its 2013 Data Breach Investigation Report exploited weak or stolen credentials.

Taking corrective action to clean up after a compromise is "very painful to users and very expensive" to the organization, the report found. For the most part, incident response required administrators to reset passwords for all accounts and manually removing administrator accounts from all accounts on the system and reassigning them back to the ones that legitimately need those rights.

"Security needs to start with identifying and securing every one of these powerful accounts and automating the controls around them," Cyber-Ark's Worrall said.

Related Reading: Attackers Capitalizing On Poorly Managed Privileged Accounts

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.