Network Administrators Are Not Just the Protectors of the Organization – They Are Also the Most Valuable Targets
Network and system administrators are critical to the success of virtually every modern organization. Their job is inherently to both avert and fix problems across a seemingly endless number of users, devices, applications and systems. From a security perspective, all of these assets have potential vulnerabilities that need to be managed, and admins must also keep pace with a constantly evolving spectrum of threats. Staying on top of all of these challenges at the same time typically requires black-belt time management skills just to keep one’s head above water. With all of this focus on taking care of others, it is easy for admins to forget to take care of themselves.
However, from a security perspective this can be a fatal flaw. Administrators have to remember that they are not just the protectors of the organization – they are also the most valuable targets. If an attacker gains admin-level access to a device, then he can own the machine. If the attacker can gain admin-level access to the network’s domain controllers, then he can own the network and potentially anything on it. If an attacker owns the domain, he can spread to virtually any device he wants, plant backdoors and backdoor admin accounts to maintain persistence, and forge Kerberos tickets for pretty much any service he wants. In short, a compromised admin can turn layers of hardened defenses into meringue.
Information leaked by Edward Snowden provided a clear example of just how valuable admins are to advanced attackers. In an internal NSA blog titled “i hunt sys admins,” an NSA analyst detailed the how and why of targeting administrators. While there is plenty of interesting information in the post, the following statement stands out:
“…who better to target than the person who already has the ‘keys to the kingdom’? Many times as soon as I see a target show up on a network, one of my first goals is, can we get CNE access to the admins on the network.”
While this perspective comes from the NSA, the strategy holds true for other advanced attackers ranging from nation-states to dedicated criminal groups.
So with this in mind, what can organizations do to better protect themselves? Starting with the obvious, it is critical to make sure that all administrators’ devices remain fully patched and secured. While it may seem counter-intuitive, it is not unheard of for administrators to spend hours and days patching the organization’s servers, but forget to patch their own devices.
Once the basics are addressed, organizations can begin to further reduce the admin-related attack surface. This can include having fewer users with admin-level privileges, and further tightening exactly what admin rights and roles a particular administrator truly needs. For example, not every admin needs full administrator privileges on a domain controller. In addition, it makes sense to implement more stringent authentication procedures for admins. One of the first tricks attackers will try is to dump administrator passwords or password hashes from memory to reuse in the network. Additional factors of authentication and regular rotation of passwords could make this sort of attack more difficult.
While the previous steps are more preventative in nature, there are also ways to proactively detect when an administrator has been compromised. Behavioral analysis is particularly powerful in this regard because it focuses on what an admin and his devices are actually doing. Behavioral systems can learn what actions are normal for a particular admin, and what devices they typically use. If an administrator account begins to make unusual connections from an atypical device, a behavioral model can quickly flag the activity. Much like a fraud alert from your bank, behavioral analysis can deliver an early warning so that the team can take action before any damage occurs.
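The baseline-and-flag idea described above, as an added example that is not part of the original post: a small Python script learns each admin account's usual source devices and logon hours from a learning window of logon records, then flags later logons that come from a device or at an hour outside that profile. All log lines, account names and host names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample logon records (timestamp, account, source host, target host); not real data.
BASELINE_LOG = """\
2024-03-01T09:02:11 admin.jdoe ADM-WS01 DC01
2024-03-01T09:40:53 admin.jdoe ADM-WS01 FILE02
2024-03-02T10:15:07 admin.jdoe ADM-WS01 DC01
2024-03-02T11:30:00 admin.jdoe ADM-WS02 DC02
"""
LIVE_LOG = """\
2024-03-04T09:10:00 admin.jdoe ADM-WS01 DC01
2024-03-04T02:13:27 admin.jdoe SALES-LT17 DC01
2024-03-04T02:14:05 admin.jdoe SALES-LT17 DC02
"""

LINE_RE = re.compile(r"^(\S+)T(\d{2}):\d{2}:\d{2} (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield one dict per well-formed logon line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _date, hour, account, src, dst = m.groups()
            yield {"account": account, "hour": int(hour), "src": src, "dst": dst}

def build_baseline(log):
    """Per-account profile: source hosts used and hours seen during the learning window."""
    profile = defaultdict(lambda: {"src": set(), "hours": set()})
    for ev in parse(log):
        profile[ev["account"]]["src"].add(ev["src"])
        profile[ev["account"]]["hours"].add(ev["hour"])
    return profile

def flag_anomalies(baseline, log):
    """Return (event, reasons) pairs for logons that deviate from the learned profile."""
    alerts = []
    for ev in parse(log):
        prof = baseline.get(ev["account"])
        reasons = []
        if prof is None:
            reasons.append("account never seen in baseline")
        else:
            if ev["src"] not in prof["src"]:
                reasons.append(f"atypical source device {ev['src']}")
            if ev["hour"] not in prof["hours"]:
                reasons.append(f"atypical hour {ev['hour']:02d}:00")
        if reasons:
            alerts.append((ev, reasons))
    return alerts
```

In the sample data the daytime logon from the admin's usual workstation passes silently, while the two early-morning logons from a sales laptop are each flagged for both device and hour.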
As with any approach to security, these steps are not a silver bullet, but part of a larger approach. However, the important thing to remember is that administrators are not only the defenders of the network – they are also the prime targets. All of the best practices that we preach to our end-users need to be doubly applied to ourselves as admins.