Any data breach can have devastating consequences, particularly if hackers managed to gain access to your company’s privileged accounts. In fact, Verizon’s 2017 Data Breach Investigation Report states that privilege abuse, including compromised accounts of privileged users, is the second most common cause of cybersecurity incidents.
Using legitimate credentials of privileged users, hackers can get access to every critical asset in your network and take the entire system under their control. Thus, ensuring privileged users’ account security and monitoring and controlling their activity is an essential part of an organization’s cybersecurity strategy.
In chase of privileged access
In every organization, there are several groups of privileged accounts, each serving a different purpose. Below, we list the six most common types of accounts with elevated privileges:
- Administrative accounts are standard accounts automatically created for every system.
- Personal privileged accounts grant elevated privileges to a particular system user who obtains access to sensitive data or critical assets.
- Local accounts allow accessing a particular server or workstation within the corporate network.
- Domain accounts give administrative access to all servers and workstations located within a particular domain.
- Application accounts for accessing and managing applications and their databases.
- Emergency accounts allow fixing issues that require an elevated level of privileges in a timely manner.
Privileged user accounts are often used by system and database administrators, security personnel, network engineers, upper management staff, and other employees whose duties require constant access to critical data and infrastructure.
How do they get compromised?
Hackers are constantly developing new ways for compromising privileged accounts. However, there are several “classic” attack vectors that are consistently used used by attackers:
- Weak passwords
- Shared accounts
- Application exploits
- Phishing emails
- Brute force attacks
Let’s take a closer look at each of these attack vectors.
Weak passwords are basically the Achilles’ heel of any organization. According to one report, around 20% of respondents admit that many users use default passwords that are extremely easy to hack for the attackers. Plus, around 30% of users share their passwords with their colleagues on a regular basis.
Shared accounts are a common thing for the majority of organizations: the same passwords are often used either among multiple users or across several systems.While it makes things a bit easier for both users and system administrators, it also makes these accounts more vulnerable to attacks. Storing administrative passwords on a spreadsheet accessible to a large group of people also is a controversial decision.
Application exploits and unpatched vulnerabilities give hackers one more opportunity to gain access to a victim’s system and critical data. Thus, if an organization doesn’t keep its software up-to-date, all of its critical data and assets are in danger.
Phishing emails is another technique hackers often use for their attacks. By clicking on a link in a seemingly trustworthy email, a victim initiates the installation of a file with harmful payload aimed to steal the victim’s credentials.
A significant threat is posed by spear phishing – a sophisticated targeted version of a phishing attack. In the case of spear phishing, hackers don’t want just to steal the victim’s credentials, they need that data to access the victim’s network and perform their main attack.
Brute force attack is an old-school hacking method many attackers use even nowadays. Using the so-called rainbow tables – special tables designed for cracking password hashes – hackers can quickly break weak passwords and enter the system under a legitimate user’s credentials. It’s reportedly the method hackers used to compromise nearly a hundred of the U.K. Parliament’s emails in 2017.
Privilege abuse: what are the symptoms?
A compromised account is somewhat close to an organ affected by a disease, in that it doesn’t work the way it should and, as a result, the entire system is also affected. And just like any other disease, privileged user compromised account has its typical symptoms.
Basically, there are two things you need to pay special attention to – unusual spikes of activity around your company’s critical assets and any deviations from the baseline behavior of privileged users. Here are some of the most typical signs that can help you identify suspicious activity from privileged accounts:
- A user tries to access, copy or change files or access a system that they don’t usually work with.
- A user tries to access sensitive data or critical assets at an unusual time, such as on holidays or outside of regular business hours.
- An account that was inactive for a long time suddenly goes live again.
- Multiple attempts to log in to the system from different endpoints using the credentials of the same account.
- Attempts to log in to the system from unusual end-points.
- Unusually large number of manipulations involving sensitive data or critical systems.
While anomaly user behavior can be detected rather quickly, many hackers are careful and try to disguise their activities as normal user actions. For instance, hackers can add one or even several more administrative accounts to the system and lay low for a while, waiting for the right moment to perform their attack. This is why every organization needs to constantly monitor and be able to control their privileged accounts.
Forewarned is forearmed
So, how can you detect privileged account abuse? First and foremost, you need to know how many privileged accounts are there in your system and what permissions do they have. You should also implement the least privilege approach to make sure that users have only the permissions they really need.
Then, you need to ensure privileged user access monitoring and management. As of today, there are two efficient approaches allowing to perform this task:
- Privileged Access Management – This approach makes it harder for the attackers to get hold of privileged user credentials and use them to get access to your network.
- Privileged Activity Monitoring – This approach allows detecting the attack and taking proactive countermeasures to prevent it from spreading further across the network.
Now, let’s take a more detailed look at each of these approaches.
Privileged Access Management
Privileged Access Management (PAM) is a complex approach meant to ensure constant monitoring, auditing, and effective management of privileged accounts. There are two strategies used for managing access to critical assets and data:
- Account-based access control
- Role-based access control
The account-based (or user-based) access control strategy allows securing critical systems and data at the individual level. This strategy can also be simple or complex. In a basic form of account-based access, a valid combination of login and password gives a user access to the system. In a more complex form of user-based access, each user (or group of users) has only a set of specific permissions so in order to perform a particular task, you need to log into an appropriate account.
The role-based access control works a bit differently than its account-based alternative: while users still use logins and passwords to enter the system, specific permissions are granted not to certain users but to specific roles: managers, administrators, and so on. Furthermore, one employee can be assigned to several different roles.
Also, you can implement Privileged Access and Session Management (PASM) tools to monitor and manage not only account but also sessions with elevated privileges. Thus, you can grant and restrict access to critical end-points in a flexible and efficient manner.
Pros and cons of these methods
Both account-based and role-based access control methods have their pros and cons. User-based access control can help you ensure a more granular control of your company’s network. However, managing user-based permission can be challenging since you’ll have to update the set of permissions for each user in the system.
Managing role-based permissions, on the other hand, is a bit easier since by changing current permissions for a particular role you’ll automatically change these permissions for every user assigned to that role. The main drawback of this method is that in companies with less structured hierarchy, you might need to create additional roles for a particular user if you need to grant them less or more privileges than the existing role already has.
Aside from separating roles or granting specific permissions to particular users, you need to ensure a high level of data protection by using multi-factor authentication and personalizing shared accounts. Look for an ultimate PAM solution with all these features available, such as Ekran System.
Privileged User Activity Monitoring
Simply knowing who has access to your critical assets and sensitive data isn’t enough. You need to monitor and audit actions of privileged users to make sure that they don’t abuse their privileges and that no one stole their credentials.
Privileged user monitoring isn’t only a preventive measure – it’s an effective tool you can use to detect an intrusion or insider attack. Advanced privileged user activity monitoring solutions give you full visibility across your network and help you manage every privileged account or session efficiently.
When building a privileged user monitoring policy, pay special attention to the following features:
- Constant user activity monitoring – You need to see every action of privileged users to be sure they behave normally and don’t abuse their privileges.
- Behavior-based analysis – By searching for behavior anomalies, you can detect an attack and stop it at an early stage. Tools like user and entity behavior analytics (UEBA) can help you detect suspicious activity in privileged accounts and investigate user behavior anomalies across your network.
- Advanced alert and notification system – You need to be able to set specific alerts for suspicious actions and potentially dangerous events.
- Incident response toolset – You need to have a well-thought-through incident response strategy to ensure proper reaction to possible privileged-account attacks and protect your critical data from loss or damage.
- Constant audit and reporting – Seeing the general picture can help you analyze the efficiency of your privileged account management strategy and take proactive countermeasures when needed.
Since privileged users have access to all critical end-points and sensitive data of an organization, their accounts are a tasty morsel for hackers. By compromising at least one privileged account, hackers can cause significant harm to the entire enterprise: steal large amounts of sensitive data, block access to critical end-points for other users, halt business processes, and so on. Therefore, protecting privileged accounts is an essential task for the companies of any size, industry, or region. Choosing an efficient privileged user activity management and monitoring system can help you solve this challenging problem.
Photo via Shutterstock.