Fraud or theft resulting from privileged account abuse is one of the most challenging threats for organizations to identify and mitigate. An organization's so-called 'super users', those with the highest access rights and privileges, hold the keys to a mine of valuable information and data.
If a sophisticated attacker can breach the perimeter and obtain privileged user credentials, they hold the 'golden ticket' to the network. Little stands in the way of whatever they choose to do next: accessing systems or stealing sensitive information.
And of course, if the attacker is an employee, they already hold legitimate credentials and the 'keys to the kingdom'. Password controls do nothing if the attacker already has authorized access to all the information they want.
This means we have to look beyond traditional access or identity management approaches and towards a more continuous form of authentication, one that can catch attacks mounted from inside the perimeter.
A Sitting Target
Privileged users may account for a small proportion of the entire user base of your organization, but their privileged status makes them an obvious target for professional hackers.
In fact, in a survey published last year, 45% of hackers named privileged accounts a favorite target. These are the users with the highest access rights to sensitive company data: HR records, financial and payroll details, or the company's IP. They are the systems administrators, network engineers and IT security practitioners with the authority to make changes to an entire network, to systems or to files.
Keeping their credentials well protected and restricting access to the systems they use is an essential part of managing a secure environment. The problem is that the solutions designed to manage these users, such as Privileged Identity Management (PIM) or Privileged Access Management (PAM), are fundamentally built around password management. Whilst they can restrict who reaches which systems, they cannot by themselves protect the organization against abuse by someone who holds a valid privileged credential.
Take the following scenario. An attacker breaches the perimeter through a targeted spear-phishing attack and takes control of a user's PC. From there they can harvest cached passwords to obtain that user's credentials, or lie in wait and move from machine to machine until they find a privileged user. If a PIM solution is in place, they need only wait for the user to log into the PIM web interface to capture their credentials.
Most worryingly, they can do all of this with surprising ease, and without raising a single alert to the security team. Authentication is designed to establish that the person logging in is who they claim to be; it is not designed to monitor what happens next.
The Digital Footprint
The challenge for organizations is how to manage this threat without blocking or preventing users from doing their normal jobs. Privileged users perform vital roles within the organization; placing additional controls around their day-to-day activity can be counterproductive.
Typical of this is the 'break the glass' approach, which relies on rule-based policies to tightly control what a privileged user can and cannot do, alerting the security team if they go beyond those constraints. Whilst it provides another layer of security, it can make for a highly restrictive and unproductive working environment.
We need to focus on the real issue: the problem that needs addressing occurs after the user has been authenticated to the system. Where an attacker has obtained a user's credentials, we need to ask what happens next. Are they exhibiting typical behavior for that user? Have they accessed the files the owner of this account usually accesses? Have they logged on at unusual times of day? Are there other behavioral signs, such as the way they type or use the mouse?
Every privileged user has a unique pattern of behavior: the time of day at which they access servers, which servers they reach, and which commands they run once there. From this information we can build a baseline behavioral profile of each user over time. Machine learning algorithms can then compare new activity against that baseline and flag anomalies in real time. If activity deviates from the user's typical behavior, the security team is alerted in time to avert a breach.
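The baseline-and-compare idea above, reduced to its simplest runnable form. This is an added illustration, not code from the article or from any UBA product: it stands in for the "machine learning" model with plain per-user frequency tables over three of the signals the text names (hour of day, target host, command), and it includes the guard a practitioner would insist on, namely not scoring a user until enough history exists, since a brand-new admin would otherwise trip every rule. The log format, user names, hosts, commands and thresholds are all assumptions constructed for the example.

```python
"""Per-user behavioral baseline for privileged sessions (added example).

Frequency tables stand in for a trained model; the event format, users,
hosts, commands and thresholds below are constructed for illustration.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training data: a week of normal activity for two admins.
# Each line is a JSON event with UTC timestamp, user, target host and command.
BASELINE_LOG = """
{"ts":"2023-05-01T09:12:00Z","user":"alice","host":"db01","cmd":"psql"}
{"ts":"2023-05-01T10:40:00Z","user":"alice","host":"db01","cmd":"pg_dump"}
{"ts":"2023-05-02T09:05:00Z","user":"alice","host":"db02","cmd":"psql"}
{"ts":"2023-05-02T11:30:00Z","user":"alice","host":"db01","cmd":"psql"}
{"ts":"2023-05-03T08:55:00Z","user":"alice","host":"db01","cmd":"systemctl"}
{"ts":"2023-05-03T14:20:00Z","user":"alice","host":"db02","cmd":"psql"}
{"ts":"2023-05-04T09:15:00Z","user":"alice","host":"db01","cmd":"psql"}
{"ts":"2023-05-04T16:45:00Z","user":"alice","host":"db01","cmd":"pg_dump"}
{"ts":"2023-05-05T10:02:00Z","user":"alice","host":"db02","cmd":"systemctl"}
{"ts":"2023-05-05T13:10:00Z","user":"alice","host":"db01","cmd":"psql"}
{"ts":"2023-05-01T22:10:00Z","user":"bob","host":"web01","cmd":"journalctl"}
{"ts":"2023-05-02T23:05:00Z","user":"bob","host":"web01","cmd":"systemctl"}
{"ts":"2023-05-03T22:40:00Z","user":"bob","host":"web02","cmd":"journalctl"}
{"ts":"2023-05-04T23:30:00Z","user":"bob","host":"web01","cmd":"nginx"}
{"ts":"2023-05-05T22:15:00Z","user":"bob","host":"web02","cmd":"systemctl"}
"""

MIN_EVENTS = 10    # assumed: do not score a user with a thinner history
HOUR_FLOOR = 0.05  # assumed: an hour seen in <5% of a user's events is unusual
ALERT_AT = 2       # assumed: alert on two or more independent signals


def parse_events(text):
    """Parse newline-delimited JSON events, adding the UTC hour; skips blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["hour"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        events.append(ev)
    return events


def build_baseline(events):
    """Per-user frequency tables of login hour, target host and command."""
    baseline = defaultdict(lambda: {"n": 0, "hours": Counter(),
                                    "hosts": Counter(), "cmds": Counter()})
    for ev in events:
        b = baseline[ev["user"]]
        b["n"] += 1
        b["hours"][ev["hour"]] += 1
        b["hosts"][ev["host"]] += 1
        b["cmds"][ev["cmd"]] += 1
    return baseline


def score_event(baseline, ev):
    """Return the deviations of one event from its user's own baseline.

    A user with too little history gets a single 'insufficient history'
    marker instead of a score, so new accounts do not flood analysts.
    """
    b = baseline.get(ev["user"])
    if b is None or b["n"] < MIN_EVENTS:
        return ["insufficient history"]
    reasons = []
    if b["hours"][ev["hour"]] / b["n"] < HOUR_FLOOR:
        reasons.append(f"unusual hour {ev['hour']:02d}:00")
    if ev["host"] not in b["hosts"]:
        reasons.append(f"never seen on host {ev['host']}")
    if ev["cmd"] not in b["cmds"]:
        reasons.append(f"never ran {ev['cmd']}")
    return reasons


def should_alert(reasons):
    """Alert only on scored events carrying enough independent signals."""
    return "insufficient history" not in reasons and len(reasons) >= ALERT_AT


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for raw in [  # constructed new events: one normal, one suspicious, one unscorable
        '{"ts":"2023-05-08T09:30:00Z","user":"alice","host":"db01","cmd":"psql"}',
        '{"ts":"2023-05-08T03:10:00Z","user":"alice","host":"hr-files","cmd":"scp"}',
        '{"ts":"2023-05-08T03:10:00Z","user":"bob","host":"web01","cmd":"scp"}',
    ]:
        ev = parse_events(raw)[0]
        reasons = score_event(baseline, ev)
        print(ev["user"], "ALERT" if should_alert(reasons) else "ok", reasons)
```

Alice's 3 a.m. `scp` to a host she has never touched trips all three signals and alerts; her 9:30 `psql` on `db01` matches her baseline and is silent; Bob, with only five events of history, is deliberately left unscored. Requiring two independent signals before alerting is the cheap version of the trade-off the article describes: a single off-hours login is a nuisance alert, a new host plus a new command at an odd hour is worth an analyst's time.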
This more continuous form of authentication – User Behavior Analytics (UBA) – provides an additional level of protection without adding more layers of control. Whilst password management is a useful tool for IT administration, we need additional checks in place. User behavior is the new authentication: it’s the missing link through which we can significantly reduce the threat of compromise when the attackers are already inside the gates.