Privileged account compromise behind 100% of recent large-scale APT attacks

New research shows that privileged account exploitation was the root cause of nearly all recent advance threat attacks
New research shows that privileged account exploitation was the root cause of nearly all recent advance threat attacks

That’s the finding of the APT Privileged Account Exploitation research report, compiled by CyberSheath and commissioned by Cyber-Ark, which found that the compromise of privileged accounts was a crucial factor in a full 100% of recent advanced attacks.

"Privileged accounts have typically been viewed as the powerful IT administrator or super-user accounts,” said John Worrall, CMO at Cyber-Ark. “This old notion ignores the reality that the use of privileged accounts has expanded significantly throughout the enterprise. Privileged accounts also include default and hardcoded passwords, as well as application backdoors. These accounts exist everywhere – in servers, network devices, applications and more. Security needs to start with identifying and securing every one of these powerful accounts and automating the controls around them. Cyber-attackers know these weak spots exist and will do anything to gain access. “

CyberSheath found that the absence of fundamental access control measures was a crucial factor in all of the recent high-profile attacks that were examined, including the South Carolina Department of Revenue, the University of Georgia, the NASA Jet Propulsion Library, Red October, Utah Department of Health, Toyota, The Swiss NDB Intelligence Service, Saudi Aramco and Global Payments.

Further, the report found attacks that use privileged accounts are more difficult to detect, shut down and remediate. They can delete logs to make forensic analysis more difficult, and can be used to install new malware to evade detection and open more doors. In addition, privileged account use appears as normal traffic flow and is not detected by traditional means, so that finding illicit privileged account use among legitimate processes is like finding a needle in a stack of needles.

Also, eradicating attackers from a compromised network can be extremely expensive and painful. In addition to the high-costs associated with data breaches (the Ponemon Institute pegs the average cost of a data breach at $2.4 million over a two year period), the efforts to remove well-entrenched attackers from a network requires multiple remediation steps that can take thousands of man-hours of work.

"The theft and exploitation of privileged accounts is a critical and devastating part of the APT attack cycle,” said Eric Noonan, CEO at CyberSheath. “These accounts provide wide-ranging access in the enterprise and enable attackers to easily simulate normal business traffic, making infiltrations extremely difficult to detect.”

Locking down privileged accounts and preventing their use in APTs moves up the kill chain and helps thwart attack progression at the delivery stage, as opposed to the command and control stage. Some best practices for preventing APT privileged account compromises include isolating, monitoring and controlling every access point to all critical business systems, changing default passwords on all servers, databases, applications and network devices, using multifactor authentication and removing local administrator rights from the majority of users.

“Our examination showed that almost every major cyber-incident in the past couple of years involved privileged accounts,” said Noonan. “The protection, accountability and management of privileged accounts are the very first steps organizations need to take to stop targeted attacks."

What’s hot on Infosecurity Magazine?