Cyber Attackers and IT Admins: Twins Separated at Birth

Conventional wisdom says IT administrators are diametrically different than cyber attackers. A stereotypical hacker is imagined as someone in a hoodie in a dark room using command line tools to scribble messy scripts in an attempt to steal data from, or cause harm to, an enterprise. Hackers are thought of as anarchists who are opposed to any type of organization, structure or order.

On the other end of the spectrum, IT admins are thought of as very structured and regimented, meticulous about managing IT environments and making lives better for end-users.

However, in reality, professional cyber-criminals have a lot in common with enterprise IT admins; you may say that they’re like identical twins separated at birth. They have the same DNA, similar needs, use similar tools and depend on an organized network architecture to operate effectively. They just have different cultural environments and endgames.

Their commonalities are what makes cyber-criminals so effective, and why it’s become common practice to hunt system administrators. Just look to what American and Chinese nation-state actors are doing, in addition to organized crime. Let’s examine why this is so.

Bob is an IT manager for CardCorp, a medium-sized enterprise. He likes to keep things tidy: all the workstations have clear naming conventions, he can easily connect to servers through a server inventory app on his laptop and uses a password vault with SSO to make it even easier. He deployed the latest tools for managing and monitoring systems, including the ability to silently install software updates as well as remotely control systems without interrupting users, even when he’s outside the office.

Bob maintains an up-to-date document describing the network architecture, where firewalls are placed and which security policies and tools are deployed where. Keeping things organized is important especially as his day-to-day work is quite hectic, juggling help desk escalations and a variety of projects related to his company’s digital transformation. Every day is different and poses unexpected challenges but he must keep business working as usual.

Eve is a determined hacker, selling stolen credit card numbers for a living. She has identified CardCorp as a target to grab a huge credit card database. To get her hands on this database, she’ll need to understand the topology of the network, acquire credentials for infrastructure devices, know which security controls are in place and how access is done to that database. She’ll need to secretly install malware on multiple systems and see how users work before launching her attack. She’ll need to monitor CardCorp’s operation closely and make sure users don’t notice anything.

Thanks to Bob’s good work, Eve only needs to access Bob’s laptop to get anything she needs: a tidy inventory of all the systems in the network, local and domain admin rights, stealthy access to install and control anything, and full visibility into anything going on in the network.

It gets even better: as Bob’s work is so diverse and touches every aspect of the enterprise, there’s no “normal behavior” that anomaly detection agents could detect so Eve can easily hide in the noise of Bob’s activities.

In an ideal world, Bob would have a completely separate machine for accessing IT resources, also known as a “privileged access workstation” but in the real world, it’s not practical to carry two separate laptops everywhere. Bob mixes personal, day-to-day corporate and privileged usage on his single laptop. It takes just one mistake to let Eve take over: maybe Bob clicked the wrong link/opened the wrong email/plugged the wrong thumb drive/shared a folder/joined the wrong WiFi network.

Once Eve is in Bob’s laptop, it no longer matters what security controls are in place. Eve already installed stealthy remote control software on Bob’s machine and now has the privileges to connect to anything. Even if Bob uses jump boxes or a VDI desktop to connect to sensitive resources, Eve just follows him wherever he goes, sees what he sees, clicks and types in his name when the time is right.

Because cyber attackers and IT administrators have so much in common, it’s critically important to secure everything that IT administrators are doing. The admin’s personal device holds the keys to the kingdom and hackers can rely on it to open the front doors for them.

Securing these devices goes beyond traditional Privileged Access Management (PAM). It goes beyond isolating specified applications and browsers, which leaves the majority of corporate assets exposed. It requires comprehensive security of the IT administrator’s device OS and anything and everything running within it. This is the only way to ensure that the Eves of the world cannot follow the Bobs into and around the corporate network.

The sooner we appreciate how similar IT admins and cyber-criminals are in how they think and the tools they use, the better equipped we’ll be to improve security posture.

What’s Hot on Infosecurity Magazine?