The Most Important Part of Least Privilege Tactics

Since Verizon discovered that 75% of attacks use compromised credentials, businesses’ interest in the idea of "least privilege" has increased dramatically. Least privilege is all about restricting employee access to only the data they need to do their job — and nothing more.

If a cyber-criminal manages to get their hands on an employee’s legitimate login credentials, their ability to do any damage is greatly limited.

To put it in other terms, least privilege is a bit like being able to restrict a burglar in your home to just the kitchen. If they can’t access the rest of your house, they can’t steal that nice TV or your box of jewelry in the bedroom.

I would, however, argue that organizations should treat least privilege with a pinch of salt. While the idea is undoubtedly positive, and I'd seriously advise organizations to put it in place, criminals will still have access to some data if they gain entry to corporate systems, which is worrying in itself. Surely the ideal scenario is to prevent unauthorized access in the first place?

Unauthorized access using employee credentials is the most dangerous kind of cyber breach. Not only does an outsider get the opportunity to steal your sensitive data, they get to do so virtually undetected, because most cybersecurity setups will not raise an alarm when correct login credentials are used. Such is the problem of "undetectability" that most European organizations take 450 days on average to spot a breach. That gives cyber-criminals plenty of time to gain entry, snoop around your system, steal your data and leave before you even know they've been there.

Spotting breach “indicators” at the logon
Detecting unauthorized access is challenging, but it is possible. Both insider and external threat activity show tell-tale signs of misuse. In other words, every instance of unauthorized access comes with certain 'indicators' of suspicious behavior which, if you could see them, would enable you to stop the unauthorized access immediately. These indicators tend to occur around the logon. So, what exactly are they? And how can you use them to prevent unauthorized access?

  1. After-hours use - Most employees log into the corporate network at around the same time each day, usually when they arrive at work or when their shift starts, so it doesn't take long for a regular logon pattern to build up. Any login attempt at an unusual time of day is therefore likely to be suspicious, for example 3:00am on a Saturday night for a regular 9–5 worker.
  2. Logons from unusual geographical locations - As with time, most employees build up a regular logon profile in terms of geography: they log on from the office, from home or from somewhere in their hometown. Any attempt to log in from an unusual location, whether a city miles away or a different country altogether, is therefore likely to be suspicious.
  3. User/endpoint mismatch - Even in the age of BYOD and multi-device working, most employees use the same desktop, laptop, tablet and smartphone to access the corporate network. Logons from unfamiliar endpoints should therefore be a source of concern, especially when combined with an unusual time of day or location.
  4. Multiple logon attempts - Once attackers get their hands on a legitimate login, they will try it on every system they can reach, a tactic known as "credential stuffing". External attackers try the credentials against as many systems as possible so that they can move laterally across the network until they find data of value to them. Many logins in a short space of time are a clear indication of potential misuse.
  5. Multiple concurrent logins - Continuing the previous scenario, an external attacker may use compromised credentials to gain entry to multiple systems at the same time, an abnormal occurrence for any account.
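The five indicators above can be checked mechanically once a per-user logon baseline exists. The detector below is an added example, not code from the article or from any product it alludes to; the user, city, device and system names, the sample logon records, and the thresholds (a five-minute window and four attempts) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logons (not from the article): user, time, city, device, target system, success
HISTORY = [
    ("alice", "2023-03-06T08:55", "Leeds", "LT-0042", "fileserver", True),
    ("alice", "2023-03-07T09:02", "Leeds", "LT-0042", "mail", True),
    ("alice", "2023-03-09T17:30", "Leeds", "PH-0042", "mail", True),
]
NEW = [
    ("alice", "2023-03-11T03:00", "Bucharest", "WS-9999", "fileserver", True),
    ("alice", "2023-03-11T03:01", "Bucharest", "WS-9999", "mail", True),
    ("alice", "2023-03-11T03:01:30", "Bucharest", "WS-9999", "hr-db", False),
    ("alice", "2023-03-11T03:02", "Bucharest", "WS-9999", "hr-db", True),
    ("alice", "2023-03-11T03:03", "Bucharest", "WS-9999", "finance", True),
    ("alice", "2023-03-13T09:05", "Leeds", "LT-0042", "mail", True),
]

def parse(events):
    rows = [(u, datetime.fromisoformat(t), c, d, h, ok) for u, t, c, d, h, ok in events]
    return sorted(rows, key=lambda e: e[1])

def build_baseline(history):
    """Per-user profile of the hours, cities and devices seen in past logons (indicators 1-3)."""
    base = defaultdict(lambda: {"hours": set(), "cities": set(), "devices": set()})
    for user, ts, city, device, _, _ in parse(history):
        for key, val in (("hours", ts.hour), ("cities", city), ("devices", device)):
            base[user][key].add(val)
    return base

def score_logons(events, baseline, window=timedelta(minutes=5), burst=4):
    """Return (user, time, indicators) per logon; an empty list means nothing unusual."""
    per_user = defaultdict(list)
    for ev in parse(events):
        per_user[ev[0]].append(ev)
    findings = []
    for user, evs in per_user.items():
        prof = baseline[user]  # unknown user -> empty profile, so indicators 1-3 all trip (safe default)
        for i, (_, ts, city, device, _, ok) in enumerate(evs):
            checks = (("after-hours", "hours", ts.hour), ("unusual-location", "cities", city),
                      ("endpoint-mismatch", "devices", device))
            hits = [name for name, key, val in checks if val not in prof[key]]
            recent = [e for e in evs[: i + 1] if ts - e[1] <= window]  # attempts in the last `window`
            if len(recent) >= burst:
                hits.append("multiple-attempts")
            entered = {e[4] for e in recent if e[5]}  # distinct systems entered in that window
            if ok and len(entered) > 1:
                hits.append("concurrent-logins")
            findings.append((user, ts.isoformat(), hits))
    return findings
```

Failed attempts count towards the burst but not towards concurrent sessions, so a password-guessing run and a successful fan-out across systems show up as different indicator sets.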

Getting visibility into network activity
Most organizations are not in a position to detect any of the five "indicators" above. Doing it manually isn't practical for any IT team, however large, and most cybersecurity setups don't monitor the contextual information around logins, so they cannot pass judgement on suspicious activity when it occurs.

However, the right technology can do the legwork for you, alerting IT teams in real time to suspicious login behavior while informing the user that their login may have been compromised by a cyber-criminal. Protecting logons in this way goes hand in hand with implementing least privilege: first, stop the attacker from gaining entry; then, if one slips through the net, make sure they can't steal anything of value.
