Trust But Verify - Mitigating Privilege Account Risks

Privileged account access represents the keys to the kingdom for threat actors, enabling them to move around a network almost unabated. With it, miscreants can explore and extract as much sensitive data as they like.

It’s no wonder that Forrester estimates that privileged accounts are involved in 80 percent of security breaches, and Gartner made privilege access their number one security project recommendation.

Despite this, many organizations are still unaware of how their privileged accounts are used, creating a significant blind spot that can be exploited by threat actors. This includes the ability to identify key risk factors such as whether or not the privileged account has been accessed via an unusual host or service.

To overcome this issue, security teams need to be provided with access to actionable information generated through the monitoring of cloud-native and hybrid cloud environments. If not, organizations could find themselves becoming victims of a cyber-attack similar to the one that afflicted Capital One, where the records of 100 million customers were compromised.

The prevalence of privilege access risk

Privilege access anomalies are more common than most organizations realize. Research by Vectra using the Cognito network detection and response platform found that in the last six months of 2019, 57 privilege access anomalies were observed per 10,000 hosts, with finance, healthcare, education and manufacturing industries representing almost half of the total.

Drilling down further into the numbers, by far the largest proportion of these anomalies were caused by privileged access from an unusual host, representing nearly three quarters of such incidents. The anomalies detected were either one or a combination of, unusual service, unusual account or unusual host.

Often there is a perfectly innocent explanation for many of these unusual host anomalies, namely that an approved user is accessing the system from a new or different host. However, this could also be indicative that an attacker has taken over an account. As such, privileged access continues to present a risk to organizations, especially when not managed correctly.

Lessons from Capital One

One high profile instance of an unusual host being responsible for a significant data breach was Capital One, which was the result of an unauthorized person gaining temporary access tokens due to a web application firewall (WAF) misconfiguration. WAFs are designed to stop unauthorized access to a network, but in this case the threat actor was able to use it to make a request from an external unknown host to the internal servers.

They then retrieved tokens to grant themselves full access to web servers. It’s important to note that temporary access tokens can be issued to provide trusted users with time-limited security credentials for them to be able to use certain resources. Organizations use these to reduce the necessity for managing access to certain accounts, yet still give users the ability to use them for short periods.

Once they had full access, the threat actor then used the AWS simple storage service (S3) list-bucket command to display all AWS S3 bucket names. With this information they executed a sync command to copy 700 folders and buckets containing customer information to an external destination.

Detecting such an attack is challenging as the attacker blends in with the type of activity usually seen as part and parcel of normal admin operations. There was no malware or suspicious behavior to detect that would have given their game away. What should have raised alarm bells, however, is that privileged credentials from an unusual host were used to execute the commands.

Unfortunately, what was to blame in this case was the shared responsibility model. This is where the responsibility for securing an IT network is shared between the customer and the cloud service provider. In such cases, it is not uncommon for security issues to fall through the cracks as each side assumes the other will take responsibility for catching them.

Privileged access doesn’t equate to trusted access

Rather than relying on an entity's privileges or being independent of privileges, security operations must focus on how the entities use their privileges within the network. This means not only monitoring the hosts and the network, but also understanding how privileged access is being used within an organization between local networks, private data centers and cloud instances.

This can be achieved by firstly observing how entities interact with each other. Using artificial intelligence and machine learning, the privilege level of each entity can be assessed by how it behaves and the sensitivity of the assets they are trying to access. Once this has been established, any abnormalities in this behavior can then be determined. Those that have security implications will need to be acted upon as a matter of urgency.

By understanding how privilege access occurs between cloud instances, data centers and local networks, organizations can more easily identify a network compromise and act before a catastrophic breach, like at the one suffered by Capital One, can happen.

What’s Hot on Infosecurity Magazine?