Channel: iTWire - Entertainment

Every large organisation must assume it has been breached.


ANALYSIS: The lesson learned from recent high-profile attacks is that in every case, from retail giants like Target to financial institutions like the Bangladesh Central Bank, the attacker was present in the network long before the breach was discovered.

They got in via compromised user credentials (login and password), looked around, and then used progressively higher-privileged credentials to reach their end goal.

People often think of credentials as user credentials: a standard, locked-down user, or a privileged user with higher data access and network operation privileges. In other words, humans.

The goal of attackers is not to impersonate humans; it is to get something. Mostly that is data that can be sold, an information or IP advantage, operational privileges, or simply the ability to cause havoc in the network.


To get to the goal, attackers use any account credential, whether it belongs to a human or to an automated process. The latter are the machines and devices inside the network that run backups, scans, scripts and much else, many of which are left with the manufacturer's default admin passwords.

Any function that is automated is associated with an account. It is important to note that while many services are configured using machine accounts, services and applications can also be configured using user-defined accounts. For example, a human-created account can be used for a SharePoint or Exchange service.

Do you see the gaping security issue?

These types of accounts are often not subject to good security practices like regular password rotation. Another problem is that the permission levels of these accounts are defined by humans. These levels, meaning what privileges the service account has in the network, are often too high. A common scenario is that the service experiences a problem, the administrator adds it to the admins group to make it work, and the elevated permissions are never revoked. Or the CEO might have demanded elevated permission levels to access a specific resource, and because they are the boss, they get them.

Other bad practices include using the same account for multiple services on multiple servers, storing privileged credentials in scripts on endpoints, using privileged domain-level credentials for local system services and many others.

Once inside, attackers can scan the network and find script-embedded domain admin credentials: easy pickings.

Several companies have been breached using this exact method: the attackers got into the network, scanned all shared drives and found multiple VB scripts containing domain-admin usernames and passwords. This enabled them to take complete control of the network and, for example, steal credit card details from point-of-sale machines.
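The scan described above works the same way whether an attacker or an auditor runs it: walk a share, open every script, and look for the handful of idioms that carry a username and password in clear text. The following is an added example (not code from the article or from CyberArk) that does exactly that over a constructed set of sample scripts; the file contents, account names and passwords are made up here, and the regex list is illustrative rather than exhaustive.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample scripts of the kind found on shared drives. None of
# these are from the article; accounts, hosts and passwords are made up.
SAMPLE_FILES = {
    "backup.vbs": (
        'Set objNet = CreateObject("WScript.Network")\n'
        'objNet.MapNetworkDrive "Z:", "\\\\fs01\\backups", False, '
        '"CORP\\svc_backup", "Summer2016!"\n'
    ),
    "deploy.bat": "net use \\\\dc01\\c$ /user:CORP\\Administrator P@ssw0rd\n",
    "report.ps1": (
        '$pw = ConvertTo-SecureString "Qwerty123" -AsPlainText -Force\n'
        '$cred = New-Object PSCredential("CORP\\svc_sql", $pw)\n'
    ),
    "readme.txt": "Schedule: backups run nightly at 02:00.\n",
}

SCRIPT_EXTS = {".vbs", ".bat", ".cmd", ".ps1"}

# Illustrative patterns using named groups acct/pw. A real audit would use a
# longer list and also cover config files and connection strings.
PATTERNS = [
    # net use \\host\share /user:DOMAIN\name password
    re.compile(r"\bnet\s+use\b.*?/user:(?P<acct>\S+)\s+(?P<pw>\S+)", re.I),
    # MapNetworkDrive "Z:", "\\host\share", False, "DOMAIN\name", "password"
    re.compile(r'MapNetworkDrive\b.*?,\s*"(?P<acct>[^"]+)"\s*,\s*"(?P<pw>[^"]+)"', re.I),
    # ConvertTo-SecureString "password" -AsPlainText
    re.compile(r'ConvertTo-SecureString\s+"(?P<pw>[^"]+)"\s+-AsPlainText', re.I),
    # New-Object PSCredential("DOMAIN\name", ...)
    re.compile(r'PSCredential\(\s*"(?P<acct>[^"]+)"', re.I),
]


def scan_file(path):
    """Return one finding per matching line: file, line, account, secret."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                g = m.groupdict()
                acct = g.get("acct")
                findings.append({
                    "file": path.name,
                    "line": lineno,
                    "account": acct,
                    "secret": g.get("pw"),
                    # crude hint that the account is an admin-level one
                    "privileged_hint": "admin" in (acct or "").lower(),
                })
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a mounted share) and scan every script file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            findings.extend(scan_file(path))
    return findings


def scan_demo():
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return scan_tree(tmp)


def report(findings):
    """Print findings with the secret redacted; never log the secret itself."""
    for f in findings:
        secret = "<%d chars>" % len(f["secret"]) if f["secret"] else "-"
        flag = " [PRIVILEGED?]" if f["privileged_hint"] else ""
        print("%s:%d account=%s secret=%s%s"
              % (f["file"], f["line"], f["account"], secret, flag))


if __name__ == "__main__":
    report(scan_demo())
```

Point `scan_tree()` at a mounted share instead of the temp directory to audit real content. The report deliberately prints only the length of each secret: an audit tool that echoes passwords into its own log recreates the problem it was written to find.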

So everything has an account, and there are two types of account: machine and user. Human accounts should be separated from service accounts. Each account should be used by a single automated process, with granular permissions. Instead of granting them privilege levels that are too high, manage them.

Introduce a way to change passwords regularly. Make them complex and specific to each account, not shared globally. Protect and monitor all accounts. Step beyond technology solutions that only detect malicious human behaviour and struggle to detect deviations in the behaviour of non-human accounts.
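Monitoring non-human accounts is simpler than monitoring people, because a service account has a small, predictable footprint: it runs on known hosts, uses service or batch logons, and should never log on interactively. The following is an added example (not from the article or from CyberArk) that encodes those expectations as rules over logon events. The events, the baseline of which host each account belongs on, and the 90-day rotation window are all constructed assumptions; in practice the events would come from Windows Security event 4624 records and the baseline from a service inventory.

```python
from datetime import date

# Logon types as recorded in the LogonType field of Windows event 4624.
INTERACTIVE = {2, 10, 11}   # console, RDP, cached interactive: a person at a keyboard
SERVICE_LIKE = {4, 5}       # batch (scheduled task) and service logons

# Constructed baseline: the hosts each service account is meant to run on and
# when its password was last rotated. Not real accounts.
BASELINE = {
    "CORP\\svc_backup": {"hosts": {"BKP01"}, "pw_last_set": date(2015, 3, 1)},
    "CORP\\svc_sql": {"hosts": {"SQL01", "SQL02"}, "pw_last_set": date(2016, 8, 20)},
}

# Constructed sample events in 4624 style (account, logon type, target host,
# source address). Made up for this example.
EVENTS = [
    {"account": "CORP\\svc_backup", "logon_type": 5, "host": "BKP01", "src": "-"},
    # network logon to a domain controller: the backup account has no business there
    {"account": "CORP\\svc_backup", "logon_type": 3, "host": "DC01", "src": "10.0.5.77"},
    {"account": "CORP\\svc_sql", "logon_type": 5, "host": "SQL02", "src": "-"},
    # RDP session with a service account from an HR workstation: a human is using it
    {"account": "CORP\\svc_sql", "logon_type": 10, "host": "WS-HR-04", "src": "10.0.9.12"},
    # ordinary human logon; not a service account, so out of scope for these rules
    {"account": "CORP\\jsmith", "logon_type": 2, "host": "WS-HR-04", "src": "-"},
]


def check_events(events, baseline=BASELINE, today=date(2016, 9, 1), max_pw_age_days=90):
    """Return (account, reason, detail) alerts for service-account deviations.

    Rules:
      1. a service account must never log on interactively;
      2. a service account must only appear on the hosts in its baseline;
      3. a service account password must have been rotated within the window.
    """
    alerts = []
    for e in events:
        acct = e["account"]
        if acct not in baseline:
            continue  # human accounts are handled by other controls
        if e["logon_type"] in INTERACTIVE:
            alerts.append((acct, "interactive logon", e["host"]))
        if e["host"] not in baseline[acct]["hosts"]:
            alerts.append((acct, "logon from unexpected host", e["host"]))
    for acct, info in baseline.items():
        age = (today - info["pw_last_set"]).days
        if age > max_pw_age_days:
            alerts.append((acct, "password older than %d days" % max_pw_age_days, "%d days" % age))
    return alerts


if __name__ == "__main__":
    for acct, reason, detail in check_events(EVENTS):
        print("ALERT %-20s %-32s %s" % (acct, reason, detail))
```

The value of the baseline is that it makes rules 2 and 3 mechanical: an account reused across several servers shows up as a baseline with many hosts, and an account nobody has rotated shows up on every run until someone does. Interactive logons by service accounts (rule 1) are the clearest signal that a credential meant for a process is being driven by a person, whether an administrator taking a shortcut or an attacker.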

And then your CEO might not have to stand up in public to tell the world why your company didn’t protect your data better.

The following short video from CyberArk explains the issues.

