
Made Simple: Understand your adversary’s attack methods to plan your PAM defences

Written by Tim Hazel | Mar 2, 2020 2:12:24 PM

Gartner’s Four Pillars of Privileged Access Management (Pillar 1) tells us to “Track and Secure Every Privileged Account”.

The need to identify every privileged account, human and computer, can leave an organisation locked in 'Waterfall' discovery for months, trying to track down every account before moving to secure those already discovered.

A more successful 'Agile' approach is to 'Discover, Secure and Repeat' as many times as required. This should be built into ongoing IT process; as Gartner states, "discovery processes must be continuous", and with a good PAM tool this process can be automated.

At the outset, though, you will need to decide which parts of your IT enterprise to deal with first. We recommend basing these decisions on where the greatest risk lies in your enterprise IT, which is easier to judge once you understand how an attacker might exploit your vulnerabilities and bad practice to compromise your privileged accounts.

Having identified your privileged account types and mapped out your landscape, you should carry out an assessment to find the exploits that might be used against you. The following considerations highlight some of the techniques used by an attacker and inform the nature of this assessment:

1. Social Media

Today's prevalent use of social media is blurring the lines between our business and personal lives, making it simpler to identify who's who in an organisation. Targeting CFOs to generate illicit financial payments may have caught the headlines in recent times, but a more common practice is the use of social media platforms to identify the admins whose accounts attackers want to compromise.

The assessment should identify whether admin accounts are named and personal to an individual, making that individual vulnerable to targeting through social engineering, malware and even plain old bribery, to name a few.

2. Tiered Account Model

Privileged accounts have often been created with ease of use rather than security in mind, with admins using common IDs for multiple systems regardless of the differing levels of security of the systems those accounts are used on. Do service desk staff use domain admin accounts to remotely connect to end-user devices and administer accounts in AD, for example?

Assess the level of account segregation between systems with different levels of security to determine the risk of lateral movement following account compromise.

3. Hard-Coded Credentials

Determine whether computer account credentials are stored in scripts or documents that are accessible on your network. Having compromised your network perimeter, attackers (and malware) will move laterally through the network, searching shares and files for stored credentials. These allow them to pivot further through the network while searching for ways to elevate their privileges.
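As an added illustration of the discovery step for this assessment (example code written for this post, not a Savanti tool), the script below scans the contents of files pulled from network shares for the common ways credentials get embedded in scripts and config, redacts what it finds, and skips values that are clearly variable references rather than real secrets. File paths, contents and the credential values are all constructed samples; the patterns are heuristics to be tuned for your own estate.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for credentials hard-coded in scripts and config files.
# Each pattern captures the candidate secret in its last group.
CREDENTIAL_PATTERNS = {
    "assignment": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\";]{4,})"),
    "net_use": re.compile(r"(?i)\bnet\s+use\b.*\s(\S+)\s+/user:"),
    "securestring_plaintext": re.compile(
        r"(?i)ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText"),
    "url_embedded": re.compile(r"(?i)://[^/\s:]+:([^@\s/]+)@"),
}

# Values that are variable references or prompts, not embedded secrets.
PLACEHOLDER = re.compile(r"(?i)^(\$\{?\w+\}?|%\w+%|<[^>]+>|changeme|xxx+|\*+|\$env:\w+)$")

@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    secret_hint: str  # redacted so the report itself does not leak the secret

def redact(value: str) -> str:
    return value[:2] + "*" * max(0, len(value) - 2)

def scan_text(path: str, text: str) -> list:
    """Return one Finding per line of `text` that appears to embed a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex)
            if PLACEHOLDER.match(value):
                continue
            findings.append(Finding(path, line_no, kind, redact(value)))
            break  # one finding per line is enough for triage
    return findings

def scan_files(files: dict) -> list:
    """`files` maps a share path to that file's contents (collected beforehand)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample files standing in for content copied off a file share.
SAMPLE_FILES = {
    r"\\fileserver\it\backup.ps1":
        '$cred = ConvertTo-SecureString "B4ckup!2019" -AsPlainText -Force\n'
        r"net use Z: \\nas01\backups Wint3r2020 /user:CORP\svc_backup" + "\n",
    r"\\fileserver\dev\app.config":
        'connectionString="Server=sql01;User Id=sa;Password=Summer2019!;"\n'
        'password = $env:DB_PASSWORD\n',
    r"\\fileserver\dev\notes.txt": "Remember to rotate keys quarterly\n",
}
```

Run over real share content, feed the findings straight into the "Secure" step so each embedded credential is vaulted and the script repointed before the next discovery pass.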

4. Password Rotation

Review your password rotation settings. Often this is set to, for example, every 30 days, to minimise the inconvenience to users and to reduce the possibility of lockouts through forgotten passwords. 30 days (or less) may seem reasonable but still presents a plentiful window for attackers to harvest credentials stored or left on a machine.

Assess which systems and account types have the greatest levels of exposure. Often computer accounts are granted a greater level of leniency, increasing the risk.

5. Cloud Presence

Consider the maturity of your cloud-hosted systems, particularly if your cloud presence is expanding rapidly. Attackers can compromise highly privileged API keys and other secrets for more pervasive access, or to steal keys for crypto mining. Are hard-coded credentials used? Also assess the use of, and the risk posed by, admin consoles that provide super-user level access.

Contrast this with your on-premises presence and identify where the greatest level of exposure lies.

Assessing where your vulnerabilities lie and the risk associated with them will simplify the prioritisation task when planning your repeatable Discover and Secure phases.

Savanti has developed a successful assessment model to help inform and guide our customers through the planning process, building a successful foundation on which to manage and monitor accounts and to operationalise privileged access management processes.

We'd be happy to support you on your journey. Please get in touch at info@savanti.co.uk or use the chat function on our website: www.savanti.co.uk