It may come as a surprise that seven of the ten largest recent data breaches have had one thing in common.

Privileged identity theft is on the rise; however, business leaders are failing to realise the devastating impact it can have on their business, and what they can do to mitigate this invasive threat.

Csaba Krasznay, Security Evangelist at Balabit.

Privileged identity theft involves the theft or compromise of credentials that provide access to privileged accounts within a business. This could mean admin usernames and passwords stolen through phishing, or the use of weak passwords such as ‘admin’ or ‘password’.

Although it can be hard to quantify the impact of breaches involving compromised credentials, the total number of records stolen is believed to be in the billions. This includes sensitive information such as credit card details, user accounts, employee information and health records, amongst others. Attacks such as these are happening on a global scale, including the far-reaching Yahoo data breach and even the Swedish Transport Association breach, in which classified information was stolen through third-party credentials. Organisations must take action before they too become victims of privileged identity theft.

How do credentials become compromised?

It’s widely accepted now that perimeters alone are not enough to keep data safe. We are living more and more of our lives online, and through public-facing apps, BYOD and hybrid IT networks the number of attack vectors has increased exponentially; attackers can easily exploit these weaknesses.

External research

While there are examples of privileged users such as system administrators being exploited via social engineering tactics, attackers are far more likely to choose a softer target initially.

Employees outside IT tend to understand security risks less well than IT personnel, which makes them easier targets. Once the credentials of ordinary user accounts have been compromised, the attackers will turn their attention to the privileged accounts, which are far more valuable. With the proliferation of information available to attackers from social networks, it’s unsurprising that they are able to craft convincing messages to manipulate users.

Gain a foothold – Attackers have several go-to methods when it comes to gaining access to an IT environment, and they can combine tactics to gain a foothold from which internal reconnaissance becomes possible. Both phishing and spear-phishing remain popular ways of gaining entry, despite the issue being a focus for IT teams. Intrusions often begin with an attempt to trick an unsuspecting user into accidentally giving away some information or performing an action that furthers the attacker’s aims.

This is usually carried out through an email or instant message. A phishing attempt will try to convince the user to share valuable information (such as login credentials) or, in some cases, to open a bogus document or click on a link that lets the attacker download and install malware. Spear-phishing involves more targeted research on the victim organisation; the attacker uses that research to craft a convincing email to dupe the target. Another way criminals can learn valuable information is by installing other types of malware on a user’s PC or device.

Attackers can then install software that either lets them take over the victim’s device or gathers information such as credentials. A common way this is done is by installing keylogger malware, which records every keystroke and so captures every password the victim types.

Internal reconnaissance – Once an attacker has established themselves within the victim’s IT environment, the next step is internal reconnaissance. During this period they attempt to gather as much information as possible about the IT environment in order to map out the network and systems they are infiltrating. A number of ordinary network diagnostic tools can help accomplish this, including ping, traceroute and netstat. DNS records and port scanners such as nmap can also yield very valuable information about the victim’s IT environment.

Privilege escalation – Once an attacker is armed with this knowledge of the network, they can move on to acquiring higher privileges, with the ultimate aim of taking over the domain controller. Pass-the-hash, SSH key acquisition, and kernel and service exploits are three common techniques used to escalate privileges.
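The reconnaissance step described above is one of the few points in this chain where the attacker has to generate traffic that looks unlike normal use: one host touching many ports, or one port on many hosts, inside a short window. The following is an added detection example (not code from the article or from Balabit) that runs a simple fixed-window rule over constructed flow-log lines; the hosts, ports, thresholds and log format are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (not real traffic): "timestamp src dst dport action".
# 10.0.5.23 probes many ports on one host (port scan), 10.0.9.9 probes one port
# on many hosts (host sweep), and 10.0.7.4 is ordinary HTTPS traffic.
SAMPLE_FLOWS = """\
2024-03-01T09:00:01 10.0.5.23 10.0.1.10 21 DENY
2024-03-01T09:00:01 10.0.5.23 10.0.1.10 22 ALLOW
2024-03-01T09:00:02 10.0.5.23 10.0.1.10 23 DENY
2024-03-01T09:00:02 10.0.5.23 10.0.1.10 25 DENY
2024-03-01T09:00:03 10.0.5.23 10.0.1.10 80 ALLOW
2024-03-01T09:00:03 10.0.5.23 10.0.1.10 110 DENY
2024-03-01T09:00:04 10.0.5.23 10.0.1.10 135 DENY
2024-03-01T09:00:04 10.0.5.23 10.0.1.10 139 DENY
2024-03-01T09:00:05 10.0.5.23 10.0.1.10 443 ALLOW
2024-03-01T09:00:05 10.0.5.23 10.0.1.10 445 DENY
2024-03-01T09:00:06 10.0.5.23 10.0.1.10 3389 DENY
2024-03-01T09:00:06 10.0.5.23 10.0.1.10 8080 DENY
2024-03-01T09:00:10 10.0.9.9 10.0.1.1 22 DENY
2024-03-01T09:00:11 10.0.9.9 10.0.1.2 22 DENY
2024-03-01T09:00:12 10.0.9.9 10.0.1.3 22 DENY
2024-03-01T09:00:13 10.0.9.9 10.0.1.4 22 ALLOW
2024-03-01T09:00:14 10.0.9.9 10.0.1.5 22 DENY
2024-03-01T09:00:15 10.0.9.9 10.0.1.6 22 DENY
2024-03-01T09:00:16 10.0.9.9 10.0.1.7 22 DENY
2024-03-01T09:00:17 10.0.9.9 10.0.1.8 22 DENY
2024-03-01T09:00:18 10.0.9.9 10.0.1.9 22 DENY
2024-03-01T09:00:19 10.0.9.9 10.0.1.10 22 ALLOW
2024-03-01T09:00:20 10.0.9.9 10.0.1.11 22 DENY
2024-03-01T09:01:15 10.0.7.4 10.0.1.10 443 ALLOW
2024-03-01T09:01:16 10.0.7.4 10.0.1.11 443 ALLOW
2024-03-01T09:01:17 10.0.7.4 10.0.1.10 443 ALLOW
"""

EPOCH = datetime(1970, 1, 1)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "action": action,
        })
    return flows


def detect_recon(flows, window_seconds=60, port_threshold=10, host_threshold=10):
    """Bucket flows per (source, fixed time window) and flag sources that touch
    many distinct ports (port scan) or many distinct hosts (host sweep).

    Fixed windows are simple and match how many SIEM rules are written; a scan
    that straddles a window boundary is the known blind spot of this approach."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    denied = defaultdict(int)
    for f in flows:
        seconds = int((f["ts"] - EPOCH).total_seconds())
        key = (f["src"], seconds - seconds % window_seconds)
        ports[key].add(f["dport"])
        hosts[key].add(f["dst"])
        if f["action"] == "DENY":
            denied[key] += 1

    alerts = []
    for (src, bucket), dports in ports.items():
        dsts = hosts[(src, bucket)]
        base = {
            "src": src,
            "window_start": (EPOCH + timedelta(seconds=bucket)).isoformat(),
            "distinct_ports": len(dports),
            "distinct_hosts": len(dsts),
            "denied": denied[(src, bucket)],
        }
        if len(dports) >= port_threshold:
            alerts.append({**base, "kind": "port_scan"})
        if len(dsts) >= host_threshold:
            alerts.append({**base, "kind": "host_sweep"})
    return sorted(alerts, key=lambda a: (a["window_start"], a["src"], a["kind"]))


if __name__ == "__main__":
    for a in detect_recon(parse_flows(SAMPLE_FLOWS)):
        print(f'{a["window_start"]} {a["src"]:<10} {a["kind"]:<10} '
              f'ports={a["distinct_ports"]} hosts={a["distinct_hosts"]} denied={a["denied"]}')
```

The deny count is carried into each alert because a high ratio of denied connections from one source is a useful secondary signal that separates a probe from, say, a monitoring host that legitimately polls many ports. The thresholds would need tuning against real traffic; vulnerability scanners and backup servers are the usual sources of false positives and belong on an allow-list.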

What can you do to reduce the risk of privileged identity theft?

One of the quickest wins for organisations looking to alleviate the risk of privileged identity theft is to fix weak security practices. Here are a few ways your organisation can protect itself.

  1. Keep on top of privileged accounts – As IT environments grow, so does the number of administrative, service and other types of privileged accounts. It’s often the case that enterprises running networks with thousands of servers and network devices lack a comprehensive, up-to-date inventory of these accounts.
  2. Limit access for each privileged account – Limit the access across the infrastructure of any privileged account to enforce the principle of least privilege. Every account should have the minimum rights needed to carry out its specific tasks. So, an account set up for administering an application should not have any system privileges beyond what is required to change the application’s configuration and to restart the application. It’s also important to avoid enabling accounts on systems where they are not needed.
  3. Remove unnecessary accounts and privileges where you can – Insufficient offboarding often creates a security gap where employees who have left the company or changed positions still have credentials. Deleting or updating these is essential to tie up any loose ends.
  4. Put a formal password policy in place – Companies with a well-developed security posture usually implement a formal password policy for privileged accounts. This policy should make changing default passwords mandatory and require stronger passwords. It should be obvious, but the sharing of passwords should also be strictly prohibited. These recommendations should go without saying, yet companies that fail to take these steps are simply making an attacker’s life easier.
  5. Avoid shortcuts – Most employees accessing privileged accounts such as administrative accounts and service accounts are doing so in order to complete daily tasks. Naturally, a privileged user’s goal is to work as efficiently as possible, which can lead to risky shortcuts when it comes to security. This can be tackled with a strong, well-rounded security awareness education programme.
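Items 1 to 4 above are all things that can be checked mechanically once an inventory exists: compare what the directory actually contains against what the organisation believes it contains. The following is an added example (not code from the article or from Balabit) of such an audit over a constructed inventory and directory export; the account names, roles, groups, the HR leaver feed and the 90-day staleness threshold are all assumptions made for the illustration, and the SHA-256 hashing of the deny-listed passwords stands in for whatever hash format the real directory exposes.

```python
import hashlib
from datetime import date

# --- Constructed data: an illustrative inventory and directory export, not real systems ---

# Item 1: the inventory the organisation maintains of its privileged accounts.
INVENTORY = {
    "svc_backup": {"owner": "ops", "role": "backup"},
    "app_admin_crm": {"owner": "crm-team", "role": "app_admin"},
    "jsmith_adm": {"owner": "jsmith", "role": "sysadmin"},
}

# Item 2: least-privilege baseline, i.e. the most each role is allowed to hold.
ROLE_MAX_GROUPS = {
    "backup": {"backup_operators"},
    "app_admin": {"crm_app_admins"},
    "sysadmin": {"server_admins", "domain_admins"},
}
PRIVILEGED_GROUPS = set().union(*ROLE_MAX_GROUPS.values())

# Item 3: owners that HR reports as having left (constructed leaver feed).
LEAVERS = {"jsmith"}

# Item 4: deny-list of vendor-default passwords, stored as hashes so the audit
# never handles plaintext. SHA-256 is used here only for illustration; a real
# audit compares against the directory's own hash format.
DEFAULT_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("admin", "password", "changeme")
}


def _h(pw):
    """Hash helper used only to build the constructed directory export below."""
    return hashlib.sha256(pw.encode()).hexdigest()


# What the directory export actually shows (constructed).
OBSERVED_ACCOUNTS = [
    {"name": "svc_backup", "groups": {"backup_operators", "domain_admins"},
     "last_login": date(2024, 2, 28), "pw_hash": _h("constructed-strong-1")},
    {"name": "app_admin_crm", "groups": {"crm_app_admins"},
     "last_login": date(2024, 2, 20), "pw_hash": _h("admin")},
    {"name": "jsmith_adm", "groups": {"server_admins"},
     "last_login": date(2023, 6, 1), "pw_hash": _h("constructed-strong-2")},
    {"name": "old_admin2", "groups": {"domain_admins"},
     "last_login": date(2023, 1, 1), "pw_hash": _h("password")},
    {"name": "jdoe", "groups": {"staff"},
     "last_login": date(2024, 2, 29), "pw_hash": _h("constructed-strong-3")},
]


def audit_privileged_accounts(observed, inventory, as_of, stale_days=90,
                              leavers=LEAVERS, denied_hashes=DEFAULT_PASSWORD_HASHES):
    """Return (account, finding, detail) tuples for every privileged account that
    violates one of the four practices. Accounts holding no privileged group are
    out of scope and skipped."""
    findings = []
    for acct in observed:
        name = acct["name"]
        held = acct["groups"] & PRIVILEGED_GROUPS
        if not held:
            continue
        entry = inventory.get(name)
        if entry is None:
            # Item 1: a privileged account nobody has on the books.
            findings.append((name, "not_in_inventory", ", ".join(sorted(held))))
        else:
            # Item 2: holds more than its role needs.
            excess = held - ROLE_MAX_GROUPS[entry["role"]]
            if excess:
                findings.append((name, "excess_privilege", ", ".join(sorted(excess))))
            # Item 3: the owner has left, so the account is orphaned.
            if entry["owner"] in leavers:
                findings.append((name, "orphaned", entry["owner"]))
        # Item 3: unused for longer than the policy allows.
        if (as_of - acct["last_login"]).days > stale_days:
            findings.append((name, "stale", f"last login {acct['last_login'].isoformat()}"))
        # Item 4: still on a default password.
        if acct["pw_hash"] in denied_hashes:
            findings.append((name, "default_password", "matches deny-list"))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_privileged_accounts(
            OBSERVED_ACCOUNTS, INVENTORY, date(2024, 3, 1)):
        print(f"{name:<14} {finding:<18} {detail}")
```

Run against the constructed data, the audit reports the backup service account holding domain admin rights it does not need, the CRM admin account still on a vendor default, the departed employee's admin account as both orphaned and unused, and an admin account that is in the directory but in nobody's inventory. The point of keeping the inventory, the role baseline and the leaver feed as separate inputs is that each is owned by a different team; the audit is only as good as the freshness of those three feeds.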

The number of organisations falling prey to privileged identity theft is growing, and it remains a popular attack vector. Fortunately, relatively simple process improvements, along with the right technologies such as session management and account analytics, can help spot compromised privileged accounts before attackers are able to inflict any damage.