Privileged account abuse is common to all targeted cyber attacks, a CyberArk report that collates input from across the cyber security and forensics industry has revealed.
The report entitled Exploits of Privileged Accounts Shift the Front Lines of Security is based on input from six information-security threat investigators.
CyberArk chief executive Udi Mokady said the sources for the report represent some of the smartest, most well-connected and knowledgeable threat investigators in the world.
“By understanding the commonalities they are discovering across their investigations, we are gaining significant insights into attack patterns for targeted attacks, regardless of their origin or focus,” he said.
The key finding of the initiative is the exploitation of privileged accounts occurs in almost every targeted attack, and is the primary reason why attacks are so hard to discover and stop.
“These accounts empower attackers to destroy breach evidence, avoid detection and establish backdoors that make it nearly impossible to dislodge them from networks,” Mokady told Computer Weekly.
More on privileged attacks
- Stopping privilege creep: Limiting user privileges with access reviews
- Privileged user management a must for DBAs
- Privileged account policy: Securely managing privileged accounts
- Privileged accounts are hacker sweet spot
- Privilege access management: User account provisioning best practices
- Security Think Tank: Least privilege is key to blocking IP theft
- Intel CPU hardware vulnerable to a privilege escalation attack
- Windows security case study: Controlling Windows 7 user privileges
- Exchange Server administration policy: Managing privileged user access
“Securing privileged accounts represents the new first line of defence in the ongoing cyber battle companies are fighting,” he added.
Privileged accounts enable attackers to go anywhere they want in a network, cover their tracks and exfiltrate data.
“By using these accounts to set up fake users, they are able to blend in with regular network traffic,” said Mokady.
Privileged account threat underestimated
One of the reasons organisations typically fail to manage privileged accounts properly, said Mokady, is because they vastly underestimate how many of these accounts exist in their organisation.
“Privileged accounts are built into just about every piece of IT infrastructure, and are open to abuse unless they are all closely monitored and managed,” he said.
CyberArk’s research demonstrates organisations typically have three-to-four times as many privileged accounts as employees.
Security investigators also reported that attackers’ exploits of privileged accounts are becoming increasingly sophisticated.
They reported exploits relating to embedded devices that form part of the internet of things (IoT) and exploits to set up multiple identities to create backup access points and backdoors.
Every company a target
Another key finding of the research is that every company in every industry is now a potential target of cyber attacks.
Contributors to the research agree cyber attackers have broadened their targets to pursue companies of all sizes in all industries.
Contributors to the report
- Cisco Talos security intelligence and research group
- Deloitte Financial Advisory Service computer and cyber forensics team
- Deloitte & Touche Cyber Risk Services
- Mandiant, a FireEye company
- RSA, the security division of EMC
- The Verizon RISK Team
“One of the reasons for this is smaller, less well-defended organisations have become a prime target for attackers who are ultimately aiming at larger partners in the supply chain,” said Mokady.
Threat investigators reported they have traced attacks to non-traditional targets such as trucking companies and all types of professional services firms, from management consultants and auditors to attorneys.
“All these types of companies provide potential stepping stones to bigger organisations higher up the supply chain,” said Mokady.
“For example, attackers targeting organisations in the oil and gas industry have been known to attack tubing suppliers as a means of infiltrating the network of the energy firms they supply,” he said.
While larger organisations are now beginning to look at the issue of supply-chain security, Mokady said many of the smaller suppliers are not even aware they may be target in this way.
“Accounting firms and even legal firms are often not geared towards providing a reasonably good level of defence against cyber attacks because they do not see themselves as targets,” he said.
The research reveals many organisations are still mainly focused on preventing intrusions and malware infections, rather than finding and stopping attackers who are already inside
Udi Mokady, CyberArk
According to Mokady, the research highlights the need for greater awareness among smaller companies and the need for larger companies to have a complete view of their supply chain, including non-IT suppliers.
“Larger organisations should identify all suppliers and ensure any network access given to those suppliers is secure and monitored,” he said.
Perimeter resistance is futile
Attackers will get inside perimeter security and the most likely infection point is employees, the research found.
Phishing attacks are the most common vector and are growing in sophistication, making employee logins far easier points of infiltration than network or software exploits.
“This means organisations need to base their cyber security strategies on the assumption attackers will breach their defences and will seek to take over privileged accounts,” said Mokady.
Attackers stay hidden for months
The research found most targeted attacks associated with various forms of espionage can persist undetected for 200 days or more because attackers are able to cover their tracks by using privileged accounts to delete log data and other evidence.
However, attacks aimed at stealing money tend to have a much shorter time to detection – usually less than 30 days – because they are normally much quicker and less careful about covering their tracks.
“The research reveals many organisations are still mainly focused on preventing intrusions and malware infections, rather than finding and stopping attackers who are already inside,” said Mokady.