Each attack presents its own risks, but none as great as a malicious attacker gaining access to privileged account credentials, such as a domain or local administrator account.
The first step to gaining the enemy's perspective is to view an enterprise's digital footprint with malicious intent.
Regardless of any safeguards on the network perimeter, endpoint protection, event monitoring, etc., once an attacker has gained elevated credentials there is not much preventing them from creating additional accounts for backdoor access, so that they retain a foothold even after the originally compromised account has been identified.
Privileged credentials are by far the most common entry point that threat actors target:

- 60% of internal data breaches are caused by privilege abuse, where internal actors misuse their level of granted access. [1]
- 80% of security breaches involve privileged credentials. [2]
- 81% of hacking-related breaches leveraged either stolen and/or weak passwords. [3]
- One in five employees would sell their work passwords. [4]
- 76% of IT professionals say their organization experienced the loss or theft of company data over the past two years, and the leading cause is insider negligence. [5]
- The average breach takes 99 days to be discovered. [6]
How do threat actors get privileged credentials?

- Phishing
- Network vulnerabilities
- Employees, unintentionally or intentionally
Behind the eyes of the enemy
Why Threat Actors are Petrified of Privileged Access Management (PAM)
Attackers can obtain access to domain-level administrator credentials within three days of initial access. [7]
Threat actors use these credentials to unlock security controls and move laterally within an organization to steal an enterprise's most valuable possession: data.
Once threat actors gain access to an employee workstation, they can inspect the services running on the system to determine whether a PAM program exists. If not, they work to elevate their privileges to root/administrator, or compromise an existing elevated account, in order to reach the most valuable data.

[7] Mandiant M-Trends, 2016
Threat actors target organizations that do not have PAM programs because those organizations:

1. Cannot identify or audit all of their privileged accounts
2. Do not have adequate protection and controls for critical resources
3. Lack password policies and adequate processes to manage privileged accounts
4. Allow attackers to elevate privileges or leverage an existing compromised elevated account
5. Do not remove local admin privileges from end user systems
6. Do not remove hardcoded or embedded credentials in applications, scripts, and files
What types of data are threat actors after?

- Health Insurance Portability and Accountability Act (HIPAA) data
- Intellectual Property (IP)
- Personally Identifiable Information (PII)
- Payment Card Industry (PCI) data
- Job scheduling
- Production
- Human resources
- Source code
- Original Equipment Manufacturer (OEM) accounts
- Embedded credentials
- Secure Shell (SSH) keys
Access to this data enables the enemy to:

- Transfer files
- Expose confidential data
- Create new credentials
- Rip off intellectual property
- Delete databases
- Transfer funds
- Erase log files
- Steal PII and PCI files
- Shut down websites
- Halt production
Privileged Access Management (PAM)

So, what prevents threat actors from gaining privileged credentials?

PAM helps businesses restrict and protect privileged accounts, and their access to data, through a number of methods:

- Workflow to tighten account, application and asset access
- Vaulting credentials
- Rotating credentials
- Appropriate processes to manage privileged account approval and usage
- Session recording and isolation
- Application-to-application credential management
- Ephemeral systems secret management
- Restricting commands and applications that can be executed
- Least privilege model enablement and enforcement
- Just in Time (JIT) application elevation
Why are threat actors petrified of PAM?

1. Eliminates lateral movement
2. Can block commands and toolsets that could be used to gain privilege
3. Improves compliance and secrets management
4. Eliminates known passwords through one time passwords and continuous rotation
5. Workflows require peer or managerial approval to access accounts, systems and applications
6. Reduces attack surface on-premises and in the cloud
7. Provides a centralized, holistic view of privileged access, with auditing and alerting capabilities
8. Automatically enforces password changes and complexity rules
9. Aligns change controls and privilege access
10. Eliminates hardcoded and embedded credentials from common targets such as web.config files and scripts
11. Ability to systematically regain control and eliminate access for compromised accounts
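As an added illustration of the discovery step behind item 10 above (example code written for this page, not Optiv's tooling or any PAM product), this Python scanner flags credentials embedded in a web.config fragment and a shell script so they can be moved into a vault. Both inputs are constructed samples, and the regular expressions are assumptions about common embedding styles rather than an exhaustive set.

```python
import re

# Constructed sample inputs (not from the page): a web.config fragment and a
# shell script, each carrying the kind of embedded credential that a PAM
# discovery pass is meant to surface before the secret is moved into a vault.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;User Id=sa;Password=Summ3r2018!" />
  </connectionStrings>
  <appSettings>
    <add key="PaymentApiToken" value="tok_live_0123456789" />
    <add key="LogLevel" value="Info" />
  </appSettings>
</configuration>"""

SAMPLE_SCRIPT = """#!/bin/sh
DB_USER=svc_backup
DB_PASSWORD='P@ssw0rd'
RETENTION_DAYS=7
mysqldump -u "$DB_USER" -p"$DB_PASSWORD" app > /tmp/app.sql
"""

# One pattern per embedding style (assumed common forms, not an exhaustive
# list). Each pattern has exactly one capture group holding the secret value.
FINDINGS = {
    "connection-string password": re.compile(r"Password\s*=\s*([^;\"']+)", re.I),
    "appSettings secret-like key": re.compile(
        r'key="\w*(?:key|secret|token|pass)\w*"\s+value="([^"]+)"', re.I),
    "script variable assignment": re.compile(
        r"^\s*\w*(?:PASS|SECRET|TOKEN|KEY)\w*\s*=\s*['\"]?([^'\"\s]+)", re.I | re.M),
}


def mask(secret: str) -> str:
    """Keep two characters for triage; never echo the full secret into a report."""
    return secret[:2] + "*" * (len(secret) - 2)


def find_embedded_credentials(text: str):
    """Return sorted (line_no, finding_type, masked_value) for each embedded secret."""
    hits = []
    for label, pattern in FINDINGS.items():
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start(1)) + 1
            hits.append((line_no, label, mask(m.group(1))))
    return sorted(hits)


if __name__ == "__main__":
    for name, text in (("web.config", SAMPLE_WEB_CONFIG), ("backup.sh", SAMPLE_SCRIPT)):
        for line_no, label, masked in find_embedded_credentials(text):
            print(f"{name}:{line_no}: {label}: {masked}")
```

Each finding is a line to replace with a vault lookup or an application-to-application credential call, and the masked output is safe to paste into a remediation ticket.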
Yet some businesses are reluctant to implement PAM programs, or to leverage the full depth and breadth of PAM capabilities, because they believe long-perpetuated myths rather than today's realities.
Myth: It's not possible to calculate the ROI of a PAM program.
Reality: Enterprises can calculate the ROI of a PAM program by tracking the number of successful threat actor incidents and multiplying by the global average cost of a security breach: $3.86 million, or $148 per data record. [9]

Myth: PAM is difficult to implement.
Reality: Partnering with an IAM expert enables businesses to seamlessly integrate PAM into their IAM program.

Myth: PAM is already accounted for in the IAM policy.
Reality: An identity policy does not protect and cover privileged access unless a PAM program is intentionally integrated within the policy.

Myth: PAM is too expensive and takes too long to implement.
Reality: Enterprises can combat limited resources and budget by prioritizing security needs and outsourcing to a professional services team.

Myth: Disparate DevOps and security teams mean that implementing a holistic PAM program is not possible.
Reality: Implementing a PAM program forces process, structure and accountability as more accounts and passwords are created.

[9] 2018 Cost of a Data Breach Study, sponsored by IBM, Ponemon Institute
Thwart Threat Actor Attacks with PAM

Optiv Privileged Access Management services include assessments and discovery workshops, architecture, design and implementation, as well as a Privileged Access Managed service that is designed to:

- Ensure compliance
- Reduce enterprise risk
- Increase security
- Force structure around privileged identities
- Gain peace of mind

Get started with our holistic IDM program assessment.