One of the most popular attack methods in IT security can be understood by posing a simple question: how many places in your IT infrastructure have administrative access? Unfortunately, getting to the bottom of that question is anything but simple, but the exercise is instructive, because understanding administrative access is perhaps one of the most important ways to defend your business computing network.
Admin access permissions are the bane of all security managers because they can serve as the golden ticket for hackers to compromise your computers. Once they obtain this privileged access, they can worm their way into your network and create all sorts of havoc. This class of problems is usually labeled privilege escalation, and IT experts have been writing for years about its countermeasure, which they call “least privilege.” The concept comes up often in security circles, and as the author mentions in that CSOonline post, “Security planning is now built on the premise that attackers will likely gain access to a system in one way or another.”
A 2014 report by The Ponemon Institute found that nearly half of the IT organizations it surveyed didn’t have any policies for assigning or tracking privileged user access. While things have gotten better since that survey, it does show how common privilege access abuses can be.
There are several basic methods that hackers use to escalate privilege:
All of these methods involve exploiting various flaws in operating systems (Windows being a particularly rich target), virtual machine collections and the way applications are typically built by developers. The privilege escalation abuse typically starts with a phishing email or a social engineering trick to allow a hacker access as an administrator to a part of your internal network: this was how the July Twitter hack was accomplished, for example. Previous data breaches of both JPMorgan Chase and Home Depot involved privilege escalation attacks as well.
A more detailed and recent demonstration of a privilege escalation attack on Meetup is described by researchers here: this enabled attackers to transform an ordinary user of the meeting service into the meeting organizer. From there, the attacker was able to redirect payments for the meeting to the hacker’s bank account. The blow-by-blow description is instructive, showing just how an adversary can accomplish this in a series of well-executed steps.
There are various methods that IT managers can implement to minimize privilege escalations. First, familiarize yourself with the least-privilege principles. Audit your users and application access and spend time with your developers to ensure that they understand these principles. It is certainly easier to just grant everyone total access. “Freely granting employees admin status is one of the most common mistakes enterprises make,” according to this article. The more people have total access, the more risk you are taking on that eventually someone’s account could become compromised. The post suggests you know where your data resides, track your users (especially those who have elevated privilege and leave the company) and give your various permission levels common-sense names to indicate their intended population (such as “sales staff” versus “sales managers”).
Next, clean up your Active Directory act. That link will take you to a detailed discussion of 16 common AD exploits, and many of them involve careful auditing of your user and application privileges and how to track them down and eliminate them. Remember those ex-employees? Many AD roles need to be immediately purged when someone departs.
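The two steps above (audit who holds elevated privilege, and purge the privileged roles of people who have left) come down to cross-checking a directory export against an approved-admin roster and the HR off-boarding list. The following is an added example, not code from the original post or from any of the products it names. It assumes the account records have already been exported from the directory (for Active Directory, something like the output of the real `Get-ADUser` and `Get-ADGroupMember` cmdlets, or an LDAP query); the record field names, the 90-day staleness threshold, and all sample accounts are constructed for this example. The AD group names in the privileged-group set are the real built-in names, but which groups count as privileged is a per-organisation decision.

```python
"""Least-privilege audit over a constructed directory export (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Groups whose membership confers administrative access. Built-in AD names;
# the choice of which groups to treat as privileged is an assumption here.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Account Operators"}
STALE_AFTER = timedelta(days=90)   # assumed policy: flag unused admin accounts
REPORT_DATE = date(2020, 9, 1)     # fixed "today" so the sample run is repeatable


@dataclass
class Account:
    name: str                      # sAMAccountName-style login name (assumed field)
    enabled: bool
    last_logon: date
    groups: set = field(default_factory=set)


# Constructed sample export; no real accounts or organisations.
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2020, 8, 27), {"Domain Admins", "Domain Users"}),
    Account("bob", True, date(2020, 5, 1), {"Administrators", "Domain Users"}),
    Account("jdoe", True, date(2020, 8, 2), {"Domain Admins", "Domain Users"}),
    Account("carol", True, date(2020, 8, 30), {"Domain Users"}),
    Account("svc-backup", True, date(2020, 8, 31), {"Account Operators"}),
]
SAMPLE_DEPARTED = {"jdoe"}                  # constructed HR off-boarding list
SAMPLE_APPROVED_ADMINS = {"alice", "bob"}   # constructed roster of approved admins


def privileged_accounts(accounts):
    """Return the accounts that sit in at least one privileged group."""
    return [a for a in accounts if a.groups & PRIVILEGED_GROUPS]


def audit(accounts, departed, approved, today):
    """Cross-check privileged membership against the roster and HR list.

    Returns a list of (account name, finding, privileged groups) tuples.
    One account can produce several findings, e.g. departed AND unapproved.
    """
    findings = []
    for acct in privileged_accounts(accounts):
        privs = sorted(acct.groups & PRIVILEGED_GROUPS)
        if acct.name in departed:
            findings.append((acct.name,
                             "departed user still holds privileged membership", privs))
        if acct.name not in approved:
            findings.append((acct.name,
                             "privileged membership not on the approved roster", privs))
        if acct.enabled and today - acct.last_logon > STALE_AFTER:
            findings.append((acct.name,
                             "privileged account unused for more than 90 days", privs))
    return findings


def run_sample_audit():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_ACCOUNTS, SAMPLE_DEPARTED, SAMPLE_APPROVED_ADMINS, REPORT_DATE)


if __name__ == "__main__":
    for name, finding, privs in run_sample_audit():
        print(f"{name:12} {finding:55} {', '.join(privs)}")
```

On the sample data the audit flags jdoe twice (departed and not on the roster), bob once (approved, but no logon in over 90 days) and the svc-backup service account once (Account Operators membership that nobody approved); alice and carol produce nothing. The roster check is the one that catches the silent growth of admin status the post warns about, and the staleness check surfaces accounts that were granted privilege "just in case" and never used.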
Make use of application sandboxing. Running applications in sandboxes limits what a compromised application can reach and can help you determine which privileges need locking down.
Make sure your endpoints are updated and patched. Unpatched endpoints are a common entry point, and attacks such as EternalBlue and BootHole show just how quickly word of a new flaw gets out in the hacking community and is put to use for privilege attacks. You should deploy a variety of tools to help detect these abuses, including endpoint detection and response tools and intrusion detection tools that flag abnormal behavior across your network. Another set of tools worth considering is specialized privilege management products such as Centrify, CyberArk, Thycotic or BeyondTrust.
Consider using the zero trust model for your security. This concept has been around for several years; it basically means that every device starts out as untrusted, and access is granted only when it is needed and only after the device has been authenticated. Part of this operation could be splitting up single applications into microservices, each with its own trusted “bubble” to segregate them from each other.
Finally, consider segmenting your networks to catch cross-contamination and to limit lateral movement by hackers or staff with more access rights. This is good security practice and should be part of the feedback from the various intrusion and protection tools that you run across your infrastructure.