Getting to grips with Privileged Identity Theft

Seven of the ten largest data breaches of recent years involved privileged identity theft: the compromise of credentials that provide access to privileged accounts. In these breaches, well-resourced, external cybercriminals were able to obtain the credentials of users with administrative or service accounts, enabling them to collect and make off with large amounts of data. So, why aren’t more business leaders taking notice of this threat?

Although it is difficult to quantify the impact of these breaches, the total number of records stolen is no doubt in the billions – and includes incredibly sensitive information such as credit card details, user accounts, employee information, health records and more. These attacks are happening on an industrial scale – take 2014’s JP Morgan breach or the now infamous Yahoo breach: in both, hackers gained access through these means. The proof is in the pudding; organisations need to wake up and take notice of privileged identity theft.

How do credentials become compromised?

The IT security community has come to the realisation that perimeters alone can no longer keep the bad guys out. In the age of the digital economy, with public-facing apps, BYOD and hybrid IT networks, the ways to infiltrate an organisation’s ecosystem are almost infinite, and hackers exploit these gaps in several ways:

External research - While examples exist of privileged users such as system administrators falling prey to attackers’ social engineering exploits, it’s far more likely that attackers will choose a softer initial target. Regular employees tend to be less switched on to security risks than IT personnel and therefore make for easier prey. Once the credentials of a user account have been compromised, the attackers turn their attention to the ultimate goal: the privileged accounts. With the amount of information available to attackers, much of it shared by potential victims through their social media profiles, it’s not surprising that cybercriminals are able to craft convincing messages to manipulate users.

Gain a foothold - Attackers employ several methods to gain access to IT environments, often using a combination of tactics to gain a foothold from which they can perform internal reconnaissance. Phishing and spear-phishing are still a popular way in, despite warnings from IT teams. Most intrusions begin with an attempt to trick unsuspecting users into performing some action that furthers the attacker’s aims. Typically carried out through email or instant messaging, a phishing attempt will try to convince the victim either to share some valuable information (such as a login credential) or, more commonly, to open a document or click on a link that enables the attacker to download and install malware. Spear-phishing is a more targeted variant: attackers use information gathered while researching the intended target organisation to craft emails that appear more authentic. Another way criminals can learn valuable information is by installing other types of malware on a user’s PC or device. In these attacks, the goal of the initial compromise is to install software that helps attackers either take over the victim’s device or gather information such as credentials. Keylogger malware, which records every keystroke, is ideal for learning passwords.

Internal reconnaissance - Once an attacker has gained a foothold within the victim’s IT environment, they will perform internal reconnaissance. They will attempt to gather as much information as possible about the IT environment, in order to map out the network and systems they’re infiltrating. This can be accomplished using a variety of network diagnostic tools such as ping, traceroute and netstat. DNS records and port scanners such as nmap yield very valuable information about the organisation’s IT environment. 

Privilege escalation - Armed with all this knowledge about the network, an attacker can go about acquiring higher privileges with the ultimate goal of obtaining access to the domain controller. Pass-the-hash, SSH key acquisition, kernel and services exploits are three common techniques used to escalate privileges. 

Pass-the-hash – Passwords have been the bedrock of IT security for decades. When passwords are stored, they are normally protected with a one-way transformation called a hash. An attacker who steals hashed passwords would normally need to recover the plaintext to gain access to systems, but this can be time-consuming and difficult. On Windows machines, password hashes are cached in the Local Security Authority Subsystem. If an attacker is able to access this information, particularly the hashes of administrator accounts, they can use those hashes to gain access to other machines and systems on the network: the attacker authenticates to a remote server or service with the underlying NTLM or LanMan hash of a user’s password instead of the plaintext password.

SSH key acquisition – Many organisations use the Secure Shell (SSH) protocol to remotely manage machines with Linux/Unix operating systems. SSH keys, the access credentials in the SSH protocol, are commonly used for automated processes and for implementing passwordless SSH logins by system administrators and power users. Attackers have been known to deploy malware in order to collect these keys, providing a backdoor through which they are able to access other servers and, in some cases, compromise the entire network. Part of what makes these SSH keys so dangerous is that they often provide root or administrator access, which gives attackers the ability to install malware.

Exploits – Exploits are programs that take advantage of vulnerabilities in applications or operating systems. These pieces of code enable hackers to take control of a computer system or escalate their privileges. Exploits for vulnerabilities in Linux operating systems attempt to give attackers superuser access to the target system in the form of a root command prompt. In many cases, escalating to root on a Linux system is as simple as downloading a kernel exploit to the target file system, compiling it, and then executing it.

On Linux systems attackers can also exploit weaknesses in the configuration of the SUID (set user ID) and sudo (substitute user do) features. When these are not properly configured, attackers are able to take advantage of them to establish root privileges, allowing virtually complete control of the target system.
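The sudo and SUID misconfigurations described above are easy to audit for. The script below is an added example, not part of the article or any Balabit product: it flags passwordless sudo rules and sudo or SUID access to programs that can be escaped to a shell. The sudoers text, the SUID listing, the baseline and the shell-escape list are all constructed or assumed and should be adapted to your build.

```python
import re

# Constructed sample of what `cat /etc/sudoers` might return on a host.
SUDOERS_SAMPLE = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
deploy   ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) NOPASSWD: /usr/bin/vim
"""

# Constructed sample of what `find / -perm -4000 -type f` might return.
SUID_SAMPLE = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/find
/opt/legacy/backup_helper
"""

# Assumed baseline of SUID binaries expected on this build; adapt per distro.
SUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}
# Assumed, non-exhaustive set of programs that can spawn a shell when run as root.
SHELL_ESCAPE_CMDS = {"vim", "vi", "less", "more", "find", "awk", "bash", "sh"}

def audit_sudoers(text):
    """Return (who, reason) for sudo rules that amount to passwordless root."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        # user/group, host=(runas), optional NOPASSWD tag, command list
        m = re.match(r"(\S+)\s+\S+=\((.*?)\)\s*(NOPASSWD:\s*)?(.+)$", line)
        if not m:
            continue
        who, _runas, nopasswd, cmds = m.groups()
        cmds = [c.strip() for c in cmds.split(",")]
        if nopasswd and "ALL" in cmds:
            findings.append((who, "NOPASSWD: ALL grants root without a password"))
        for c in cmds:
            if c.rsplit("/", 1)[-1] in SHELL_ESCAPE_CMDS:
                findings.append((who, f"{c} can be escaped to a root shell"))
    return findings

def audit_suid(text, baseline=SUID_BASELINE):
    """Return SUID binaries that are not in the expected baseline, sorted."""
    found = {ln.strip() for ln in text.splitlines() if ln.strip()}
    return sorted(found - baseline)
```

Feed it the real sudoers file (and any files under sudoers.d) and a fresh `find` listing from each host; anything the script reports is a privilege escalation path to close, not an exploit step.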

5 steps to reduce the risk of privileged identity theft

One of the fastest ways to mitigate the risk of privileged identity theft is to remediate weak security practices. Here are some quick wins for your organisation to protect itself: 

1. Know your privileged accounts – As IT environments grow the number of administrative, service and other types of privileged accounts can proliferate. Enterprises running networks with thousands or tens of thousands of servers and network devices often lack an accurate inventory of these assets. 

2. Limit scope for each privileged account – Limit the scope across the infrastructure of any privileged account to enforce the principle of least privilege. This means each account should have the minimum rights required to carry out its specific tasks. For example, an account set up for administering an application should not have any system privileges beyond what is needed to make changes to the application’s configuration and to restart the application. Similarly, avoid enabling accounts on systems where they simply are not needed.

3. Delete unnecessary accounts and privileges where possible – Inadequate offboarding often creates a security gap where credentials exist for employees that have left the company or have changed positions.

4. Implement a formal password policy – Companies with a mature security posture usually implement a formal password policy for privileged accounts. The policy should include changing default passwords as a rule of thumb and requiring stronger passwords. It goes without saying, but the sharing of privileged account passwords should be strictly prohibited. These seem like obvious recommendations, but companies that fail to take these steps only make a hacker’s life easier.

5. Stop taking shortcuts – Most users accessing privileged accounts such as administrative accounts and service accounts do so to complete their daily tasks. Like anyone, privileged users want to work as efficiently as possible and are just as prone to the temptation of taking shortcuts when it comes to security. A strong, well-rounded security awareness and education programme for employees is paramount for mitigating these risks.
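Steps 1 and 3 above (know your privileged accounts, delete the unnecessary ones) can be started with a simple local inventory. The script below is an added example, not from the article: it lists every account that is root-equivalent on a Linux host, either by uid 0 or by membership of an administrative group, and flags those that have never logged in or have been idle longer than a threshold. The passwd, group and last-login samples are constructed, and the 90-day limit and the group names are assumptions.

```python
from datetime import date

# Constructed /etc/passwd excerpt (user:x:uid:gid:gecos:home:shell).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (left 2016):/home/bob:/bin/bash
svc_backup:x:1003:1003::/var/lib/backup:/usr/sbin/nologin
toor:x:0:0:legacy:/root:/bin/sh
"""
# Constructed /etc/group excerpt (group:x:gid:members).
GROUP_SAMPLE = """\
sudo:x:27:alice,bob
wheel:x:10:
adm:x:4:alice
"""
# Constructed last-login dates (as `lastlog` would report); None = never.
LAST_LOGIN = {"root": date(2017, 3, 1), "alice": date(2017, 3, 5),
              "bob": date(2016, 6, 30), "toor": None}
AS_OF = date(2017, 3, 10)               # constructed "today" for the sample
PRIVILEGED_GROUPS = {"sudo", "wheel"}   # assumed; adjust per distribution

def parse_privileged(passwd, group):
    """Map each account with root-level rights to the reasons it has them."""
    priv = {}
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0":     # uid 0 is root, whatever the name
            priv.setdefault(f[0], set()).add("uid 0")
    for line in group.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] in PRIVILEGED_GROUPS:
            for member in filter(None, f[3].split(",")):
                priv.setdefault(member, set()).add("member of " + f[0])
    return priv

def stale_privileged(priv, last_login, today, max_idle_days=90):
    """Privileged accounts that never logged in or exceeded the idle limit."""
    stale = []
    for user in sorted(priv):
        last = last_login.get(user)
        if last is None or (today - last).days > max_idle_days:
            stale.append(user)
    return stale
```

The second uid-0 account and the departed employee who is still in the sudo group are exactly the findings an offboarding review should produce; extend the group set and the login source to cover your own directory or domain.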

Privileged identity theft is a widespread technique in some of the largest data breaches and cyber-attacks. A wide range of organisations have fallen victim to sophisticated, well-resourced cybercriminals, but measures exist to mitigate the risk of such attacks. Relatively straightforward process improvements, combined with the correct technologies such as session management and account analytics, can help detect compromised privileged accounts and stop attackers before they are able to inflict damage on organisations.

Csaba Krasznay, Security Evangelist at Balabit 
