In recent years, the threat of cyber attacks has grown steadily. Many large enterprises have suffered devastating attacks, despite having security resources in place. Why are so many falling prey to attacks? The answers are manifold, but one of the leading causes is the misuse and abuse of privileges, opening up an easy path for attackers to infiltrate your company. In this blog, we look at what most attacks have in common and some effective measures you can take to protect your business.
What are privileged attacks?
In short, privileged attacks involve an attacker gaining unauthorized privileges and then abusing those privileges to expand their hold on the business. In contrast, although it will not be discussed here, we can also imagine an attack where the perpetrator never even needs to breach the perimeter of your company to obtain what they want. For example, business email compromise (BEC) attacks rely on social engineering to trick victims into wiring funds to an attacker’s account.
In more detail, privileged attacks follow a few basic steps:
1. Perimeter Intrusion
At the beginning, the attacker will gain access to some device on the company network — be it an employee’s phone, a misconfigured printer, or a web server. From there, the attacker may not be in an immediately advantageous position, since the device they have access to may not perform any important functions or enable access rights. We’ll see in the next section how an attacker can work to improve their circumstances.
2. Privilege Escalation
Assuming the attacker did not land on a device with direct access to their targets, the next goal is to escalate their capabilities above whatever user privileges the device should have. This can be done by exploiting software vulnerabilities, but it is often accomplished through much easier, non-technical means. Often, the victim organization makes the attacker’s job easier by mismanaging devices and over-privileging accounts. For example, if an attacker initially accessed a device with typical user privileges, they may attempt to escalate to administrator permissions.
3. Lateral Movement
Once the attacker obtains admin privileges on one device and has it fully under their control, they will look to expand their reach — learning as much information as possible about network topology, user accounts, password practices, and business processes. This can be achieved by reusing already-known/stolen credentials or employing a combination of social engineering and repeated privilege escalation to access other devices on the network.
Once the attacker is at this stage, by repeating privilege escalation and lateral movement as needed, it is only a matter of time before they gain access to their object(s) of interest. Furthermore, once an attacker is in the network, avoiding detection (by hiding among normal network traffic) becomes easier. This is often why many breaches are not discovered until much later.
Stopping the attack
The most effective point at which to stop such attacks is before the attacker ever enters the network, so prevention should be first priority. After the attacker has an initial foothold, focus should be on averting privilege escalation and lateral movement. Forestalling attacks also includes a large human component, so security training and awareness play an important role. Read on for some technical solutions to help protect your organization.
Attack Mitigation #1: Harden Authentication
Hardening authentication is probably the most important thing you can do to both prevent an attacker from entering your network and decrease their ability move around easily once inside. Foster good password practices by centralizing identity with single sign-on (SSO) to ensure that employees do not have to keep track of a different password for each of their accounts and can instead focus on creating a strong password. This helps facilitate each employee having their own credentials and also prevents password sharing.
Deploy Multi-Factor Authentication (MFA) in front of your applications so that, even if credentials are stolen, attackers still cannot gain easy access to resources.
Worried about usability? See how Adaptive MFA can be the solution.
Don’t use default passwords for your devices! Also ensure device passwords are unique, so attacks can’t reuse the same credentials in the event that they gain access to a single device.
With a few changes, you can make sure you are more effectively protected against a huge swath of authentication-based attacks. Following security guidelines, like those suggested by NIST (Official Publication; Summary), also helps establish strong security practices.
Attack Mitigation #2: Avoid Over-Privileging Accounts
Having accounts with more privileges than needed in your company is a gift to any attacker. It dramatically reduces the effort necessary to achieve their goal. This means that you should not only avoid providing administrator accounts to regular employees, but also make privilege reduction and review a meticulous habit. Keep in mind, this extends beyond the privileges of the local user's machine and to devices as well. For example, does the printer need to be on the same network as the web server? Is direct communication between every workstation an actual requirement? Is it necessary for internal software developers to access all customer billing information?
When it comes to user privileges, take steps to make your life easier by automating lifecycle management as much as possible. With solutions like Okta Lifecycle Management, you can automate the onboarding and offboarding process so employees get access to the apps they need when they join, and access to those apps is cut off automatically when it is no longer required. This also solves the challenge of role changes, so employees can gain access to the applications necessary for their new role while privileges are revoked for apps that are no longer required — without IT having to manually make changes.
Finally, keep your external users in mind too. Customers and partners may need access to some, but not all, of your resources. Lifecycle Management can help reduce the available attack surface area by managing privileges and providing visibility into who has access to what.
Attack Mitigation #3: Keep Up with Security Updates and Patches
When it comes to general attack mitigation, the tried and true “update and patch” advice is still by far one of the most effective measures. Even if not all software and devices can be updated at once, establishing and adhering to an update and patch cadence will move the needle in the right direction. Making sure employees understand the importance of security updates and following secure work practices is also an education and process-oriented solution that improves your organization’s overall security posture.
The defenders' advantage
Cybercrime is on the rise and being the subject of a targeted attack has become not a matter of if, but when. Accepting this reality helps us develop effective defense measures. The measures listed here are not meant to be a complete solution, but a selection of the most (cost) effective strategies to thwart attackers.
Even cybercriminals have to follow a simple cost-benefit calculation, and while no system can claim to be “unbreachable” in practice, we can try to make reaching their goals as expensive as possible. As defenders, we have a distinct advantage: Most defense measures require a much higher effort to circumvent than to implement. By slowing the privilege escalation and lateral movement of attackers, you can make potentially-successful attacks highly improbable and save your business from devastating theft and sabotage.