By Raj Dodhiawala, President, Remediant
Imagine you’re the manager of a hotel. Your position entitles you to a master key to all the hotel rooms, with access to any room, at any point in time. This of course comes with the territory and assigned role, enables ease of operations, and is demonstrative of the inherent trust that is conferred to you as the person in charge.
But let’s say a pipe bursts in Room 10, and an external maintenance worker is required to address the issue. That worker is also given a key to that one room and is granted “permission” to enter at a designated time confirmed between both parties. All other rooms would remain off-limits or inaccessible, and it would be understood that you’d need to facilitate access to adjacent rooms above or below, or besides Room 10.
But what if an unidentified and unauthorized person, one with malicious intent, got a hold of that key card and could open the door to Room 10 whenever they wanted? Or, in an even worse circumstance, in the shuffle between rooms and access during this contingency, the person got hold of the master key and could easily and stealthily move from room to room without notice? Needless to say, this could put the well-being of hotel-goers at serious risk, could result in stolen items or damaged property, and would ultimately impact the reputation of the hotel.
This is unfortunately the current reality of enterprise cyberattacks today. With compromised credentials, organizations of all sizes and across all industries are under constant siege, struggling to address their attack surface due to privilege sprawl. Whether gaining footholds from vulnerable software or users, the playbook is fairly consistent: establish a beachhead on a vulnerable system, elevate privileges, then compromise additional privileged users to move laterally and access or hold at ransom what’s valuable. Exploiting privilege sprawl—or the always-on, always-available administrative access to servers, workstations, and laptops—through lateral movement is at the heart of 82% of ransomware attacks today.
While one account might serve as an initial entry point, attackers seldom accomplish their goal with access to a singular system in mind. Instead, they’ll quickly pivot from one end-user (with access to one computer), to whole IT staff with 24 x 7 x 365 privileged access on many or all computers and network-connected devices in just the blink of an eye. Given that 74% of compromised organizations have admitted the attack involved access to a privileged account, it behooves IT leaders to look at this issue more closely than they currently are.
So, how then, can companies prevent a privileged access breach before it occurs?
Wrapping arms around privileged access sprawl and attack surfaces
Privilege sprawl occurs when privileges, or special rights to a system, have been granted to too many people within an organization. Whether due to lax procedures, a lack of consistent oversight, or the fear of causing disruption to established processes, privileged access sprawl often grows in the dark of companies and quietly amasses to significant proportions. Compounded by the fact that administrators are assigned constant access, this privilege sprawl is a large attack surface that threat actors drool over. When privilege sprawl gets out of hand, an organization’s attack surface grows because of it, and — should one admin credential become compromised by an attacker or misused by an insider — they can easily use lateral movement to find or locate sensitive data to steal or to hold at ransom.
It’s therefore imperative today that companies take stock of their privileged attack surface – especially those lying dormant but available to attackers. By identifying where there is excess standing privilege and effectively eliminating it, companies can gain control over the crux of the issue that leads cause such damaging breaches.
Eliminating 24 x 7 x 365 privileged access and taking a Just-in-Time approach
As noted, while slightly more convenient for admins and users to access systems at any point, standing privilege can be more damaging to companies than it’s worth — simultaneously giving the same convenient access to attackers holding the compromised credentials. These malicious actors can unlock any door and move through most if not all other doors. Equally importantly, this undermines other safeguards and negates any defenses in place for detecting your attackers.
Instead of standing privileged access, a “Just-in-Time” approach, bolstered by multi-factor authentication (MFA), selectively elevates privileges to the specific system that requires attention, exactly when the administration is needed, and for just the right amount of time necessary to complete the task for that particular administrator. This cuts off the opportunity for lateral movement without any friction for legitimate administrators.
By limiting both the specific account that requires admin access and granting such access for a limited time to the specific system, organizations can greatly reduce the risk of cyberattacks and the lateral movement that may occur – even if the attacker has a toehold in their environment. Transforming standing privilege into Zero Standing Privilege – the underpinning of the Just-in-Time approach – companies can more effectively deter cyber thieves from using lateral movement to move from system to system, minimize the window of opportunity to steal admin credentials, and ultimately mitigate the ability to wreak complete havoc across their network.
As enterprises continue to grapple with privileged access attacks and lateral movement, and as threat actors grow increasingly sophisticated, things like a Zero Trust strategy have become the ideal beacon of hope. But for companies to be truly successful, they must master Zero Standing Privilege and Just-In-Time access first. Only then will they reduce growing attack surfaces, strengthen their posture against lateral movement attacks, and build the proper foundation to implement Zero Trust.
Raj Dodhiawala has over 30 years of experience in enterprise software and cybersecurity, primarily focused on bringing disruptive enterprise products to new markets. Currently serving as President of Remediant, he is bringing focus, agility and collaboration across sales, marketing, finance and operations and leading the company through its next phase of growth.