By Tony Goulding, cybersecurity evangelist, ThycoticCentrify
Employees have dozens of interactions with fellow team members, customers, and partners per day. Due to the remote work boom and accelerated digital transformation projects, many of those conversations and exchanges are online. While your team may think they know who is on the other end of that email or completing a task you have asked them to do, there is no guarantee. You also never know when an individual might turn against you and abuse access.
A recent ThycoticCentrify survey revealed that during the past year, over half the respondents are struggling with the theft of legitimate, privileged credentials (53%) and insider threat attacks (52%). Credential-based attacks continue to present a risky situation for security teams because of the inability to recognize friend from foe. This problem is exacerbated when an adversary targets privileged users whose credentials grant the bad actor access to sensitive company and customer information.
Similarly, insider threats – whether a malicious hacker, disgruntled employee, or an individual who makes a mistake – are masked under a cloak of familiarity and legitimacy. Often, insider threats result from enterprises extending too much access to individual employees or contractors, which was the case for nearly half (48%) of survey respondents. Unfortunately, two-thirds of insider threats led to the abuse of administrative privileges.
The survey also revealed that in 85% of instances, cybercriminals could successfully access critical systems and data by using privileged user logins. This wasn’t surprising; privileged credentials remain a prime target. Once obtained, they enable adversaries to download and install tools and malware to explore and map out the broader network, scan for vulnerabilities, identify and side-step security controls, and move laterally from system to system, looking for the crown jewels. With such elevated rights, the adversary has the power to encrypt data for a ransom, exfiltrated and sell sensitive customer and employee details on the Dark Web, and halt business operations.
The hackers conducting these attacks are going for the gold – which is why 65% of organizations saw their IT administrators targeted most frequently, followed by engineers and developers (21%) and the C-suite (19%). No one would typically investigate these users accessing sensitive information because it’s a routine aspect of their job roles.
Thus, with IT administrators often possessing the “keys to the kingdom,” malicious insiders and external adversaries alike take full advantage. When organizations fail to implement comprehensive privileged access security controls, it’s not a matter of “if,” but “when” they will suffer a data breach. It only takes one compromised privileged credential to affect millions – identities, compliance fines potentially, lost intellectual property, lost shareholder value, or ransomware payments. Associated bad press can result in customers losing trust in the brand.
While no single solution can eliminate the threat of privileged credential abuse, adopting a Zero Trust philosophy is an excellent place for organizations to start. Zero Trust aims to take these privileged accounts off the playing field and implement a least privilege access control model. Reversing the traditional security mantra of “trust but verify,” Zero Trust advocates eliminating implicit trust in our administrators and instead adopting a “never trust, always verify, enforce least privilege” approach. Zero Trust has been gaining momentum (62% of respondents are familiar with it) as a modern approach to security. It is designed to accommodate a dissolving perimeter and hybrid IT infrastructures resulting from digital transformation and cloud migration projects.
Below, we dive into some essential aspects of privileged access security that contribute to a successful Zero Trust posture and how your enterprise can start protecting itself from credential-based cyber-threats today:
Make privileged access management (PAM) a priority, especially to support a Zero Trust agenda
There are many paths to Zero Trust. With around 80% of data breaches involving compromised privileged credentials, a PAM solution designed to protect your business from identity-related data breaches should be a primary consideration. Look for a modern, cloud-ready PAM solution that can operate both on-premises and in the cloud. The solution should provide the two primary moving parts of PAM – password and secret vaulting and privilege elevation. Without these, Zero Trust will be tough to achieve. Thankfully, many of you are already on that journey. The ThycoticCentrify survey revealed that 83% of respondents have already incorporated a PAM tool into their security infrastructure.
Enforce multi-factor authentication (MFA) everywhere possible
Adversaries are using legitimate credentials to gain access to your systems and networks. For all access using privileged credentials, organizations must enforce MFA for extra identity assurance. In addition to a password, a second factor of authentication can stop an attacker in their tracks by requiring validation using (for example) a push notification to a mobile phone or a FIDO2 on-device authenticator such as Apple Touch ID or Microsoft Hello. MFA should not be limited to login. Your PAM solution should be capable of enforcing MFA at multiple access control decision points, such as password vault login, password checkout, server login, and host-based privilege elevation. Adversaries faced with multiple hurdles will likely move on.
Manage privileged credentials
Due to their value to cyber criminals, you must strictly manage and protect privileged credentials at all times. As part of a Zero Trust model, least privilege means eliminating privileged accounts representing standing privileges, thereby reducing your attack surface. Those you can’t get rid of should be vaulted for emergency access only and frequently rotated. Administrators will then use their individual enterprise ID (for example, an Active Directory or LDAP account) with minimum permissions and request elevated rights just-in-time, for a limited time, when required. Should the account be compromised, the blast radius is small, giving the bad actor little material value.
Do not forget non-human identities
Non-human identities for virtual machines, containers, microservices, applications, and more are far outpacing the growth in human users — particularly in the DevOps pipeline. Many enterprises forget to safeguard these identities, representing a massive expansion of the attack surface and presenting bad actors with more opportunity to perpetrate a data breach. Selecting a PAM vendor with solutions that seamlessly integrate into the DevOps pipeline to protect these non-human identities is critical to fully adopting a Zero Trust approach.
Digital transformation has empowered businesses to continue operations in this rapidly evolving age of remote work. Enterprises don’t have the time to slow down to consider whether they should trust who is on the other end of the screen. By adopting a Zero Trust philosophy and incorporating a modern PAM solution, organizations can minimize their risk of becoming the victim of a cyberattack, all while operating as usual.