+1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

PAM Security Video Series Part 2: Why Privileged Credentials Are At The Heart of Most Large-Scale Cyber Attacks

Written by Thycotic Team

July 7th, 2015

In this video blog series, IT security experts explain why compromised privileged credentials are at the heart of most large-scale cyber-attacks, and how privileged account management can help IT teams mitigate a host of security and compliance issues.

In our first video post for this series we debunked the common myth that passwords are dead. Next we answer the question, “Why is privileged account management a major security concern?”

Watch as Dave and Marcus tell real life stories of privileged credential compromise. Find out how easily attackers are able to escalate access on networks and gain access to highly sensitive information when they have access to a privileged account. Their stories will leave you wondering—has there been a compromised privileged user on your network stealing your organization’s secrets?

As we all know, the goal of most hackers is to get as much access on your network as possible. They usually start by getting some sort of foothold in your network, then working from there to get an administrator-level account. In these videos, security experts talk about how privilege escalation is the most common form of attack performed by hackers. Their goal is to try to escalate the privilege of that initial account or obtain access to a local Administrator account or Domain Administrator level account so they can move freely within the network.

Pretty much every cyber attack involves a compromised credential, followed by privilege escalation.

“Almost every attack now, and most of the ones I’ve seen in my career, involve some kind of a compromised credential and privilege escalation. They have involved someone trying to break in with a less privileged account and then once they get in, they exploit flaws in the software on the host. One of the things that is very frustrating about the way we do security in general is that we try to protect the systems against attacks from the outside, but there’s usually not very good defenses from the inside. What people don’t realize is that the outside very quickly becomes the inside if you can compromise any account, any place inside the perimeter.”

Once hackers find a hole in the perimeter and they get ahold of a vulnerable credential, they’re well on their way to launching a large-scale attack.

“You talk to people who are pen testers and the first thing they’ll tell you is they want to get an account somewhere in the target network. Once they get inside the target network, they’re going to look at the individual machine and are going to try and see what the options are for escalating privilege. Once you’ve escalated privilege then usually you’ll go after the local directory service or other sensitive information.”

If you have a malware problem, you have a privileged credential problem.

“Most of the really nasty malware out there requires some degree of privileges in order to be most effective. I have seen plenty of cases where malware doesn’t necessarily need privileges to gain an initial foothold. In fact it’s extraordinarily common today for drive-by downloads or other web-driven malware to gain foothold on a regular user’s work station. But it doesn’t take long before the attacker looks to escalate their privileges. In fact that’s one of the first things just about every attacker will do because they will hit a wall otherwise. They’ll only be able to gain access to less sensitive data or they won’t be able to move laterally through networks. They’ll have to get ahold of some sort of administrator privileges before too long. So whether that’s their initial strategy or it comes as a secondary or tertiary step as part of their attack campaign, they’re always going to look to gain privileged access. At some point the question is, ‘Do you know once they’ve got them and what are they going to do at that point?'”
“Most of the malware that I tend to run into today eventually tries to gain access to privileged information. In order to do so it’s going to need privileges.  So whether it starts off with administrative credentials or ultimately gets to them later, it’s always going to be a goal for those advanced attackers.”

Without a privileged account audit trail, compromised privileged credentials can go unnoticed.

“When I explain to people that privileged accounts are a really big problem, I often get asked  the question, “Why is this such a big issue?” A lot of times I like to demonstrate why they are such a big problem. If I have privileged credentials I can do any number of things in the environment, some good, some bad. A lot of times people don’t even have auditing around privileged accounts. In other words, I could use an administrator account to log into a shared drive and gain access to documents or I could find an embedded password in a script that runs against a database that allows me to pull records out of that database as the administrator. What people don’t realize is that attackers today love finding privileged credentials. They love coming across privileged accounts because it allows them to act not only as a privileged user, but as a privileged user that has access to sensitive data and can do so in a manner that often flies under the radar.”
 

Like this post?

Get our top blog posts delivered to your inbox once a month.

SHARE THIS


The following two tabs change content below.

Thycotic Team

We deploy smart, reliable, IT security solutions that empower companies to control and monitor privileged account credentials and identities.