The Lockdown

Thycotic’s Cyber Security Blog

PAM Security Blog Series Part 4: 3 Privileged Account Management Security Benefits

Written by Thycotic Team

August 4th, 2015

In this video blog series, IT security experts explain why compromised privileged credentials are at the heart of most large-scale cyber-attacks, and how privileged access management software can help IT teams mitigate a host of security and compliance issues.


Part four of our video blog series continues as Dave and Marcus dive into the security benefits of privileged account management to protect against nation state and advanced criminal organization attacks, as well as defending against pass-the-hash attacks. Dave ends by telling the story of weak privileged account life cycle support at a large healthcare organization. Would your organization have been able to find Dave hidden in plain sight? Find out.

Protecting against malware

“The current landscape of attacks is primarily driven through external actors, including nation states and advanced criminal organizations. The way they are gaining access to our sensitive data is primarily through malware. At some point through malware an attacker has to gain access to an administrative or privileged credential in order to get to the most sensitive data that we are trying to protect. One of the most important things organizations need to be thinking of today is, ‘How do I protect those administrative credentials? How do I prevent those attackers from getting there in the first place?’”

Solving pass the hash vulnerabilities with PAM

“You still have the pass-the-hash problem with Active Directory if you are giving users a regular account, but if you are going through a privileged account management system like Thycotic’s you’ve solved the pass-the-hash problem, and the endpoint destination control issue. You’ve also solved the logging and auditing capabilities, all of which are absolutely critical.”

Creating better privileged account life cycle support

“I did a penetration test for a large healthcare organization several years ago and they never really had an extensive security assessment of this type before. The CIO was driving this initiative and was being tasked by the board of directors to have a comprehensive security assessment performed. They brought my organization in to take a look holistically across the organization to find as many security issues as we could. They wanted to raise awareness across every level as to why security is important and examples to drive that.

We came in and there were a large number of different tasks we were performing across a long period of time associated with this. The penetration testing piece we did both externally and internally, and when we performed the internal penetration test, one of our initial goals was to gain access to some sort of local administrator credential. Finding vulnerable local administrator credentials is one of our first targets to gain access to servers, a workstation, or just escalating from there. That’s usually a very effective tactic for us. So we initially gained access to a local administrative credential through a poorly protected service through a system.

Our next goal naturally is to try to take that account and then try to use it to access not only sensitive data, but larger scale administrative privileges, though the first thing we are after is domain controllers. So we went after domain controllers and after about three days we not only gained access to the domain controllers, but we had taken over the domain admin role and dumped out all of the password hashes for the entire Active Directory.

That was the starting point.

Now the great thing about this story is not that we were able to gain access to those credentials; we were certainly able to do so through a natural progression of local admin, to local admin on the domain controller, to domain admin pretty easily. That’s not uncommon when attackers gain access initially into the environment. The great thing about this story is what happened afterward. So we were asked to come back a year later after we had performed the initial assessment.

We had given the report and the presentation, and showed them that we had gained access to the domain admin role. In fact, we had placed a new account into the domain admin group and had named it Dave. It was pretty obvious that it was there. We came back a year later to perform another assessment and unfortunately Dave was still a member of the domain admin group. Not only did they have poor security to begin with around privileged account management, but they also didn’t have good life cycle support for credentials in the first place because that account was left behind for an entire year.”
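The check this story argues for is a recurring review of who is actually in the Domain Admins group. The following PowerShell script is an added example, not code from the post or from Thycotic: it compares the recursive membership of Domain Admins against an approved baseline and flags members that are not on the list, were created recently, or have not logged on for a while. The baseline file path, the 90-day dormancy threshold and the 30-day "recently created" window are assumptions.

```powershell
# Added example (not Thycotic's code): audit Domain Admins membership so an
# unexpected member such as the "Dave" account surfaces at the next review.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Assumption: the approved list is a reviewed, version-controlled text file,
# one sAMAccountName per line.
$ApprovedMembers = Get-Content -Path 'C:\Audit\domain-admins-approved.txt' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
$StaleAfterDays   = 90   # assumed threshold for a dormant privileged account
$RecentWindowDays = 30   # assumed window for "newly added" accounts
$Now = Get-Date

# -Recursive expands nested groups, so a user granted Domain Admins through an
# intermediate group is still reported.
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties whenCreated, LastLogonDate, Enabled
    }

$Findings = foreach ($u in $Members) {
    $reasons = @()
    if ($ApprovedMembers -notcontains $u.SamAccountName) { $reasons += 'NotOnApprovedList' }
    if ($u.Enabled -and $null -eq $u.LastLogonDate) {
        $reasons += 'NeverLoggedOn'
    } elseif ($u.Enabled -and ($Now - $u.LastLogonDate).Days -gt $StaleAfterDays) {
        $reasons += "DormantOver${StaleAfterDays}Days"
    }
    if ($u.whenCreated -gt $Now.AddDays(-$RecentWindowDays)) { $reasons += 'CreatedRecently' }
    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Created        = $u.whenCreated
            LastLogon      = $u.LastLogonDate
            Reasons        = ($reasons -join ',')
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Created -Descending | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled run can raise a ticket or alert
} else {
    Write-Output 'Domain Admins membership matches the approved baseline; no dormant members.'
}
```

Run it as a scheduled task or from a monitoring host; a non-zero exit is the signal that membership drifted from the baseline and needs a human to confirm or remove the account.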
