The Lockdown

Thycotic’s Cyber Security Blog

Cyber criminals don’t want to be found—a Privilege Detective using Thycotic’s free Least Privilege Discovery Tool

Written by Joseph Carson

July 10th, 2018

Cyber criminals don’t want to be found. They play a good game of hide and seek, and in many companies no one is doing any seeking. Instead, those companies hope that their security perimeter is holding strong, typically relying on traditional security controls that are often outdated and, for most attackers, easily bypassed with phishing emails and other scams that exploit people rather than technology.

Once an attacker breaches your network, the average dwell time before discovery is more than 200 days. So work on the assumption that you are already breached, and constantly hunt for cyber criminals within your network.

Cyber criminals use your own infrastructure to stay hidden, sometimes disguising themselves as legitimate services. They abuse stolen identities and elevate privileges using your own administrative tools to move around, stealing your sensitive data, committing financial fraud, or even worse—poisoning your data.

Cyber criminals do not make noise when they are attacking. Sometimes they cause a distraction at the front door while they sneak in the back, while all your resources are focused on keeping the business running. Many of the techniques used today involve avoiding the places you are actively managing or monitoring. The attacker does not head straight for the target but instead moves slowly along the walls of your perimeter, looking for systems or services where they can avoid detection and elevate privileges before carrying out their malicious activity.

The challenge for organizations is that they usually have a good number of local administrator accounts, local service accounts, application accounts and local administrator group memberships that are not known, managed or secured. These hand administrative permissions to the attacker, who can then use your own environment against you: installing tools, remote-access back doors, malware or other malicious software.

Many organizations reduce this risk by applying a “Least Privilege” security strategy, so that their endpoints and systems do not carry unnecessary local administrative rights that an attacker can abuse to persist and avoid detection. This helps reduce dwell time and extends the security perimeter from the network edge to the privileges themselves.

Least Privilege means reducing an end-user, service, application or even local administrator account to the minimum privileges it needs to carry out its authorized function or tasks. Limiting exposure to full administrative rights helps the organization stay compliant, while still allowing privilege to be elevated on demand rather than granting permanent administrative rights that typically go unmanaged and unsecured.

Let’s dive into Thycotic’s free Least Privilege Discovery Tool

The Least Privilege Discovery tool is a simple tool that you run on your network; it does not require Active Directory (AD). It can target multiple endpoints, discovering and identifying local administrative information within minutes. It creates an executive report that provides an inventory of the findings, with alerts and recommendations on how you can reduce the risks discovered.

Why is the free Least Privilege Discovery tool valuable? As mentioned earlier, local administrator rights are prime targets for cyber criminals. If you are not discovering them, you might be one of those victims with a dwell time of more than 200 days. The tool lets you find those local administrative privileges now and assess which are business-essential and which can be removed, eliminating major risks.

To make it more difficult for attackers to compromise IT infrastructure, it is important to apply the principle of Least Privilege: every account has only the permissions it needs to perform its job, and no more. With a Least Privilege posture, should an attacker compromise an account, the damage they can inflict is limited by the minimal privileges of that account. This can stop an attacker from advancing to more, and more valuable, data and systems.

How do you use the Least Privilege Discovery tool? It is quite simple. Download the tool, extract it and run it. A welcome screen explains what the tool does and helps you prepare; you then add the credentials required for the scan, choose the Windows systems to target, perform the scan and review the report.

The report provides an executive overview, a summary of the privilege scan, the local accounts found, service accounts and application permissions, and then a complete breakdown of the risks and recommendations.
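For readers who want to see what such a discovery pass actually collects, here is an added PowerShell example. It is not the Thycotic tool or any of its code; it uses only built-in cmdlets to gather the same three things on a list of Windows hosts: members of the local Administrators group, enabled local user accounts, and services running under a named account. It assumes WinRM is reachable on the targets, that the supplied credential is a local administrator there, and that the host names WS-001 and WS-002 are placeholders for your own.

```powershell
# Added example: inventory local admin group members, local users and service
# logon accounts on a list of Windows hosts with built-in cmdlets.
# Not Thycotic's tool. Assumes WinRM is enabled on the targets and the supplied
# credential has local administrator rights there. Host names are placeholders.
param(
    [string[]]$ComputerName = @('WS-001', 'WS-002'),
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'Credential used for the scan')
)

$scan = {
    # Members of the built-in Administrators group, looked up by well-known SID
    # (S-1-5-32-544) so a renamed group is still found.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Host    = $env:COMPUTERNAME
                Finding = 'LocalAdminMember'
                Name    = $_.Name
                Detail  = "$($_.ObjectClass) from $($_.PrincipalSource)"
            }
        }

    # Enabled local user accounts; a password that never expires is flagged
    # separately because it is the one nobody rotates.
    $users = Get-LocalUser | Where-Object Enabled | ForEach-Object {
        $finding = if ($_.PasswordExpires) { 'LocalUser' } else { 'LocalUserPasswordNeverExpires' }
        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Finding = $finding
            Name    = $_.Name
            Detail  = "LastLogon=$($_.LastLogon)"
        }
    }

    # Services running as something other than the built-in service identities
    # or a virtual 'NT Service\' account: these are the application and service
    # accounts that tend to be forgotten.
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) -and ($_.StartName -notlike 'NT Service\*') } |
        ForEach-Object {
            [pscustomobject]@{
                Host    = $env:COMPUTERNAME
                Finding = 'ServiceAccount'
                Name    = $_.StartName
                Detail  = "$($_.Name) ($($_.StartMode)) -> $($_.PathName)"
            }
        }

    # Wrap each in @() so a single finding and an empty result both concatenate.
    @($admins) + @($users) + @($services)
}

# Fan out over WinRM; an unreachable host produces an error but does not stop the run.
$results = Invoke-Command -ComputerName $ComputerName -Credential $Credential `
    -ScriptBlock $scan -ErrorAction Continue

# A principal that is an administrator on many hosts is the lateral-movement
# path described above, so rank admin members by how many hosts they cover.
$results | Where-Object Finding -eq 'LocalAdminMember' |
    Group-Object Name | Sort-Object Count -Descending |
    Select-Object @{ n = 'Principal'; e = { $_.Name } }, @{ n = 'HostsWhereAdmin'; e = { $_.Count } } |
    Format-Table -AutoSize

# Full inventory, in a form the report can be built from.
$results | Select-Object Host, Finding, Name, Detail |
    Export-Csv -Path .\privilege-inventory.csv -NoTypeInformation
```

Save it as a .ps1 and run it from a workstation that can reach the targets over WinRM. The ranking at the end is the part worth reading first: a local account or domain group that turns up as an administrator on dozens of hosts, with one shared password, is exactly the foothold the post describes.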

5 Least Privilege Hacks and How to Avoid Them

#1 Shared Accounts – yes, end-users and administrators take shortcuts: they share accounts and reuse the same password across multiple systems and accounts, even common internet accounts.

*Avoid shared accounts and reused passwords, and use a Privileged Access Management solution.

#2 Social Engineering – sometimes it is easier to ask the end-user or administrator directly for the password under the guise of a legitimate company service, like health benefits.

*Avoid relying on only a password as a security control and enforce Multi-Factor Authentication for privileged accounts.

#3 Misconfigured Application Service Accounts – humans make mistakes, and a misconfigured application service account can let an attacker use the service account interactively or replace the application’s executables.

*Avoid forgotten application service accounts by discovering and inventorying them, together with their privileges.

#4 Default Passwords – yes, we are human and sometimes forget to change an application’s default password, or an application is reset and the password reverts to the factory setting.

*Avoid default passwords by discovering and rotating them, so that no one inside or outside the organization can abuse those privileges.

#5 Session Hijacking or Man in the Middle – another common privilege hack is to lure a helpdesk worker or administrator who has administrative privileges into logging on to a system the attacker has already compromised, by faking performance problems or common errors, in order to hijack the resulting administrative session.

*Avoid session hijacking by using a Privileged Access Management solution that enforces least privilege, so that accounts cannot be reused to move around the network.
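Hack #3 above mentions replacing a service’s executable. Here is an added PowerShell check for that specific weakness; it is not from the original post or the Thycotic tool. It enumerates services, resolves each one’s executable from the raw service command line, and reports any whose file ACL grants write-type rights to broad principals such as Users or Everyone. The list of broad principals and the treatment of generic rights are assumptions to adjust for your environment; run it locally with administrative rights.

```powershell
# Added check, not part of Thycotic's tool: which Windows services have an
# executable that non-administrative principals can modify. Run locally as an
# administrator. The set of "broad" principals is an assumption; extend it with
# your own domain groups.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace or alter the binary. Generic rights
# (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) are included because some
# ACEs carry them instead of the specific FileSystemRights flags.
$specific  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'
$writeMask = $specific -bor 0x40000000 -bor 0x10000000

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # Win32_Service.PathName is the raw command line: it may be quoted, may
    # carry arguments, and may contain environment variables.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $raw = if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { $PathName.Substring(1, $end - 1) } else { $PathName.Trim('"') }
    } else {
        # Unquoted: everything up to the first ".exe" (covers paths with spaces)
        $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
        if ($m.Success) { $m.Groups[1].Value } else { ($PathName -split ' ')[0] }
    }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Find-WritableServiceBinaries {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceExecutablePath $svc.PathName
        # Skip services whose binary cannot be located on disk.
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int so undefined (generic) enum values still mask correctly.
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Exe       = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceBinaries | Sort-Object RunsAs, Service | Format-Table -AutoSize
```

Any row in the output is a binary that a standard user could swap for their own; the RunsAs column tells you which account an attacker would inherit when the service next starts, which is why the check pairs naturally with the service-account inventory above.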

Thycotic recognizes that a Least Privilege policy is important for organizational security. When adopting a Least Privilege policy, the first step is to identify all the computers and accounts that have elevated privileges, then create a plan to minimize those privileges where applicable. Finding elevated privileges on servers that hold mission-critical solutions for finance, HR and product development is expected and often fairly straightforward. Finding such privileges on end-user machines is more difficult, because many end-users are not aware of the extent of their privileges or account access.

Don’t wait for a Cyber Catastrophe to occur. Get ahead now, and start with the Thycotic Least Privilege Discovery Tool.
