Webinar Preview: Back to “The Basics” – Pragmatic advice from Gavin Ashton, author of “Maersk, me, & notPetya”
Part 3 – Privileged Access
This is the final installment of a three-part series on Maersk, me, & notPetya, a blog post by Gavin Ashton about his experiences responding to and recovering from the NotPetya ransomware outbreak at Maersk. If you’ve missed Part 1 or Part 2, give them a quick read!
At the root of this attack, and of so many before it, lies a tangled mess of lateral movement and privilege escalation vectors. Privileged access assessments conducted for our enterprise clients frequently turn up thousands upon thousands of pathways adversaries could exploit to achieve domain dominance or compromise sensitive data.
These pathways commonly share several traits:
- The privileges granted to users implicated in these pathways frequently cross security boundaries. The classic example (with too frequently tragic consequences) is the user with Domain Admins privileges that also uses that account to log on to their workstation.
- They’re often the result of over-provisioned access. Years of lax practices have created many opportunities for adversaries to steal privileges. It’s almost a guarantee that in an assessment we’ll find a service account running with Domain Admins privileges.
- Passwords are shared with other (even lesser-privileged) users. Shared passwords are just bad. Combined with the all-too-frequent discovery that multi-factor authentication is not required, the conditions are ripe for an adversary to abuse them.
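The three traits above are the findings a privileged access assessment looks for first. The following PowerShell is an added, read-only check for two of them (service accounts holding Domain Admins, and Domain Admins accounts being used for interactive logons on workstations); it is not code from the original post or from Stealthbits, and it assumes the RSAT ActiveDirectory module, a Windows Server 2016 or later domain, and read access to the Security log of the workstation named in the placeholder.

```powershell
# Added example (not from the original post or Stealthbits): audit Domain Admins
# membership for assessment findings. Nothing in the directory is modified.
Import-Module ActiveDirectory

# Assumption: the tier-0 group under review; repeat for Enterprise Admins, etc.
$GroupName = 'Domain Admins'

function Get-PrivilegedGroupFindings {
    param([string]$Group)

    # -Recursive expands nested groups so indirect members are not missed.
    $members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled

        # Trait: a service account (anything carrying an SPN) running with Domain Admins.
        $isServiceAccount = ($u.ServicePrincipalName.Count -gt 0)

        # Non-expiring or year-old passwords are a proxy for shared/stale credentials.
        $stalePassword = $u.PasswordNeverExpires -or ($u.PasswordLastSet -lt (Get-Date).AddDays(-365))

        [PSCustomObject]@{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            ServiceAccount       = $isServiceAccount
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordLastSet      = $u.PasswordLastSet
            LastLogonDate        = $u.LastLogonDate
            Risk                 = if ($isServiceAccount) { 'High' } elseif ($stalePassword) { 'Medium' } else { 'Review' }
        }
    }
}

function Get-PrivilegedWorkstationLogons {
    # Trait: the Domain Admin who logs on to a workstation with that same account.
    # Reads 4624 (successful logon) events from one workstation and keeps only
    # interactive (2) and RDP (10) logons by members of the privileged group.
    param([string]$Group, [string]$ComputerName, [int]$Days = 30)

    $privileged = (Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }).SamAccountName

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4624 property order: TargetUserName is index 5, LogonType is index 8.
            $user = $_.Properties[5].Value
            $type = [int]$_.Properties[8].Value
            if (($type -in 2, 10) -and ($privileged -contains $user)) {
                [PSCustomObject]@{ Time = $_.TimeCreated; Computer = $ComputerName; User = $user; LogonType = $type }
            }
        }
}

Get-PrivilegedGroupFindings -Group $GroupName | Sort-Object Risk, SamAccountName | Format-Table -AutoSize

# Placeholder workstation name; point this at a sample of endpoints, not domain controllers.
Get-PrivilegedWorkstationLogons -Group $GroupName -ComputerName 'WKS-PLACEHOLDER' | Format-Table -AutoSize
```

Any row marked High is a service account that should be moved out of Domain Admins and run with a purpose-built, least-privileged identity; any workstation logon hit is a Domain Admins credential that has been exposed to that endpoint's memory and is the classic starting point for the lateral-movement pathways the post describes.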
It’s clear from posts like Gavin’s that many organizations still haven’t tackled these problems; they clearly must. But even organizations who have already invested in solving these problems can make improvements.
Privileged Access Management is not a new concept. Solutions that vault and rotate credentials, and securely proxy access to systems, have been around for years. However, these approaches fall short of actually reducing the privilege attack surface. Simply vaulting privileged accounts isn’t sufficient to stop adversaries from abusing them; they must be eliminated.
Organizations that want to adopt strong privileged access management processes should focus on achieving the zero standing privileges (ZSP) objective. Why should you protect privileged access all the time, when privileges are only used some of the time? The simple answer is you shouldn’t. Just-in-time access with identities that are created for a specific purpose with a finite lifetime can help you eliminate the privileges attackers strive to compromise.
Achieving ZSP is one of the most effective ways of denying adversaries opportunities for lateral movement and privilege escalation. If the privileges don’t exist until they’re needed, only exist for a short time window, are scoped to only a specific activity, and subsequently destroyed when the administrator has completed their task, then there’s little chance an adversary will be able to make use of them.
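One concrete way to realise the just-in-time, finite-lifetime model described above on Active Directory is the time-to-live (TTL) group membership that ships with the Privileged Access Management optional feature. The script below is an added example, not code from the original post or from Stealthbits; it assumes the RSAT ActiveDirectory module, a forest at Windows Server 2016 functional level with the PAM optional feature enabled, and placeholder names for the forest and the requesting administrator identity.

```powershell
# Added example (not from the original post or Stealthbits): grant a privileged
# group membership that the domain controller itself removes when its TTL expires.
Import-Module ActiveDirectory

# Assumptions (placeholders): forest name and a dedicated admin identity that is
# separate from the daily-use account, as the post recommends.
$Forest    = 'corp.example'
$Requester = 'jdoe.admin'
$Group     = 'Domain Admins'
$Ttl       = New-TimeSpan -Hours 1   # the finite lifetime of the grant

# TTL memberships require the PAM optional feature; fail early if it is not enabled.
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if (-not $pam.EnabledScopes) {
    throw "Enable it first: Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target $Forest"
}

function Grant-JitMembership {
    param([string]$Identity, [string]$GroupName, [TimeSpan]$TimeToLive)

    # The membership link is written with a TTL. When it expires the DC drops the
    # member automatically, so no standing privilege is left behind to be stolen.
    # Kerberos tickets issued during the window are also capped at the remaining TTL.
    Add-ADGroupMember -Identity $GroupName -Members $Identity -MemberTimeToLive $TimeToLive

    # Bound the identity itself as well: the account expires with the grant.
    Set-ADAccountExpiration -Identity $Identity -DateTime ((Get-Date) + $TimeToLive)

    # Show the remaining TTL; members with a TTL render as "<TTL=3600,CN=...>".
    $dn = (Get-ADUser -Identity $Identity).DistinguishedName
    (Get-ADGroup -Identity $GroupName -Property member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like "*$dn*" }
}

function Revoke-JitMembership {
    param([string]$Identity, [string]$GroupName)
    # Early revocation for when the task finishes before the TTL elapses.
    Remove-ADGroupMember -Identity $GroupName -Members $Identity -Confirm:$false
    Clear-ADAccountExpiration -Identity $Identity
}

Grant-JitMembership -Identity $Requester -GroupName $Group -TimeToLive $Ttl
# ... the administrator performs the scoped task here ...
Revoke-JitMembership -Identity $Requester -GroupName $Group
```

The revocation call is the part most often forgotten in home-grown JIT processes; the TTL is the safety net, but an explicit revoke as soon as the task ends is what keeps the window as short as the post argues it should be.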
Gerrit Lansing is Stealthbits’ Field CTO. In his role, Gerrit leads strategic initiatives to improve customer engagement and Stealthbits’ products and positioning. He brings with him over a decade of experience in information security, with a focus on identity and privileged access management. Prior to joining Stealthbits, he started his career as an Information Security Analyst at Liberty Mutual before joining CyberArk Software where he held multiple roles including Director of Consulting Services and Chief Architect.
Gerrit holds a Bachelor of Arts in Administrative Science from Colby College in Waterville, ME.