Back to “The Basics” Blog Series – Part 3: Privileged Access


Webinar Preview: Back to “The Basics” – Pragmatic advice from Gavin Ashton, author of “Maersk, me, & notPetya”

Part 3 – Privileged Access

This is the final installment of a three-part series on Maersk, me, & notPetya, a blog post by Gavin Ashton about his experiences responding to and recovering from the NotPetya ransomware outbreak at Maersk. If you’ve missed Part 1 or Part 2, give them a quick read!

At the root of this attack, and of so many before it, lies a tangled mess of lateral movement and privilege escalation vectors. Privileged access assessments conducted for our enterprise clients frequently turn up thousands upon thousands of pathways adversaries could exploit to achieve domain dominance or compromise sensitive data.

These pathways commonly share several traits:

  1. The privileges granted to users implicated in these pathways frequently cross security boundaries. The classic example (with too frequently tragic consequences) is the user with Domain Admins privileges that also uses that account to log on to their workstation.
  2. They’re often the result of over-provisioned access. Years of lax practices have created many opportunities for adversaries to steal privileges. It’s almost a guarantee that in an assessment we’ll find a service account running with Domain Admins privileges.
  3. Passwords are shared with other (even lesser-privileged) users. Shared passwords are just bad. Combined with the all-too-frequent discovery that multi-factor authentication is not required, the conditions are ripe for an adversary to abuse them.

It’s clear from posts like Gavin’s that many organizations still haven’t tackled these problems; they clearly must. But even organizations who have already invested in solving these problems can make improvements.

Privileged Access Management is not a new concept. Solutions that vault and rotate credentials, and securely proxy access to systems, have been around for years. However, these approaches fall short of actually reducing the privilege attack surface. Simply vaulting privileged accounts isn’t sufficient to stop adversaries from abusing them; they must be eliminated.

Organizations that want to adopt strong privileged access management processes should focus on achieving the zero standing privileges (ZSP) objective. Why should you protect privileged access all the time, when privileges are only used some of the time? The simple answer is you shouldn’t. Just-in-time access with identities that are created for a specific purpose with a finite lifetime can help you eliminate the privileges attackers strive to compromise.

Achieving ZSP is one of the most effective ways of denying adversaries opportunities for lateral movement and privilege escalation. If the privileges don’t exist until they’re needed, only exist for a short time window, are scoped to only a specific activity, and subsequently destroyed when the administrator has completed their task, then there’s little chance an adversary will be able to make use of them.
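One concrete way to approximate the ZSP model described above in Active Directory is time-bound group membership from the Privileged Access Management optional feature (Windows Server 2016 forest functional level or later). The following is an added example, not code from the original post or from Stealthbits; the forest name, account name and group list are placeholders, and it assumes the admin identity is a separate, purpose-built account rather than the user's daily workstation account.

```powershell
# Added example (not from the original post): time-bound Domain Admins membership
# using the Active Directory Privileged Access Management optional feature.
# 'corp.example', 'jdoe-adm' and the group list below are placeholders.

Import-Module ActiveDirectory

# One-time, forest-wide prerequisite (cannot be disabled once enabled).
# Replace 'corp.example' with the forest root domain.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example'

# Grant a dedicated admin identity membership in Domain Admins for 60 minutes.
# AD removes the membership automatically when the TTL expires, and Kerberos
# tickets issued for the session are limited to the remaining TTL, so the
# privilege exists only for the maintenance window and is then destroyed.
$AdminIdentity = 'jdoe-adm'           # placeholder: separate admin account, never the daily-use one
$Ttl = New-TimeSpan -Minutes 60

Add-ADGroupMember -Identity 'Domain Admins' -Members $AdminIdentity -MemberTimeToLive $Ttl

# Verify the grant: with -ShowMemberTimeToLive, expiring members are listed as
# "<TTL=<seconds>>,CN=..."; entries without a TTL prefix are standing privileges.
Get-ADGroup -Identity 'Domain Admins' -Property member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

# Periodic audit: flag any standing (non-expiring) member of a tier-0 group,
# which is exactly the over-provisioned access the post says should be eliminated.
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($Group in $Tier0Groups) {
    $Members = Get-ADGroup -Identity $Group -Property member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member
    foreach ($Member in $Members) {
        if ($Member -notmatch '^<TTL=\d+>,') {
            Write-Warning "Standing membership in '$Group': $Member"
        }
    }
}
```

The audit loop is the check to run on a schedule: any tier-0 member that is not carrying a TTL prefix is a standing privilege, which is the condition an attacker relies on for lateral movement and the one ZSP sets out to remove.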
