Everyone wants access to something privileged, whether it’s an exclusive country club, a concert VIP area, or an airport lounge. For hackers, it’s privileged accounts. They especially target those in hybrid IT ecosystems since gaining control over a single privileged account of any part of the environment can enable them to establish control over the entire system.
Nearly three in four organizations operate in hybrid environments today, making it critical for security specialists to know how to properly protect privileged accounts in hybrid IT. This article explains how privileged accounts can be abused, how compromising a privileged account enables attackers to move through the hybrid IT environment, and how privileged access management (PAM) can help organizations significantly reduce their risk of security breaches.
The Main Attack Surface
The greatest attack surface for most organizations is the accounts with standing privileged access. Attackers actively seek out such accounts to compromise them and gain access to the organization’s most sensitive systems and data. Since they are exploiting a legitimate account, the activity is less likely to be detected and to raise alerts.
Imagine an administrator with a separate Active Directory account used to access servers, workstations, and databases. They might use this access once a month, yet the account holds it 24/7. Replacing such a permanent account with an ephemeral one that automatically expires once the job is done leaves an attacker with no chance for lateral movement, even if they manage to steal the credentials.
One More Access Point: Forgotten Privilege
Another risk lies in outdated accounts with redundant privileges. Such accounts often persist unnoticed in IT ecosystems for months or even years due to misconfigurations, process gaps, or human errors. Here are three common scenarios in which elevated privileges live on long after they should have been removed:
- Third-party account — A company’s IT department engages a contractor to assist with a system migration. When the project is complete, the contractor leaves, but no one deletes the account or even revokes its administrative access to critical systems.
- Service account — A development team creates a service account for an application that needs access to sensitive HR data. Later, the application is phased out, but the service account is never removed.
- Department shift — An employee in the finance department is promoted to a management position in marketing. However, their old privileges for accessing sensitive financial data are still there.
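As an added example (not code from the article or from Netwrix), a Python audit over a constructed export of privileged group members that flags the three scenarios above; the records, group names and the 90-day dormancy threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample export of members of privileged groups (not real data).
# Each record: account, kind, privileged group, department that owns the group,
# department of the holder, last logon, and contract end date (third parties only).
TODAY = date(2024, 6, 1)
PRIVILEGED_MEMBERS = [
    {"account": "contractor.mig", "kind": "contractor", "group": "Server Admins",
     "group_dept": "IT", "dept": "External", "last_logon": date(2023, 11, 2),
     "contract_end": date(2023, 12, 15)},
    {"account": "svc_hrapp", "kind": "service", "group": "HR Data Readers",
     "group_dept": "HR", "dept": "HR", "last_logon": date(2023, 9, 1),
     "contract_end": None},
    {"account": "j.doe", "kind": "user", "group": "Finance Data Admins",
     "group_dept": "Finance", "dept": "Marketing", "last_logon": date(2024, 5, 30),
     "contract_end": None},
    {"account": "a.smith", "kind": "user", "group": "Finance Data Admins",
     "group_dept": "Finance", "dept": "Finance", "last_logon": date(2024, 5, 31),
     "contract_end": None},
]

DORMANT_AFTER = timedelta(days=90)  # assumed threshold for unused service accounts


def find_forgotten_privileges(members, today=TODAY):
    """Return (account, group, reason) for each standing privilege that looks stale.

    The three rules mirror the scenarios above: a third party past contract end,
    a service account nobody has used, and a user whose department no longer
    matches the department that owns the group.
    """
    findings = []
    for m in members:
        if m["kind"] == "contractor" and m["contract_end"] and m["contract_end"] < today:
            findings.append((m["account"], m["group"],
                             f"contract ended {m['contract_end'].isoformat()}, access never revoked"))
        elif m["kind"] == "service" and today - m["last_logon"] > DORMANT_AFTER:
            findings.append((m["account"], m["group"],
                             f"service account idle {(today - m['last_logon']).days} days"))
        elif m["kind"] == "user" and m["dept"] != m["group_dept"]:
            findings.append((m["account"], m["group"],
                             f"holder moved to {m['dept']}, group owned by {m['group_dept']}"))
    return findings


if __name__ == "__main__":
    for account, group, reason in find_forgotten_privileges(PRIVILEGED_MEMBERS):
        print(f"{account:16} {group:22} {reason}")
```

In practice the records would come from a directory export (group membership joined with HR data), and each finding becomes a ticket to revoke the access or convert it to a time-bound grant.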
How Attacks Spread through Hybrid Environments
The interconnectivity between on-premises and cloud systems means that a breach in one environment can quickly spread to the other. For example, suppose attackers compromise the AD credentials of an account that exists in both Active Directory and Entra ID. They can then try those credentials against Entra ID: if the passwords are the same, they log directly into the cloud; if not, they can simply reset the password for the local account and wait for the change to be automatically synced to the cloud account.
While implementing multi-factor authentication (MFA) does add an additional layer of security, it doesn’t offer the level of protection that organizations might anticipate. The truth is that attackers can bypass MFA and gain access in multiple ways, including the following:
- Stealing access tokens — If adversaries compromise a user’s device, they can extract stored authentication tokens or MFA claims and use them to gain access without needing credentials.
- Modifying MFA settings — If they have admin access to Active Directory, they can temporarily change the user’s phone number to redirect MFA codes and approve logins themselves.
- Exploiting Entra ID synchronization — Rather than hijacking an existing user account, attackers can create a new account, add it to a privileged on-prem group, let it sync to Entra ID, and then set up MFA using an email address or phone number under their control.
A Practical Solution: PAM
Properly managing elevated privileges across a hybrid IT ecosystem requires Herculean effort to address the complexity of this environment.
How about countering these simple attacks with a simple defense? Rather than struggling to manage standing privileges, organizations can just get rid of them altogether. This is the premise behind the just-in-time (JIT) access offered by modern PAM solutions. With JIT, users are granted temporary privileges that exist only while they are needed for a specific task. Accordingly, there are no standing privileged accounts for attackers to exploit — effectively shutting down a major attack vector.
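An added illustration of the JIT model described above, not code from the article or from any PAM product: a minimal in-memory broker in Python where an account is privileged only while an unexpired grant exists; the 4-hour ceiling, account names and ticket references are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference time


@dataclass(frozen=True)
class Grant:
    account: str
    role: str          # privileged group or role, e.g. "Server Admins"
    expires_at: datetime
    ticket: str        # change or approval reference the grant was issued for


class JitAccessBroker:
    """Issue time-bound privileges; nothing is held permanently.

    An account is privileged only while an unexpired grant exists, so a
    credential stolen outside that window carries no elevated rights.
    """

    def __init__(self, max_ttl=4 * HOUR):
        self.max_ttl = max_ttl     # assumed policy ceiling for a single grant
        self._grants = []
        self.audit_log = []        # (timestamp, event, account, role) for review

    def request(self, account, role, ttl, ticket, now):
        """Grant `role` to `account` for `ttl`; refuse anything beyond policy."""
        if ttl > self.max_ttl:
            self.audit_log.append((now, "denied_ttl", account, role))
            return None
        grant = Grant(account, role, now + ttl, ticket)
        self._grants.append(grant)
        self.audit_log.append((now, "granted", account, role))
        return grant

    def is_privileged(self, account, role, now):
        """True only while a grant for this account and role is still live."""
        return any(g.account == account and g.role == role and now < g.expires_at
                   for g in self._grants)

    def purge_expired(self, now):
        """Drop expired grants, log each expiry, and return how many were removed."""
        expired = [g for g in self._grants if g.expires_at <= now]
        self._grants = [g for g in self._grants if g.expires_at > now]
        for g in expired:
            self.audit_log.append((now, "expired", g.account, g.role))
        return len(expired)
```

A real PAM deployment performs the same steps against the directory (adding the account to the group and removing it at expiry) and ties each grant to an approval, which is what the audit log records here.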
Other features of a typical PAM solution that are ideal for hybrid environments include:
- Centralized access control across on-premises and cloud environments
- Role-based access control to ensure that each user has access to only the resources necessary for their role or roles
- Monitoring of the activity of privileged users for auditing and compliance purposes
Final Thoughts
Before selecting a PAM solution, organizations should conduct a thorough inventory of their privileged accounts, access points, and security measures. Then, security leaders should define a clear PAM strategy that details the organization’s specific needs and goals for privileged access management. That documentation will be invaluable in assessing candidate PAM solutions to determine the best option for protecting the organization’s hybrid IT ecosystem.
Martin Cannard is VP of Product Strategy at Netwrix. With a 30-year track record of success from startups to enterprise software organizations, Martin is specifically experienced in the privileged access management and identity and access management areas. Leveraging his years in the privilege space, Martin has taken a visionary approach to attack surface reduction to redefine an established PAM market with Netwrix’s next-generation zero-standing privilege solution. Martin is a seasoned speaker who regularly participates in global technological events and webinars.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.