Over-Privileged Humans Aren’t Your Only Security Problem

Every large organization should assume that they have been breached.  If there is a lesson from recent high profile attacks, it is this: in every case, from retail giants like Target to financial institutions like the Bangladesh Central Bank, the attacker had been present in the network long before the breach was discovered, looking for ways to move around, using higher and higher access credentials to get to the end goal.

If companies do not buy into this way of thinking, they stand little chance of being able to prevent a targeted attack.  It is by luck alone that they are not admitting, on live TV or in a national paper, the extent of the breach that their focus on the ‘wrong’ type of IT security has wrought.

Credentials themselves are often thought of in a warped way.

When credentials are discussed, they are often understood as user credentials; a standard, locked-down user or a privileged user, with higher data access and network operation privileges. In other words – humans.

What is important to remember, though, is that the goal of attackers is not to impersonate people.  The goal is to get to something.  Data of some kind that can be used to make money (mostly) or to obtain some kind of information advantage, or even operation privileges, simply to cause havoc in the network

In order to get to the goal, attackers will use any type of account credentials.  And accounts are not just used by humans, they are used by automated process also – the machines and devices inside the network that control backup, scans scripts and many others.

When we connect a new machine to a domain, an account is created and certain services are automatically defined for that machine.  This is to enable network connections from the machine to other resources in the network, such as to retrieve configurations from a domain controller, and to enable access to file shares on the machine itself.

Any function that is automated is also associated with an account. It is important to note that while many services are configured using machine accounts, services and applications can also be configured using user-defined accounts.  For example, a human-created account can be used for a SharePoint or Exchange service.

And herein lies the problem.

These types of accounts are often not subject to good security practices like regular password replacement. Another problem is that the permission levels of these accounts are defined by humans.  These levels – what privileges the service account has in the network – are often too high.  A common scenario is that the service experiences a problem, doesn’t work properly, the administrator seeks a solution online and stumbles on “you probably have a permissions problem, just join the service to the admins group” – then elevated permissions are granted and never revoked.

Your CEO might have elevated permission levels to a specific resource, because he or she has kicked up a fuss about something and it’s easier for IT to acquiesce.  But the CEO would never be given domain level access.  With applications though, especially those on which the business relies for proper operation, it is really important that they work.  If they don’t, and elevated permissions is what is takes to fix the issue, then elevated permissions are going to be granted.

Other bad practices include using the same account for multiple services on multiple servers, storing privileged credentials in scripts on endpoints, using privileged domain-level credentials for local system services and many others.

This is very lucrative for attackers.  They can scan the network, find script-embedded domain admin credentials…and then the game is up.  On that note, this tool allows network or security admins to detect some risky services configurations in their environment  

Several companies have been breached using this exact method, with the attackers getting into the network and scanning all shared drives and finding multiple VBScripts with domain-admin level usernames and passwords. This enabled them to completely control the network and – for example – steal credit card details from Points-of-Sale.   

So it is key to understand that everything has an account and that there are two types of account: machine and user. Human accounts should be separated from service accounts.  Accounts should only be used by a single automated process, with granular permissions.  Instead of granting them privilege levels that are too high, manage them.

Introduce a way to regularly change passwords.  Make these complex and specific, not global in nature.  Protect and monitor all accounts.  Step beyond those technology solutions that just detect malicious human behaviour but are challenged in detecting deviations in behaviour from non-humans.

And then your CEO might not have to stand up in public to tell the world why your company didn’t protect your data better.