It seems hardly a few weeks pass without yet another breach being announced. And it’s not just the big companies – smaller ones are targets as well. Attackers have become increasingly sophisticated in their methods while keeping up the determination and perseverance needed to walk away with the trophy (compromised data) time after time. One common factor in almost all of these attacks has been the attackers’ ability to capture administrative credentials; once that has happened, the probability of the attacker pilfering valuable data increases dramatically. What can organizations do to address this?
While the tune changes a bit from breach to breach, the dance has essentially remained the same:
- The attackers find a way in by compromising a non-critical portion of the infrastructure (oftentimes through social engineering or spearphishing). Third-party vendors and vendor systems are also common compromise vectors. Attacks are rarely direct; instead the attackers learn to traverse your network and ecosystems, looking for inherent weaknesses. For the most part, unless you have implemented a robust APT detection and response capability on the endpoint, consider your end-user workstations “owned” by the bad guys. This round lets attackers remotely control the compromised workstations, or lets those workstations “call home.”
- They deploy malware to perform reconnaissance of the network, systems and applications.
- They capture credentials (sometimes through password cracking, sometimes through man-in-the-middle attacks, and sometimes through social engineering).
- Once admin credentials are captured, attackers install various tools/weapons to sniff network traffic, scrape data from process memory, change program or configuration files, stage captured data on a collection server, and so on.
While there are many means of strengthening your defenses against each of these “dance steps,” this blog post will focus on protecting credentials, as well as minimizing the attack vectors for capturing them. I think this is a common weakness across many organizations.
- Only use admin credentials when you are doing administrative things. Over the years, I’ve seen hundreds of administrators use one ID for doing their day jobs as well as for performing administrative tasks. Yes, it’s a little bit of a pain, but each administrator should have a separate, unique account (e.g., “username-A”) that is used only for administrative functions, so that a phished or cracked day-job password does not hand over admin rights.
- Process or application IDs should only be used by machines/applications and not by people. Build safeguards into your applications/databases to enforce this: deny interactive logon for service accounts where the platform allows it, and alert when one is used interactively anyway.
- If you rely on public/private key pairs for credentialing, ensure that you have gone to great lengths to protect the private keys (passphrases, hardware tokens or HSMs where practical, and no copies sitting on shared or lower-value systems).
- Do NOT use the same admin or root credentials on lower-value assets such as development servers, test servers, etc., as on live production systems. Oftentimes these credentials are not as well protected, and attackers who obtain them from those systems can turn around and use them to control more important ones.
- PLEASE use two-factor or multi-factor authentication wherever it makes sense, rather than relying on OS-level credentialing alone (e.g., Active Directory passwords) for administrative functions. I’ve seen so many folks implement bastion hosts combined with solid network controls to protect their critical environments, only to leave the weakest link as the incumbent credentialing system, hence the title of this blog post. Given that administrators most likely already use two-factor authentication to remotely access their environment, there should be little or no incremental cost to make this change. Yes, it might take a few extra minutes for an admin to log in, but it really is an ounce of prevention. Consider implementing two-factor or multi-factor authentication on all bastion hosts (jump boxes) as well as for direct server access.
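Most of the bullets above are things you can check for in your own login logs rather than merely ask people to follow. The script below is an added example written for this post, not code from the original author: it audits a handful of constructed login events for a day-job ID doing privileged work, a service ID used interactively, a single-factor login on a jump box, and one admin identity used on both dev/test and production hosts. The event shape, the account inventory, the host tiers and the names used for multi-factor methods are all assumptions; map them onto whatever your SSH, Active Directory or SIEM logs actually record.

```python
"""Credential-hygiene audit over login events.

Added example (not from the original post). The event shape, the account and
host inventories and the MFA method names are assumptions; adapt them to your
own log schema.
"""
from collections import defaultdict

# Assumed account inventory: every identity is tagged with what it is for.
#   "user"    - a person's day-job identity
#   "admin"   - a dedicated administrative identity (the post's "username-A")
#   "service" - an application or process identity, never for interactive use
INVENTORY = {
    "jsmith": "user",
    "jsmith-A": "admin",
    "backup_svc": "service",
    "root": "admin",
}

# Assumed host tiers. Bastions are the jump boxes the post wants behind MFA.
HOST_TIER = {
    "bastion01": "bastion",
    "web-prod-01": "prod",
    "db-prod-01": "prod",
    "web-dev-01": "dev",
    "ci-test-01": "test",
}

LOW_VALUE_TIERS = {"dev", "test"}
# Assumed method labels that mean a second factor was presented (for sshd this
# would be something like AuthenticationMethods "publickey,keyboard-interactive"
# backed by an OTP PAM module).
MFA_METHODS = {"publickey+keyboard-interactive", "publickey+otp"}

# Constructed login events in a normalized shape (assumption, not a real log format).
EVENTS = [
    # First bullet: day-job ID running privileged commands on a production box.
    {"user": "jsmith", "host": "web-prod-01", "method": "password", "interactive": True, "privileged": True},
    # Second bullet: a person logging in interactively with a process ID.
    {"user": "backup_svc", "host": "db-prod-01", "method": "password", "interactive": True, "privileged": False},
    # Fourth bullet: the same admin credential used on a dev server and on production.
    {"user": "jsmith-A", "host": "web-dev-01", "method": "publickey", "interactive": True, "privileged": True},
    {"user": "jsmith-A", "host": "web-prod-01", "method": "publickey", "interactive": True, "privileged": True},
    # Fifth bullet: single-factor login on the jump box.
    {"user": "jsmith-A", "host": "bastion01", "method": "password", "interactive": True, "privileged": False},
    # Legitimate events: a non-interactive batch job, and an MFA login on the bastion.
    {"user": "backup_svc", "host": "db-prod-01", "method": "publickey", "interactive": False, "privileged": False},
    {"user": "jsmith-A", "host": "bastion01", "method": "publickey+keyboard-interactive", "interactive": True, "privileged": False},
]


def audit(events, inventory=INVENTORY, host_tier=HOST_TIER):
    """Return a list of (finding, user, detail) tuples for policy violations."""
    findings = []
    tiers_by_admin = defaultdict(set)
    for e in events:
        kind = inventory.get(e["user"], "unknown")
        tier = host_tier.get(e["host"], "unknown")
        if kind == "unknown":
            findings.append(("UNINVENTORIED_ACCOUNT", e["user"], e["host"]))
        if kind == "service" and e["interactive"]:
            findings.append(("SERVICE_ID_INTERACTIVE", e["user"], e["host"]))
        if kind == "user" and e["privileged"]:
            findings.append(("DAYJOB_ID_PRIVILEGED", e["user"], e["host"]))
        if tier == "bastion" and e["method"] not in MFA_METHODS:
            findings.append(("BASTION_SINGLE_FACTOR", e["user"], e["host"]))
        if kind == "admin":
            tiers_by_admin[e["user"]].add(tier)
    # The cross-tier check needs the whole window: one admin identity seen on
    # both a low-value tier and production means one credential unlocks both.
    for user, tiers in sorted(tiers_by_admin.items()):
        if "prod" in tiers and tiers & LOW_VALUE_TIERS:
            spanned = sorted(tiers & (LOW_VALUE_TIERS | {"prod"}))
            findings.append(("ADMIN_CRED_CROSS_TIER", user, "+".join(spanned)))
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS):
        print("%-24s %-12s %s" % finding)
```

Run against the constructed events it reports exactly the four planted violations and stays quiet on the batch job and the MFA bastion login. The cross-tier check is deliberately done over the whole batch rather than per event, because the problem is not any single login but the fact that one credential is valid in two places of very different value; in a real deployment the inventory and tier map would come from your CMDB or directory, and unknown accounts are flagged rather than ignored so that an attacker-created identity does not slip through as "not in scope."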
Do you have any additional recommendations to add to the list above? We know that some answers may lie within the ever-changing IAM landscape, including federated cloud credentials, SSO, etc.
In summary – the keys to the kingdom lie within the authentication mechanisms employed to protect it. The attackers are going after these credentials 24x7 and have come up with some creative and mind-boggling means of obtaining them. Don’t be a sitting duck – start looking into what you can do to better protect your organization’s credentials.