By Joseph Carson
Tue | Sep 5, 2017 | 2:19 AM PDT

Cybersecurity is a hot topic these days, affecting more than 3.6 billion Internet users worldwide, including six billion email accounts, two billion smartphones, one billion Apple users, one billion Gmail accounts, and nearly two billion Facebook accounts. All of these connections represent opportunities that hackers can exploit for financial gain or to steal our identities in order to access sensitive or proprietary information.

Public reports of cyber breaches over the past year describe more than 500 data breaches, exposing approximately 3 billion information records in 2016. Up to 80 percent of these incidents involve the compromise of passwords or other identity credentials. When our identities are stolen or unknowingly exposed, an attacker can easily bypass traditional perimeter security barriers undetected. And if that identity has access to privileged accounts, hackers can quickly get at critical information assets.

Unfortunately, many IT users lack a full understanding of how privileged accounts function, as well as the risks associated with their compromise and misuse. That makes them and their organizations much more vulnerable to potential monetary and reputational damage from increasingly sophisticated threats. 

Industry analysts estimate that from 60 to 80 percent of all security breaches now involve the compromise of user and privileged account passwords. In fact, a recent survey of hackers attending the 2017 Black Hat conference in Las Vegas revealed that compromising privileged accounts and email accounts are the preferred methods for getting at the sensitive data of any organization.

The following steps explain how outside attackers or malicious insiders exploit vulnerabilities, using examples such as a compromised email account password that escalates into a full-blown breach of network security. By dissecting the make-up of a privileged account hack, we can show exactly how cyber criminals target their victims and what can be done to reduce risk and prevent abuse of critical information assets.

Reconnaissance Finds the Weakest Links

Every day when you connect to the Internet and use social media, you share more and more personally identifiable information about your physical and digital identity. That includes your full name, home address, telephone numbers, IP address, biometric details, location details, date of birth, birthplace, and even family members.

The more information you make available online, the easier it is for a cyber criminal to use it to target you and your organization. Cyber criminals and hackers can spend up to 90 percent of their time performing reconnaissance on their targets before acting. That means developing a profile of the target using online resources such as social media, Google “dorking” and other search engine techniques to gather as much personal information as possible.

Hackers make use of both public and deep web searches to collect information on a company and its employees. They look for financial details, website archives, technologies used, partners and suppliers, executive teams, organization charts, contact information, email distribution lists, hardware used, document templates, signature formats, office locations, domains, already leaked data, and leaked or stolen passwords. Some may even travel to restaurants near a company’s offices where employees might use public Wi-Fi during lunch. In a technique known as passive assessment, all this information can be obtained without touching a company’s security perimeter.

Cyber criminals intelligently comb through data searching for the best targets - those expected to yield the quickest results with the least effort. In creating a digital footprint of potential targets, hackers identify the weakest links in the organization. These are typically employees or third-party vendors. Armed with personal details, email formats, invoice templates, and existing security controls of their intended victims, cyber criminals can then plan their method of incursion.

Trick Users Into Revealing Private Passwords

Gaining access to a company network frequently begins by targeting the email and social media accounts of employees or third-party contractors. In many cases, an unsuspecting employee receives an authentic-looking email from a third-party supplier or a message via social media. Known as spear phishing, the urgent message “requires” the employee to click once on a hyperlink. Once clicked, the employee has handed over their secret password and digital identity to the cyber criminal, who can then bypass security controls and pose as a trusted employee.

A secondary victim can also be used to gain access. Take the example of an employee who brings home a company laptop. His 8-year-old son plays online games and chats with friends on a social messenger about upcoming school projects using his own personal device. Suddenly the son gets a new friend request from an older boy who sends some cool links to new games and fun surveys, and finally a link to a cool new app.

Instead of a new friend, it is actually a cyber criminal who is using the 8-year-old as a mule to gain access to an unprotected device on the home network. Once that device is compromised, the cyber criminal or hacker can usually get access to all other devices at home, including audio and web cameras that allow them to listen to and watch what the family is doing, and even compromise work devices brought home that are connected to the same network.

The ultimate aim is to scan the employee’s company laptop for vulnerabilities, exploit it, install malware and then wait for the employee to return to work the next day. The perimeter has now been compromised and the cyber criminal is on the internal network. It can be that easy. Usually, though, once initial access has been gained the cyber criminal does not act immediately; at this point they often move on to the next target and use the time to collect and learn more about the employee.

Once cyber criminals have access, they can learn the behavior of an employee, such as the victim’s predictable schedules and routines. They know when the victim logs on and off, what applications are executed, what is installed, what privileges they have, how and when software updates are deployed and when security scans occur. Knowing the victim’s habits helps the hacker remain undetected and circumvent security controls.

When reconnaissance and enumeration are conducted carefully and extensively, it takes just 24-48 hours to gain access to a network, often via a secondary unsuspecting victim. One advantage the cyber criminal has that security professionals do not is a hell of a lot of time.

Explore IT Environment Under the Appearance of an Authentic User

Once inside the IT environment as a trusted user, attackers perform reconnaissance and learn about the normal routines of IT teams. This includes observing regular schedules, security measures in place, and network traffic flow. Eventually the attacker can get an accurate picture of the entire network and its operations.

By observing and recording normal operational routines, attackers are ready for the next step. In most cases, cyber criminals begin by looking for well-known system vulnerabilities such as unpatched servers. Often, companies rely only on perimeter-facing security systems and applications, yet these are typically not the areas exploited by cyber criminals. The systems and applications most at risk are those on the same network as the unknowingly compromised employee’s computer and digital identity.

With compromised credentials, the cyber criminal can work his way across the network, further and deeper into the victim’s IT infrastructure, creating additional backdoors for future access in case the initial access is removed, knowingly or unknowingly, by the victim. Once inside the company’s network, the intruder can move around undetected since most cybersecurity controls focus only on protecting the network perimeter.

Escalate Ability to Exploit by Accessing Privileged Accounts

As noted earlier, privileged accounts are the real target of hackers because of the unfettered access they give, so escalation from a regular user account to a privileged account is their ultimate goal. Unfortunately, some companies have made this task very easy by granting most employees local admin rights. This is a short step away from gaining full access to the entire network infrastructure.

Some organizations give full admin rights in specific situations just to keep users happy and productive even though it’s not usually necessary. Once granted, however, privileged access transfers to the cyber criminal to further exploit the network. 

Maintain Access

Maintaining access to systems once they’ve been breached via a user account is typically quite easy. Hackers can download compressed, encrypted tools and utilities from the internet that allow them to avoid security controls. A compromised laptop, for example, can be loaded with these tools, giving the attacker ready access to the corporate network through a shared drive.

Hackers also maintain access by creating new privileged accounts, changing existing passwords on service accounts, and/or installing remote access tools that are hidden behind normal applications used every day by employees. If for any reason the initial compromised access is discovered and eliminated, cyber criminals can then use one of their many backdoors to return and regain access whenever they wish. In many cases, hackers rely on typical troubleshooting or help desk tools for operating systems to provide remote access, remote shells, or even malware that calls home to a command and control server on a predefined schedule, waiting for instructions.

Conduct malicious activity

With established access and escalated privileges, the malicious activity attackers carry out depends on their motives. For curious script kiddies, showing off their exploits to friends or trying to reach the next level of acceptance within a community may guide their activities. For organized crime, making money takes precedence, and some may even earn cash through hacking as a service, or by relying on hacking groups to pay them for their exploits. Hacking by nation states, which has gained such notoriety, focuses on economic, political or intelligence advantages. Terrorist groups have also become a major threat, typically seeking to steal from, damage or destroy a perceived adversary.

Financial gain is the most common motivation, and recent incidents featuring ransomware such as WannaCry and NotPetya illustrate how widespread and lucrative these kinds of attacks can be. Advanced techniques that enable insider trading focus on cyber criminals capturing confidential information to make stock trades based on financial results before they are made public. 

Organizations need to prepare for malicious activity before it occurs by establishing an incident response team and process to deal with a potential breach. How an organization responds to a breach once discovered will often determine whether the business will survive. 

Cover your tracks to remain undetected

Removing any sign or indication that a network has been hacked is the final step in a successful breach. Either the attacker wants to erase all traces of the breach, or they are planning to return later to carry out their malicious activities. In most cases, hackers cover their tracks by deleting log files or any activity that can be traced back to how they originally gained access. Because the hacker has access to privileged accounts, erasing any trace of malicious activity can be achieved relatively easily.

However, the hacker’s life can be made much more difficult with automated privileged access management security controls that centralize logs, segregate user permissions so that only certain privileged accounts can access those logs, and correlate log data to identify tampering with or deletion of logs.
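A minimal version of the log-tampering correlation described above, written as an added example for this article (it is not the author's code or any product's implementation). It assumes each host forwards records to a central store stamped with a per-host, monotonically increasing record id, and uses a constructed sample of forwarded records; gaps, counter resets and explicit clear events are flagged centrally, where the attacker's local deletions cannot reach.

```python
# Added example: central-store correlation to detect log tampering on hosts.
# Assumption: hosts forward records as (host, local_record_id, event) and the
# local_record_id increases by exactly one per record on a healthy host, so
# the central copy can spot records deleted before forwarding or a cleared log.

# Constructed sample of forwarded records (not real log data).
SAMPLE_RECORDS = [
    ("srv01", 101, "logon user=alice"),
    ("srv01", 102, "service_start name=backup"),
    ("srv01", 103, "logon user=svc_deploy"),
    ("srv01", 107, "logoff user=svc_deploy"),   # ids 104-106 never arrived
    ("ws42", 5001, "logon user=bob"),
    ("ws42", 5002, "audit_log_cleared by=bob"), # explicit clear event
    ("ws42", 1, "logon user=bob"),              # counter reset after the clear
    ("db07", 9000, "logon user=carol"),
    ("db07", 9001, "query table=payroll"),
]

# Event substrings that mean the host's own log was wiped (hypothetical names).
CLEAR_MARKERS = ("audit_log_cleared",)


def find_tampering(records):
    """Return a list of (host, finding) for clear events, gaps and counter resets."""
    findings = []
    last_id = {}  # most recent record id seen per host
    for host, rec_id, event in records:
        if any(marker in event for marker in CLEAR_MARKERS):
            findings.append((host, f"log cleared: {event}"))
        prev = last_id.get(host)
        if prev is not None:
            if rec_id <= prev:
                findings.append((host, f"record counter reset {prev}->{rec_id}"))
            elif rec_id != prev + 1:
                findings.append((host, f"gap: records {prev + 1}-{rec_id - 1} missing"))
        last_id[host] = rec_id
    return findings


def hosts_flagged(records):
    """Distinct hosts with at least one finding, sorted for stable output."""
    return sorted({host for host, _ in find_tampering(records)})


if __name__ == "__main__":
    for host, finding in find_tampering(SAMPLE_RECORDS):
        print(f"{host}: {finding}")
```

In practice the per-host counter would be whatever sequence number the forwarding agent already provides, and the findings would feed an alert rather than a print.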

Privileged account management becomes the new 'security perimeter'

In today’s hyper-connected world, organizations can no longer rely on the traditional security perimeter as their only cyber security protection. The next generation “security perimeter” must focus on Identity and Access Management security solutions. IAM solutions that validate identity and permitted access are required to protect systems and data that can be located anywhere and accessed at any time.

IAM solutions can help a company accelerate the adoption of new technologies and at the same time help it avoid becoming the next victim of cyber crime. Here are several steps you can take now:

  1. Educate key stakeholders on Identity Access Management.
  2. Discover Identities and Privileged Accounts.
  3. Automate the management and security of privileged accounts.
  4. Adopt and implement policies.
  5. Get better visibility of Identity and Privilege Account usage and compliance.