In the war for credentials, PAM might be your business’s most valuable asset

PAM Asset, Data, In the war for credentials, PAM might be your business's most valuable asset

Mark Harrison, Head of Cyber Security, MTI, takes us on a deep dive into Privilege Access Management (PAM) and the value it holds for businesses.

In the current remote-hybrid working world, thinking about an organisation’s credentials and access management is a more challenging task than it was previously. In any organisation, privileged accounts are everywhere, but some are not so obvious.  For example, the CFO could authorise or request a payment to be made; marketing accounts that can update a website and social media; HR accounts that can alter payroll information; finance accounts that can approve purchase orders or contractors / 3rd parties.  A privileged account is not only an IT-related account.

The threat to privileged credentials?

A significant number of security breaches and failures are caused by poor management of identities, access rights and privileges combined with the attacker’s determination and ingenuity to obtain valid credentials.  The recently released “Verizon 2021 Data Breach Investigations Report” is validation that credentials are still one of the most sought-after data types, with 61% of all breaches involving compromised credentials in some way.  

Any organisation that has conducted Red Team Pentation Tests and Simulated Ransomware Attacks will undoubtedly have seen several sets of valid user credentials compromised – usually within the first few days of the assessment.  –  This allows the test team to establish a foothold on the network, or cloud environment, with which they will further their attacks.  Both penetration testers and attackers do this because it is much simpler to log on to something with valid credentials and more likely go unnoticed than launching a full exploitation attack looking to compromise software.  Credentials can also be reused to connect to other parts of the network without carrying out multiple types of overt attacks to move laterally.  Gaining access to administrative-level credentials makes things even easier; this often allows an attacker to obtain a total compromise with just a single account.

Verizon’s report also shows incidents of both phishing and ransomware attacks increased over the last year, with Human-Operated Ransomware attacks particularly have intensified during the Coronavirus pandemic.  Since we know attackers and criminal gangs are specifically targeting privileged credentials, ensuring these are managed and secured effectively is a key step in reducing risk and the attack surface of any organisation.

Privilege Access Management (PAM) is typically the solution to address this problem and is a holistic approach that covers people, processes and technology – reducing risk by preventing the malicious use of privileged accounts and credentials.  A solid PAM program is essential for protecting organisations against security breaches emanating from poor password and identify management. 

The keys to the kingdom?

The ability to access and make changes to an organisation’s IT infrastructure means privileged credentials should be viewed as critical assets.  A set of compromised credentials in the hands of an attacker can be used to comprise the most hardened of systems. 

Avoiding this scenario requires a comprehensive understanding of privileged accounts within the organisation, a clear view of access rights and dependencies and an analysis that shows what levels of risk each account presents.  This is by no means easy to achieve, with the most recent Thycotic PAM Maturity Assessment revealing that more than half of organisations have no idea how many privileged accounts they have or where they’re located.  This should not be used to reflect a failure of an organisation but more to underline how complex the challenge of identifying and then securing privileged accounts is. 

The lack of correct privileged access management leaves organisations open to the most used pathway for threat actors gaining access to a network:

  • Compromising an end-user account: This is often achieved using phishing emails, telephone social engineering, malware or good old-fashioned password guessing attacks.  The attacker usually gains access to the user’s email account and can send emails internally, appearing to come from a trusted source.  Often, email rules are created to redirect emails outside of the organisation.  Other actions may be logging on to the Virtual Private Network (VPN), SharePoint, OneDrive or other SaaS-based services.  A typical attack scenario to contemplate is: if a legitimate user account uploaded a word document with malware or ransomware embedded in it to your SharePoint site, would you detect it?  What if other users then downloaded it?
  • Accessing a privileged account: Attackers will nearly always target privileged accounts, either directly or once they have compromised a low-level user account and gained a foothold.  Using legitimate administrative user credentials means they increase the chances of gaining access to other parts of the business and data undetected or without investing any additional effort. A simple log on with an administrator account often bypasses all security measures.  Before launching any significant attack, this stage is used to install backdoors, call-backs and other unwanted things to ensure they retain access and can return in the future.  A little-appreciated fact is approximately 30% of enterprise-level organisations (1000 users or more) are compromised on average 25 times in the 12 months following their first cyber-attack; primarily as attackers do not give up their access to a decent network lightly (they often sell this access to other groups).
  • Gaining total network access: Finally, often with the use of privileged credentials, the attackers plan and execute their attack.  Human-Operated Ransomware attacks (e.g. Garmin, Sopra Steria, Irish Health Care, Colonial Pipeline) have rapidly become the standard method of attack.  This means planning the attack in detail, possibly over several months, and then launching it only when the attackers are sure it will work and will put the victim in the position to have to pay the ransom.  Part of this planning is ensuring any defences are bypassed and they remain undetected until they are ready to launch it – having access to privileged accounts is an absolute must when doing this.  The alternative is noisy attacks that can be detected and the inability to profile the network to the required level.

What is PAM?

Privileged Access Management is fundamentally a solution to automatically create passwords, rotate passwords, monitor logged on sessions and to force certain accounts to require approval before they can be used.

The use cases are many, but some of the most common include:

  • Automatically rotate an administrator password every time it is used.  This negates cached passwords, password guessing or attacks once a password is known.
  • Monitor logged on sessions and if risky behaviour is detected – for example, commands sent to the host, files uploaded, or changes made to the operating system – then terminate the logged session, rotate the password and raise an alert to the IT team.
  • Grant access to a particular host but only allow a user to log in at a certain day/time – useful for 3rd party support processes.
  • Have a service account check out a password each time it is required and rotate the password each time.  This prevents service accounts in Active Directory from being created and then never having the password changed as it’s too risky or time-consuming to update the software that uses the credentials.
  • Grant access to a host but completely mask the username and password from the user – again useful for giving contractors access to a host without letting them know the username and password, preventing them from logging on to other hosts.
  • Full audits of every user who has ‘checked out a credential and what actions they performed.  All sessions can be recorded as a video for visibility into everything they did.
  • Require manager approval before a credential can be issued – useful for untrusted / 3rd party access, where a manager grants a password request for a predefined time period. At this point, the session is terminated automatically.

Building your defences with PAM

To be clear from the outset, implementing a PAM solution is not easy – especially if PAM is a new solution to the organisation. However, effective management of privileged accounts is a huge step towards protecting a business and its assets.  It can also be a considerable time saver for users, and IT teams alike when fully implemented. 

For a PAM security solution to be effective, it needs to encompass all privileged accounts.  To do this, all privileged accounts first need to be discovered, dependencies worked out and then correctly categorised (e.g. service account, admin account, hardcoded credential, marketing, finance etc.).

Next, clearly defined rules and controls covering how that credential is managed, restricted and monitored need to be implemented.  Should the account be restricted to certain hours of the day, does the password need to be rotated every time it is used, does the user need to request manager approval from within the PAM solution before they can log on to a host?  Clear and well-documented rules and controls also provide a framework for continuous improvement to enhance IT security across the organisation.

Partner on PAM

While following these best practice approaches is an effective way to approach PAM, and there is a range of powerful PAM solutions on the market, it can be challenging for security teams to know which approach is best.  PAM-as-a-Service can be a good way for organisations to get their PAM programme up and running quickly while minimising the internal resources required to deploy and maintain the technology.  Conversely, PAM in an on-premises deployment puts all aspects of the service fully under the organisation’s control and management.

READ MORE:

Whichever deployment option is decided upon, the discovery work, planning and policy creation is generally the same and is a fundamental prerequisite to having a useful PAM deployment that provides a return on investment and reduces risk.  It’s at this step the right decision should be taken to partnering with a specialist or doing it in-house based upon the internal skills and resources available.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Author