We all like to write and talk about flashy zero-day vulnerabilities. However, a new threat report cautions enterprises not to flatter themselves, because the majority of criminals are not using valuable zero-day exploits to penetrate corporate networks: they’re phishing privileged account credentials from executives and IT staff, or simply guessing passwords for automated service accounts and, in turn, exploiting that access to gather valuable information.
“Everyone thinks about the zero-day vulnerability, but they’re rarely exploited in a widespread pattern in the wild. They’re so valuable that attackers apply them in a very limited way,” said Craig Williams, senior technical leader and security outreach manager for Cisco Talos Security Intelligence and Research Group. “For every zero day you hear about, there are millions of known vulnerabilities that are far more likely to be used against you.”
A report commissioned by CyberArk and based on interviews with a variety of industry experts from Cisco, Deloitte, Mandiant, RSA Security and Verizon claims that attacks leveraging privileged accounts proceed faster and are more difficult to detect than those that rely predominantly on malware or vulnerabilities. Some 80 percent of targeted attacks, the experts responded, involve a privileged account being hacked at some point.
On average, the interviewees in this report said attacks often persist for months or years before they are discovered. The average attack, they said, is ongoing for six to eight months before anyone notices. That figure is corroborated by findings published by Mandiant claiming that the median duration of an attack before discovery is 229 days.
“Privileged accounts even enable attackers to destroy evidence of their activities and establish redundant access points and backdoors that make it nearly impossible to keep them off internal networks,” CyberArk says.
A significant part of the problem relates to inventory. CyberArk data suggest that, on average, organizations have at least three or four times as many privileged accounts as they have employees. Many organizations are not even aware how many privileged accounts exist. While it may seem easy enough to count accounts, the problem is more complicated than that, particularly when organizations must account for the proliferation of corporate data and applications in the cloud, as well as in mobile and social environments.
Many privileged accounts are provisioned for machines rather than people. IT departments are said to set up “service accounts” to enable machine-to-machine access to software applications, data and computing equipment. These service accounts are often granted broad network access and sometimes the ability to connect to any machine on the network. There are so many of these service accounts at some organizations that many are forgotten about or nearly impossible to effectively monitor.
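The inventory problem described above, as an added example that is not from the report or from CyberArk: given a directory export, the script separates human from service accounts, lists the privileged ones, and flags service accounts that nobody owns or that have not logged on recently. The record layout, the privileged group names, the 180-day staleness threshold and the ACCOUNTS sample are all constructed for this example.

```python
"""Privileged-account inventory check.

Added example, not from the report or from CyberArk: given an export of
directory accounts, separate human from service accounts, list the privileged
ones, and flag service accounts that nobody owns or that have not been used
recently. The record layout, the group names and the ACCOUNTS sample are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Groups treated as privileged (assumed names, typical of an Active Directory).
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Server Operators"})
STALE_DAYS = 180  # assumed threshold after which an unused service account is suspect
AS_OF = date(2014, 6, 1)  # constructed "today" for the sample export


@dataclass(frozen=True)
class Account:
    name: str
    is_service: bool            # True for machine-to-machine ("service") accounts
    groups: FrozenSet[str]
    owner: Optional[str]        # responsible person or team; None if nobody claims it
    last_logon: Optional[date]  # None if the account has never logged on


# Constructed sample directory export.
ACCOUNTS: List[Account] = [
    Account("alice", False, frozenset({"Domain Users"}), "alice", date(2014, 5, 1)),
    Account("bob", False, frozenset({"Domain Users", "Domain Admins"}), "bob", date(2014, 5, 2)),
    Account("svc_backup", True, frozenset({"Domain Admins"}), "it-ops", date(2014, 4, 30)),
    Account("svc_legacy_crm", True, frozenset({"Server Operators"}), None, date(2012, 1, 15)),
    Account("svc_monitor", True, frozenset({"Domain Users"}), "it-ops", None),
]


def is_privileged(acct: Account) -> bool:
    """An account is privileged if it belongs to any privileged group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def privileged_accounts(accounts: List[Account]) -> List[str]:
    """Names of all privileged accounts, human and service alike."""
    return [a.name for a in accounts if is_privileged(a)]


def privileged_service_accounts(accounts: List[Account]) -> List[str]:
    """Service accounts with privileged group membership: candidates for least privilege."""
    return [a.name for a in accounts if a.is_service and is_privileged(a)]


def privileged_per_employee(accounts: List[Account]) -> float:
    """Ratio of privileged accounts to human accounts (the report quotes three to four)."""
    humans = [a for a in accounts if not a.is_service]
    return len(privileged_accounts(accounts)) / len(humans)


def orphaned_service_accounts(accounts: List[Account], today: date) -> List[Tuple[str, List[str]]]:
    """Service accounts with no owner or no recent logon, with the reasons."""
    findings = []
    for a in accounts:
        if not a.is_service:
            continue
        reasons = []
        if a.owner is None:
            reasons.append("no owner")
        if a.last_logon is None or (today - a.last_logon).days > STALE_DAYS:
            reasons.append("stale")
        if reasons:
            findings.append((a.name, reasons))
    return findings


if __name__ == "__main__":
    print("privileged:", privileged_accounts(ACCOUNTS))
    print("privileged service accounts:", privileged_service_accounts(ACCOUNTS))
    print("privileged per employee: %.1f" % privileged_per_employee(ACCOUNTS))
    for name, reasons in orphaned_service_accounts(ACCOUNTS, AS_OF):
        print("review %s: %s" % (name, ", ".join(reasons)))
```

The orphan check is the part most organizations lack: an account with no owner and no recent logon is exactly the forgotten service account the report describes, and a privileged one that is also orphaned should be disabled or re-scoped rather than monitored indefinitely.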
Interestingly, Christopher Novak, a global managing principal working in investigative response for the Verizon RISK Team, notes that phishing, not brute-force or dictionary attacks, is most commonly used to hijack human accounts, suggesting that weak passwords are not really the problem here. However, he says IT teams frequently assume that service accounts will only be used internally, and many of those end up with default, easily guessable credentials.
“We’ve seen 25 or 30 attacks recently in which attackers used (publicly available) default passwords,” Novak says. “Also, account lockouts are usually turned off for service accounts to prevent breakdowns in dependencies between systems. And because it’s presumed individuals aren’t using [these accounts], analysts dial down the sensitivity on alerts. Service accounts are out of sight, out of mind. So, if a threat actor gets into the environment and enumerates the service accounts, which is easy to do, they can make a lot of headway very quickly with low risk of discovery.”
Furthermore, attackers are displaying increasing levels of sophistication when it comes to exploiting access to privileged accounts. They use these accounts to infiltrate a wide range of systems as a sort of access insurance in case one of their avenues into the network is sealed off. Security investigators in the report said attackers are increasingly doing everything from hacking embedded devices in the so-called “Internet of Things” to establishing multiple privileged identities in Microsoft Active Directory to ensure redundant points of access.
In the end, CyberArk says companies need to know what privileged accounts exist within their organization and limit, to the best of their ability, the number of administrative, default or hard-coded credentials, application backdoors and SSH keys they maintain. They also need to make it harder to get privileged access to multiple systems by changing default passwords and using different administrative passwords on each system. Privileged accounts that do exist need to be proactively monitored to ensure they are interacting with data assets in normal ways. Firms should also perform regular audits of their information assets and how those assets are accessed, monitor and limit the privilege level of service accounts, and apply patches early and often. Beyond that, the report urges companies to practice classic defense in depth, because the more overlapping security layers that exist, they say, the more you lower your risks.
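The monitoring the report calls for, and the gap Novak describes (lockout disabled for service accounts, alert sensitivity dialed down), as an added example that is not from the report or from any vendor: the script learns from a known-good window where and how each service account normally logs on, then flags interactive use, logons from a source never seen before, and repeated failures, which lockout would otherwise have stopped. The log line format, the SERVICE_ACCOUNTS set, the failure threshold and both log samples are constructed for this example.

```python
"""Service-account usage monitoring.

Added example, not from the report or any vendor: since lockout is often
disabled for service accounts and alert sensitivity is turned down, this
builds a baseline of where and how each service account normally logs on
and flags deviations instead. The log format, the SERVICE_ACCOUNTS set and
both log samples are constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, Iterator, List, Set, Tuple

# Constructed line format: ISO timestamp, then key=value fields.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"type=(?P<type>\S+) result=(?P<result>\S+)$"
)

SERVICE_ACCOUNTS = {"svc_backup", "svc_monitor"}  # assumed: taken from the account inventory
FAILURE_THRESHOLD = 5  # assumed: failures per (account, source) that warrant an alert

# Constructed known-good window used to learn normal behaviour.
BASELINE_LOG = """\
2014-05-01T02:00:00 user=svc_backup src=backup01 type=service result=success
2014-05-02T02:00:00 user=svc_backup src=backup01 type=service result=success
2014-05-02T02:05:00 user=svc_monitor src=mon01 type=network result=success
2014-05-03T02:00:00 user=svc_backup src=backup02 type=service result=success
"""

# Constructed window to inspect: the backup account used interactively from a
# finance workstation, and repeated guesses against the monitoring account.
NEW_LOG = """\
2014-06-01T02:00:00 user=svc_backup src=backup01 type=service result=success
2014-06-01T14:12:00 user=svc_backup src=ws-finance-07 type=interactive result=success
2014-06-01T14:20:00 user=svc_monitor src=ws-finance-07 type=network result=failure
2014-06-01T14:20:02 user=svc_monitor src=ws-finance-07 type=network result=failure
2014-06-01T14:20:04 user=svc_monitor src=ws-finance-07 type=network result=failure
2014-06-01T14:20:06 user=svc_monitor src=ws-finance-07 type=network result=failure
2014-06-01T14:20:08 user=svc_monitor src=ws-finance-07 type=network result=failure
2014-06-01T14:20:10 user=svc_monitor src=ws-finance-07 type=network result=failure
2014-06-01T15:00:00 user=alice src=ws-finance-07 type=interactive result=success
this line is malformed and is skipped
"""

Alert = Tuple[str, str, str]  # (rule, account, source host)


def parse(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def build_baseline(text: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each service account to the (source, logon type) pairs seen succeeding."""
    baseline: Dict[str, Set[Tuple[str, str]]] = {}
    for ev in parse(text):
        if ev["user"] in SERVICE_ACCOUNTS and ev["result"] == "success":
            baseline.setdefault(ev["user"], set()).add((ev["src"], ev["type"]))
    return baseline


def detect(text: str, baseline: Dict[str, Set[Tuple[str, str]]]) -> List[Alert]:
    """Flag service-account logons that deviate from the baseline."""
    alerts: List[Alert] = []
    failures: Counter = Counter()
    for ev in parse(text):
        user, src, kind = ev["user"], ev["src"], ev["type"]
        if user not in SERVICE_ACCOUNTS:
            continue  # human accounts are covered by other rules and by lockout
        if ev["result"] != "success":
            # No lockout protects these accounts, so count failures ourselves
            # and alert exactly once when the threshold is reached.
            failures[(user, src)] += 1
            if failures[(user, src)] == FAILURE_THRESHOLD:
                alerts.append(("repeated_failures", user, src))
            continue
        if kind == "interactive":
            alerts.append(("interactive_logon", user, src))  # a person is using it
        if (src, kind) not in baseline.get(user, set()):
            alerts.append(("new_source", user, src))
    return alerts


def run() -> List[Alert]:
    """Baseline on the known-good window, then inspect the new one."""
    return detect(NEW_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for rule, user, src in run():
        print("ALERT %-18s account=%s src=%s" % (rule, user, src))
```

The baseline is deliberately per account and per (source, logon type), because a service account legitimately reaching a handful of hosts is normal, while the same account appearing interactively on a workstation is the "individuals aren't using these" assumption failing. The failure counter stands in for the lockout that was turned off: the dependency between systems is preserved, but the guessing still surfaces as an alert.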