Compromise Of Privileged Accounts A Crucial Factor In 100% Of Advanced Attacks

Organisations can significantly reduce the threat of targeted attacks by proactively securing privileged accounts, according the first APT Privileged Account Exploitation research report. Compiled by CyberSheath’s advanced security investigations team and commissioned by Cyber-Ark, the report reveals that the theft, misuse and exploitation of privileged accounts is a key tactic in each phase of an Advanced Persistent Threat (APT) attack cycle.

CyberSheath’s APT Privileged Account Exploitation report compiles interviews with leading CISOs and security professionals at organisations that collectively have more than US$40 billion in annual revenues and more than 170,000 employees around the globe. CyberSheath combined these interviews with the analysis of several high-profile cyber attacks and related industry research from the past year to detail how privileged accounts are increasingly being used in advanced and targeted attacks to compromise organisations and steal data.

Key Findings Of The APT Privileged Account Exploitation Research Report

• The Compromise Of Privileged Accounts Was A Crucial Factor In 100 Per cent of Advanced Attacks: CyberSheath found that the absence of fundamental access control measures was a crucial factor in all of the recent high-profile attacks that were examined, including the South Carolina Department of Revenue, The University of Georgia, the NASA Jet Propulsion Library, Red October, Utah Department of Health, Toyota, The Swiss NDB Intelligence Service, Saudi Aramco, and Global Payments.

• Attacks That Use Privileged Accounts Are More Difficult To Detect, Shut Down And Remediate: Attacks that leverage privileged accounts can delete logs to make forensic analysis more difficult and can be used to install new malware to evade detection and open more doors. In addition, privileged account use appears as normal traffic flow and is not detected by traditional means. Finding illicit privileged account use among legitimate processes is like finding a needle in a stack of needles.

• Attacks That Exploit Privileged Accounts Are More Damaging And Expensive: Eradicating attackers from a compromised network can be extremely expensive and painful. In addition to the high-costs associated with data breaches (the average cost of a data breach is US$2.4M over a two year period), the efforts to remove well-entrenched attackers from a network requires multiple remediation steps that can take thousands of man-hours of work.

• Properly Secured Privileged Accounts Can Significantly Reduce APT Exposure: Locking down privileged accounts and preventing their use in APTs moves up the kill chain and helps thwart attack progression at the delivery stage, as opposed to the command and control stage.

**
Best Practices For Preventing APT Privileged Account Compromise**

• Isolate, monitor and control every access point to all critical business systems

• Change default passwords on all servers, databases, applications and network devices

• Remove hard-coded passwords from scripts, configuration files and applications

• Employ technical means of automatically enforcing enterprise password policies

• Control access by enforcing least privilege

• Use multifactor authentication for access to privileged accounts

• Increase password complexity

• Use a unique password for each local administrator account

• Remove local administrator rights from the majority of users

• Reduce the number of privileged domain-wide service accounts

• Automatically change passwords on a periodic basis and immediately upon suspicion of misuse

• Monitor and record all activities associated with administrative and privileged accounts

• Implement tamper-proof logging, auditing, and alerting on privileged access

“The theft and exploitation of privileged accounts is a critical and devastating part of the APT attack cycle. These accounts provide wide ranging access in the enterprise and enable attackers to easily simulate normal business traffic, making infiltrations extremely difficult to detect. Our examination showed that almost every major cyber-incident in the past couple of years involved privileged accounts. The protection, accountability and management of privileged accounts are the very first steps organisations need to take to stop targeted attacks,” said Eric Noonan, CEO, CyberSheath.