Privileged Attack Vectors: Building Effective Defense Strategies - PowerPoint PPT Presentation

SLIDE 1

Privileged Attack Vectors: Building Effective Defense Strategies

Morey J. Haber, Chief Technology Officer, mhaber@beyondtrust.com

SLIDE 2

Agenda

  • The Threat Landscape
  • Sample Cases
  • What is Privileged Access Management?
  • Twelve Steps to Privilege Security
  • BeyondTrust

SLIDE 3

The Threat Landscape

SLIDE 4

The Infonomics of Data Breaches

SLIDE 5

The Cyber Attack Chain

  • 1. Perimeter Exploitation
  • 2. Privilege Hijacking & Escalation
  • 3. Lateral Movement & Exfiltration

Attacker exploits asset vulnerabilities to gain entry … hijacks privileges or leverages stolen/cracked passwords … and compromises other network resources.

Vulnerable Systems | Unmanaged Credentials and Excessive Privileges | Limited Visibility

SLIDE 6

How Are Threat Actors Gaining Privileges?

  • Guessing
  • Dictionary attacks
  • Brute Force
  • Pass the Hash
  • Security questions
  • Password resets
  • Vulnerabilities
  • Misconfigurations
  • Exploits
  • Malware
  • Social engineering
  • MFA flaws
  • Default credentials
  • Anonymous
  • Predictable
  • Shared credentials
  • Temporary
  • Reused

Insider Threats | External Threats | Hidden Threats

SLIDE 7

Sample Cases

SLIDE 8

EMPLOYEES AND OTHER INSIDERS HAVE UNNECESSARY ACCESS

Employees, vendors and other insiders are often given excessive access to systems and data – and that access can go unmonitored.

Source: Verizon 2017 Data Breach Investigations Report

In 88% of cases, attackers compromise an organization using definable patterns established as early as 2014.

SLIDE 9

Privilege abuse was behind 81% of insider misuse incidents.

Source: Verizon 2017 Data Breach Investigations Report

CREDENTIALS ARE SHARED AND UNMANAGED

Passwords are created and shared, but aren’t audited, monitored or managed with discipline or accountability.

SLIDE 10

IT ASSETS COMMUNICATE UNCHECKED

Desktops, laptops, servers and applications communicate and open paths to sensitive assets and data.

Source: Verizon 2015 Data Breach Investigations Report

99% of successful attacks leverage known vulnerabilities

SLIDE 11

Privileged Access Management

SLIDE 12

Privileged Access Management

  • Provides an integrated approach to enterprise password management
  • Enforces least privilege on all endpoints without compromising productivity or security
  • Ensures administrator and root compliance on Unix, Linux, Windows and Mac
  • Identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions
  • Achieves unified visibility over accounts, applications, and assets that they protect

Enterprise Password Management | Privilege Management | Session Management | Advanced Reporting & Analytics | User Behavior Monitoring | Active Directory Bridging

SLIDE 13

Twelve Steps to Privilege Security

SLIDE 14

Step 1: Improve Accountability for Privileged Passwords

Asset Based:

  • Privileged account discovery
  • Develop permissions model
  • Rotate passwords and keys
  • Workflow process and auditing
  • Define session monitoring
  • Segmentation
  • User behavior analysis
SLIDE 15

Step 2: Implement Least Privilege on Endpoints

  • Remove administrator rights
  • Implement standard user permissions
  • Enforce application control
  • Eliminate multiple accounts
  • Context-aware rules
  • Session monitoring
  • Privileged file monitoring
  • Layered, multifactor authentication
  • Auditing of privileged access

Asset & User Based: Windows & Mac OSX (Desktop, Laptop, Notebook, Tablet, Virtual, etc.)

SLIDE 16

Step 3: Leverage Application Risk Levels

  • Limit application privileges to users and assets based on documentable risks
  • Vulnerabilities, unmanaged, unauthorized, and privileged
  • Measure risk for applications executed by user and asset

SLIDE 17

Step 4: Implement Least Privilege on Servers

Script & Command Auditing

  • Scripts, commands & shells
  • Session monitoring
  • Keystroke logging
  • Application logging

Privileges

  • Auditing
  • Context aware
  • Application risk analysis
  • Segmentation

Industry Standards

  • Authentication
  • Ticketing
  • API integration
  • Searching
  • Alerting
SLIDE 18

Step 5: Privilege Management on Network Devices

  • Default or common passwords that are not configured correctly
  • Shared credentials across multiple devices for management simplicity
  • Excessive password ages due to fear of changing or lack of management capabilities
  • Compromised or insider accounts making changes to allow exfiltration of data
  • Outsourced devices and infrastructure where changes in personnel, contracts, and tools expose credentials to unaccountable individuals
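As an added illustration (not from the presentation and not BeyondTrust code), the script below audits a constructed inventory of network-device management accounts for the first three weaknesses listed above: default passwords, one credential shared across several devices, and excessive password age. The inventory, the default-password list, the 90-day policy and the reference date are all assumptions.

```python
from datetime import date

# Constructed sample inventory of network-device management accounts (not real data).
# A real inventory would come from device configs or a PAM discovery scan and would
# hold credential hashes or vault references rather than plaintext.
DEVICES = [
    {"device": "core-sw-01", "user": "admin", "password": "admin", "last_rotated": date(2016, 3, 1)},
    {"device": "edge-rtr-01", "user": "netops", "password": "Sh4red!Pass", "last_rotated": date(2018, 1, 15)},
    {"device": "edge-rtr-02", "user": "netops", "password": "Sh4red!Pass", "last_rotated": date(2018, 1, 15)},
    {"device": "fw-dmz-01", "user": "svc-backup", "password": "Uniq#9x!Lm", "last_rotated": date(2018, 5, 2)},
]

# Assumed vendor-default / common passwords; a real list comes from vendor documentation.
DEFAULT_PASSWORDS = {"admin", "password", "cisco", "default", ""}
MAX_PASSWORD_AGE_DAYS = 90        # assumed rotation policy
AS_OF = date(2018, 7, 1)          # constructed reference date for the age check


def audit_inventory(devices, today=AS_OF, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return sorted (device, finding) pairs for default passwords, stale passwords
    and credentials shared across more than one device."""
    findings = set()
    by_password = {}
    for d in devices:
        if d["password"].lower() in DEFAULT_PASSWORDS:
            findings.add((d["device"], "default-password"))
        if (today - d["last_rotated"]).days > max_age_days:
            findings.add((d["device"], "stale-password"))
        by_password.setdefault(d["password"], set()).add(d["device"])
    # The same secret on several devices means one compromise opens all of them.
    for sharing in by_password.values():
        if len(sharing) > 1:
            for name in sharing:
                findings.add((name, "shared-credential"))
    return sorted(findings)


if __name__ == "__main__":
    for device, finding in audit_inventory(DEVICES):
        print(f"{device}: {finding}")
```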

SLIDE 19

Step 6: Privilege Management for Virtual and Cloud

Cloud-Agnostic – Private or Public

  • License flexibility
  • Asset inventory integration
  • Docker and container aware
  • Discover online and offline instances
  • Leverage hypervisor APIs
  • Agent technologies
  • Respects OS and application hardening
  • Fully automated for passwords & API
  • Auditing, reporting and change-aware
  • Proxy access
  • Session management
SLIDE 20

Step 7: Privilege Management for IoT, IIoT, ICS, SCADA

Zones: Internet | Public | Private | Air-Gapped

Segmentation: Users | Servers | DMZ | Guest | Dumb Devices

Device Type & Risk: IoT | IIoT | ICS | SCADA

Communications and Restricted Lateral Movement | Privileged Access

SLIDE 21

Step 8: Privilege Automation for DevOps

  • Only allow approved assets; identify unacceptable variations
  • Identify security risks and automatically remediate them
  • Ensure configuration hardening
  • Eliminate all locations for hard-coded credentials
  • Platform-agnostic, from cloud to on-premises
  • Limit all users, including privileged access, in the DevOps automated workflow
  • Provide security and performance visibility to ensure security and automation success
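An added example, not part of the deck or of any BeyondTrust product, of how the "eliminate all locations for hard-coded credentials" item can be checked in a pipeline: a scanner over constructed Dockerfile, YAML and config snippets that flags literal secret values but accepts references to a secret store or injected variable. The sample files, the list of sensitive setting names and the reference patterns are assumptions.

```python
import re

# Constructed sample pipeline and container files (not from any real project).
SAMPLES = {
    "Dockerfile": "FROM alpine:3.8\nENV DB_PASSWORD=hunter2\nRUN apk add curl\n",
    "deploy.yml": "env:\n  API_TOKEN: abcd1234efgh5678\n  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}\n",
    "app.cfg": "db_host = db.internal\n# aws_secret_access_key = set-by-vault\n"
               "aws_secret_access_key = EXAMPLE-not-a-real-key\n",
}

# Setting names that normally carry a secret, in KEY=value, KEY: value,
# ENV KEY=value and export KEY=value forms (assumed name list).
SETTING = re.compile(
    r"^\s*(?:ENV\s+|export\s+)?"
    r"(?P<key>[A-Za-z0-9_]*(?:password|passwd|secret|token|api_key|access_key)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)
# Values that defer to a secret store or an injected variable are the desired pattern.
SECRET_REFERENCE = re.compile(r"^(?:\$\{|\$\(|\{\{|vault:|secretsmanager:)", re.IGNORECASE)


def scan_text(name, text):
    """Return (file, line number, key) for every literal secret assignment in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are not live configuration
        m = SETTING.match(line)
        if m and not SECRET_REFERENCE.match(m.group("value")):
            findings.append((name, lineno, m.group("key")))
    return findings


def scan_all(files):
    """Scan a {filename: contents} mapping and return findings in a stable order."""
    return sorted(f for name, text in files.items() for f in scan_text(name, text))


if __name__ == "__main__":
    for path, lineno, key in scan_all(SAMPLES):
        print(f"{path}:{lineno}: hard-coded value for {key}")
```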

SLIDE 22

Step 9: Privilege Management Unification

  • Correlate Data Between Disciplines
  • Correlate Data for Risks
  • Threat Analytics
  • Pivot Privileged Data
  • Profile Assets, Users, and Applications
  • RBAC and Grouping
  • Workflow and Process Validation
  • Third-Party Integration

Enterprise Password Management | Privilege Management | Session Management | Advanced Reporting & Analytics | User Behavior Monitoring | Active Directory Bridging

SLIDE 23

Step 10: Privileged Account Integration

SLIDE 24

Step 11: Privileged Auditing and Recovery

  • Audit and roll back changes and identify who, what, where, and when they were performed.
  • Restore from the Active Directory recycle bin without having to extract backups.
  • Audit, report, and recover across complex Windows or heterogeneous environments.

SLIDE 25

Step 12: Integrate the Identity Access Stack

SLIDE 26

SLIDE 27

Morey J. Haber

  • 20+ years security experience
  • Articles on Secure World, Dark Reading, CSO Online, etc.
  • Author of “Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations” & “Asset Attack Vectors” (covering Vulnerability Management) – both available from Apress Media

SLIDE 28

PROVEN

13,000+ customers worldwide; extensive partner community

COMPLETE

Comprehensive, integrated, intelligent PAM

LEADER

Gartner, Forrester, KuppingerCole

INNOVATIVE

30+ years of privilege security firsts + expansive roadmap

SLIDE 29

Infrastructure | Endpoints | Secure Remote Access

  • Secure credentials with Privileged Identity and manage sessions with Privileged Access
  • Empower and protect your service desk with the most secure Remote Support software

Password & Session Management

  • Gain accountability over shared accounts
  • Eliminate hard-coded passwords
  • Monitor privileged sessions and user behavior
  • Enforce appropriate credential usage

Privilege Management

  • Eliminate Admin\root rights
  • Enforce Application & command control
  • Efficiently delegate Windows, Mac, Unix & Linux privileges and elevate
  • Enforce appropriate use
  • Risk based privilege decisions

PowerBroker Privileged Access Management Platform: On-Premise | Cloud | Hybrid

SLIDE 30
Table 1. PASM Vendors and Their Key Capabilities

PAM Industry Leader

Leader: Forrester PIM Wave, 2016 Leader: Gartner Market Guide for PAM, 2017

SLIDE 31

Questions?

Morey J. Haber, Chief Technology Officer, mhaber@beyondtrust.com