This post continues the series in which we discuss the threat of privilege abuse. Previously, we talked about what you should know about the threat of privileged users and three key things you can do now to start to gain the control you need over privileged users. In this post, we are going to talk about why efficient detection of privilege abuse is essential to mitigating damage, what some typical scenarios of privileged account abuse look like, what mistakes on your side can lead to failures to detect abuse and how you can avoid those mistakes.
Typical pitfalls to avoid
Although organizations take security seriously, they often make mistakes that undermine their effort to control privileged accounts and protect critical systems and data. Here are the two most common pitfalls:
Pitfall #1. Blind trust of insiders. Organizations are filled with fear of hackers, but often forget about insiders. Not every insider is malicious, but anyone can make mistakes. Moreover, any user account can be compromised by attackers, turning them into insiders. Accounts with the most privileges represent the most risk. Therefore, it is important to know what privileged users are doing and be able to spot any anomalies in their behavior.
- How to avoid the pitfall: Make sure you automatically track the activity of users, including privileged ones, and get alerts on both violations of security policy and deviations from normal behavior patterns. Make sure you can investigate the activity of any user across the IT infrastructure, especially suspicious actions. Thorough user activity monitoring will also help you spot gaps in your security posture and weaknesses in your security policies.
Pitfall #2. Fail to establish proper control over provisioning and deprovisioning of permissions. As employees come and go, or their roles in the organization change, their access needs also change. Unfortunately, it is common that employees retain all the privileges they’ve ever had, or they still can access their accounts even after they leave the organization. The same is true of contractors and other third parties: They often have more privileges than they need to do their job, and those permissions are not revoked after the contract ends.
- How to avoid the pitfall: Start by getting a complete inventory of user accounts and determining which ones are privileged accounts. Then check whether any users have excessive privileges (stick to the least-privilege principle), and whether any data is overexposed. As a user’s role changes, revise their permissions accordingly. Also, establish a procedure for requesting, authorizing, making and documenting changes, as well as a policy that requires verification for all critical changes. Last but certainly not least, quickly disable accounts that are no longer needed.
Why focus on detection, rather than prevention?
As long as there are privileged accounts, there is a risk that they will be abused, either by the account owners themselves, or by somebody else interested in taking advantage of privileged access rights.
There are critical strategies you can and should implement to make it difficult for an attacker to get inside, such as privileged account management. But prevention measures work only until the moment when an attacker compromises a privileged account. And they don’t work at all if the actor has legitimate access to a privileged account.
What happens after the actor has been authenticated to the system depends solely on how fast you can detect that something has gone wrong
Remember, too, that’s it’s not just outside attackers who compromise valid privileged accounts. There is also the notorious human factor, which includes users leaving passwords in plain sight, helping a colleague access a critical system, and other examples of negligence and violations of security policies. Shake all these up and you get a cocktail of reasons why privileged account abuse is virtually impossible to prevent.
What happens after the actor has been authenticated to the system depends solely on how fast you can detect that something has gone wrong.
Top signs of privileged account abuse
Each user’s behavior is similar every day: They access the same systems and the same information, typically during certain hours of the day, and they get into the habit of doing things a certain way. If you can record this baseline and spot anomalous actions, you have a huge leg up on detecting threats.
You should look for two main things: any deviation from the baseline in privileged account activity and any unusual spikes of activity around critical assets.
The list of suspicious activity may vary from organization to organization, but here are some typical scenarios that can be a sign of privileged account abuse:
- A user accessed, read, changed or copied files that are not associated with their work routine.
- A user copied files to a personal workstation when policy permits working with them only from a specialized system.
- A user accessed critical systems or data outside of normal business hours.
- A user tried to access a system not associated with their work.
- A user account was used to log on from multiple endpoints at the same time, or different users logged on from the same endpoint at the same time.
- There was an unusually large number of manipulations with sensitive data.
- Old accounts became active again.
Attackers are always looking for ways to disguise their malicious behavior as absolutely routine and normal
It is important to keep in mind that while certain actions are inherently suspicious, attackers are always looking for ways to disguise their malicious behavior as absolutely routine and normal. For example, a user (or an attacker using a compromised account) can create an account and add it to a high-privileged group, but wait until later to use that account for personal gain. For this reason, every organization needs security policies that require authorization and review of all critical changes.
The key capabilities to look for
There are many methods and solutions designed to help you detect user behavior anomalies, including user and entity behavior analytics (UEBA) software. How can you tell which ones are good? Look for detection capabilities that enable you to do three things:
- Quickly detect an attack or a violation, before it impacts security or business continuity
- Efficiently investigate alerts quickly and with minimal staff
- Assess the overall risk score for each user so you can spot threats that materialize over longer periods of time and prioritize your responses
The faster you can detect, investigate and stem privileged account abuse, the better your chances of preventing damage and avoiding penalties. Some of the smartest things you can do are to learn from others’ mistakes, and keep your security strategy up to date as your user base, business needs and IT infrastructure change.
Have you ever detected privileged account abuse? What other mistakes should be avoided? What do IT pros need to pay more attention to, when monitoring privileged accounts? Please share your experience in the comment box below.