Introduction

The threat landscape of cybercriminals targeting critical systems and data is evolving rapidly, necessitating a proactive approach to combat their increasingly sophisticated attack methods. A glaring example of the consequences of inadequate security measures was the 2019 Capital One Bank data breach, where over 100 million customer accounts and credit card applications were exposed due to a misconfigured Web Application Firewall. One of the main configuration issues noted with the WAF utilized by Capital One to protect their AWS deployment was the inadequate implementation of least privilege. In this case, the WAF employed to protect the AWS deployment possessed the capability to list and read all files stored within the cloud buckets. These permissions granted to the WAF were beyond the requirements for its intended functions, enabling the attacker to exploit the WAF and retrieve sensitive data from AWS.

Another prime example of privilege escalation is that of the Marriott International cyber-attack that occurred in 2018 in which information belonging to 300 million customers was exposed. The attacker obtained physical access to a device within Starwood (part of Marriott) and installed a web-shell. The device had internet connectivity and administrative privileges as it ran a service enabling employees to modify the Starwood website. Leveraging the web shell, the intruder introduced a remote access trojan onto the system, thereby granting them root-level access to the compromised machine and other interconnected machines within the network. Subsequently, the attacker then utilized software to extract user credentials from memory. This enabled the attacker to elevate their privileges by exploiting higher-level user accounts.

These incidents serve as stark reminders of the pressing need to stay ahead of emerging threats and prioritize privileged access management within organizations. Threat actors consistently seek opportunities to exploit vulnerabilities and gain unauthorized privileged access to systems, highlighting the importance of robust privilege management strategies.

PAM: The Old Way of Doing Things

In many organizations, traditional processes inadvertently seep into project lifecycles, particularly when faced with tight deadlines. Consider the following scenario: a project acquires a solution that requires administrator-level permissions on an account. Although the access control standards dictate operating with the principle of least privilege, implementing this recommendation may be challenging, causing disruptions and delays. Frustrated by the obstacles, the project reluctantly resorts to granting excessive permissions to the account and manages it as if it were a regular user account, thus introducing a significant risk. Unfortunately, such risks often go unnoticed until regulatory audits occur, perpetuating an ongoing cycle of vulnerability. This oversight provides threat actors with a lucrative opportunity to compromise the application or system and allow unauthorized access to data.

PAM: The New Way of Doing Things

This brings us to the crucial concept of Privileged Access Management (PAM). Organizations must proactively define privileged access to effectively understand the objectives of PAM. Privileged access refers to the specialized permissions granted to certain users, enabling them to administer systems, services, and manipulate critical data. These actions inherently pose a high risk, as they can result in data leaks, compromised security postures, regulatory violations, and significant financial implications that can tarnish an organization's reputation.

Privileged Access Management (PAM) encompasses a comprehensive set of processes, strategies, and tools designed to detect, secure, control, and monitor privileged access to an organization's critical data or infrastructure. Various types of privileged accounts exist, such as local administrators, root users, break-glass users, domain administrators, and service accounts with elevated access levels.

Implementing an effective privileged access management framework requires careful consideration of the following key points:

• Define PAM Objectives: Clearly outline the objectives of the PAM framework. Identify the systems, applications, and data that require protection. Consider regulatory compliance requirements, risk management, and organizational goals.
• Discovery: Conduct thorough scans of the infrastructure environment, utilizing robust asset management systems to identify privileged credentials with local administrator or root permissions. It is vital to ensure that all accounts, especially those manually created without formal approval, undergo a rigorous approval process and are diligently tracked in an identity management system. Additionally, privileged credentials associated with application access must be identified, and their permissions well-documented.
• Ensure least privilege: Emphasize the principle of least privilege, granting only the minimum level of privileges required for an account to perform its intended function within the solution's scope. This reduces complexity and the potential for privilege abuse. Determining the specific function of each user and defining the scope of entitlements for their account helps establish a strong foundation for least privilege access.
• Define criteria for privileged access: Establish a comprehensive set of criteria to determine functions that fall under the umbrella of privileged access. These criteria should encompass actions such as modifying or removing system services, variables, time settings, logging mechanisms, local security policies, access controls, and firmware. Additionally, privileges related to executing or uninstalling applications, adding or removing accounts, modifying account permissions or passwords, and manipulating database security should be included. This non-exhaustive list serves as a starting point for establishing comprehensive guidelines.
• Governance: Implement automated access and entitlement reviews to govern privileged access effectively. Store privileged credentials in highly secure vaults with stringent access controls. Grant end-user access to privileged accounts only after thorough approval processes, with time limits, and accompanied by approved change tickets. This ensures traceability of all activities associated with privileged accounts.
• De-provision access: Disable or de-provision privileged accounts or keys that are no longer necessary, preferably through automated processes. Strictly maintain ownership of accounts to prevent persistent access and deter threat actors from leveraging stale accounts for privileged escalation.
• Multi-Factor Authentication (MFA): Enforce MFA for all privileged accounts to enhance authentication security and mitigate credential theft.
• Risk management: Evaluate the risk rating of privileged accounts based on the systems or data they access, data/system size, and the potential impact on the business if compromised. Apply heightened governance procedures, such as password rotation and session management, based on the risk rating.
• Ongoing monitoring: Centralize logging and monitor all privileged account usage and activity. Monitor disabled accounts to detect suspicious or unauthorized activities. Leverage threat analytics solutions to identify deviations from normal usage patterns, indicating potential malicious behavior. Generate alerts for the incident response team to terminate suspicious account sessions.
• Just in Time (JIT) Privileged Access: Implement JIT access to reduce the exposure time of privileged accounts. Users should request and receive temporary access to privileged accounts only when needed, for a limited duration.
• Privileged credential rotation: Rotate privileged credentials by generating new passwords/keys after each use within a specified time limit. Restrict user access to credentials to prevent persistent undetected access.
• Privileged session monitoring and recording: Where insufficient logging and control is not available via other means, employ session management tools to record and monitor all privileged user activities from session initiation to termination. This creates an audit trail, ensures regulatory compliance, and expedites incident response by allowing termination of active sessions.
• Training and awareness: Provide comprehensive training and awareness programs to educate employees on the importance of PAM and their responsibilities in safeguarding privileged access. Update training materials regularly to address emerging threats.

While certain controls may present challenges, it is crucial to establish mature processes for control exemptions and robust risk management procedures to identify and resolve any gaps.

Conclusion

Privilege abuse represents an emerging cybersecurity threat. Inadequate privileged access management practices can lead to data breaches, compromised system security, regulatory non-compliance, and reputational damage for organizations. To mitigate these risks, organizations must define well-structured policies and procedures that encompass detecting privileged credentials, streamlining governance of privileged credential management, monitoring and reporting on privileged access, and conducting consistent risk assessments of data and systems. By implementing a robust privileged access management framework, organizations can bolster their security posture and effectively safeguard critical assets.

‍

References

GDPR Case Study: Mariott International
A Few Lessons from the Capital One Breach and Possible Countermeasures

‍