
About this book

See how privileges, insecure passwords, administrative rights, and remote access can be combined as an attack vector to breach any organization. Cyber attacks continue to increase in volume and sophistication. It is not a matter of if, but when, your organization will be breached. Threat actors target the path of least resistance: users and their privileges.

In decades past, an entire enterprise might be sufficiently managed through just a handful of credentials. Today’s environmental complexity has seen an explosion of privileged credentials for many different account types such as domain and local administrators, operating systems (Windows, Unix, Linux, macOS, etc.), directory services, databases, applications, cloud instances, networking hardware, Internet of Things (IoT), social media, and so many more. When unmanaged, these privileged credentials pose a significant threat from external hackers and insider threats. We are experiencing an expanding universe of privileged accounts almost everywhere.

There is no one solution or strategy to provide the protection you need against all vectors and stages of an attack. And while some new and innovative products will help protect against or detect a privilege attack, they are not guaranteed to stop 100% of malicious activity. The volume and frequency of privilege-based attacks continue to increase and test the limits of existing security controls and solution implementations.

Privileged Attack Vectors details the risks associated with poor privilege management, the techniques that threat actors leverage, and the defensive measures that organizations should adopt to protect against an incident, protect against lateral movement, and improve the ability to detect malicious activity due to the inappropriate usage of privileged credentials.

This revised and expanded second edition covers new attack vectors, has updated definitions for privileged access management (PAM), new strategies for defense, tested empirical steps for a successful implementation, and includes new disciplines for least privilege endpoint management and privileged remote access.

What You Will Learn

Know how identities, accounts, credentials, passwords, and exploits can be leveraged to escalate privileges during an attack
Implement defensive and monitoring strategies to mitigate privilege threats and risk
Understand a 10-step universal privilege management implementation plan to guide you through a successful privilege access management journey
Develop a comprehensive model for documenting risk, compliance, and reporting based on privilege session activity

Who This Book Is For

Security management professionals, new security professionals, and auditors looking to understand and solve privilege access management problems

Table of Contents

Frontmatter

Chapter 1. Privileged Attack Vectors

Abstract
We see it in the news and on social media nearly every single day—another cybersecurity incident, breach, hack, or attack. From a forensics perspective, the vast majority of attacks originate from outside the organization and, therefore, are initiated by external threat actors. While the specific tactics may vary, the stages of an external attack are similar (see Figure 1-1).
Morey J. Haber

Chapter 2. Privileges

Abstract
Today, privileges based on credentials are one of the lowest-hanging fruits in the attack chain. They are currently the easiest method for a threat actor to own a resource and, ultimately, the entire environment. These threats include
Morey J. Haber

Chapter 3. Credentials

Abstract
By definition, credentials are the evidence of authority to rights, entitlements, privileges, or similar permissions. They are usually presented in written or typed form like an account name and password, and only those accounts, applications, services, scripts, and the like with properly validated credentials are permitted to proceed.
Morey J. Haber

Chapter 4. Attack Vectors

Abstract
An attack vector is a technique by which a threat actor, hacker, or attacker gains access to a system, application, or resource to perform malicious activity. This can include everything from installing malware, altering files or data, or even some form of persistent reconnaissance. Attack vectors enable threat actors to exploit system vulnerabilities, poor configurations, and introduce items like stolen credentials to compromise a system. Attack vectors can include human elements in the form of deception, social engineering, and even include physical traits like fake identification badges. Attack vectors can consist of malware, malicious emails, infected web pages, text messages, social engineering, and many other forms of deception. All of these methods involve intentionally coding software to create a programmatic attack vector (except social engineering) to leverage a resource for malicious intent.
Morey J. Haber

Chapter 5. Passwordless Authentication

Abstract
The concept of a human interface device (HID) has a deep history in keypads, keyboards, and even punch cards, used to interface with computing technology. As output improved from fanfold paper to monitors, touchscreens, and other forms of motion-based interactive devices, the need to secure access when using a HID became clearly evident. In addition, privileged access to these devices was needed not only to protect the data and operations of the device, but also its configuration and other resources that could be leveraged from the interface. This includes even simple tasks, such as powering off the asset or inserting a DVD.
Morey J. Haber

Chapter 6. Privilege Escalation

Abstract
Once we have established an authenticated session of any type, whether the session is legitimate or hacked via any of the attacks previously discussed, a threat actor’s typical goal is to elevate privileges and extract data. Figure 6-1 illustrates this based on the models we have been discussing. A standard user typically does not have rights to a database, sensitive files, or anything of value en masse. So, how does a threat actor navigate an environment and gain administrator or root privileges to exploit them as an attack vector? There are five primary methods:
Morey J. Haber

Chapter 7. Insider and External Threats

Abstract
The threats facing an organization can either originate internally through trusted employees, contractors, or temporary workers or through external threat actors attacking and penetrating your resources. Realistically, once either breaches your environment, the attack is internal even though the source of the incident is external. To that end, we need to explore how the personas for both threat actors apply to your organization.
Morey J. Haber

Chapter 8. Threat Hunting

Abstract
If you’ve ever played the game, “Where’s Waldo?” you may already understand how this section relates to Threat Hunting. For those who have not heard of the game, the object is to find a picture of Waldo within a picture filled with other graphics and people. Spotting Waldo is difficult, and identifying him from the crowd is downright frustrating in some of the illustrations and illusions intentionally created by the artist. It is a game of patience, visual acuity, and a methodical review of graphics. To that end, a modern spoof on the game has graphics with nearly every person being Waldo. The objective is to find everyone that is not Waldo. This is a common analogy for false positives when performing Threat Hunting and the reason why this analogy is so important.
Morey J. Haber

Chapter 9. Unstructured Data

Abstract
Not so long ago, it was much easier to protect your data. Perimeter defenses were in place and meant something, and there were limited pathways to access your organization’s data. Data came in from IT-approved, enterprise-controlled devices and applications. It lived on your servers and in storage arrays. It was protected by walling off the outsiders and trusting your insiders. But IT environments have changed in a big way. Now, data is increasingly collected from applications, users, devices, cloud services, and connected hardware, with dwindling amounts of it under enterprise control. New forms of doing business demand easy access from the outside world. With the emergence of the cloud, your data, users, and applications may not even be on the inside anymore. And “insiders” with access to your data increasingly include third parties who don’t work for your organization at all. The approach to managing the granularity of access to this unstructured data at the file or application layer can be done with privileged access management.
Morey J. Haber

Chapter 10. Privilege Monitoring

Abstract
The primary risk for any privileged access activity is the activity itself. As an administrator or root, you must ask the following question: Was the activity appropriate, a mistake, or a threat actor misbehaving using elevated credentials? Unless you are sitting over someone’s shoulder and have the expertise to monitor the activity, there are plenty of gaps in the traditional security model to review this activity and verify every session, every command, and all the information downloaded or displayed on the screen. Reviewing all activity is a daunting task, but luckily, technology and automation exist to help address this challenge. Based on these use cases, let us explore the requirements for any privileged access monitoring performed within an environment.
Morey J. Haber

Chapter 11. Privileged Access Management

Abstract
Privileged access management (PAM) is often referred to as privileged account management (also PAM), privileged identity management (PIM), or privileged user management (PUM). The differences are subtle, and PAM (using access) is favored over the other in the analyst community. The discipline is considered a subset of the identity and access management (IAM) or identity and access governance (IAG) market as defined by leading standards organizations and analysts.
Morey J. Haber

Chapter 12. PAM Architecture

Abstract
A successful privileged access management (PAM) architecture should secure privileges across every user, session, and asset. Traditionally, the first significant piece of a PAM solution that organizations look to implement is an automated credential management solution that provides secure access control, auditing, alerting, and recording for any privileged session. Other central pieces of PAM include least privilege management and remote access management. These three solutions should all be integrated and work together for your entire privilege management universe.
Morey J. Haber

Chapter 13. Break Glass

Abstract
Break glass is an information technology term used to describe the solving of a catastrophic problem as if metaphorically smashing the glass of a fire alarm and instantly getting help. In the case of a privileged password management solution, it refers to retrieving sensitive credentials by a human identity when an emergency situation arises and traditional access methods have failed. In other words, you need a special privileged credential to restore operations and there is no way to retrieve it due to some catastrophic event or outage. A break glass scenario, therefore, bypasses standard operating procedures and access controls and should only be allowed during the most extreme situations. The method of getting these credentials can vary based on the outage and the business ramifications of allowing a user out-of-band privileged access.
Morey J. Haber

Chapter 14. Industrial Control Systems (ICS) and Internet of Things (IoT)

Abstract
Critical infrastructure systems that span manufacturing, transportation, water supply, and energy all depend heavily on information systems for their monitoring and control. Historically, Industrial Control Systems (ICS) relied on physical separation (segmentation) as the primary means of security. However, modern control system architectures, management processes, and cost control measures have resulted in increased integration of corporate and ICS environments. While these interconnections increase operational visibility and flexible control, they can also increase risks that previously did not occur with isolated ICS. Through an interconnected network, the ICS can be exposed to threat actors that have already exploited and compromised the Internet and corporate networking, or to insiders misusing their privileges. ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) provides ICS-CERT alerts to assist owners and operators in monitoring these threats and provides actionable guidance to mitigate risks to ICS.
Morey J. Haber

Chapter 15. The Cloud

Abstract
The history of passwords dates back to the Roman military. Initially, they were carved into wood and soldiers passed them around via the active guard on duty. They were a shared resource. Today, the most common storage of a password is the human brain, and not physically documented and shared. We assign a password to a system or application, recall it when it needs to be used, and remember it each time we change it. Our brains are full of passwords and, often, we forget them, need to share them, and are forced to document them on Post-it notes and spreadsheets and even communicate them via email or text message (a very poor security practice in itself). These insecure methods for sharing passwords have caused the press to report front page news articles on data breaches and compelled organizations to educate employees on the insecure methods for password storage and sharing. Humans should not be expected to verbally or typographically share a password, nor is it safe to communicate them using traditional business collaboration tools. Therefore, a better method to document passwords is needed that is highly secure, documents distributed access, and promotes sharing and collaboration with minimal risk—no matter where the access occurs, and from virtually any medium. The cloud is ideal for this situation when passwords need to be available outside of the organization, across multiple geographical locations, for small- to medium-sized businesses, and when on-premise technology is incapable or cost-prohibitive for meeting business objectives. Ergo, if the Romans had the cloud, Zeus would have just updated everyone with the proper passwords and not left it to humans to scribe them on wood and accept the risk of physically passing them around.
Morey J. Haber

Chapter 16. Mobile Devices

Abstract
Mobile devices represent a unique attack vector for a threat actor. They have accounts and credentials, but no role-based access, and there are generally only two permission types: user and root. In addition, root is generally not available to the end user, and there is only one account with a single owner and identity operating the device. These are simple facts regarding mobile device design.
Morey J. Haber

Chapter 17. Ransomware and Privileges

Abstract
Let me get this out right off the bat: no one solution is 100% effective in mitigating the risk of ransomware. Some technologies are claiming to have tested hundreds of samples, and that their tool is perfect in stopping all types of attacks. I’m sorry, but that is a falsehood. Why? If any single vendor had a solution that could solve the problem completely, ransomware would not be such a problem.
Morey J. Haber

Chapter 18. Remote Access

Abstract
Driven in large part by the globalization of technology, focus on a healthier work-life balance, and an increase in the number of millennials entering the workforce, we are increasingly seeing companies across the globe offer their employees the option to work remotely. Not surprisingly, a recent survey from Bayt.com found that 79% of professionals in the Middle East and North Africa (MENA) region would actually prefer to work for companies that offer a remote working option. Offering employees the opportunity to work remotely can actually work to the advantage of the organization. According to Gartner, “by 2020, organizations that support a ‘choose-your-own-work-style’ culture will boost employee retention rates by more than 10%.”
Morey J. Haber

Chapter 19. Secured DevOps (SecDevOps)

Abstract
DevOps is a blending of software development and operations, and a set of automated practices to condense release cycles across the life cycle of software development. SecDevOps (also referred to as SDevOps or DevSecOps) extends the methodology by integrating security best practices into the development, quality assurance, and deployment of software in this life cycle. DevOps automation tools use privileged credentials like any application-to-application solution and security cannot be an afterthought. Consider the following DevOps security risks:
Morey J. Haber

Chapter 20. Regulatory Compliance

Abstract
A threat actor does not care about the law, compliance, regulations, and security best practices. In fact, they are hopeful that your organization is lax on many of these specifications and frameworks to leverage them for malicious intent. While regulatory compliance is designed to provide legally binding guidelines for industries and governments, they do not provide the necessary means to stay secure. Compliance does not equal security. Regulatory compliance measures are enforced guidance toward good cybersecurity hygiene, but implementing them without good processes, people, training, and diligence will leave you susceptible to a breach. Therefore, when reviewing leading regulatory compliance initiatives, consider the following:
Morey J. Haber

Chapter 21. Just in Time

Abstract
The utilization of always-on privileged accounts has been the default mode for administrative access for the last 40 years. However, always-on access or persistent administrative credentials (referred to by most analysts as “standing privileges”) represent a massive risk surface, as they mean the privileged access, rights, and permissions are always on and ready to be exercised—for both legitimate and illicit purposes. And this risk surface is rapidly exploding alongside the growing use of virtual, cloud, IoT, and DevOps environments in our ever-expanding privilege universe. Of course, cyber threat actors are well aware of what is essentially the overprovisioning of privileges via the always-on and persistent model. With always-on privileged access in hand, a threat actor essentially becomes a malicious insider, and that’s an alarming scenario for anyone.
Morey J. Haber

Chapter 22. Zero Trust

Abstract
By definition, a zero trust security model advocates the creation of zones and segmentation to control sensitive IT resources. This also entails the deployment of technology to monitor and manage data between zones and, more importantly, authentication within a zone, whether by users, applications, or other resources. In addition, the model redefines the architecture of a trusted network inside a defined perimeter. This can be on-premise or in the cloud. This is relevant today since technologies and processes like the cloud, DevOps, edge computing, and IoT have either blurred, or dissolved altogether, the idea of a traditional perimeter. Therefore, the concept of a trust zone is important for managing any resources operating and communicating together.
Morey J. Haber

Chapter 23. Sample Privileged Access Management Use Cases

Abstract
A threat actor thrives on the weakness of processes and the inability of an organization to establish best practices or even follow processes. To that end, privileged access management can stymie a threat actor, even if other security best practices are not being fully followed. Consider these top three problems almost every organization faces:
Morey J. Haber

Chapter 24. Deployment Considerations

Abstract
Any time you embark on an enterprise project, the costs, return on investment, risks, benefits, threats, and workflow (to name a few) should be considered. When deploying a PAM solution, the realization that it may impact the entire organization needs to be addressed with everyone who may potentially be impacted—from employees to vendors. This means that not only administrators will be affected but also end users who may lose administrative rights, affecting the rank and file workers and executives, all the way through temporary employees (although I hope your business never gives temporary employees admin rights; sadly it happens). Deciding where to start, how to deploy, how to educate, and the measurable outcome are challenges that must be addressed up-front. If they are not, internal politics, user resistance, and shadow IT may completely circumvent the reasons for embracing PAM in the first place. This chapter covers some of the deployment considerations all executives, security professionals, and operational teams should consider, discuss, and address along their PAM journey.
Morey J. Haber

Chapter 25. Privileged Account Management Implementation

Abstract
Organizations increasingly recognize that properly securing and controlling privileged credentials ranks as one of the best defenses against attacks from external hackers as well as from malicious insiders. For optimal results, a privileged access management solution should protect identities, accounts, passwords, and keys at all stages of the privileged attack vector kill chain (Chapter 1) by implementing comprehensive layers of control and audit. The overall objectives for your implementation should include the following:
Morey J. Haber

Chapter 26. Machine Learning

Abstract
Machine learning (ML) is becoming increasingly prevalent as a tool to solve complex information security problems. It is an approach that allows computers to acquire intelligence in the way that humans do using algorithms based on artificial intelligence. With this, machines can learn from repeated interactions with situations and events to develop correlations and predictions about current and future behavior. Machine learning algorithms are able to discern information from a data series without dependence on a previously determined relationship or characteristics. Learning occurs as it does with humans and animals, and relationships are further strengthened by repetition and reinforcement. This approach has grown in practical terms with the increase in computer processing power and the reduction in compute cost, allowing the aggregation, ingestion, and analysis of very large datasets and events. In this way, machine learning enables a level of learning and intelligence that mimics the ability of a human, since the ability to analyze data at this volume and speed is impractical for the human brain.
Morey J. Haber

Chapter 27. Conclusion

Abstract
Privileges as an attack vector represent the lowest-hanging fruit for a threat actor. While architecting and securing any environment can be relatively complex, these top 20 recommendations can help any organization achieve their goals and minimize risks to the business:
Morey J. Haber

Backmatter
