Cyber-attacks do not always require zero-days or sophisticated techniques. Oftentimes, a successful intrusion comes down to stolen credentials—and when it comes to identities, the more access rights, the better. This reality makes privileged access management (PAM) a critical part of disrupting the tactics, techniques, and procedures (TTPs) used by attackers to compromise networks.
While outside observers may still believe that most breaches are the work of sophisticated hackers wielding zero-day exploits, the truth is that attackers are not all that willing to spend the money it takes to buy zero-days or the time to develop them. Instead, they go for low-hanging fruit such as publicly known vulnerabilities that have gone unpatched, weak passwords, and misconfigurations.
Frequently, compromised credentials are found to be at the center of these attacks. According to a 2019 survey by Centrify, 74 percent of IT decision-makers who said their organization had been breached said the incident involved access to a privileged account. These credentials are often stolen through phishing or malware. When a privileged account is compromised, it allows a threat actor to impersonate a legitimate user or system and perpetrate malicious activity without being detected. The greater the privileges, the greater the potential for a deeper compromise.
Attacks typically progress through these phases: reconnaissance, compromise, exploration around the network, data exfiltration, and the cover-up. As part of the compromise phase, attackers use several ways to target credentials, including social engineering, phishing, and malware attacks. Stolen credentials can also be purchased in the cyber-underground. With the compromised credentials in tow, attackers then use brute force, password spraying, and other tactics to gain access to their targeted environment.
Once inside the network, threat actors will perform additional reconnaissance to identify paths to critical systems, security measures, the location of sensitive data, and any resources of interest. Active Directory is frequently a target during this phase as attackers search for credentials with administrator-level privileges. The final stages of the attack involve data exfiltration and covering their tracks. This may involve the creation of a backdoor for data theft and later re-entry, as well as the deletion of log data.
Implementing an identity-centric security strategy that promotes Zero Trust principles is a critical step towards limiting the ability of threat actors to pivot around the network and escalate privileges during an attack. Privileged access management (PAM) tools can help disrupt each phase of the attack, enabling businesses to:
- Apply multi-factor authentication (MFA) everywhere
- Enforce the principle of least privilege
- Implement just-in-time privilege
- Monitor privileged accounts for malicious activity
- Vault passwords and secrets
- Control access and authentication to privileged accounts
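As an added illustration (not code from the original article) of the "monitor privileged accounts" control applied to the password-spraying tactic described above: the detector below keys on the source rather than on the account, because a spray makes only one or two attempts per account and so slips past per-account lockout. The event format, account names, addresses and the PRIVILEGED set are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real log data):
# timestamp, account, source address, outcome
SAMPLE_EVENTS = """\
2024-01-10T08:00:01 alice 203.0.113.7 FAIL
2024-01-10T08:00:03 bob 203.0.113.7 FAIL
2024-01-10T08:00:05 carol 203.0.113.7 FAIL
2024-01-10T08:00:07 dave 203.0.113.7 FAIL
2024-01-10T08:00:09 svc-backup 203.0.113.7 FAIL
2024-01-10T08:00:11 domain-admin 203.0.113.7 SUCCESS
2024-01-10T08:05:00 alice 198.51.100.4 FAIL
2024-01-10T08:05:30 alice 198.51.100.4 SUCCESS
"""

# Assumed set of privileged accounts (in practice, fed from the PAM inventory)
PRIVILEGED = {"domain-admin", "svc-backup"}


def parse_events(text):
    """Turn the constructed text format into (timestamp, user, source, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, src, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Alert when one source fails against many distinct accounts inside `window`.
    Each alert also lists any privileged accounts among the targets and any
    account that logged on successfully from the same source during the window,
    since a spray followed by a success from the same source is the case worth
    escalating first."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, user, src, outcome in events:
        (fails if outcome == "FAIL" else successes)[src].append((ts, user))
    alerts = []
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accounts = {u for t, u in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                end = start + window
                later_ok = {u for t, u in successes.get(src, []) if start <= t <= end}
                alerts.append({"source": src, "accounts": sorted(accounts),
                               "privileged": sorted(accounts & PRIVILEGED),
                               "success_after": sorted(later_ok)})
                break  # one alert per source is enough
    return alerts
```

Lowering `min_accounts` or widening `window` trades false positives for earlier detection; tune both against a baseline of normal failed-logon volume per source.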
By studying these TTPs, organizations can successfully target the different stages of an attack and make it more difficult for threat actors to infiltrate and hijack their environment. Using privileged account and session management (PASM), privilege elevation and delegation management (PEDM), and secrets management software enables organizations to discover, monitor, and control access to privileged accounts and raise the bar attackers need to clear to compromise their IT environment.