The number of data breaches has skyrocketed in recent years, with global cybercrime-related damages expected to exceed $6 trillion annually by 2021. Just this past month, we faced a major supply chain attack, leveraging SolarWinds Orion software to deliver malware and compromise hundreds of organizations worldwide. While this campaign was allegedly carried out by a nation-state, it followed a common anatomy of a hack that consists of key basic components that are applicable to both external and insider threats.
Ultimately, understanding hackers’ tactics, techniques, and procedures (TTPs) provides a roadmap for aligning preventive measures with threats. Join cybersecurity expert Tony Goulding as he navigates through the mind of a 2021 hacker. Register for this webinar to:
- Learn about common misconceptions leading to blind spots in organizations’ cyber defense strategies.
- Assess how today’s cyber adversaries gain their initial foothold, subsequently elevate control and move laterally, and then exfiltrate data.
- Explore best practices of prevention by establishing multiple layers of security to minimize any risk exposure.
Today’s hacker lurking behind the screen could have skills akin to the infamous Mr. Robot, or the basic knowledge of the Girl Scout who just sold you cookies. By having a defense-in-depth strategy in place based on Zero Trust principles, businesses today can protect against any adversary who tries to cross their path.
Tony Goulding, Cybersecurity & Product Evangelist, Centrify
Tony brings over 30 years of experience in security, software, and customer relationship-building to the Centrify team.
Mason Mobley (00:00:12):
Good afternoon, everyone. My name is Mason Mobley with Centrify. Thank you all for joining us today on our webinar, Navigating Through the Mind of a 2021 Hacker. Unfortunately, we haven't been able to pull in our presenter Tony Goulding's video; you will get his audio and we will have the slides. So, again, please feel free. We want to keep this interactive. So, if you have any questions, please just add those to the Q and A box and we will answer those. We'll also have a couple of poll questions inserted throughout the presentation. So, when you're prompted to, please feel free to hop in and join us. So, let's get started. Thank you all for holding on. And here we go. As you might be painfully aware, the number of data breaches has skyrocketed in recent years, and global cybercrime-related damages are expected to exceed $6 trillion by 2021.
Mason Mobley (00:00:59):
Just this past month, we faced a major supply chain attack, leveraging SolarWinds software to deliver malware and compromise hundreds of organizations worldwide. While the campaign was allegedly carried out by nation-states, cyberattacks are rarely carried out by legions of highly sophisticated coders gone rogue, deploying the most advanced techniques to penetrate organizations' perimeter defenses. Reality paints a very different picture. Cyber adversaries are no longer hacking in to carry out data breaches; they're simply logging in by exploiting weak, stolen, or otherwise compromised credentials. Implementing an effective enterprise security strategy requires an understanding of hackers’ tactics, techniques, and procedures, often called TTPs, to gain a better understanding of the anatomy of a hack and what preventative measures you should incorporate into your defense strategy. We've invited Tony Goulding, my teammate and friend, and renowned cybersecurity evangelist from Centrify. He's going to share some of his insights.
Mason Mobley (00:01:57):
Tony has more than 30 years of global information security experience and is a frequent speaker on cybersecurity and risk management strategies. He regularly provides commentary and publishes articles on data breaches, insider threats, cyber warfare, IT security best practices, and other cybersecurity topics in media outlets. Tony, welcome. Thank you, Mason. Can you hear me okay? I can. You're good to go, Tony. Thank you. Excellent. Isn't work from home fun? So, I'm just getting a warning here up on my screen; let's hope that's not going to interfere with the presentation. So, before things crash and burn on me, as the video has done, let's get into this. So, it certainly is a pleasure to share some of these best practices with the audience today. And we do have a lot of content to get through. So, I hope you've got a Powerade or Gatorade or something for an energy boost, because I know I have. But anyway, let's kick things off by acknowledging a pretty somber truth. And that is that today's security is not secure. And despite expectations that
Tony Goulding (00:03:00):
IT risk management spending will hit approximately $143 billion in 2021, as you see on the screen, two-thirds of organizations worldwide are still being breached, and even worse than that, they're being breached on average five or more times in a 12-month period. So, let's get an early poll going with our audience. And the question that I would like you to answer is what you see on the screen: what do you think is the primary threat actor for hacking-related data breaches? Please take a look at the answers there, select one answer, and I'll leave this up for around 20 seconds to give you all time to input your answers. The poll results themselves will take just a little while to populate. I believe we have quite a lot of people in the audience there, so the platform will churn on those and then we'll come back to the responses after the next slide. So, let's move on.
Tony Goulding (00:04:08):
So, who is really behind these attacks? If we listened to, you know, Hollywood storylines, then they tend to make us believe that there are legions of cyber assault soldiers sitting in dark rooms, attacking their victims. And if it's not a room full of state-sponsored attackers, then it's probably this hoodie guy, right? As we all expect. All right, let’s go to the live view here and see what we've got. So, who do you think is the primary threat actor for hacking-related data breaches? We've got a lot saying state-sponsored attacker, and certainly, with the latest and greatest cyberattack that we got, SolarWinds, that's believed to have been state-sponsored. But there's also a lot of organized crime, as well as internal system administrators with the keys to the kingdom. So, a good set of across-the-board responses.
Tony Goulding (00:05:00):
They're very, very interesting indeed. All right, let's move on and we'll explore that as we get through some more of the slides. So, the reality is very different. I mean, when we do analyze the indictments that prosecutors file against cyber-criminals, then we see that our typical hacker looks more like you and me. So, it could be your child's teacher. It could be your neighbor's grandmother, or just a script kiddie who isn't even old enough to drive. Now, according to the 2020 Verizon data breach report, most of these attacks are carried out by external actors, followed by insider threat actors. And as you see on the right, when you break down the external threat actors category just a little further, you discover that organized crime accounts for around 60% of today's attacks, followed by state-affiliated actors at 10%.
Tony Goulding (00:05:56):
And in regard to insiders, our trusted systems admins are coming in at about 12% of the attacks, which, you know, frankly is quite alarming because, as I mentioned, they really do hold the keys to the kingdom. Excuse me. Okay. So, now we have a better sense of who's attacking us, but besides that, it's also imperative to understand what they're targeting. Historically, please excuse me, historically our security has focused on everything that resided inside the network: the typical infrastructure, Windows, Linux, and UNIX systems mainly, databases, network devices. And that term "inside the network" speaks volumes, because traditionally we relied on a well-defined boundary around those elements, and that gave us a sense of physical control and security. And so, we based our security strategy around the idea that the trusted, quote unquote, “good guys and girls” were on the inside and the untrusted bad guys and girls were on the outside. So, that security strategy manifested itself mainly as a collection of perimeter and network-based technologies, such as firewalls, VPNs, and web gateways, in order to enforce security along that well-defined boundary.
Tony Goulding (00:07:19):
But as we know, organizations grow, they transform, and they extend their IT infrastructure to the cloud. You may be familiar with the term digital transformation, and with cloud migration. And you may be knee-deep in one of these cloud migration projects right now. But certainly, as organizations do this, new attack surfaces are unfortunately exposed: systems and data that resided inside the traditional network in the past are now being moved into the cloud. And in fact, according to KPMG's 2020 cloud threat report, 88% of organizations are currently using public cloud infrastructure in one way or another. Why are they doing this? I think we all know the answer to that; the cloud is supposed to help us with agility, flexibility, cost savings, time to market, all of that good stuff. But with that said, there remain a bunch of major concerns about cloud adoption that are rooted in security challenges.
Tony Goulding (00:08:23):
And in fact, 92% of organizations admit that they face a cloud security readiness gap. So, while the organization is on this fast pace to get to the cloud, and to move their workloads and infrastructure to the cloud, 92% of them don't know how to properly secure those assets. And so, yeah, they will end up in the cloud, but potentially with major security gaps. All right, let me take a breath, and let's do another poll. So, on the screen here, I'm curious to know where you sit when it comes to your cloud migration strategy. So, there are the options on the screen; just pick the one that is most relevant to you. I'll give you another 10 or so seconds and we'll then move to the next slide before we take a look at the poll results.
Tony Goulding (00:09:25):
Of course, an obvious follow-on question for the audience of that poll would have been whether or not you believe you have security buttoned up for your cloud migrations. So, maybe I will add that for the next presentation we give. Anyway, wherever you sit in that cloud migration journey, the analysts from Gartner tell us to expect to have workloads in the cloud sooner or later. And there's really no way to reasonably avoid this outcome. You must be prepared to respond to your CIO's or your CEO's mandate for cloud transformation. Now, Gartner foresees that those organizations that are not jumping on the digital transformation bandwagon will lag as it relates to cost optimization and competitiveness. And therefore they will see a direct hit on their business valuation as a result of not doing that.
Tony Goulding (00:10:16):
Let's go back to the poll questions and see what results we have. So, where does the audience come out when it comes to their cloud migration journey? So 25%, a quarter of you, have moved workloads to the private cloud; slightly less, 16%, have moved to the public cloud. So, presumably the private cloud folks believe that they have more control over the entire infrastructure than if you put it in the public cloud. 38 to 40% have moved workloads to both. So, I guess that is a combination of the two numbers there. If we add them together, we get about 40%. So, that's probably reflective of that, but a whopping 20% haven't begun a cloud migration project yet. So, if Gartner and the analysts are to be believed, then it won't be long before you are engaging on that migration journey, unless you are completely born in the cloud and your infrastructure is already there anyway.
Tony Goulding (00:11:12):
So, migration per se is irrelevant to you, but I believe that the spirit of the question, and the way that it's answered, is that 20% of you could be migrating and you haven't started yet. So, that's interesting. All right. And enough from me, let’s move on. So, as I mentioned just a minute ago, one of the biggest inhibitors of cloud migration is security concerns. So, the question is, are these concerns justified? I would say not necessarily, but certainly when transitioning to the cloud, everyone involved must understand that cloud security is a shared responsibility between the cloud service provider and you, the customer. So, here on the screen is an example of how a cloud service provider, in this case AWS, is typically securing the core infrastructure and services as part of their shared responsibilities.
Tony Goulding (00:12:06):
However, securing things like operating systems, your applications, your data, identities; that all remains your responsibility. Now, you can pay cloud providers a little bit more money and have them own a little bit more of that stack. But what you see here is pretty much the norm. And I want to reinforce this key takeaway for this slide, that these are shared responsibilities. So, don't believe that the cloud service provider is solely responsible for cloud security, because doing that will ultimately lead to gaps in your own security. And that could result in data breaches.
Tony Goulding (00:12:41):
However, if you did come to this webinar thinking that it is purely the cloud provider's responsibility, then you're not alone. So, we recently did a survey where 60% of the respondents told us that they believe the cloud environments do not fall under their security oversight. And this statistic was from 700 respondents across the US, Canada and the UK. And furthermore, over half of those respondents said that they treat security of their cloud environments completely differently from their on-prem environments, meaning they don't apply a holistic approach to their security policies and their security controls. Now we know from experience that this can lead to increased costs, lots of operational overhead, and potentially security blind spots that increase your individual risks of being breached.
Tony Goulding (00:13:38):
If we look into the crystal ball at the near future, unfortunately, we don't anticipate things getting any easier. So, cloud is only one of many attack surfaces that have emerged, and this attack surface, as we know, is constantly expanding. And certainly, as I said earlier, it can no longer be defined and properly controlled by a traditional network-centric perimeter. So, aside from organizations moving workloads and infrastructure to the cloud, other dynamics that are contributing to a bigger and expanding attack surface include DevOps, right, with the risk of credentials embedded in code and configuration files; people are moving terabytes of additional data into data lakes in the cloud for things like Hadoop and big data projects; and more and more now, what used to be monolithic applications deployed on a single server in the data center are now being decomposed into hundreds of containers and potentially thousands of microservices in the cloud. So, that attack surface is just growing and growing and growing.
Tony Goulding (00:14:49):
And this proliferation, I guess, of compute resources in the cloud certainly enables far greater agility, productivity, time to market, and opportunity for you as an organization, but also for an attacker.
Tony Goulding (00:15:07):
Let’s step into the shoes of a typical attacker. How do they go about doing this? Well, we're going to quickly explore some of the TTPs that Mason referred to, the tactics, techniques and procedures that they use. Now, for many years, hacks have been glorified. There was a common belief that most data breaches typically involve the exploitation of zero-day vulnerabilities and that they require a tremendous amount of code sophistication to kind of break and smash through those impenetrable network perimeter defenses that we've deployed. However, post-mortem analysis has told us that in most cases, compromised credentials take center stage as the main vector of attack.
Tony Goulding (00:15:55):
Again, going back to the Verizon Data Breach Investigations Report 2020, attackers use a variety of ways to obtain those credentials, the most common one being phishing. So, yeah, phishing is not dead; it's kind of the gift that keeps on giving, at least for the hackers, anyway.
Tony Goulding (00:16:19):
I had a rogue build in that slide, which we will ignore. So, the bottom line is that gone are the days when the hackers are charging at the front gate with their guns blazing, just trying to bulldoze their way into the network. It used to be that notoriety was what they were looking for, and I think we all know that today hacking is a business. Right? So, the reality is that they don't hack anymore, or at least not as much; they strive to simply log in, right? They're using compromised credentials. They want to walk through the front door masquerading as a legitimate employee, or for example a third-party vendor or an outsourced IT contractor. And this statement is certainly backed up by quantitative research. At Centrify, again, we conducted our own study and we found that 74% of the respondents whose organizations have been breached acknowledged that it involved access to a privileged account. And this number aligns very well with independent industry analyst reports such as Forrester, which you see on the screen here; they estimate that 80% of security breaches involve compromised privileged credentials.
Tony Goulding (00:17:37):
The research that we did revealed a few other interesting statistics: many organizations that we spoke to don't have essential, basic security controls in place that address today's number one cause of breaches, which is privileged access abuse. And this is kind of shocking. But for a little fun, let's quickly see how this audience stacks up. So, let's go to our final poll here and we'll ask the question, and this is multiple choice. So, which of the following apply to your organization when it comes to privileged access? Do you have a vault, right? Have you managed to eliminate, or vault away, your shared privileged accounts, like root and local administrator and Oracle and Cisco and all these other shared privileged accounts? Have you only implemented a vault, or have you also implemented privilege elevation?
Tony Goulding (00:18:36):
More of a host-based, least-privilege, privilege elevation method of privileged access management. Do you have auditing and session recording? Presumably, if you have a vault, you'll have that at the vault. But I guess that question is really more, do you have that at the host level, in case somebody circumvents the vault, right? Have you implemented MFA? And maybe you have that in one place, something to think about, but I wonder who has it at four, five, six different points of access control for privileged users. Or none of the above, which would be a very, very surprising result. So, let's move on to the next slide. We'll come back to the responses in just a short time. So, the net-net is that these types of shortcomings are going to expose your organization to imminent risk.
Tony Goulding (00:19:24):
And you've got to keep in mind that when a privileged account gets compromised, even if it's just one, right, it can allow the cyber attacker to impersonate a legitimate employee and carry out malicious activity with a lower risk of being detected as an intruder. It's frankly very hard for technology to determine whether a user is a legitimate employee or a hacker using their account. But it's even harder to determine whether an employee is just doing their job or being a malicious insider. So, it takes only one compromised privileged credential to potentially impact millions. And that could be the theft of millions of identities. It could be millions of credit card numbers. It could be millions in ransomware, or millions to clean up after the attack. Millions in fines, or even in shareholder value. So, this is a very profound statement.
Tony Goulding (00:20:25):
All right, let's go back to the responses here. We have 30% having a vault. Certainly, our best practice is, if you're going to get on the PAM journey, start with the vault, but it's interesting that it's only a third of the audience. A lot of you have reduced shared root accounts. That is terrific, because reducing your attack surface, trying to align with more of a zero-standing-privilege posture, is great. About 50% of you have implemented privilege elevation. That's brilliant too. I look at PAM as being a two-sided coin. You've got vaulting on one side, you've got privilege elevation on the other. You kind of need them both, but if I had to choose it would be privilege elevation all the way, because I believe it can mitigate risks way more than a vault on its own.
Tony Goulding (00:21:11):
30% of you have auditing and session recording, useful for incident response and compliance. And wow, 78% have implemented MFA. As I mentioned, MFA is great, and we'll come to that; MFA everywhere is even better. 10% of you have done nothing. Yay. There's always room for improvements. Thanks for those responses. Let's move on to the next slide in the agenda. So, there are endless examples that illustrate how cyber adversaries are getting a hold of our data and exfiltrating it. So, I'm not going to go through all of these, but let me just call out a few examples on the screen. Back in May 2019, Citrix fell victim when attackers exfiltrated an estimated six to 10 terabytes of confidential internal information. And as a provider of cloud services to the U.S. military, this was particularly notable.
Tony Goulding (00:22:16):
And all the indications are that the hackers' objective was to get information about the U.S. government and their contractors. So, how did they get in? Again, the evidence points to the tactic of password spraying. So, they managed to get a hold of a whole bunch of passwords, probably of users from Citrix, but they obtained those passwords from other hacked sites. And they're relying on the fact that users are like sheep and they tend to reuse the same ID and password across different sites. And so they fire an ID and a password at this one and hope that it sticks. Another one, back in July of last year, very recently: Twitter accounts belonging to people like Jeff Bezos, Bill Gates, President Barack Obama, Joe Biden, and others were used to extort Bitcoin from their followers. That netted about $120,000, not a huge amount of money in the grand scheme of things, but still a notable hack.
Tony Goulding (00:23:16):
They leveraged social engineering tactics to target a small number of employees using a phone-based spear phishing attack. So, they knew who they were going after. This allowed them to gain access to Twitter's internal network. And that's where they used employee credentials to give them access to internal support tools, something that is often referred to as “living off the land”: when a hacker gets in your system and finds a whole bunch of tools, and he goes, "Oh, that's great. I'll use these instead of the hassle of trying to get my own on the systems." Anyway, their activities looked just like regular employee activities, and so they were undetected. Let's do one more, Capital One. So, that's round about the 10th largest bank in America. They use AWS as their cloud solution. Now for this one, the attackers capitalized on a misconfigured web application firewall.
Tony Goulding (00:24:11):
And so, using AWS CLI commands, the hackers were able to remotely pull data from Capital One's AWS S3 storage buckets; about 700 folders of customer data were exfiltrated. And once again, the hackers didn't do anything unusual to trigger alarms. Even the transfer of all of that customer data outside of the Capital One environment was in line with the routine network traffic load. And so, they weren't detected. So, there we go. Anyway, let's go now to the anatomy of a hack. How can we prevent things like this from happening? I think one thing, at least for me, is very clear: we're never going to match the hackers tool for tool as they continue to evolve and develop more and more sophisticated and creative ways to breach our systems, but understanding their TTPs can give us a bit of a roadmap to align our preventive measures with the threats.
Tony Goulding (00:25:12):
But as I already said, we need to embrace the fact that perimeter-based security that focuses on securing endpoints, firewalls and networks is no longer enough. Now, it certainly helps as part of a defense-in-depth strategy, but with over 70% of breaches, as we heard, involving compromised privileged credentials, maybe our IT budget dollars are better leveraged with identity-centric security instead of just more and more firewalls. So, identity has certainly become the new security perimeter, and it really is the battleground for mitigating these attacks that impersonate legitimate users. So, that means we need to deploy security controls that enforce a model of least privilege, which, in the poll, I was glad to see a lot of you are already doing, and that consolidate identity silos. Again, a lot of you are doing that.
Tony Goulding (00:26:14):
We want to verify who is requesting access, and the context of that request. In a least-privilege model, we want to have people log in with minimum rights and grant them additional privileges just in time, for a limited time, using approval workflows. So, let's get into this anatomy of the hack. So, there are a lot of different versions of the cyberattack life cycle, or the kill chain, but they all basically contain three major phases, and they're equally applicable whether you're talking about external threat actors or internal attackers, insiders. And certainly, in today's climate, we're seeing an uptick in insider attacks, so that's becoming more and more important. So, I'm going to dig deeper into each one of these three buckets in a second, but before I do, let's actually look at a recent attack that followed exactly this kind of model and, surprise, surprise, in the introduction,
Tony Goulding (00:27:18):
you know, Mason mentioned SolarWinds, which was a supply chain attack carried out by a nation-state. So, what exactly happened here? Did they follow that typical three-legged approach, or did they do something a little bit different? So, they didn't do anything different, but back around December 13th, CISA, the cybersecurity and information, or infrastructure, I think it's the Cybersecurity and Infrastructure Security Agency, issued an emergency directive advisory, and it describes this nation-state attack that infiltrated SolarWinds. It was in their software development pipeline. So, the hackers were able to get sufficient access to systems, as well as a legitimate SolarWinds certificate that enabled them to digitally sign some backdoor code. So, then they added that backdoor code to the SolarWinds Orion IT management software, which is a very commonly used product.
Tony Goulding (00:28:18):
Now, when that was downloaded to customer systems, if they had checks in place to verify that this thing was a SolarWinds digitally signed and approved piece of software, it passed, because the hackers had used the SolarWinds digital signature to actually sign their backdoor code. So, then this trojanized Orion software allowed the attackers to deploy highly stealthy malware on the customers' networks. Now, as of today, SolarWinds has not yet said, I'm not even sure they know, but they haven't yet said how hackers breached their network. So, the initial breach vector: there are speculations, however, and security experts are pointing to a spear-phishing attack against SolarWinds developers as being the highly likely cause of that initial compromise. But again, I want to stress that this is just speculation. So, SolarWinds may not be a household brand, but certainly, its IT management software is used by more than 300,000 customers around the globe.
Tony Goulding (00:29:26):
And so, you know, that makes this cyberattack one of the biggest in recent history. Now, as you see in the diagram on the right there, of those 300,000 customers, around 18,000 may have been caught up in the initial wave of this attack. So, why did they pick on SolarWinds Orion? It turns out that it's common for network administrators to configure the Orion software with very pervasive privileges, right, almost full rights. And that allows it to bypass firewalls and other security measures and basically, you know, be smooth in its operation, but unfortunately making it an ideal target for hackers. So, once again, this is believed to be a full credential-based attack. Now, I have a slide on the screen here for those of you who want to dig in a little deeper into the details of SolarWinds.
Tony Goulding (00:30:16):
This slide captures the main steps showing how they pulled it off. So, you'll be able to download a copy of this presentation and you can revisit this at your leisure. But how was this attack discovered? So, it turned out that it was FireEye, which is a leading cybersecurity firm. You may recall in the press, slightly before the SolarWinds disclosure, on December 8 FireEye disclosed that it was hacked by a nation-state advanced persistent threat group. And as part of that attack, if you recall, they stole the red team assessment tools that FireEye used to probe their customers' security. Now, FireEye was eventually alerted to this when the attackers, I guess stupidly, but shout-out for MFA, attempted to access the FireEye environment using an unknown device and an employee's compromised credentials.
Tony Goulding (00:31:15):
So, the MFA kicked in and the employee was alerted by receiving an MFA request, maybe something like a push notification on their device, and raised the alarm. So, kudos to the employee, kudos to MFA for sure. The subsequent in-house investigation by FireEye revealed this SolarWinds vulnerability, and that led to the public disclosure. So, that's how that came about. So, going back to those three steps of the kill chain. Let's now map what we know of this SolarWinds attack to the three main cyberattack lifecycle phases that we saw a few minutes ago: compromise, explore and exfiltrate. So, let's start with compromise. So, most of today's cyberattacks are front-ended by some kind of credential harvesting campaign. And the common methods you see on the screen here include social engineering, password sniffing, phishing, malware attacks, or various combinations of these, but cybercriminals are not always interested in doing all of that hard work.
Tony Goulding (00:32:22):
They can easily buy millions of stolen credentials on the dark web for pennies on the dollar, and then they can use various techniques like basic brute force, or credential stuffing, or password spraying, as we heard on the earlier slide, to gain access to that target environment. Now, again, since they're using legitimate user credentials, unless these have already been flagged as compromised, the attackers can bypass even the most hardened security perimeters. And so, what we tell organizations is they need to change their mindset. They need to apply a zero-trust approach to security. Now, zero trust assumes that the attackers are already inside your network, right? There are no trusted insiders and untrusted outsiders. They're already here. And so, we don't want to leave privileges standing around. We want to get them off the playing field. We want to give administrators zero administrative rights.
Tony Goulding (00:33:23):
So, they use their own account, minimum rights. And when, rather than if, those credentials are compromised or abused, the threat actor has no administrative rights. They can't do much with that account. And again, this assumes our traditional perimeter has just dissolved away and these attackers are already around. So, that's what we're trying to compensate for with that mechanism. Now, what steps can you take to minimize this initial cyber exposure? So, as you see here on the build, security awareness, there's no substitute for that. Humans are fallible; security awareness training is always appropriate. We are, myself included, all the weakest link. So, while you may not deter a disgruntled insider, this can certainly help avoid common mistakes. Now, most organizations continue to share privileged accounts like root and local Administrator. These should be vaulted; access to them should be granted in a very controlled, approved, and audited fashion.
Tony Goulding (00:34:33):
And ideally never permit them to be used except for emergency, break-glass situations. Right? So, keep them vaulted away, cobwebs, let them stay there. And then as far as the third thing here is concerned, leverage enterprise directory identity. So, this kind of follows from the last best practice, where instead of administrators routinely using root or local Administrator to log in, again, something that gives them a broader set of permissions, the administrator uses their individual enterprise account routinely, for example, an Active Directory account, right? So, by doing that, we can ensure that all privileged activity is attributed back to that person. So, our audit trails all say Tony, instead of root, or Sue, or Administrator, right? So, they're no longer anonymous. It also prevents unintentional mistakes. I no longer come in the morning at 9:00 AM and log in as root and stay logged in as root all day.
Tony Goulding (00:35:32):
And if I happen to delete a bunch of sensitive files, because root allows me to do that, well, that's not a good thing, right? So, we can avoid unintentional mistakes, but it also reduces the potential fallout if that account is compromised, right? And critically, it prevents a common tactic used by hackers, which is lateral movement. So, if my limited-rights account is compromised, they're not going to be able to use that to move from server to server in the network, trying to find the crown jewels, right? So, this is good. We can try and consolidate identities: instead of me as an Admin having a local account on every Linux and UNIX box that I use to log in, we can get rid of all of those local privileged accounts. So, we get rid of the sprawl, we reduce our attack surface.
Tony Goulding (00:36:23):
So, moving on to the second of the three, we can look at what bad actors do to locate those crown jewels. What are the tactics that they employ there? So, once inside the target environment, they use whatever privileges that compromised account provides them to get the lay of the land. And obviously if that account is a super-user account, then they have ultimate power. But living off the land, as we see here, and I think I mentioned this earlier, means leveraging whatever IT tools are already installed. So, for example, instead of having to download and install their own tools, which might require elevated privileges and might set off alarms, they can just live off the land. A goal here, for them, is to identify things like regular IT schedules, to find out what security measures are in place, looking at network traffic flows, and to scan the network to get an accurate picture of what systems are there, what resources are there, privileged accounts, services, all of that good stuff.
Tony Goulding (00:37:29):
And again, moving laterally is an objective to access critical systems like domain controllers and Tier one servers. That's certainly a major goal because if they can compromise a domain controller in a Windows estate, then basically they own the network. Now of course, downloading their own tools to better take advantage of things like unpatched vulnerabilities is also a typical move. So, to dramatically limit a hacker's ability to do that reconnaissance and to move laterally, you should be considering the following privileged access management best practices. So, the first one here, and not necessarily in this order, is applying MFA everywhere. So, NIST, I think it's 800-63 or one of the other ones, prescribes different levels of MFA. They refer to them as authenticator assurance levels, or AAL. These are great best practices.
Tony Goulding (00:38:31):
If you haven't read it, please do. And we'll make sure we get the proper reference out to you. But these different assurance levels, one, two and three, are for different sensitivities. So, AAL 2 requires two factors and it provides a high level of confidence that the user is the legitimate owner of the credentials that they're using. Now, this should be the minimum for all administrators, right? It just should. There's no reason not to do that. Then there's enforcing just-in-time privilege. So, when we're talking least privilege, if you recall, Admins are not given access to vaulted super-user accounts, except in emergencies. So, instead they use their own personal, low-privileged accounts, and they request elevated access just-in-time, only when necessary, using some kind of self-service workflow. And then the final best practice here is to provide just enough privilege. So, again, in a least-privilege model where Admins have effectively zero administrative rights, they request just-in-time access to perform tasks, maybe triggered, for example, by a help desk ticket, but the incremental rights that they get should never be broad. They should be aligned to the task at hand. So, only give them the necessary rights to perform that task, nothing more, and make sure that your PAM solution can automatically revoke those permissions once the task is complete, and that will help maintain a lower overall attack surface. So, these three best practices are going to help prevent the reconnaissance step and help prevent lateral movement, should an attacker manage to get a foothold inside your environment.
Tony Goulding (00:40:12):
Here's another three that also support that lateral movement. So, to prevent lateral movement specifically, least privilege ensures that those compromised accounts are of little use, which is something that I mentioned earlier. So,
Tony Goulding (00:40:29):
A modern PAM solution allows you to define logical perimeters around each system. That's something that we at Centrify refer to as zones, right? So, you can set up a zone that has a collection of computers that require similar degrees of security. And then you can centrally manage these zones of computers and assign users and Admins to those zones to control, or certainly in policy define, who can log into what system, when, and with what rights. And this type of zone technology can apply security policy holistically. So, you don't have a different mechanism, a different policy engine for Windows and a different one for Linux, a different one for UNIX. You want it to be consistent. And certainly if you've got stuff on-premises and stuff now in the cloud, you don't want to have to be going to the cloud and implementing a different policy engine, right?
Tony Goulding (00:41:21):
You want a centralized RBAC model for that. And those policies need to be enforced by controls that exist at the host level. You cannot do effective privilege elevation unless you have a security control on the host that permits only legitimate users to log in and to run specific commands and applications with privilege. Okay, then there's this concept of a clean source. So, especially with remote access, even outsourced IT access, when you're accessing privileged resources, it's absolutely critical that we don't introduce infections, right? So, typically, for remote access we do a VPN login, and then we're on the network, network-attached. So, any infections on my workstation have a chance of spreading to the internal infrastructure. So, in this diagram, you see the use of something that we call a gateway connector, which is a proxy, but its goal is to isolate the internal infrastructure from the external workstation.
Tony Goulding (00:42:21):
And it mitigates that risk of infection spreading to our internal systems. So, users get remote SSH or RDP sessions without needing a VPN. So, this is VPN-less remote access, because there are overheads and challenges with using VPNs, right, including being network-attached and potentially exposing the broader network. So, users can be given choice, right? They could connect to a target machine through a simple browser interface if that's their preferred method. Or if they have a client of choice like PuTTY or Microsoft Remote Desktop, or a fat client to do something more specific like database administration using Toad or a SQL Server management tool, whatever they want to do, they should be given the choice to establish those remote sessions, which all pass through this type of gateway connector proxy to isolate them from your internal systems and guarantee a clean source.
Tony Goulding (00:43:20):
And then finally here, secure remote access. So, again, we've seen a big uptick during the latest pandemic. The beauty of a properly designed modern PAM solution is that it not only enables remote staff to access resources 24 by 7, but it's perfect for outsourced IT or outsourced development users, because as a SaaS service, it's accessible from anywhere, right. And leveraging this type of gateway connector, proxy architecture, it can ensure secure remote access to all of your infrastructure, whether it's in the data center, the DMZ, multiple cloud VPCs or even multiple cloud providers, right? And so it alleviates the need for the VPN. It reduces complexity, reduces costs, and also reduces the need for other tools like Cisco NAC to ensure that your outsourced IT user workstations have appropriate AV and anti-malware software installed and up to date, right?
Tony Goulding (00:44:22):
So, with this type of architecture, this kind of hub-and-spoke type of architecture, you can also shut off all inbound firewall ports that you might typically leave open to remotely access your cloud-hosted assets in your VPC. So, in your VPCs, your EC2 instances, for example, should not need public IP addresses, right? So, that gateway connector is the proxy. And it's the choke point through which all external connections flow. So, they won't need public IP addresses. You've got this trusted intermediary that is providing a clean source, as well as brokering all the remote connections through to the targets. It's not putting you on the network as a VPN would do. It's surgically placing you on the host itself, right?
Tony Goulding (00:45:13):
So, that is important. So, that's kind of reducing a lot of vectors of attack. All right. So, the clock is ticking. We did start a little late. So, even if people on the line need to drop at the top of the hour, we will continue to close this out, because the recording will then be complete if you want to come back to it. So, exfiltrating and covering up. So, to prevent an attacker from, hang on a second, where am I in my slides here? Oh yeah. So, what happens when attackers try to exfiltrate the data and basically when they try to cover up their tracks? So, once the attacker has figured out where the valuable data lives, once they find the crown jewels, they're going to look for ways to elevate privileges in order to exfiltrate that data, right.
Tony Goulding (00:46:02):
And they're also going to want to conceal their activity. Ideally, they'd like to do this quietly over weeks or even months to avoid detection. And again, milk this for as much as they possibly can. Now, DevOps is a common target. So, certainly attackers like to troll through source code and configuration files for embedded credentials. And often, as I said, they're going to lay low for quite a while and return later. And so, a common step is to create backdoor accounts. One example of that would be SSH public/private key pairs. So, later they can just SSH, again, assuming that they can actually get a foothold, which they already have, to other boxes in the network at will, at any other time, and avoid further suspicion. They could either create a new account as a backdoor account, or potentially just add an SSH key to an existing account's authorized_keys file, but that's just one example of many approaches.
Tony Goulding (00:47:07):
And some of these approaches require elevated privileges. So, as a basic user, if they've compromised an account with minimum rights, then they wouldn't necessarily be able to create a new user on a box, or even add SSH keys to an authorized_keys file for another user, but creating an SSH key doesn't require privileges. So, some of these things can actually be achieved without privileges, but the bulk of them do require privileges. So, how do we go about solving this? Well, once an attacker has identified where that valuable data resides, again, they're going to look for elevated privileges to exfiltrate the data, and one method to avoid that is MFA, right? So, here, notice we're looking at NIST assurance level 3, which is a level above what we had earlier.
Tony Goulding (00:48:02):
This provides a very high confidence that the user is the owner of the credentials. Now, AAL 3 requires a physical, hardware-based authenticator, something like a YubiKey or a Duo USB dongle. In addition, you want to be able to apply MFA at multiple access control decision points. I mentioned this earlier: a lot of PAM vendors will only support MFA, let's say, on login to the vault, right. You know what, that's good, but what about password checkout from the vault? What about initiating a remote session from the vault? What about if they're bypassing the vault altogether and they're going directly to the box and they're trying to log in directly to the box? Maybe MFA at server login. What if they're on the box and trying to elevate privilege? Maybe we want to apply MFA at privilege elevation as well. So, there are multiple MFA touchpoint security layers that can help mitigate these risks.
Tony Goulding (00:48:58):
If you're able to apply them. Then there's end-to-end auditing. So, it almost goes without saying, but feeding events into a SIEM solution like Splunk can alert on suspicious activity, but it's also important to have session monitoring, right? This allows you to visually watch activities in real time during a session and terminate something that you might deem suspicious, right? And it also captures those sessions on video for subsequent analysis. So, it could either be used for compliance, right, to prove that your controls are in place and they're being effective, or it could be used for incident response, but session recordings are very valuable. And then the third on this is leveraging machine learning technology. So, this is a more advanced, more modern approach where we're analyzing user behavior. So, you know, MFA is a great security control, but figuring out when to apply it can be hard, and leaving it up to humans to configure all the right rules and policies can be challenging.
Tony Goulding (00:50:05):
It can certainly be time-consuming, require care and feeding, and it can result in blind spots. So, as an alternative, or maybe in addition, machine learning can observe legitimate user behavior and then create a baseline profile of that behavior, constantly updating it. Then during an access attempt, it can automatically compare the user's current context to the baseline and pop out a risk score. So, then your policy job, the job of creating policies, is more trivial. Your policy could very simply be three policies. One could say, you know, if it's a low risk, just let the user in, single sign-on. If it's medium risk, maybe we'll prompt them for a second factor. If it's high risk, perhaps we'll deny access and send an event out that will be captured by Splunk and alerts everybody to go running and figure out what's going on. Right? So, that can be a lot easier than the static policy-based approach to figuring out MFA controls.
Tony Goulding (00:51:10):
Let's wrap this up and kind of join the dots. So, we began with this slide and we discussed some PAM best practices to help mitigate risks at each step. Now, to establish deterrence and to minimize your risk exposure during the first of the steps, the compromise phase, organizations should consider what you just saw pop up on the screen. So, MFA at major access control decision points and at a higher assurance level for administrator accounts. You want to vault shared privileged accounts, take them off the playing field, emergency use only. You want to consolidate identities, so get rid of those local accounts that all of our Admins have; eliminate them, and if you can't eliminate them, vault them, sure. But instead have them log in with just a single enterprise account, which is going to be typically AD, and that will reduce your attack surface.
Tony Goulding (00:52:05):
It gets rid of all of those vectors of attack. And then secure remote access, to prevent attackers using the VPN to walk in through the front door as a legitimate user: VPN-less remote access to enable that, as well as to enable a clean source; if they're not network-attached, it's going to be harder for viruses and malware to automatically jump across the divide. Then for the explore phase, we want to limit an attacker's ability to do reconnaissance and to move laterally. So, again, MFA everywhere, but this time you might potentially consider assurance level 3. So, maybe assurance level 2 for the front door and assurance level 3 for internal accesses, like checking out root account passwords from the vault or privilege elevation; hardware authenticators come into play there. Just-in-time access: we want to have minimum rights, but allow an Admin to legitimately request additional rights to perform a task, typically driven by a help desk ticket.
Tony Goulding (00:53:06):
And then through workflow have that approved. This could be workflow built into the PAM solution, or it could be workflow initiated from a third party like ServiceNow, for example. And again, secure remote access instead of VPNs, right? Enforcing a zero standing privileges posture: we want to eliminate or vault shared privileged accounts so that if somebody does get that foothold and they're sniffing around for privileged accounts, we don't want them to find any; zero standing privileges. And then establishing zones. So, you will want to be able to manage all of this stuff, right. We're talking about rules and roles and users and policies and machines, and sure, AD is good at doing it for Windows, right. But what about the rest of our environment? Well, yeah, you need a centralized management platform with policy control that covers Windows, Linux, UNIX, containers, on-premises, DMZ, the cloud, the whole shebang, right.
Tony Goulding (00:54:02):
And that could still be AD-centric, or it could be a kind of cloud-centric type of approach. And then finally, for that last column here, to prevent data exfiltration. So, certainly for DevOps, you want to vault secrets and credentials. Don't have them embedded in code where they can easily be discovered and used to elevate privilege that can then be used to exfiltrate data. Use machine learning and behavioral analytics, right? It may be too challenging to maintain a comprehensive set of static policies to try and figure out when you should ask a user for an additional factor to prove they really are legitimate; use machine learning and behavioral analytics to cover some of those gaps. Advanced monitoring and alerting. So, stuff on the host. If all you have is a vault and you hand over a password and somebody logs in, then the vault is out of the equation. You need host-level stuff, you need fine-grained monitoring; keep an eye on changes to things like the /etc file system on Linux to make sure that an attacker isn't dropping some malware or some tools into that folder or other folders and trying to initiate some kind of attack, and enforce host-based session, file and process auditing.
Tony Goulding (00:55:18):
You need that forensic level of detail. You need session recordings for compliance as well as for incident response. So, applying all of these best practices, layering these security controls, the goal is that it will help you break the kill chain in multiple places and improve your risk posture to prevent data breaches. So, with that, let me hand it back to Mason.
Mason Mobley (00:55:43):
Hey Tony, that was a lot of information. There were several questions that I've actually sent over in the chat window that we'd like to address for those that are still here. A number of people asked if the slides would be available for download; I said they would, post-event. A good way for a number of you to get a better understanding of zero trust is to download some of the content that's here. We have Gartner reports as well; as far as reports go, Gartner's report is the best practices for privileged access management through four pillars of PAM. And then also we have our eBook on zero trust privilege. So, to close out the session, Tony, can you see those questions that were just put into the team chat for you to address?
Tony Goulding (00:56:28):
Yeah, let me just take a peek here. I know we have a few minutes, maybe answer two or three, so all right. Here's one: we're currently using a password vault. Is that good enough? That's a great question. So, I think I would say probably not, but then it really just depends. So, it depends on the organization. So, as an organization, it's kind of incumbent on you to assess the importance of those assets, how sensitive they are, what would be the risk to your business if they were compromised? So, do your own risk assessment, determine your risk tolerance, determine the gaps that exist should an asset or a system be compromised. And then you can say, you know what, a vault is good enough to mitigate those risks, or not, as the case may be.
Tony Goulding (00:57:20):
But certainly I encourage you to understand the role that a vault plays. To all intents and purposes, a vault is about protecting shared privileged accounts, right? You put root in there, you put Administrator, you put Oracle, you put SD, you put all of the shared privileged accounts in the vault if you can't delete them, and that's where they should stay. So, you're protecting access to these shared privileged accounts. Now, if somebody does need to use it, they check it out and then they go on and they log in and they're off to the races. And that's where the vault stops, right? It's really just protecting access to them as accounts, right? But with elevation, you're protecting the machine. Typically, you're putting a client on that machine. That's part of privileged elevation, and that client is establishing a trust relationship with something else. It could be with Active Directory where the policies live, or it could be a PAM cloud platform where the policies live.
Tony Goulding (00:58:20):
So, you're getting that trust. And the reason why that's important is because you can then go beyond just login. You can do elevation, which is an authorization type of step, and allow the machine to protect itself. So, when someone knocks on the front door with a privileged account, the machine, through the use of a local client, can talk to the platform and say, should I trust this login? Yes or no. Right. And if it's no, then you don't let them in. If all you have is a vault, you don't get that extra level of trust. So, again, you're protecting access to the accounts, but for all you know, the person knocking on the front door to log in is an attacker who has acquired and compromised that account. It's still a legitimate account, but you can't distinguish between an attacker and a legitimate internal IT Administrator. So, I would encourage you to definitely recognize the difference between the vault and privilege elevation and how far each of them goes, and that will affect your ability to constrain and mitigate risk in your environment.
Tony Goulding (00:59:43):
We have a mix of Windows, Linux, and UNIX; managing all this... sorry, it says managing all this on-premises is already complicated. How can we do that when we go to the cloud? So, I did cover a fair bit of this, but let me kind of circle the wagons again and give you a slightly different perspective. So, I would say a priority would be to find a vendor with a modern PAM offering. And that means they have a code base that supports both cloud-native operations and on-premises. So, if, as an organization, you prefer, you can consume that as a SaaS service, or if you prefer, that same code base works on-premises, right? So, there's no difference in functionality or code. They update one, it updates the other, it's all nice and consistent. And so, if you want to manage it yourself, you can then put it on-premises and have at it; it's in your own infrastructure, right?
Tony Goulding (01:00:38):
And that would inherit all of the performance and scalability goodness of the SaaS variant. So, the SaaS variant is built for the cloud, for elasticity and all that good stuff. You get a lot of those benefits if that PAM vendor has the same code base that you can use on-premises. I would say you also need a vendor that, again, has both sides of the PAM coin. I mentioned that earlier, vaulting being one and privilege elevation being the other; we believe they go hand in hand. They have different use cases. They address different needs. As I mentioned, vaulting is more about protecting those shared privileged accounts. Privileged elevation is more about protection at the machine level. Ensure that privileged elevation is not a poor stepchild of the vault, right? In other words, that it's getting real love from the PAM vendor, from R&D, and it's constantly being updated.
Tony Goulding (01:01:32):
It's fully functional. It's a main selling point for them, right. They're getting good revenue from it, because if it's not, if it's a poor stepchild, then you may get a great vault, but you don't get the other side of the coin in spades. Right. And then finally, I would say, ensure your PAM stack can support hybrid use cases. So, again, amongst all this, we've been talking about hybrid, on-premises and in the cloud. So, perhaps starting with your on-prem workloads, you may prefer the PAM solution centralize its policy management in AD, in other words, leveraging AD to manage users, roles, and computers across your entire on-premises Windows, Linux, and UNIX estates. Right? But as you start to migrate workloads to the cloud, you may prefer the option of managing them and their access and their policies from a cloud platform that the PAM vendor hopefully provides.
Tony Goulding (01:02:31):
Right. So, in other words, weaning those cloud workloads off AD from an access control perspective, right, using a cloud platform in place of that. And you need a PAM vendor that does both, right, in order to successfully balance the two and ultimately maybe wean yourself off AD if that's your plan, right. How are we doing, Mason? We're good. We're a few minutes over, maybe one more. All right, let me grab one more: we're a smaller business with most of our infrastructure in the cloud. So, kind of the opposite of what we just heard, especially for development. Can't we use AWS tools for PAM? Interesting question, and certainly all of the service providers, let's take AWS as an example here because you mentioned it, but AWS IAM tools are free and you can certainly create and manage a silo of privileged identities in AWS, along with group-based policies to control access.
Tony Goulding (01:03:36):
But you know, think about complexity if and when you move to the clouds. So, now let's say you have VPCs in Microsoft Azure, and you have them in Google. They also have free tools. So, now it's become a lot more complicated to manage users and roles and rights across cloud platforms. You're also replicating directories. So, you may have an enterprise directory with your users in, but now you've also got local users in AWS and Azure and maybe Google as well. So, you're now going the opposite way to the best practice of identity consolidation. You're adding more silos of identities, and every one of those increases your attack surface. Every account you have is potentially a vector of attack. Now, best practice is to strive for a single set of policies that are centrally managed, that have security controls that protect access not only across your IT infrastructure, right, your Windows, Linux and UNIX systems, your apps and network devices, but also across your cloud providers.
Tony Goulding (01:04:45):
So, again, going with AWS, you want your PAM to be able to manage AWS users and resources, native ones, just as Active Directory can centrally manage users and computers across your Windows systems, and automate. Let me get my teeth in: automation plays a big role in that, right? So, automatic discovery to find and vault away AWS IAM users, especially that AWS account owner or the root account, that is the keys to the kingdom, right? Discovering virtual instances and taking them under management, controlling login to the AWS management console using SAML-based federation and MFA for stronger authentication and better identity assurance, managing AWS access keys for those IAM accounts used by DevOps, et cetera, et cetera, right? These are all functions that your PAM solution provider should give you that you won't necessarily get, certainly not across cloud platforms, from individual cloud platform providers.
Tony Goulding (01:05:51):
And then there's EC2 instances, right? We haven't even got to them, right? You're running EC2 instances and containers that are running your business apps. And they contain sensitive data. In the shared responsibility model, you have to protect them; AWS isn't going to do that, right. Best practice is what I mentioned: least privilege that incorporates privileged elevation. Vaulting doesn't help with that. Don't get me wrong, again, we need a vault, but with privileged elevation, you're putting a thin client on the box. You're controlling access to it, and you're controlling what the user can do when they've logged in. The cloud platform provider isn't going to do that. They're also not going to have session recording and auditing on that box, except for the native OS-level stuff. So, anyway, I'm kind of going off the rails a little bit there in that response. So, I'll leave it at that. All right, Mason.
Mason Mobley (01:06:46):
All right. That is great. Tony, thank you so much for, yeah, for sharing your expertise. And we're going to wrap now. If you've got any questions, also feel free to reach out to me directly at firstname.lastname@example.org. And again, we thank you for your attendance. Tony, you've been awesome. I appreciate you.
Tony Goulding (01:07:01):
Talk to you soon. Hey, welcome. Take it easy. Thanks folks. Take care. Thanks everyone. Bye. Bye.