Want to stop cybercrimes tearing through your network? First check your privileges

Your most powerful admins are the weakest links. But CyberArk are here to help

Got Tips?

SPONSORED The consequences of cybercrime are ever more costly, with Accenture’s Ninth Annual Cost of Cybercrime Study showing the average financial impact per company rose by $1.4m to $13m in 2018.

If the first half of 2020 is any indication, this number will continue to rise as attackers amplify their campaigns to take advantage of emerging opportunities, like those associated with changing work environments, and continue to target organizations’ weakest links.

As more companies move workloads to the cloud, adopt collaboration tools to support remote workforces, and increase automation capabilities, attackers are simultaneously and consistently refining their own strategies to exploit areas of business transformation.

Maintaining business continuity and resiliency in the face of this dynamic threat landscape starts with understanding the mindset of an attacker. Their motivations may vary - from financial gain and espionage to business disruption – but the attack cycle remains relatively constant.

Motivated attackers will initially use fairly standard means to gain a foothold on a network, like phishing or exploiting a known software vulnerability. But once they’ve wormed their way in, they’ll typically seek to exploit privileged accounts with broad and powerful administrative access to carry out reconnaissance or to maintain persistency on the network to launch further attacks. If they don’t achieve this privileged access, the vast majority of attacks simply won’t proceed beyond nascent stages.

So, gaining privileged access is a top priority for attackers. The problem is rapid business transformation led by investments in digital technologies has contributed to privileged account sprawl across cloud and hybrid environments, opening up even more potential access points. Critical business processes, applications and cloud instances, for example, all have associated privileged accounts required to maintain and help protect them.

Securing privileged access helps shrink the attack surface by breaking the attacker tool set and restricting the spread of an attack. When attackers find their lateral movement is limited, they are forced to use tactics that are “louder” and therefore more easily identifiable, so organizations can be alerted and work to stymie the attack before the business is dramatically impacted.

So, how to use this knowledge against attackers? CyberArk Labs has analyzed common cyber attack vectors and tactics, and has identified four ways that prioritizing privileged access management can better arm businesses to defend against them.

Stopping privilege escalation

When attackers first gain access to the network, they will use a variety of techniques to escalate their privileges in order to gain higher level permissions and begin lateral movement.

The software and applications organizations rely on to run their business can be riddled with misconfigurations and vulnerabilities, especially if basic upgrades and patching aren’t done consistently. A study by the Ponemon Institute in 2019, found 60 per cent of data breaches involved unpatched vulnerabilities. To the attacker, the vulnerability itself represents an “open door” allowing them to gain that initial foothold. The critical step is how attackers can use that initial entry to escalate privileges and facilitate lateral movement across increasingly distributed and decentralized networks.

Privilege escalation is the most critical link in the attack chain as it allows an attacker to accomplish several steps, including gaining network persistence, building-in additional backdoors and, ultimately, accessing critical assets. A modern privileged access management program enforces the principle of least privilege to ensure users only have the access required to perform their functions – and nothing more. This helps limit super-user and administrator permissions – further reducing the overall attack surface.

Preventing lateral movement

Lateral movement is a tactic – often interconnected with privilege escalation – designed to allow attackers to enter and control systems on a network with the goal of spreading an attack or establishing long-term persistence.

Attackers use lateral movement to move beyond their original foothold to find valuable information, get access to business-critical systems or execute an attack. Exploiting privileged access is the way to facilitate this movement. By escalating privileges, attackers can effectively move from place to place including from on-premises environments into and across cloud environments, and vice versa.

Managing privileged access is one of the most effective ways to stop lateral movement by securing the access points attackers need to move across a network, thereby helping to block the progress of an attack.

Slowing the spread of ransomware

Ransomware continues to be one of the most common, and costly, cyber attacks. Cybersecurity Ventures estimates that the global cost of ransomware attacks will top $20bn by next year and predicts that ransomware attacks will target businesses every 11 seconds.

While ransomware attacks typically start on an endpoint, the goal is to encrypt files, applications or systems so that attackers can hold an organization hostage until a ransom is paid. One laptop isn’t going to get the criminal a payday, but compromising an entire network certainly can.

The leap from endpoint to network is a critical aspect of the ransomware strategy, so today’s interconnected businesses make ransomware attacks a real concern for organizations of all sizes. But while ransomware is damaging, sound privileged access management can limit its spread and keep it contained to the initial infection point. CyberArk Labs’ research, which has tested 2.5 million variants of ransomware, showed that removing local admin rights, combined with application control on endpoints, was 100 per cent effective in stopping the spread of ransomware.

Preventing account takeovers

Account takeover (ATO) attacks are sophisticated, targeted and designed to give the attacker as much control over an environment as possible by stealing and exploiting legitimate user credentials. Attackers prioritize privileged credentials in ATOs – especially accounts with “always on” access. These powerful accounts can enable attackers to move through a network and achieve full compromise of an Active Directory, the domain controller and even entire cloud environments.

Privileged access management solutions - especially those that include just-in-time access controls - can dramatically reduce the attack surface by securing authentication credentials that are spread across environments. A just-in-time approach helps provide the appropriate levels of access to the right resources for the right amount of time, eliminating the always-on accounts that attackers covet. This all makes the life of the attacker much more difficult by preventing privilege escalation and severely restricting lateral movement.

The compromise of privileged accounts lies at the core of the cyber attack cycle. To learn more about how privileged access management can help break the cycle and help protect organizations’ most critical data, infrastructure and assets, download a complimentary copy of the Gartner 2020 Magic Quadrant for Privileged Access Management1

Sponsored by Cyberark

1- Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, 4 August 2020

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Biting the hand that feeds IT © 1998–2020