Who's Spying on Your Privileged Accounts
- 31 July, 2015 11:46
News about the infiltration of Kaspersky’s network highlights the fact that these days, no-one and no company is out of bounds. For hackers and other attackers even security companies are fair game.
One of the first things most people ask following an attack is: Who was responsible? It's a natural question but one that is very hard to answer. Attribution of an attack is a difficult part of deconstructing a breach. We can see the signatures in malware and identify the networks used to support the attack. But in the end, we're almost never 100 per cent certain of attribution.
Perhaps the more relevant question is: How? In the case of Kaspersky, the motivation seems to have been espionage. According to sources, the malware used to execute the attack was an updated version of Duqu, which features code directly derived from Stuxnet. Duqu is the alleged culprit used to spy on Iran’s trade relationships and efforts to develop nuclear material.
The idea of cyber attacks as a form of international or business espionage may raise images of Maxwell Smart, Napoleon Solo, The Prisoner and other staples of 1960s cold war television programming, but the threat, unlike the characters, is very real.
Information systems, with their wealth of intellectual property, market and business data, are a veritable treasure trove for cyber spies. All that is required is to gain access. And one of the best ways to achieve this is by leveraging privileged accounts or credentials. Privileged accounts provide complete, anonymous access to, and control of, all parts of IT infrastructure, industrial control systems and critical business data. They exist throughout every business -- in fact it’s challenging to find any part of the enterprise that isn’t managed by privileged or administrative accounts.
This makes privileged accounts the ultimate intelligence asset for cyber espionage campaigns. Once an attacker gains access to an account, they can anonymously study a company's security arrangements and explore systems, taking all the time they need. With this access attackers can remain virtually undetected, gradually siphoning information as part of their corporate espionage campaign. They can create short cuts that facilitate future attacks on the organisation, implant malware for financial gain, or, as occurred at Sony Pictures, the attacker may simply destroy a company’s ability to do business.
Stop Lateral Movement
The Kaspersky attack highlights how attackers use lateral movement to navigate across the network, accessing different machines and devices. The fact that the attackers used multiple zero day exploits (valuable currency in the hacker world) to facilitate this movement is a sign of how critical it was to the overall attack.
The way this type of lateral movement is achieved is by exploiting privileged accounts. The attacker gains access to a privileged employee's machine or device, then gradually expands access to target systems and databases by escalating credentials.
The lesson here is if you can prevent movement by locking down privileged accounts, you can isolate the attack. Without the ability to escalate credentials the attacker remains confined to the breach point, thus minimising the amount of useful information that can be stolen and the damage that might otherwise be inflicted.
Privileged accounts haven't always received the attention they deserve. Given the increasing incidence of breaches as a form of cyber espionage, it might be time for the C-suite and company Board members to re-assess the way privileged accounts are secured, managed and controlled to ensure a breach in one area doesn't ultimately lead to access to the entire enterprise's assets. After all, proactive security starts by assuming the attackers have already made their way inside the network. After that, the challenge is to minimise losses by preventing the criminals from achieving the kind of lateral movement that proved so damaging for Kaspersky and many others.
