Stopping Attacks Before They Stop Business


Stopping Attacks Before They Stop Business Jeff Vealey – Customer Success Technical Advisor CyberArk Software

State of play: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” FBI Director Robert Mueller, 2012

Recent history

Cyber Attacks Are a Daily Event

Cyber Security and Privileged Access
“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
“…100% of data breaches involved stolen credentials.”
Source: Mandiant, M-Trends and APT1 Report

Privileged Account Definition and Scope
Definition: any account which has the ability to access and update the configuration of a critical system, or to impact its operational service.
Scope:
- Routers, Firewalls, Hypervisors, Databases, Applications
- Routers, Firewalls, Servers, Databases, Applications
- Laptops, Tablets, Smartphones
- Power Plants, Factory Floors
- WiFi Routers, Smart TVs

Privileged Account Security: the new security layer
- Perimeter security
- Security controls inside the network
- Monitoring
- Privileged account security

Typical processes that attackers exploit…
- Local admin accounts set to the same password
- Unmanaged SSH keys used for interactive sessions and applications
- Separate, named domain accounts created for each admin
- Workstation users granted local admin rights
- Non-expiring passwords for critical accounts
- Standing access: network, access and authentication
- Hard-coded credentials for applications in code, scripts and appliances
- Excessive permissions for specific roles, such as DBAs and developers
- Lack of visibility around who is accessing what, why, and whether the access is legitimate

Data Breaches - Real Life Example

How did the attack start? ABC Company
Step 1: Attackers used a phishing scam to detect local admin users.
Step 2: An executive user with local admin privilege was discovered; a pass-the-hash attack starts.
Step 3: The hash of a helpdesk user who had remotely assisted the executive 3 days prior was extracted and used.

What happened?
Step 4: Using the helpdesk user's password hash, server access was finally gained.
Step 5: The attackers authenticated to multiple servers using those privileges until they gained domain-admin level access.
Step 6: A Golden Ticket attack was performed. Accounts involved: Domain Admin accounts and Local Admin accounts. System access was used to write their own Kerberos tickets and to exfiltrate data.

Comprehensive Approach Required

Stats

Privileged Account Statistics: 100% of advanced attacks exploit privileged credentials.

Privileged Account Statistics: 51% of privileged account passwords are shared. Shared with whom? What happens when people leave the organization?

Privileged Account Statistics: 53% of large enterprises take 90 days or longer to change privileged passwords. Current processes are making it easier for attackers to move around the infrastructure.

Privileged Account Statistics: 86% of large enterprises do not know, or have underestimated, the magnitude of their privileged account security problem. There is more than one way to underestimate this: amount, scope, power, same or similar passwords.

Privileged Account Statistics: 67% of privileged accounts across enterprises are either unknown or unmanaged. Remember the breach at a US health insurer? 70 million credit card details were stolen because of 1 unmanaged credential.

Privileged Account Statistics: ??% Truth? Are these numbers correct?

Compliance View

Compliance and Regulation PCI SOX

Reduce Risk of Privileged Account Exploits

Implement a standardized privileged access strategy
For each layer (application, database, operating system, network, infrastructure), ask:
- Why is privileged access needed?
- Who needs privileged access?
- Which entities are used to authenticate?
- Can approval workflows be enforced?
- What controls are in place right now?

Example Controls… (columns: Ref, Process, Description, Priority; the Priority column is blank on the slide)

C1 – Inventory and reduce the number of privileged accounts in your organization.
Knowing how many accounts are present in the environment and where they are is a critical first step in making informed risk decisions and protecting the accounts. Once inventoried, privileged accounts should be reviewed and unnecessary accounts should be deleted to reduce the overall number of accounts requiring management.

C2 – Prohibit standard user accounts from having privileged access.
Utilising separate accounts for general and administrative use enables organizations to identify misuse or abuse of privileged accounts. In addition, enforcing least privilege is a significant step an organization can take towards improving the security of its network environment.

C3 – Create a process for on- and off-boarding employees that have privileged account access.
Employees should understand the responsibility that comes with privileged access and be trained in existing corporate policies before administrative access is granted. Access should routinely be reviewed to ensure privileged access is still required. The off-boarding process should include disabling all of the employee's privileged accounts and changing the passwords of any shared accounts the employee had access to.

C4 – Eliminate the practice of accounts that have non-expiring passwords.
Passwords should be changed on a regular schedule to reduce their vulnerability to password cracking tools and password sharing between employees.

C5 – Store passwords and keys securely.
It is imperative that organizations store their privileged credentials in the most secure, encrypted vaulting system available. The use of envelopes, binders, spreadsheets, flat files, etc. for the storage of privileged account information should be eliminated.

Restrict Lateral Movement – Define the Target Operating Model
- Tier 0 – Forest admins: direct or indirect administrative control of the Active Directory forest, domains, or domain controllers
- Tier 1 – Server admins: direct or indirect administrative control over a single or multiple servers
- Tier 2 – Workstation admins: direct or indirect administrative control over a single or multiple devices
Source: Microsoft, Mitigating Pass-the-Hash and Other Credential Theft, v2
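As an added illustration of controls C1 to C4 above and of the tier model, the following audit script (written for this transcript, not code from the presentation or from CyberArk) runs those checks over a constructed privileged account inventory; the field names, the sample accounts and the reference date are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory, not data from the presentation. One row per
# privileged account: whether it is also someone's daily-use account, whether
# its owner is still employed, the tier it administers (0 = forest, 1 = servers,
# 2 = workstations), whether the credential is vaulted, its password settings
# and the tiers of the hosts it has logged on to.
TODAY = date(2024, 1, 31)   # fixed reference date so results are reproducible
MAX_PASSWORD_AGE_DAYS = 90  # the threshold quoted in the statistics slide

INVENTORY = [
    {"name": "da-jsmith", "daily_use": False, "owner_active": True, "tier": 0,
     "managed": True, "pw_expires": True, "pw_set": TODAY - timedelta(days=30),
     "logon_host_tiers": {0, 2}},   # tier-0 credential exposed on a workstation
    {"name": "jdoe", "daily_use": True, "owner_active": True, "tier": 1,
     "managed": False, "pw_expires": False, "pw_set": TODAY - timedelta(days=400),
     "logon_host_tiers": {1}},      # daily-use account that also holds server admin rights
    {"name": "helpdesk-svc", "daily_use": False, "owner_active": False, "tier": 2,
     "managed": True, "pw_expires": True, "pw_set": TODAY - timedelta(days=120),
     "logon_host_tiers": {2}},      # owner has left, password is stale
]


def audit(accounts, today=TODAY):
    """Return (account, control, message) tuples, one per control violation."""
    findings = []
    for a in accounts:
        if not a["managed"]:
            findings.append((a["name"], "C1", "privileged credential not in a managed vault"))
        if a["daily_use"]:
            findings.append((a["name"], "C2", "standard daily-use account holds privileged access"))
        if not a["owner_active"]:
            findings.append((a["name"], "C3", "owner off-boarded but account still exists"))
        if not a["pw_expires"]:
            findings.append((a["name"], "C4", "password set to never expire"))
        age = (today - a["pw_set"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["name"], "C4", f"password unchanged for {age} days"))
        # Tier model: a credential must never be used on a lower-trust (higher-numbered)
        # tier, otherwise its hash can be harvested there, as in the walkthrough above.
        for host_tier in sorted(a["logon_host_tiers"]):
            if host_tier > a["tier"]:
                findings.append((a["name"], "TIER",
                                 f"tier {a['tier']} credential used on tier {host_tier} host"))
    return findings


if __name__ == "__main__":
    for name, control, msg in audit(INVENTORY):
        print(f"{name:14} {control:5} {msg}")
```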

Privileged Account Security

Privileged Account Security - Critical Steps
- Discover all of your privileged accounts
- Protect and manage privileged account credentials
- Control, isolate and monitor privileged access to servers and databases
- Implement least-privilege access for server and workstation access
- Use real-time privileged account intelligence to detect and respond to in-progress attacks

First, understand the Current Position

Protect and Manage Privileged Account Credentials
- Protect the privileged credentials: secure digital vault
- Implement strong credential access workflows
- Simplify policy management: “master policy” function

Control, Isolate and Monitor Privileged Activity
- Establish a single point of control for privileged sessions
- Isolate malware from the target system
- Monitor and record command-level activity

Use Real-time Privileged Account Intelligence
Privileged account intelligence detects attacks:
- Privileged credential access: vault access intelligence
- Privileged session activity: privileged session intelligence
- Full integration with the existing SIEM solution
Detect malicious activity:
- Real-time, integrated with SIEM
- Full forensics capabilities
- Complete, indexed record of privileged activity
- Detect anomalies in day-to-day activity

The Standardized Approach for Privileged Access
Directive: implement the new Target Operating Model concept for risk mitigation. Standardize privileged access for all accounts, human and non-human IDs.
- Global IT environment: privileged access by IT admins, applications and 3rd parties, with secure app-to-app authentication
- Privileged account management: enforce account management on all privileged accounts
- Real-time threat detection: detect attempts to circumvent controls
Benefits:
- Mitigates risk by reducing the attack surface within the heart of the enterprise
- Implements a standardized workflow for privileged access, with central control and audit
- Provides full accountability, forensics and threat detection

So….in summary…

Stop looking for the next big thing….it is already here.

Privileged Credentials are the biggest problem in Security

The time is now to act or you are increasing your odds of being the next attack

Otherwise…..

They will find your passwords…

They will gain access….

They will penetrate deep in your network….

And who are you left to call?

These guys? Probably not.

Thank you