Privileged Accounts: Discover / Protect / Monitor

Presentation transcript:

Privileged Accounts: Discover / Protect / Monitor Jason Bresnan Sr. Solutions Engineer, CyberArk Software

The New Cyber Battleground: Inside Your Network
Over 90% of organizations have been breached.
In the past: "I can stop everything at the perimeter." Today: "I can't stop anything at the perimeter." The information security focus shifts to inside the network.
Over 35% of breaches are internal, driven by malicious and unintentional insiders.
Compromised credentials empower any attacker to act as an insider.

The new battleground for cyber attacks is not outside the perimeter; it is inside your network. Today's advanced attacks (for example, malware and phishing) make it easy to breach the perimeter, so protecting the perimeter alone is not an effective strategy. Strategies must move inside the organization and assume the attacker is already there. Attacks also do not always come from the outside: while less common than external attacks, internal breaches typically have a much bigger impact (think Snowden). Regardless of how the attack originates, once an attacker is inside the perimeter and has access to a privileged credential (a password or SSH key), the attacker (or malicious insider) has full control of the network, including desktops, laptops and servers, security solutions, domain controllers, databases and applications. In essence, a compromised privileged credential means you have completely lost control of your infrastructure and of the tools you invested in to protect the network. Lastly, because privileged accounts are powerful and pervasive, they are an important aspect of many compliance regulations. Failure to meet compliance requirements can lead to brand damage and significant costs due to failed audits.

Additional facts: Visa report, Mitigating Large Merchant Breaches (January 2014): based on forensics reports from a sample of 11 large US merchants that experienced a data breach, 9 had compromised privileged credentials. Compliance and audit requirements focus on privileged accounts. Privileged accounts provide access to the most sensitive and valuable assets. Information exposure damages brand reputation and customer confidence.
*Sources: VISA 2014, IDC 2012, and Ponemon Institute 2011

What’s your approach to Privilege Account Security?

An Attacker Must Obtain Insider Credentials
"APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts."
"…100% of breaches involved stolen credentials."
Privileged Accounts Are A Built-in Vulnerability

It has been well documented that privileged accounts are required to carry out a breach. Put yourself in the hacker's shoes: need access to a particular network segment, or want to change firewall rules to enable external communication? Want to gain access to the domain controller? Want to dump a database table to capture a competitor's customer list? Unprotected, unmonitored privileged accounts are the way to go. The quote here from Mandiant says that 100% of the breaches they investigated involved stolen credentials. And, whenever possible, the attacker goes after the privileged credential, because those are the ones that provide the access they need: control over the IT infrastructure.
*Mandiant, M-Trends and APT1 Report
**Credentials are not just passwords, but any means to gain privileged access, including SSH keys, application/access keys, automation/DevOps secrets, etc.

Privileged Credentials are Everywhere
Privileged accounts exist on: routers, firewalls, hypervisors, servers, databases and applications; power plants and factory floors; WiFi routers and smart TVs; laptops, tablets and smartphones.
Organizations typically have 3-4x more privileged accounts than employees.

Typically, the number of privileged accounts in an organization is three times the number of employees. Think about this: how many desktops do you have, servers, databases, network devices, pieces of infrastructure…?

Hijacked Credentials Put the Attacker in Control
Compromised privileged accounts on routers, firewalls, hypervisors, servers, databases and applications; power plants and factory floors; WiFi routers and smart TVs; laptops, tablets and smartphones enable attackers to:
Bypass security controls and monitoring
Access all of the data on the device
Disrupt normal operation of the device
Cause physical damage

You've either been breached, or don't know you've been breached...

Q: What's it like when you have access to something that you shouldn't?
A: First couple of times, it's very adrenaline filled. [Then] you start doing companies and you start doing servers, there's much more of a thrill, much more of adrenaline. Nowadays, it's like, "yes you did it," and then that's really where the work starts, because getting in, getting through the perimeter, is just half the battle. Traveling to other computers, being able to plant malware that'll go under the radar of any kind of security product that they have -- that's where the real game starts.
Q: How many companies would you say you've breached?
A: Probably tens of thousands. Sometimes when you compromise something, you have access to a lot of other things in that same IP address space. You might have gained access to one thing, and a thousand other companies are available in the same address space.
*Un-named hacker, CNN interview

Once an attacker is inside, they're impersonating authorized privileged users, so they can operate undetected for months. Mandiant determined that advanced attackers are on the network for a median of 146 days before being detected (Mandiant M-Trends 2016). That leaves a huge window of opportunity for attackers to gain the access they require to steal critical data and cause irreparable harm to an organization. Widening that window even more: once an attacker is detected, it can take security teams a very long time to respond. According to Verizon (Data Breach Investigations Report 2015), 64% of attacks took days or longer to contain. That means that even when the organization is aware of an in-progress attack, it either doesn't have the information needed, or the means, to contain the threat from spreading further in the network.

How Are Privileged Credentials Stolen?
Keystroke logging
Password guessing/cracking
Memory scraping
Password spreadsheets
Social engineering
Hard-coded application credentials

"Prominent malware families […] are designed to capture keystrokes from an infected device. All those efforts to get users to use special characters, upper/lower case numbers and minimum lengths are nullified by this ubiquitous malware functionality."
"Mandiant's Red Team, on average, is able to obtain access to domain administrator credentials within three days of gaining initial access to an environment"

Privilege Escalation Enables Asset Escalation

Attackers stay under the radar
Once inside, attackers operate undetected for months: advanced attackers are on the network for an estimated 146 days without being detected.
Once detected, security teams take a long time to respond: 64% of attacks took days or longer to contain.
*Mandiant, M-Trends and APT1 Report

Identify risks to better protect sensitive data
Know where your most sensitive data lives
Know who has access to your network
(Diagram labels: Network Perimeter, Internal Users, PCI Environment, Remote Users, Critical IP)
Identify the most sensitive systems and highest risk users
Take extra steps to protect these systems and control these users

Before you can effectively protect critical systems, you must first identify your risks. Not all systems and users are equal, and some require stricter controls than others. As a first step, you should evaluate your network environment to determine where your most sensitive data lives. Not all enterprise data is created equal. Access to systems that contain highly sensitive information, such as PCI data or business-critical intellectual property, should be more tightly controlled than access to systems with other, less confidential data. Next, you need to understand who has access to your network. You know that some of your internal employees have privileged access to your IT assets, but what about remote users? These can include, for example, third-party vendors or consultants, over whom you have little control. Once you understand where your data lives, you'll want to identify the most sensitive systems: those which, if compromised, can result in severe damage to the organization. You'll also want to identify your highest-risk users: those whom you don't necessarily trust and whose endpoints you cannot control. Then, you'll want to take extra steps to protect those systems and control those users. To understand why added controls are necessary, let's look at recent attack trends.

The Cloud
AWS/Azure management consoles
* AWS Secure Token Services
* AWS Access Keys
* Cloud automation / provisioning
* Amazon AMIs – Running CyberArk in the Cloud

The traditional way a hacker will try to compromise an organisation is to try to compromise as many machines in as short an amount of time as possible. Sometimes they'll target users with phishing attacks via email and with social engineering attacks. When cloud computing comes into the mix, it offers attackers a real gem of a password they want to get their hands on. Cloud providers issue you with an administrative account, a "root" account if you will. This is designed to be used to get you set up on your new cloud platform and then never used again, except for break-glass access. I wonder how many people still regularly use this account. CyberArk can store this password out of the box, and by using the Privileged Session Manager we can securely proxy this highly critical account when it needs to be used for break-glass reasons. Let's have a look at how this works.
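The notes above say the cloud provider's root account should be reserved for break-glass use, which makes any direct use of it a monitoring event in its own right. The following is an added example, not CyberArk's code and not part of the presentation: a small Python audit over CloudTrail-style records that flags direct root activity (using the same exclusions as the widely published CIS AWS Foundations metric filter for root usage) and console logins without MFA. The log records, account id and IP addresses are constructed placeholders.

```python
import json

# Constructed CloudTrail-style records for illustration; these are not real
# logs, and the account id and IP addresses are documentation placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-10T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-10T08:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.8"},
    # Service-initiated activity attributed to root; the CIS filter excludes it.
    {"eventTime": "2024-01-10T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateServiceLinkedRole", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"},
     "sourceIPAddress": "AWS Internal"},
]})


def parse_cloudtrail(text):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(text).get("Records", [])


def audit_root_usage(records):
    """Flag events that violate the 'root is break-glass only' expectation.

    Direct root use is defined as in the CIS AWS Foundations root-usage metric
    filter: userIdentity.type is Root, no invokedBy field, and the event is not
    an AwsServiceEvent. Console logins without MFA are flagged for any identity.
    """
    alerts = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        reasons = []
        direct_root = (ident.get("type") == "Root"
                       and "invokedBy" not in ident
                       and rec.get("eventType") != "AwsServiceEvent")
        if direct_root:
            reasons.append("root account used directly")
        if rec.get("eventName") == "ConsoleLogin":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed", "No")
            if mfa != "Yes":
                reasons.append("console login without MFA")
        if reasons:
            alerts.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec.get("eventName"),
                "identity": ident.get("arn") or ident.get("userName"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in audit_root_usage(parse_cloudtrail(SAMPLE_LOG)):
        print(alert["eventTime"], alert["eventName"], alert["identity"],
              "; ".join(alert["reasons"]))
```

Run against the sample, the audit reports the root console login (two reasons: direct root use and no MFA) and the root CreateAccessKey call, while the IAM-user activity and the service-linked event pass. In practice every root alert should be reconciled against an approved break-glass ticket, which is exactly the workflow the session-proxy approach in the notes is meant to make auditable.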

Public cloud
Old Way – "Hack a System" (Hypervisor / Management Console / APIs)
New Way – "Hack a Cloud Console"

Application architecture is getting pulverized

What's in your DNA?
FREE tool to gain visibility of the privileged account environment
Discover all accounts (privileged and non-privileged)
Identify privileged accounts and service account credentials, including: password hashes and age; SSH key trusts; embedded and hard-coded credentials in web servers; Golden Ticket attack risk
Easily view results in the Executive Summary Dashboard
Enhance insight with visual maps of password hashes and SSH key trust relationships

DNA gives a bird's-eye view of your organization by discovering all accounts on Windows, Unix and Linux machines, both privileged and non-privileged. DNA doesn't only discover accounts; it also discovers SSH keys, both private and public, and embedded credentials in Windows services, scheduled tasks and IIS-related services. DNA also discovers hard-coded credentials in IIS-related files, such as web.config. DNA scans sudoers files on Unix/Linux to find privilege escalation rules and analyzes them to discover whether a rule is actually a misconfiguration that is insecure and puts the organization at risk. Configuring the sudoers file is a very error-prone process. An example of an insecure privilege escalation is when an administrator wants to elevate privileges for certain commands but has de facto granted full root privileges.
Keeping track of breaches and how attackers carry out cyber attacks, we saw that Pass-the-Hash is a very common and dangerous attack. PtH is a vulnerability inherent in Windows, which Microsoft has tried to fix in recent patches for Windows 8 and 2012, but those have essentially opened up new holes. A hash is a representation of a password. Attackers can steal passwords and use them to log in to machines and carry out a credential theft or impersonation attack. Attackers can also steal hashes. They can't use a hash to recover the original password, but it is possible to simply pass a hash from one machine to another and use it to log in. This enables the attacker to fully impersonate the account the hash belongs to. What's worse is that attackers can stay under the radar, since they aren't really "logging in" to a machine but rather just passing it the hash. This action isn't necessarily written to logs, which means you may never know it happened.
DNA discovers hashes on Windows machines and correlates them to the accounts they belong to, exposing the accounts that are currently at risk of a PtH attack. CyberArk developed this technology first, and it is patent pending. DNA helps you understand the current risk in your organization and focus on the most critical accounts at risk.
At the end of the scan, DNA generates two things: a report and visual maps.
Report: DNA generates a detailed report that includes all the data you will need. First, there is the Executive Summary Dashboard, which you can use to get a clear understanding of the findings. Second, the data that DNA summarized in the Executive Summary Dashboard is available to you in full. You can use this data to delve deeper and understand the risk in your organization. It includes: a list of all scanned machines and a list of all accounts that can access them; their privileges on each machine; data about accounts, such as password age and last login date; whether an account can be accessed using SSH keys (public); whether an account can connect to other machines using SSH keys (private); whether an account is vulnerable to a PtH attack.
Maps: Since a picture is worth a thousand words, DNA generates visual maps for PtH and SSH key trusts. Using these maps it is very easy to understand the sprawl of the risks and focus on the machines and accounts that are truly important.
Finally, DNA is a free tool! It's easy to use, its results are easy to understand, it doesn't require any installation and it doesn't consume significant resources. So the challenging question is: "why should I NOT use DNA?"
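Two of the discovery checks described above (sudoers rules whose effect is broader than the administrator intended, and credentials hard-coded in web.config), together with the "hard-coded application credentials" item on the earlier theft-methods slide, can be illustrated with a small scanner. The following Python is an added example written for this page; it is not CyberArk's DNA code and does not reproduce how DNA works internally. The sudoers sample, the web.config fragment, the list of shell-escape binaries and the "secret-like" key pattern are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sudoers content (not from any real host). Each rule is annotated
# with the administrator's intent so the gap between intent and effect is visible.
SUDOERS_SAMPLE = """
# intent: run one backup script as root
backup  ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
# intent: read web logs; the trailing wildcard also matches appended arguments
webops  ALL=(root) /bin/cat /var/log/httpd/*
# intent: edit one config file; the editor can spawn a shell
dba     ALL=(root) /usr/bin/vim /etc/my.cnf
# intent: unclear; this is unrestricted root
ops     ALL=(ALL) ALL
"""

# Constructed web.config fragment; the password and API key are made up.
WEBCONFIG_SAMPLE = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db01;Database=orders;User Id=app_svc;Password=Winter2024!" />
    <add name="Audit" connectionString="Server=db02;Database=audit;Integrated Security=SSPI" />
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="sk_test_abc123" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>
"""

# Assumed list: binaries that can start a shell or read arbitrary files, so a
# sudo rule naming them is effectively a rule granting root.
SHELL_ESCAPE_BINARIES = {"/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/vim",
                         "/usr/bin/vi", "/usr/bin/less", "/usr/bin/find"}

# user host=(runas) [NOPASSWD:] cmd1, cmd2 ...  (Defaults/aliases are skipped)
SUDOERS_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$")


@dataclass
class Finding:
    subject: str   # sudo user, connection-string name or appSettings key
    detail: str    # the rule or the config section
    reason: str


def analyze_sudoers(text):
    """Return rules whose effect is broader than 'run these specific commands'."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        user = m.group("user")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary = cmd.split()[0]
            if cmd == "ALL":
                findings.append(Finding(user, cmd, "ALL grants unrestricted root"))
            elif "*" in cmd:
                findings.append(Finding(user, cmd, "wildcard also matches appended arguments"))
            elif binary in SHELL_ESCAPE_BINARIES:
                findings.append(Finding(user, cmd, "command can spawn a shell or read any file as root"))
    return findings


CONN_STRING = re.compile(r'<add\s+name="([^"]+)"\s+connectionString="([^"]*)"')
CONN_PASSWORD = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.IGNORECASE)
APP_SETTING = re.compile(r'<add\s+key="([^"]+)"\s+value="([^"]*)"')
SECRET_LIKE_KEY = re.compile(r"password|pwd|secret|token|apikey|api_key", re.IGNORECASE)


def find_embedded_credentials(text):
    """Report where a web.config embeds a credential, without echoing the value."""
    findings = []
    for name, conn in CONN_STRING.findall(text):
        pw = CONN_PASSWORD.search(conn)
        if pw:
            findings.append(Finding(name, "connectionStrings",
                                    f"embedded password ({len(pw.group(1))} chars)"))
    for key, value in APP_SETTING.findall(text):
        if SECRET_LIKE_KEY.search(key) and value:
            findings.append(Finding(key, "appSettings",
                                    f"secret-like setting ({len(value)} chars)"))
    return findings


if __name__ == "__main__":
    for f in analyze_sudoers(SUDOERS_SAMPLE) + find_embedded_credentials(WEBCONFIG_SAMPLE):
        print(f"{f.subject:10} {f.detail:40} {f.reason}")
```

On the sample input the sudoers pass reports webops (wildcard), dba (editor with shell escape) and ops (ALL) while leaving the single-script backup rule alone, and the web.config pass reports the Orders connection string and the ApiKey setting but not the integrated-security connection or the PageSize value. The reports deliberately carry only the length of a secret, never the secret itself, so the scan output can be shared with the owners of the systems without becoming another password spreadsheet.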