Footprints in the Sand

SummaryThis white paper demystifies attack surface management (ASM) and why it should be a required layer in your security control stack. The fact is indisputable. There is a direct linkage between identity risk and breaches attributed to service and privileged account sprawl with the problem only worsening. As a result of the pandemic, employees have moved from their cubicles to their home offices while companies have moved assets and sensitive data into multi-cloud environments leaving a trail of identity breadcrumbs everywhere for adversaries to pick up and use.

Author InformationAlissa Valentina KnightPartnerKnight Ink1980 Festival Plaza DriveSuite 300Las Vegas, NV 89135ak@knightinkmedia.com

Publication InformationThis white paper is sponsored by Illusive.

Initial Date of Publication: October 2021Revision: 1.0

Starving adversaries from being able to live off the land using attack surface management

TABLE OF CONTENTS

05 06 07§ Overview § Reducing the number of

privileged accounts§ Identity Risk by Example

2 FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIP WITH ILLUSIVE

3

TABLE OF CONTENTS

08 10§ Solving the Problem With

the Wrong Tools§ Demystifying Attack Surface Management

12§ Solving the Problem With

Attack Surface Management

OVERVIEW

According to Centrify’s Privileged Access Management in the Modern Threatscape survey published in 2019, 74% of IT decision makers surveyed whose organizations have been breached in the past, say it involved privileged access credential abuse. It’s no wonder since there’s been a five-fold increase in identities in the last decade alone (Identity Security Alliance, 2020)

The fact is indisputable. There is a direct linkage between identity risk and breaches attributed to service and privileged account sprawl with the problem only worsening. As a result of the pandemic, employees have moved from their cubicles to their home offices while companies have moved assets and sensitive data into multi-cloud environments leaving a trail of identity breadcrumbs everywhere for adversaries to pick up and use.

These breadcrumbs include things such as service accounts capable of performing interactive logins over RDP, shared domain administrator accounts, cached privileged credentials on endpoints, policy gaps between on-prem Active Directory (AD) and Azure AD, and more.

While other security controls focus on detecting the symptoms of what happens when these connected and identity breadcrumbs are left scattered across a network, attack surface management (ASM) attempts to focus on preventing the cause by proactively reaching out to endpoints and disposing of cached credentials and Kerberos tickets, as well as stale and cached connections so they can’t be used by an adversary when a breach occurs.

4 FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIP WITH ILLUSIVE

Attack Surface Management is the proactive elimination of sensitive resources found on endpoints that an adversary uses to live off the land and

move laterally. These resources, such as cached credentials, enable adversaries to move deeper into the network in an effort to find what they’re ultimately there for. By starving them of their ability to harvest privileged credentials and connection cache, they’re unable to move beyond their initial foothold in the network lowering the mean time to detection (MTTD) and mean time to response (MTTR).

IDENTITY RISK BY EXAMPLE

CNA Financial is among the largest insurers in the United States. In May of 2021, it was widely publicized that CNA had suffered a massive breach falling victim to Phoenix Cryptolocker, which it paid $40 Million in ransom in order to recover from and is believed to be the largest ransom payout to date.

The Phoenix Cryptolocker ransomware, believed to be operated by Russia-backed Evil Corp, leverages a credential stuffing attack packed with usernames and passwords from previous breaches in order to attempt access to a network over RDP. The details of the compromise indicate that the CNA breach was attributed to yet another identity-based attack where stolen credentials were used to gain a foothold on the network, which the adversaries likely then used to escalate privileges to Domain Admin once there.

Like all breaches, reconnaissance is the calm before the storm. The now infamous JBS Foods breach that followed shortly after the Colonial Pipeline breach began with RDP service mapping of the JBS network in Australia. While it couldn’t be confirmed, indicators published by SecurityScoreCard provide evidence to the use of compromised JBS credentials of its Australian employees and traffic to RDP ports of in its IP space that didn’t belong to known JBS assets.

Reconnaissance of JBS began in February of 2021 followed just one month later by data exfiltration of more than 5 TB of data from March to May 2021 that began in Australia when the adversaries then moved laterally to JBS Brazil. The REvilRansomware Group armed with the SodinokibiRansomware in the breach would later be implicated in the attack. (SecurityScoreCard, 2021)

5

REDUCING THE NUMBER OF PRIVILEGED ACCOUNTSOrganizations are attempting to address thischallenge by reducing the number of privilegedaccounts in their Active Directory (AD)environment, also reducing the number of serviceaccounts. While this is good cyber hygiene, itdoesn’t effectively reduce the risk as IT still needsto perform their break-fix job function to supportusers by remoting into endpoints to performadministrative functions as well as their day-to-dayjob of care and feeding of maintaining systems.

Terence Runge, Chief Information Security Officer(CISO) for Reltio who also served as Senior Directorof Enterprise Security for SalesForce agrees thatthese attempts are ineffective. “Reducing thenumber of administrators and privileged serviceaccounts won’t be an effective measure againstthis problem. Even if you take these measures, ITstill has to perform their job function of break-fixissues and other routine care and feeding ofendpoints. Additionally, the secure storage ofprivate keys, cached connections, and even userswriting passwords into files on their host willcontinue to be a problem that reducing thenumber of privileged user and service accountsdoesn’t address.”

Additionally, attempting to do this doesn’t addressthe mistakes made by organizations of hard-codingcredentials in their Github repos leading toaccount takeover (ATO) of cloud workloads anddatastores, users writing passwords into files ontheir systems, developers hard coding credentialsin their source code, or users storing precomputedprivate keys in their home directories withoutpasswords used for key-based authentication toservices like secure shell (SSH).

6 FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIP WITH ILLUSIVE

7

FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIP WITH ILLUSIVE

Solving the Problem With the Wrong Tools

IDENTITY AND ACCESS MANAGEMENT AND PRIVILEGED ACCOUNT MANAGEMENT SOLUTIONS

Identity and Access Management (IAM) is acategory of solutions that creates and maintainsthe separation between “church and state” whereusers can login to the applications and access thedata they need to perform their jobs withouthaving to need elevated privileges to perform thefunction. IAM essentially couples authentication(something you know, something you are,something you have) with authorization(something you’re allowed to access).

Whereas IAM authenticates and authorizes, PAMlimits those number of authenticated andauthorized individuals to just the bare minimumnumber who need access to perform their jobs.

The reasons these solutions are failing to solve thisproblem is they don’t eliminate privileged accountsprawl across systems, users from storing theirpasswords in files on their systems, the necessityfor local administrator privileges, in-app storedcredentials, developers hard-coding credentials orkeys in their source code, or users savingconnection profiles in apps along with theusername/password for the account. Furthermore,IAM solutions don’t support every connectionoption an organization might want to integrate.

Gary Hayslip, CISO for SoftBank Capital tried thisand also saw no measurable decrease to anexploitable attack surface. “IAM and PAM willperform as described but it won’t completelyaddress the problem. It’s like a game of ‘wack-a-mole.’ You can use IAM and PAM to cover some ofthe holes but it doesn’t cover them all. IAM andPAM can’t see into cached privileged identities, it’stypically built for provisioning, and can’t supportall service account types. Additionally, visibilitygaps are typically created by tools since manywhitelist privileged account activity. Taking realmeasurable steps towards managing identity riskcan only be done by instrumenting your network

with an ASM tool that’s continuing to identify andtake action on the trail of credentials, kerberoast-able accounts, and connections left cached onhosts and in applications in normal every-day use.”Hayslip went on to say that even the adoption ofsoftware-as-a-service (SaaS) solutions creates thepotential for what he calls ‘shadow SaaS accounts’that also offers another method of dataexfiltration.”

8 FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIP WITH ILLUSIVE

9

Demystifying Attack Surface Management

RISE OF ATTACK SURFACE MANAGEMENTAttack Surface Management (ASM) is a newmarket of products designed to identify “shadowIT” and other assets that have vulnerabilitiesaffecting the integrity of a network. These assets,especially when unknown to the cybersecurityorganization, create an attack surface that’sexploitable by adversaries.

ASM is the more complete approach than theprevious approaches proven through recentlypublicized breaches and many of the ASMsolutions are not created equally. Illusive forexample, couples ASM with deception technologybetting as Sun Tzu once said, that the enemy willattack and that through its technology, anorganization can make its network unassailable.Using Illusive’s approach to ASM, a company caneradicate three categories of threats created by anorganization not adopting ASM:

• Unmanaged• Local administrators• Legacy applications and shadow SaaS

accounts• Accounts not in MFA/PAM

• Misconfigurations• Shadow administrators• Kerberoastable services accounts• Identity and password re-use

• Exploitable• Cached credentials• Stored cloud tokens• In-app stored credentials

By adopting ASM over alternative approaches tomanaging the identity risk problem, organizationsstop playing “wack-a-mole” with the bread crumbsleft across endpoints that adversaries use to pivotand escalate privileges once they have a footholdthat eliminates the symptoms that result in thiscausal problem, such as ransomware infectionsand leak-and-lock scenarios where victim’sexperience data loss and are ransomed in order toget their data back.

Chris Hetner, former security advisor to thechairman of the Securities and ExchangeCommission (SEC) and global CISO to GE Capitalagrees with ASM no longer being a nice to have ina company’s effort to reduce its attack surface andis more necessary than ever in order to make itselfmore resilient to cyber attacks. “By reducing yourattack surface through ASM, organizations canlower their MTTD/MTTR by eliminating thesehidden threats by instrumenting their networkwith an ASM solution automates the necessaryeffort of cleaning up the threat created byprivileged account sprawl and cached connectionsacross the network. It’s a critical and necessaryapproach to creating a hardened securityarchitecture.”

10 FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIP WITH ILLUSIVE

Attack surface management is quickly gaining cross-industry groundswell as CISOs rush toward rapid adoption of ASM solutions to

tackle the identity risk challenge, looking for solutions that offer the greatest number of features and capabilities to reduce their attack surface.

11

Solving the Problem With Attack Surface Management

Unknown Identity Risk DiscoveryYou can’t treat a risk that you don’t know is there. Thebiggest challenge organizations face is finding theirprivileged account sprawl is — well — finding them. AnASM solution should offer the capability to identify thesebreadcrumbs on the network and clean them up, a sort-of“iRobot” for your network that is continuously findingthese crumbs and vacuuming them up off endpoints.

In the recently highly publicized breach in the supply-chainattack on SolarWinds that affected 100 companies andtook months of coordinated planning happened simplybecause a highly privileged account password was leakedon the company’s Github repository and was capable ofmaking changes to SolarWinds source code for its productwhere the backdoor was inserted. Had the company knownthis credential was being leaked and even shared betweenmultiple people, it could have quickly addressed theproblem by changing the username and password used toaccess its source code repo.

Identity Policy Violation MitigationIf you don’t know a set of user credentials is in violation ofyour security policies, you can’t do anything about it. AnASM solution should be capable of proactively identifyingidentity policy violations before they are exploited. Today,the idea of a castle protected by a moat securityarchitecture for a network no longer works. Data is noweverywhere, on-prem, in the cloud, and on users’ mobiledevices. It can’t be controlled; therefore, security shouldbe built around your crown jewels where it lives. An ASMsolution should be able to identify unauthorizedconnections to your crown jewels, identify risk andunwanted applications on endpoints, and eliminate usercredential violations.

In the SolarWinds breach, the company was unaware ofthe password violation with the account using the weakpassword of “solarwinds123” that gave access to theirsource code repository. Later, the Cybersecurity andInfrastructure Security Agency (CISA) announced that theadversaries behind the Solarwinds breach had used bruteforce attempts (credential stuffing) attacks against victimsin order to further compromise more companies inaddition to the backdoor they placed into the Solarwindsproduct.

Knowing these accounts with weak passwords exist is afundamental requirement of any ASM solution to deal withprivileged identity sprawl, shadow administrator andservice accounts, and other identity risks to anorganization.

Protect Privileged AccountsASM solutions should be able to use active protectionagainst the abuse of privileged credentials, whether it beuser or service accounts and take active measures againsttheir unauthorized use. Employing active defensemeasures, such as planting deceptive credentials onendpoints and deceptive cached connections allowsorganizations to lower the MTTD/MTTR of threat actorswho’ve established a foothold on their network and areattempting to move laterally in the environment.

Had SolarWinds identified the “solarwinds123” accountbefore the actors in the breach, they could have removedthe account and created individual accounts needingaccess to the source code repository to move away fromthis shared account and then planted the solarwinds123account as deceptive credentials in the environment, beingalerted to its use and got ahead of the breach.

12

An effective approach to ASM should include detection, mitigation, and active defense to ensure that identity risks are proactively

identified, cleaned up, then proactively used to deceive adversaries attempting to use them once in the environment. This approach provides an organization an automated approach to continuously cleaning up the environment of identity risk while hunting for threats using these credentials using deception — a lethal three-pronged approach to attack surface management.

In a recent example of an organization with roughly 2,500employees who deployed ASM to take these sameproactive measures of identifying and eliminating theiridentity risk identified 1,500 domain administratorcredentials, 300 helpdesk administrator credentials, and220 unauthorized connections to their crown jewels thatwere cached on endpoint systems. They now have adoptedASM moving forward to take proactive measures againstidentity risk before it’s used in a breach against them.

PRIVILEGED ACCOUNT MANAGEMENT FAILSIn 2010, I worked alongside Mandiant’s incident responseteam in a combined effort with Accenture who providedproject management in an incident response effort thatlasted for several months of an APT group in a largebiotech compromise.

What follows is a step-by-step account of the breach andwhat TTPs were used by the APT actors in the incident andhow the PAM solution they were using failed them.(APPENDIX: A)

ReconnaissanceAt the beginning of the forensic investigation, it wasdiscovered that the APT group had specifically targeted thebiotech company in search of its cancer treatment drugs ithad brought to market. The initial reconnaissance that hadbeen identified before the foothold had been establishedon our network by the APT group were web requests madeto our web site whereupon the group was actually readingour press releases. The activity had stopped on a pressrelease announcing our partnership with a company wehad established a virtual private network (VPN) to over asite-to-site VPN tunnel. This was before the concept“supply chain attacks” really became a colloquial term usedas frequently as it is today.

We believe they used this information to determine thatthe best way past our perimeter defense was to come inthrough the side door using our suppliers. This of coursewas combined with other traditional recon activity, such asport sweeps of our internet-facing assets, which yieldedthem little to no exploitable vulnerabilities that would givethem a remote shell.ExploitationSeveral days later, we began seeing a spike in brute forceactivity of legitimate user accounts originating from oursupplier’s network in our Security Information and EventManagement (SIEM) platform. The amount of accountlockouts that we handled at the helpdesk at the time hadmore than doubled from historical levels indicating thatpassword spraying was occurring.

Post ExploitationThis rise in account lockouts also had been combined with

a rise in the amount of network traffic utilization across ourinternal core indicating there had already beenunauthorized access established by the APT group on ourinside network where they had successfully movedlaterally from our supplier’s network into our internalnetwork. This rise in network traffic utilization of ourbandwidth indicated by the MRTG graphs generated fromour switches also provided indication that they were usingstaging server(s) to copy data to for preparation forexfiltration using password encrypted RAR files as well asoutlook PST files.

Despite the fact that we had implemented an enterprisePAM solution, a leading solution in the market today, it didnot protect us against the cached credentials on endpointsfor users that had local administrator privileges as well asthe cached RDP sessions stored on hosts that IT used toconnect to endpoints for break-fix issues.

Eventually, the lateral movement by the APT group ledthem to an account with Domain Administrator privilegesand access to our Active Directory server which resulted inthem dumping all of the accounts from AD for offline bruteforcing.

This was a complete compromise of the network, as well astheir access to our email server and sensitive data stores,such as servers containing our intellectual property/druginformation of products the company had brought tomarket and were actively still developing.

This was a clear example of how hubris and overconfidencein our security controls can lead to a rude awakening whenwe think a security control covers all of the potential TTPsused by an adversary during a breach.

CONCLUSIONHistory has taught us over the last two decades of detailsmade public across high profile breaches how littlePAM//IAM solutions alone don’t prevent lateral movementwithin a network once a foothold has been established.Credential and connection cashing left as breadcrumbsacross endpoints in the network is not addressed by thesesolutions that only ASM solutions can address. You can’tprotect what you don’t know you have.

Shadow IT is a continuing pervasive threat in today’senterprise, compounded by vulnerabilities present inendpoints that create an expanding attack surface thatdoesn’t ebb, which is solved only by ASM.

13 FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIP WITH ILLUSIVE

14

APPENDIX A: Tactics and techniques used in the biotech compromise

• 2021 Data Breach Investigations Report | Verizon. Retrieved October 2, 2021, from https://www.verizon.com/business/resources/reports/dbir/

• Kass, H. D. (2021, May 24). Insurer CNA Paid Hackers $40M for Ransomware Decryption. MSSP Alert. https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/cna-payment-40-million-dollars/

BIBLIOGRAPHY

15 FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIP WITH ILLUSIVE

ABOUT KNIGHT INK

Firm OverviewKnight Ink is a content strategy, creation,and influencer marketing agency foundedfor category leaders and challengerbrands in cybersecurity to fill currentgaps in content and communitymanagement. We help vendors createand distribute their stories to the marketin the form of written and visualstorytelling drawn from 20+ years ofexperience working with global brands incybersecurity. Knight Ink balancespragmatism with thought leadership andcommunity management that amplifies abrand’s reach, breeds customer delightand loyalty, and delivers creativeexperiences in written and visual contentin cybersecurity.

Amid a sea of monotony, we helpcybersecurity vendors unfurl, ascertain,and unfetter truly distinct positioningthat drives accretive growth throughamplified reach and customer loyaltyusing written and visual experiences.

Knight Ink delivers written and visualcontent through a blue ocean strategytailored to specific brands. Whether it’s afirewall, network threat analyticssolutions, endpoint detection andresponse, or any other technology, everybrand must swim out of a red sea ofcompetition clawing at each other formarket share using commoditizedfeatures. We help our clients navigate toblue ocean where the lowest price ormost features don’t matter.

We work with our customers to create acontent strategy built around their blueocean then perform the tactical stepsnecessary to execute on that strategythrough the creation of written and visualcontent assets unique to the companyand its story for the individual customerpersonas created in the strategy setting.

Contact UsWeb: www.knightinkmedia.comPhone: (702) 637-8297Address: 1980 Festival Plaza Drive, Suite300, Las Vegas, NV 89135

16

ABOUT ILLUSIVE

Firm OverviewIllusive discovers and mitigates privilegeidentity risk policy violations to disruptthe lateral movement that ransomwareand nation-state attackers use to accesscritical assets. Despite significantinvestments, it’s still difficult to see andstop attackers moving inside yourenvironment. Illusive enablesorganizations to create a hostileenvironment for attackers by discoveringprivileged identity risks, mitigating policyviolations, leveraging deceptive controlsto detect attacker actions associated withidentity risk not easily mitigated, anddelivering on-demand visibility intonefarious attacker activities.Illusive was founded by nation-stateattackers who developed a solution tobeat attackers. We help companiesprotect their critical assets, including thelargest global financials and globalpharmaceuticals. Illusive has participatedin over 130+ red team exercises and hasnever lost one!

17 FOOTPRINTS IN THE SAND | BROUGHT TO YOU IN PARTNERSHIPWITH ILLUSIVE

Knight Ink1980 Festival Plaza DriveSuite 300Las Vegas, NV 89135ak@knightinkmedia.com