Privileged Attack Vectors: Building Effective Defense Strategies Morey J. Haber Chief Technology Officer [email protected]

Post on 22-May-2020


Page 1: Privileged Attack Vectors: Building Effective Defense ... · • 20+ years security experience • Articles on Secure World, Dark Reading, CSO Online, etc. • Author of “Privileged

Privileged Attack Vectors: Building Effective Defense Strategies

Morey J. Haber

Chief Technology Officer

[email protected]

Page 2:

Agenda

• The Threat Landscape

• Sample Cases

• What is Privileged Access Management?

• Twelve Steps to Privilege Security

• BeyondTrust

Page 3:

The Threat Landscape

Page 4:

The Infonomics of Data Breaches

Page 5:

The Cyber Attack Chain

1. Perimeter Exploitation: the attacker exploits asset vulnerabilities to gain entry (underlying weakness: vulnerable systems)

2. Privilege Hijacking & Escalation: … hijacks privileges or leverages stolen/cracked passwords (underlying weakness: unmanaged credentials and excessive privileges)

3. Lateral Movement & Exfiltration: … and compromises other network resources (underlying weakness: limited visibility)

Page 6:

How Are Threat Actors Gaining Privileges?

Insider Threats:

• Guessing

• Dictionary attacks

• Brute force

• Pass the hash

• Security questions

• Password resets

External Threats:

• Vulnerabilities

• Misconfigurations

• Exploits

• Malware

• Social engineering

• MFA flaws

Hidden Threats (credential hygiene):

• Default credentials

• Anonymous

• Predictable

• Shared credentials

• Temporary

• Reused
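The list above names guessing, dictionary and brute-force attacks among the ways threat actors obtain privileges. The following is an added example, not part of the deck and not BeyondTrust code, showing what those patterns look like in authentication logs and how to tell a brute-force burst against one account from a password spray across many accounts; it also shows why a successful login from a source that was already attacking is the finding to act on first. The log lines are constructed in OpenSSH auth.log format, the addresses come from documentation ranges, and the window and thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth.log format; not captured data. Addresses are
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:02 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:03 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:04 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:05 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:06 bastion sshd[2106]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Mar  3 10:05:10 bastion sshd[2201]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:11 bastion sshd[2202]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar  3 10:05:12 bastion sshd[2203]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Mar  3 10:05:13 bastion sshd[2204]: Failed password for dave from 198.51.100.9 port 40003 ssh2
Mar  3 10:05:14 bastion sshd[2205]: Failed password for invalid user oracle from 198.51.100.9 port 40004 ssh2
Mar  3 10:30:00 bastion sshd[2301]: Failed password for erin from 192.0.2.20 port 30000 ssh2
Mar  3 10:30:30 bastion sshd[2302]: Accepted publickey for erin from 192.0.2.20 port 30001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Turn auth.log text into time-sorted events. Syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted", "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), brute_threshold=5, spray_min_users=4):
    """Flag brute force (many failures on one account from one source), password spraying
    (a few failures each across many accounts from one source) and a success from a
    source that was already flagged. Thresholds are assumptions for the example."""
    findings, flagged = [], set()
    recent = {}  # src -> failures inside the trailing window
    for e in events:
        src = e["src"]
        if e["ok"]:
            # Any success from a source already flagged is the highest-priority event.
            if any(key[1] == src for key in flagged):
                findings.append({"type": "success_after_attack", "src": src, "user": e["user"],
                                 "method": e["method"], "when": e["ts"]})
            continue
        fails = [f for f in recent.get(src, []) if e["ts"] - f["ts"] <= window] + [e]
        recent[src] = fails
        per_user = Counter(f["user"] for f in fails)
        user, n = per_user.most_common(1)[0]
        if n >= brute_threshold and ("brute_force", src, user) not in flagged:
            flagged.add(("brute_force", src, user))
            findings.append({"type": "brute_force", "src": src, "user": user,
                             "failures": n, "when": e["ts"]})
        # Spray: many distinct accounts, each tried only once or twice (stays under lockout).
        if (len(per_user) >= spray_min_users and max(per_user.values()) <= 2
                and ("password_spray", src) not in flagged):
            flagged.add(("password_spray", src))
            findings.append({"type": "password_spray", "src": src,
                             "users": sorted(per_user), "when": e["ts"]})
    return findings


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for finding in run():
        print(finding)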

Page 7:

Sample Cases

Page 8:

EMPLOYEES AND OTHER INSIDERS HAVE UNNECESSARY ACCESS

Employees, vendors and other insiders are often given excessive access to systems and data, and that access can go unmonitored.

Source: Verizon 2017 Data Breach Investigations Report

In 88% of cases, attackers compromised the organization using definable patterns established as early as 2014.

Page 9:

Privilege abuse was behind 81% of insider misuse incidents.

Source: Verizon 2017 Data Breach Investigations Report

CREDENTIALS ARE SHARED AND UNMANAGED

Passwords are created and shared, but aren’t audited, monitored or managed with discipline or accountability.

Page 10:

IT ASSETS COMMUNICATE UNCHECKED

Desktops, laptops, servers and applications communicate and open paths to sensitive assets and data.

Source: Verizon 2015 Data Breach Investigations Report

99% of successful attacks leverage known vulnerabilities

Page 11:

Privileged Access Management

Page 12:

Privileged Access Management

• Provides an integrated approach to enterprise password management

• Enforces least privilege on all endpoints without compromising productivity or security

• Ensures administrator and root compliance on Unix, Linux, Windows and Mac

• Identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions

• Achieves unified visibility over accounts, applications, and assets that they protect

(figure) Pillars around Privileged Access Management: Enterprise Password Management, Privilege Management, Session Management, Advanced Reporting & Analytics, User Behavior Monitoring, Active Directory Bridging

Page 13:

Twelve Steps to Privilege Security

Page 14:

Step 1: Improve Accountability for Privileged Passwords

Asset Based:

• Privileged account discovery

• Develop permissions model

• Rotate passwords and keys

• Workflow process and auditing

• Define session monitoring

• Segmentation

• User behavior analysis
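Privileged account discovery and a permissions model are the first two items in Step 1. As an added example (not the deck's or BeyondTrust's code), the script below inventories privileged accounts on a Unix-like host from constructed /etc/passwd, /etc/group and /etc/shadow excerpts: UID 0 accounts other than root, members of administrative groups, empty or stale passwords, service accounts with interactive shells, and finally the accounts whose actual privileges differ from an assumed permissions model. The administrative group names, the svc_ naming convention, the 90-day maximum age, the hash placeholders and the "today" value are assumptions.

```python
# Constructed excerpts of /etc/passwd, /etc/group and /etc/shadow; not from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sysadm2:x:0:0:second UID 0 account:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc_backup:x:1003:1003:Backup service:/var/backups:/bin/bash
"""
GROUP = """\
root:x:0:
wheel:x:10:alice,svc_backup
sudo:x:27:bob
users:x:100:alice,bob
"""
# shadow(5) fields: name:hash:lastchange(days since epoch):min:max:warn:inactive:expire:
# The $6$salt$... hashes are placeholders, not real digests.
SHADOW = """\
root:$6$salt$placeholderhash:19000:0:99999:7:::
sysadm2:$6$salt$placeholderhash:19700:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$salt$placeholderhash:19750:0:90:7:::
bob:!:19600:0:90:7:::
svc_backup::19000:0:99999:7:::
"""
TODAY_DAYS = 19800  # constructed "today", in the days-since-epoch unit shadow(5) uses
ADMIN_GROUPS = {"wheel", "sudo", "admin"}  # assumed administrative groups
MAX_AGE_DAYS = 90  # assumed rotation policy
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
# Assumed permissions model: who is expected to hold which privilege.
MODEL = {"root": {"uid0"}, "alice": {"wheel"}}


def discover(passwd=PASSWD, group=GROUP, shadow=SHADOW, today=TODAY_DAYS):
    """Return {account: {uid, shell, privileged_via, issues}} for every privileged account."""
    accounts = {}
    for line in passwd.strip().splitlines():
        name, _, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "shell": shell, "privileged_via": [], "issues": []}
    # Privilege through secondary membership of an administrative group.
    for line in group.strip().splitlines():
        gname, _, _gid, members = line.split(":")
        if gname in ADMIN_GROUPS:
            for member in filter(None, members.split(",")):
                if member in accounts:
                    accounts[member]["privileged_via"].append(gname)
    for name, acct in accounts.items():
        # Privilege through UID 0; any account other than root sharing UID 0 is a finding.
        if acct["uid"] == 0:
            acct["privileged_via"].insert(0, "uid0")
            if name != "root":
                acct["issues"].append("uid0_not_root")
        # Assumed naming convention: svc_* are service accounts and should not get a login shell.
        if acct["privileged_via"] and name.startswith("svc_") and acct["shell"] in INTERACTIVE_SHELLS:
            acct["issues"].append("service_account_interactive_shell")
    # Password hygiene, checked only for accounts that hold privilege.
    for line in shadow.strip().splitlines():
        fields = line.split(":")
        name, pw, lastchg = fields[0], fields[1], fields[2]
        acct = accounts.get(name)
        if acct is None or not acct["privileged_via"]:
            continue
        if pw == "":
            acct["issues"].append("empty_password")
        elif pw.startswith(("!", "*")):
            continue  # locked account: password age does not apply
        if lastchg.isdigit():
            age = today - int(lastchg)
            if age > MAX_AGE_DAYS:
                acct["issues"].append(f"stale_password:{age}d")
    return {n: a for n, a in accounts.items() if a["privileged_via"]}


def drift(inventory, model=MODEL):
    """Accounts whose actual privilege set differs from the permissions model."""
    return sorted(n for n, a in inventory.items() if set(a["privileged_via"]) != model.get(n, set()))


if __name__ == "__main__":
    inv = discover()
    for name, acct in inv.items():
        print(name, acct["privileged_via"], acct["issues"])
    print("not in model:", drift(inv))
```

On a real host the three inputs would be read from the files (root is needed for /etc/shadow), and the same walk would be extended to sudoers and to authorized_keys files, which grant privilege without any entry in /etc/group.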

Page 15:

Step 2: Implement Least Privilege on Endpoints

• Remove administrator rights

• Implement standard user permissions

• Enforce application control

• Eliminate multiple accounts

• Context-aware rules

• Session monitoring

• Privileged file monitoring

• Layered, multifactor authentication

• Auditing of privileged access

Asset & User Based: Windows & Mac OS X (Desktop, Laptop, Notebook, Tablet, Virtual, etc.)

Page 16:

Step 3: Leverage Application Risk Levels

• Limit application privileges to users and assets based on documentable risks

• Vulnerabilities, unmanaged, unauthorized, and privileged

• Measure risk for applications executed by user and asset

Page 17:

Step 4: Implement Least Privilege on Servers

Script & Command Auditing

• Scripts, commands & shells

• Session monitoring

• Keystroke logging

• Application logging

Privileges

• Auditing

• Context aware

• Application risk analysis

• Segmentation

Industry Standards

• Authentication

• Ticketing

• API integration

• Searching

• Alerting
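Steps 2 and 4 both call for application and command control with context-aware rules and auditing of privileged access. As an added example (not the deck's or BeyondTrust's code), the policy engine below authorizes an elevated command by matching the argv that will be executed against per-role rules, requires a change ticket as context for one rule, refuses programs that can spawn a shell once elevated (the reason allowlists that include vim or less are routinely bypassed; sudoedit is the fix for editing), and returns a who/what/where/when audit record for every decision. The roles, rules, host name and ticket number are assumptions.

```python
from datetime import datetime

# Assumed policy: role -> argv-level rules. Rules match the argv that will be exec'd,
# never a shell string, so shell metacharacters in arguments are never interpreted.
POLICY = {
    "webops": [
        {"cmd": "/usr/bin/systemctl", "args": ["restart", "nginx"]},     # exact argument list
        {"cmd": "/usr/bin/journalctl", "args_prefix": ["-u", "nginx"]},  # fixed head, free tail
        {"cmd": "/usr/bin/vim"},                                         # blocked below regardless
    ],
    "dba": [
        {"cmd": "/usr/bin/pg_dump", "ticket_required": True},           # context: change ticket
    ],
}
# Programs that can spawn a shell or read/write arbitrary files once elevated; granting them
# defeats the rest of the policy. For editing config files, sudoedit (sudo -e) is the fix.
SHELL_ESCAPES = {"/usr/bin/vim", "/usr/bin/vi", "/usr/bin/less", "/usr/bin/find",
                 "/bin/sh", "/bin/bash"}


def _matches(rule, argv):
    if rule["cmd"] != argv[0]:
        return False
    args = argv[1:]
    if "args" in rule:
        return args == rule["args"]
    if "args_prefix" in rule:
        return args[:len(rule["args_prefix"])] == rule["args_prefix"]
    return True


def authorize(user, groups, argv, host, when, ticket=None):
    """Decide whether `user` may run `argv` elevated; always return an audit record."""
    rec = {"who": user, "groups": sorted(groups), "what": argv, "where": host,
           "when": when.isoformat(), "ticket": ticket}
    if argv[0] in SHELL_ESCAPES:
        return {**rec, "decision": "deny",
                "reason": "shell escape: program can spawn a shell under elevation; use sudoedit or a wrapper"}
    for g in groups:
        for rule in POLICY.get(g, []):
            if not _matches(rule, argv):
                continue
            if rule.get("ticket_required") and not ticket:
                return {**rec, "decision": "deny",
                        "reason": f"{g} rule for {argv[0]} requires a change ticket"}
            return {**rec, "decision": "allow", "reason": f"matched {g} rule for {argv[0]}"}
    return {**rec, "decision": "deny", "reason": "no rule grants this command"}


def demo():
    """Constructed requests; CHG-1234 is an assumed ticket identifier."""
    t = datetime(2024, 3, 3, 10, 0, 0)
    requests = [
        ("alice", {"webops"}, ["/usr/bin/systemctl", "restart", "nginx"], None),
        ("alice", {"webops"}, ["/usr/bin/systemctl", "restart", "sshd"], None),
        ("alice", {"webops"}, ["/usr/bin/journalctl", "-u", "nginx", "--since", "today"], None),
        ("bob", {"dba"}, ["/usr/bin/pg_dump", "inventory"], None),
        ("bob", {"dba"}, ["/usr/bin/pg_dump", "inventory"], "CHG-1234"),
        ("carol", {"webops"}, ["/usr/bin/vim", "/etc/nginx/nginx.conf"], None),
    ]
    return [authorize(u, g, argv, "web01", t, ticket) for u, g, argv, ticket in requests]


if __name__ == "__main__":
    for record in demo():
        print(record["decision"], record["who"], record["what"], record["reason"])
```

Every record, allowed or denied, is the audit trail Step 4 asks for; shipping it to a central store rather than keeping it on the host is what makes the "who, what, where, when" answerable after a compromise.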

Page 18:

Step 5: Privilege Management on Network Devices

• Default or common passwords that are not configured correctly

• Shared credentials across multiple devices for management simplicity

• Excessive password ages due to fear of changing or lack of management capabilities

• Compromised or insider accounts making changes to allow exfiltration of data

• Outsourced devices and infrastructure where changes in personnel, contracts, and tools expose credentials to unaccountable individuals

Page 19:

Step 6: Privilege Management for Virtual and Cloud

Cloud-Agnostic – Private or Public

• License flexibility

• Asset inventory integration

• Docker and container aware

• Discover online and offline instances

• Leverage hypervisor APIs

• Agent technologies

• Respects OS and application hardening

• Fully automated for passwords & API

• Auditing, reporting and change-aware

• Proxy access

• Session management

Page 20:

Step 7: Privilege Management for IoT, IIoT, ICS, SCADA

(figure) Zones: Internet, Public, Private, Air-Gapped. Segmentation: Users, Servers, DMZ, Guest, Dumb Devices. Device Type & Risk: IoT, IIoT, ICS, SCADA. Communications and Restricted Lateral Movement; Privileged Access.

Page 21:

Step 8: Privilege Automation for DevOps

• Only allow approved assets; identify unacceptable variations

• Identify security risks and automatically remediate them

• Ensure configuration hardening

• Eliminate all locations for hard-coded credentials

• Platform-agnostic, from cloud to on premise

• Limit all users, including privileged access, in the DevOps automated workflow

• Provide security and performance visibility to ensure security and automation success
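Eliminating hard-coded credentials starts with finding them. As an added example, not the deck's or any vendor's code, the scanner below walks a constructed repository snapshot and reports AWS access key IDs, private key blocks, and name/value assignments whose name suggests a secret, while accepting values that are references resolved at deploy time (${VAR}, {{ var }}), which is the pattern Step 8 asks for. The regular expressions, placeholder list and file contents are assumptions; the AKIA.../wJalr... pair is the example key pair from AWS's own documentation, not a live credential.

```python
import re

# Constructed repository snapshot (file name -> content); nothing here is a real secret.
SAMPLE_FILES = {
    "config.yml": (
        "db_host: db.internal\n"
        'db_password: "Tr0ub4dor&3"\n'
        "api_key: ${VAULT_API_KEY}\n"  # injected at deploy time: the desired pattern
    ),
    "deploy.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "Dockerfile": "ENV DB_PASSWORD=changeme\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAAB\n",
}

# Patterns with a fixed shape are checked first and reported by kind.
SPECIFIC = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
]
# Generic "something_secret = value" assignment; the value may be a {{ template }} with spaces.
GENERIC = re.compile(
    r"\b\w*(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?"
    r"(?P<val>\{\{.*?\}\}|[^'\"\s#]+)",
    re.IGNORECASE,
)
# Values that are references resolved at deploy time rather than literal secrets.
TEMPLATE_REF = re.compile(r"\$\{?\w+\}?|\{\{.*\}\}")
PLACEHOLDERS = {"changeme", "password", "secret", "example", "todo", "xxx"}


def scan_text(name, text):
    """Return [{file, line, kind}] for every line that carries a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = next((k for k, rx in SPECIFIC if rx.search(line)), None)
        if kind is None:
            m = GENERIC.search(line)
            if not m:
                continue
            val = m["val"]
            if TEMPLATE_REF.fullmatch(val):
                continue  # injected from a vault or the environment, not hard-coded
            # A known default is still a credential an attacker will try first.
            kind = "weak_default" if val.lower() in PLACEHOLDERS else "hardcoded_secret"
        findings.append({"file": name, "line": lineno, "kind": kind})
    return findings


def scan(files):
    return [f for name, text in files.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']}")
```

Run as a pre-commit hook or a pipeline gate, a scanner like this fails the build on `hardcoded_secret` and `weak_default`; the remediation is to move the value into the secrets store and leave only the reference in the repository.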

Page 22:

Step 9: Privilege Management Unification

• Correlate data between disciplines

• Correlate data for risks

• Threat analytics

• Pivot privileged data

• Profile assets, users, and applications

• RBAC and grouping

• Workflow and process validation

• Third-party integration

(figure) Pillars: Enterprise Password Management, Privilege Management, Session Management, Advanced Reporting & Analytics, User Behavior Monitoring, Active Directory Bridging

Page 23:

Step 10: Privileged Account Integration

Page 24:

Step 11: Privileged Auditing and Recovery

• Audit and roll back changes, and identify who, what, where, and when they were performed.

• Restore from the Active Directory recycle bin without having to extract backups.

• Audit, report, and recover across complex Windows or heterogeneous environments.

Page 25:

Step 12: Integrate the Identity Access Stack

Page 26:

Page 27:

Morey J. Haber

• 20+ years security experience

• Articles on Secure World, Dark Reading, CSO Online, etc.

• Author of “Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations” & “Asset Attack Vectors” (covering Vulnerability Management), both available from Apress Media

Page 28:

PROVEN: 13,000+ customers worldwide; extensive partner community

COMPLETE: Comprehensive, integrated, intelligent PAM

LEADER: Gartner, Forrester, KuppingerCole

INNOVATIVE: 30+ years of privilege security firsts + expansive roadmap

Page 29:

PowerBroker Privileged Access Management Platform (On-Premise, Cloud, Hybrid)

(figure) Infrastructure: secure credentials with Privileged Identity and manage sessions with Privileged Access. Endpoints: Privilege Management. Secure Remote Access: empower and protect your service desk with the most secure Remote Support software.

Password & Session Management:

• Gain accountability over shared accounts

• Eliminate hard-coded passwords

• Monitor privileged sessions and user behavior

• Enforce appropriate credential usage

Privilege Management:

• Eliminate Admin\root rights

• Enforce application & command control

• Efficiently delegate Windows, Mac, Unix & Linux privileges and elevate

• Enforce appropriate use

• Risk based privilege decisions

Page 30:

PAM Industry Leader

(figure) Table 1. PASM Vendors and Their Key Capabilities

Leader: Forrester PIM Wave, 2016

Leader: Gartner Market Guide for PAM, 2017

Page 31:

Questions?

Morey J. Haber

Chief Technology Officer

[email protected]