26 June 2015

How Osirium defends against real world attacks

Andy Harris

Verizon’s 2015 Data Breach Investigation Report gives an in-depth analysis of 2,122 confirmed data breaches and nearly 80,000 security incidents in 2014. From this data we can see the real-world attack vectors and how effective they are against organisations. In this blog, we take these attack types and discuss how Osirium effectively counters them.

What the report shows

Verizon’s report shows how the actors executing cyberattacks have been changing over the years. Looking at nearly 80,000 security incidents, the bulk of threats (approx 80%) are external, there is a small but growing threat from partners (1.5%), and the rest are internal threats. When the data on actual successful breaches is looked at, internal attacks have a higher success rate.

Most of the attacks aim to gain access to data by exfiltrating privileged credentials, although some methods use a Command and Control process to gain proxy access to privileged accounts. The common factor is that they all make use of privileged accounts. Privilege is always needed to gain access to commercially sensitive data.

It is still the case that most credentials are simply stolen (approx 45%), by methods including shoulder surfing and exfiltrating password text files and spreadsheets. Phishing accounts for just over 20%, whereby a user is fooled into entering their privileged account details. Keylogging (approx 7%) has been on the decline over the years, but this is matched by an increase in RAM Scraping (just over 20%), a technique of reading data directly from operational memory, associated both with capturing credential hashes and with direct access to credit card details. In the case of RAM Scraping, whenever you map a drive or have a remote session to another machine, a hash of your credentials is held in memory. The hash is produced by a one-way algorithm, so there is no mathematical way to go from the hash back to the password. However, there is generally a one-to-one map between passwords and hashes: for example, ‘Password1’ will always map to the same hash. The internet is now a rich source of these hash mappings. If you or your staff are using one of the 3 million commonly found passwords, then a captured hash could point straight to their password.

Brute forcing is not specifically mentioned in the report against this data, however it is on the rise against ‘Point of Sale’ systems (6.8%), and indeed the report shows a shift towards breaking into organisations by hijacking POS devices and using their credentials to compromise payment systems. The point is that devices, as well as humans, can be privileged users.

Human factors

The decline of brute forcing and the increase in stealing credentials could be a strong indicator that the password message is getting through. Given enough motivation and rules, humans come up with good passwords; however, they are not so good at remembering them. Our research on our own Privileged Task Automation module shows us that by far the most popular task is ‘Domain Password Reset’. This then drives us humans to find places to store passwords. The criminal community then switches its efforts to the next weakest link: the places where we store the passwords, or fooling us into revealing them.

Separating people from passwords

Our PxM Platform separates the user from the privileged device and application they need. This is a very simple and effective approach. The users identify themselves to the PxM Platform and are presented with a list of the devices, applications, tasks and roles that have been assigned to them. On each choice, the platform performs the Single Sign-On (SSO) or initiates the task. The passwords are never revealed to the user and never cross into the domain of the user’s system. This means:

  • Stolen Credentials: credentials are not available at the desktop or on any mapped drive
  • Phishing: attackers cannot phish credentials a user doesn’t have or know
  • RAM Scraping is avoided, as no hashes are held on the user’s system since Osirium is handling the remote sessions
  • Long, machine-generated complex passwords are created and refreshed for all the accounts, making Brute Forcing difficult
  • The need for VPNs is avoided by giving third parties and contractors access to only the systems they need, and only within the role assigned to them, protecting against Third Party Compromise.
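The separation described above, modelled as an added example (this is not Osirium’s code; the `Broker`, `Session` and target names are assumptions): the broker holds the vault and performs the logon on the user’s behalf, the user receives only an opaque session handle, credentials are machine-generated and rotated, and every access attempt is recorded.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class Session:
    """Handle returned to the user: deliberately carries no credential."""
    user: str
    target: str
    role: str
    session_id: str


class Broker:
    """Constructed model of a privilege broker sitting between user and device."""

    def __init__(self):
        self._vault = {}        # target -> {"account", "password"}; never returned
        self._assignments = {}  # user -> {target: role}
        self.audit = []         # who did what, where (and what was refused)

    @staticmethod
    def generate_password(length=32):
        # Long, machine-generated passwords that no human is ever told.
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def enrol_target(self, target, account):
        self._vault[target] = {"account": account, "password": self.generate_password()}

    def rotate(self, target):
        self._vault[target]["password"] = self.generate_password()

    def assign(self, user, target, role):
        self._assignments.setdefault(user, {})[target] = role

    def list_targets(self, user):
        # Only the systems prescribed for this user are visible; nothing to scan.
        return sorted(self._assignments.get(user, {}))

    def _logon(self, target, account, password):
        # Stand-in for the real SSO / secure tunnel to the device.
        return bool(target and account and password)

    def open_session(self, user, target):
        role = self._assignments.get(user, {}).get(target)
        if role is None:
            self.audit.append({"user": user, "target": target, "result": "DENIED"})
            raise PermissionError(f"{user} is not assigned to {target}")
        cred = self._vault[target]
        if not self._logon(target, cred["account"], cred["password"]):
            raise RuntimeError(f"logon to {target} failed")
        session = Session(user, target, role, secrets.token_hex(8))
        self.audit.append({"user": user, "target": target, "role": role,
                           "result": "OK", "session_id": session.session_id})
        return session
```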

Dealing with the Insider and Third Party threats

People need privileges to get work done. Quite often some of the most privileged tasks are outsourced (e.g. system management and anti-malware management). In many cases these tasks are outsourced again to niche specialists, or to wherever IT labour is cheapest. The contract is then the only basis of trust you have with your outsource suppliers.

Many of the outsourced tasks are repetitive, for example AV tool updates and help desk functions. Whilst the tasks themselves would require considerable privilege, it’s not always necessary to grant that privilege to the operators. Osirium’s Privileged Task Automation module allows you to package and parameterise such tasks.

At the end of the day, there are always some users who will abuse the privileges granted to them (55% of insider attacks according to the Verizon report). After the PxM Platform has helped to deliver a ‘least privileged model’ there is still a chance that the remaining privileges will be abused. As a deterrent, the PxM Platform has Privileged Session Management. This records sessions along with keystrokes and therefore clearly assigns who did what and where on your systems.

This functionality is wrapped up as Third Party Access Protection, and means that:

  • Operators are not granted privileges that could be stolen in the first place; instead tasks are automated, and privilege is elevated only when needed
  • There is no longer direct access to the applications, since the PxM Platform starts them on behalf of the users. Background processes cannot be started or used, since the secure tunnels that Osirium provides would not be available to them. The only option is to take over the foreground process, which is directly under the eyes of the user.
  • If a privileged user knows that all their actions are recorded, they are much less likely to transgress in the first place; the recording acts as a deterrent.
  • There is no opportunity to scan the network, as the PxM Platform prescribes exactly which systems and which roles can be used.

If you’d like to find out about the PxM Platform, Contact us.