26 June 2015

How Osirium’s PxM Platform defends against real world attacks

Andy Harris

There is a serious threat against privileged accounts. The Verizon 2015 Data Breach Investigations Report gives an in-depth analysis of 2,122 confirmed data breaches, drawn from an estimated 80,000 security incidents in 2014. From this data we can see the real-world attack vectors and how effective they are against organisations.

Here we take each of the threats in turn and show how the PxM Platform counters them. Before we start, the report shows how the threat actors have been changing over the years: the bulk of incidents (approx. 80%) come from external actors, there is a small but significant and growing threat from partners (1.5%), and the rest are internal. These figures are based on the near 80,000 security incidents; among confirmed breaches, internal attacks show a higher success rate.

The 2015 report differs from the 2014 format. This year Verizon have chosen to show the methods used to gain access to the data. Most of those methods involve stealing privileged credentials; some instead use a command-and-control process to gain access to privileged accounts.

Privileged Accounts – the common factor

The common factor is plain to see: every one of these methods makes use of privileged accounts. Privilege is always needed to gain access to sensitive data.

It is still the case that most credentials are stolen (approx. 45%). The methods include:

  • Shoulder surfing, and exfiltrating password text files and spreadsheets.
  • Phishing (over 20%), which is broken out as a separate item. In this context it means fooling the user into entering their privileged account details.
  • Keylogging (approx. 7%), which has declined over the years. This is matched by an increase in RAM scraping (over 20%), a technique for reading data straight out of a running system's memory. It is associated both with capturing credential hashes and with direct access to credit card details.

RAM Scraping

To expand a little on RAM scraping: whenever you map a drive or open a remote session to another machine, a hash of your credentials is cached in memory on the machine you are working from. The hash comes from a one-way algorithm, so there is no mathematical way to go from the hash back to the password. But the mapping is deterministic and, for Windows NT hashes, unsalted: ‘Password1’ will always produce the same hash, on every machine. The internet is now a rich source of these hash-to-password mappings. So, if you or your staff are using one of the 3 million found passwords, a captured hash can point straight to the password.
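To make the hash-mapping point concrete, here is an added example that is not from the article and not Osirium's code. It computes Windows NT hashes (unsalted MD4 over the UTF-16LE password) for a small constructed wordlist and shows a hash "scraped" from memory being looked up. The functions `md4`, `nt_hash`, `build_lookup` and `recover`, the wordlist and the scraped value are all constructed for illustration; MD4 is implemented in pure Python because many OpenSSL builds disable the legacy md4 algorithm in `hashlib`.

```python
"""Added example: why a captured, unsalted credential hash can point straight
at a password. Not from the article; all inputs below are constructed."""
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320, in pure Python."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & MASK & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the bit length as a little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, shift amounts, message-word order)
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4   # the register updated this step cycles a, d, c, b
                mixed = fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                v[j] = rotl((v[j] + mixed + x[k] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Windows NT hash: unsalted MD4 over the UTF-16LE encoding of the password.
    No salt means the same password yields the same hash on every machine."""
    return md4(password.encode("utf-16le")).hex()


def build_lookup(wordlist):
    """Precompute hash -> password for a wordlist: what a leaked-password
    lookup site holds, at far larger scale."""
    return {nt_hash(p): p for p in wordlist}


def recover(captured_hash: str, table: dict):
    """Map a hash scraped from memory back to a password, if it is a known one."""
    return table.get(captured_hash.lower())


if __name__ == "__main__":
    # Constructed wordlist standing in for the millions of leaked passwords online.
    table = build_lookup(["letmein", "Password1", "Summer2015", "Welcome1"])
    # Constructed "scrape": the NT hash of a staff member's password, read from memory.
    scraped = nt_hash("Password1")
    print(scraped, "->", recover(scraped, table))
    strong = nt_hash("q7!Hb2#xP9zL$wK0")   # constructed long password, not on the list
    print(strong, "->", recover(strong, table))
```

Two things follow. The lookup only fails when the password is not on the list, which is why long, machine-generated passwords that no human ever types matter. And for NTLM the hash itself is often enough: it can be replayed to authenticate without being cracked at all (pass-the-hash), so keeping privileged-account hashes off user workstations matters more than whether the hash can be reversed.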

This year, brute forcing is not mentioned among the attacks on data. But it is on the rise against point-of-sale systems (6.8%). Indeed, the report shows a shift towards breaking into organisations by hijacking POS devices and then using the credentials those devices hold to compromise payment systems. The point here is that devices, as well as humans, can be privileged users.

Human Factors

The decline of brute forcing and the increase in credential theft is a strong indicator that the message is getting through. Given enough motivation and rules, humans come up with good passwords, yet they are not so good at remembering them. Our research on our own Privileged Task Management module shows that by far the most popular task is ‘Domain Password Reset’. This drives us humans to find places to store passwords, and the criminal community then switches its efforts to the next weakest link: the places where we store the passwords, or simply fooling us into revealing them.

The PxM Platform separates users from the privileged device and application accounts they need.

This is a simple and effective approach. Users identify themselves to Privileged User Management and receive a list of their assigned devices, applications, tasks and roles. On each choice, the Platform performs the single sign-on or initiates the task. The passwords are never revealed to the user and never cross into the domain of the user's own system.

Stolen credentials. These are not available at the desktop or on any mapped drive.

Phishing. Attackers cannot phish credentials a user does not have and does not know.

RAM scraping. No privileged-account hashes are left on the user's system, since the PxM Platform, not the user's workstation, holds the remote sessions.

Brute forcing. The PxM Platform creates and refreshes long, complex, machine-generated passwords for all the privileged accounts it manages.

Third-party compromise. The Platform avoids the need for VPNs and the like by giving third parties and contractors access only to the systems they need, and only within the role assigned to them.

Dealing with the insider and partner threat

People need privileges to get work done. Quite often some of the most privileged tasks (e.g. system management and anti-malware management) are outsourced, and those outsourced tasks are often outsourced again, to niche specialists or to wherever IT labour is cheapest. The contract is then the only basis of trust you have with your outsourced suppliers. Many Managed Service Providers realise this and use our Platform themselves, both to control access to their own systems and to their customers' systems.

Many of the outsourced tasks are repetitive; AV tool updates and help-desk functions are good examples. Whilst the tasks themselves need considerable privilege, it is not always necessary to grant that privilege to the operators. The Privileged Task Management module allows you to package and parameterise tasks, so the operator supplies only the parameters and the Platform runs the task under the privileged account.

At the end of the day there are always some users who will abuse the privileges granted to them (55% of insider attacks according to the Verizon report). Even after the Platform has helped to deliver a least-privilege model, there is still a chance that the remaining privileges will be abused. As a deterrent, the PxM Platform comes with Privileged Session Management, which records sessions along with keystrokes and thus attributes who did what, and where, on your systems.

This functionality is packaged as Third Party Access Protection:

Privilege elevation. With Task Management, operators are not granted the privileges in the first place.

Command-and-control crimeware. This no longer has direct access to the applications, since the Platform starts them on behalf of the user. It cannot start or use background processes, because the secure tunnels the Platform provides are not available to them. Its only option is to take over the foreground process, which is under the eyes of the user.

Malpractice. If the user of a privileged account knows that all their actions are recorded, they are much less likely to transgress in the first place.

Third-party access to unauthorised systems. The Platform prescribes exactly which systems and which roles can be used. There is no opportunity to scan the network.
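The separation described above (users see only their assigned targets, the Platform signs on for them, packaged tasks run without handing the operator the privilege, and every action is attributed to a named person) is easiest to understand as a small access broker. The following is an added example, hypothetical code written for this page and not Osirium's PxM Platform; the `Broker`, `Session` and `Task` classes, the `update_av` task, the hosts, users, roles and credentials are all constructed.

```python
"""Minimal privileged-access broker: an added illustration of the separation
the article describes. Hypothetical example code, not Osirium's PxM Platform;
every user, role, host and credential below is constructed."""
import re
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    """What a user receives: an opaque handle. The target's password is not in it."""
    id: str
    user: str
    target: str


@dataclass
class Task:
    """A packaged, parameterised task: a command template plus an anchored
    allowlist regex per parameter, so operator input cannot reshape the command."""
    template: str
    params: dict


class Broker:
    def __init__(self, vault, roles, users, tasks):
        self._vault = dict(vault)   # target -> (account, password); stays server-side
        self._roles = roles         # role -> {"targets": set(), "tasks": set()}
        self._users = users         # user -> role
        self._tasks = tasks         # task name -> Task
        self.audit = []             # (user, where, what): stand-in for session recording

    def _deny(self, user, where, reason):
        """Refusals are recorded too: attempts are as interesting as successes."""
        self.audit.append((user, where, "DENIED: " + reason))
        raise PermissionError(reason)

    def _role(self, user):
        if user not in self._users:
            self._deny(user, "-", f"unknown user {user!r}")
        return self._roles[self._users[user]]

    def list_targets(self, user):
        """A user's whole view of the estate: only assigned targets, nothing to scan."""
        return sorted(self._role(user)["targets"])

    def open_session(self, user, target):
        """Single sign-on on the user's behalf: the credential is looked up and
        used here, and the caller gets only a session handle."""
        if target not in self._role(user)["targets"]:
            self._deny(user, target, f"{user} is not assigned to {target}")
        account, _password = self._vault[target]   # would be used to connect; never returned
        session = Session(id=secrets.token_hex(8), user=user, target=target)
        self.audit.append((user, target, f"opened session {session.id} as {account}"))
        return session

    def run_task(self, user, task_name, **args):
        """Run a packaged task under the privileged account without the operator
        ever holding that privilege. Every argument must match its allowlist."""
        if task_name not in self._role(user)["tasks"]:
            self._deny(user, task_name, f"{user} may not run {task_name}")
        task = self._tasks[task_name]
        if set(args) != set(task.params):
            self._deny(user, task_name, f"expected parameters {sorted(task.params)}")
        for name, value in args.items():
            if not re.fullmatch(task.params[name], value):
                self._deny(user, task_name, f"parameter {name}={value!r} fails allowlist")
        command = task.template.format(**args)
        self.audit.append((user, args.get("host", task_name), command))
        return command   # a real broker would execute this over its own session

    def rotate(self, target, length=32):
        """Replace a managed account's password with a long machine-generated one.
        Nobody needs to know it, so nobody has to store or remember it."""
        account, _ = self._vault[target]
        self._vault[target] = (account, secrets.token_urlsafe(length))
        self.audit.append(("broker", target, f"rotated password for {account}"))


# Constructed sample estate.
SAMPLE_VAULT = {"db01": ("root", "constructed-initial-secret"),
                "web01": ("Administrator", "constructed-initial-secret")}
SAMPLE_ROLES = {"dba": {"targets": {"db01"}, "tasks": set()},
                "av-contractor": {"targets": set(), "tasks": {"update_av"}}}
SAMPLE_USERS = {"alice": "dba", "bob@msp.example": "av-contractor"}
SAMPLE_TASKS = {"update_av": Task(
    template="ssh {host} sudo /opt/av/update --signatures {version}",
    params={"host": r"web0[1-9]", "version": r"\d{4}\.\d{2}\.\d{2}"})}


if __name__ == "__main__":
    broker = Broker(SAMPLE_VAULT, SAMPLE_ROLES, SAMPLE_USERS, SAMPLE_TASKS)
    print(broker.open_session("alice", "db01"))
    print(broker.run_task("bob@msp.example", "update_av", host="web01", version="2015.06.26"))
    for attempt in (lambda: broker.open_session("bob@msp.example", "db01"),
                    lambda: broker.run_task("bob@msp.example", "update_av",
                                            host="web01; cat /etc/shadow", version="2015.06.26")):
        try:
            attempt()
        except PermissionError as exc:
            print("refused:", exc)
    broker.rotate("web01")
    for entry in broker.audit:
        print(entry)
```

The allowlist check in `run_task` is the part worth copying: once an operator can supply parameters to a privileged task, those parameters are an injection surface, and validating each one against an anchored pattern before it is templated into the command is what keeps "restart the AV update on web01" from becoming "run anything as root on web01". The audit list records the named user, not the shared `root` or `Administrator` account, which is what makes the session record attributable.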