Most common breaches begin with the hacker gaining access to a privileged account, so securing these accounts is critical.
In March, the United States Federal Bureau of Investigation (FBI) notified Citrix Systems that it was likely being targeted by an Iranian-linked hacking group named Iridium. Although details remain undisclosed, Citrix confirmed that the attackers accessed and downloaded documents important to the business.
The attackers used a brute-force technique called “password spraying” to breach the network. Many companies attempts to prevent brute-force attacks by locking an account if repeated access attempts with an incorrect password occur within a specific time span. The “password spraying” method circumvents this traditional lockout security policy by using the same passphrase on many different accounts before circling back through them.
Privileged Access Management
Privileged Access Management (PAM) is the set of processes and technologies an organization uses to secure and manage access to critical assets. One PAM tenant is to properly enforce user account policy. Follow these best practices in order to maximize account security:
- Employ the principle of least privilege; reduce the privilege level of each employee to only what is essential. This strategy facilitates monitoring privileged activity and reduces the number of high-priority accounts to protect.
- Enforce separation of duties; grant users access only in their responsible domains. If an attacker gains access to a privileged account, this will make it more difficult for him to move laterally in the network.
- Disallow account sharing; make use of multi-factor authentication and account activity logging to ensure that each account and its user are held accountable for their actions.
- Refrain from using default Administrator accounts; default accounts are often targeted by attackers. Activity from default accounts is difficult to attribute to a specific employee, making it challenging to determine if the activity is legitimate. If a default account is showing significant atypical activity this is an easy indicator of a possible breach.
- Keep an up-to-date log of privileged accounts; over time employees will change, as well as the list of required privileged accounts. Ensure effective management policies are in place to reduce inactive or unnecessary privileged accounts and to update security teams, especially any outsourced managed security providers, of relevant changes.
- Enforce password policies; users should have complex passwords and be required to change them regularly.
In addition to processes and policies, PAM may include using technologies to enforce security policies and manage privileged accounts. Specifically, local security policies and group policies should be well-maintained on Windows Domains. Services from providers such as Thycotic, BeyondTrust, etc. help advance the level of control in IT environments. These technologies and services offer the following capabilities:
- Whitelist/blacklist specific applications and processes
- Manage administrative rights
- Manage access requests
- Monitor and record sessions
- Store passwords and enforce password policy
While these technologies add additional control, monitoring, and safeguards, many companies unfortunately cannot always afford these often high-priced solutions or have difficulty setting up and managing them. Furthermore, attackers often target other systems not managed by PAM technology solutions or know how to circumvent them (for example, by stealing a corporation’s white-listed certificate and signing their malware with it). Finally, while multi-factor authentication should always be enabled for all capable systems, attackers continue to find ways around it as evidenced by the Citrix attack.
Improving Detection and Rapid Response
Properly securing and maintaining privileged accounts is essential. Unfortunately, advanced hackers continue to discover vulnerabilities, exploits, and tactics to breach well-secured IT infrastructures. For example, requiring users to regularly change their passwords increases security, but many people change their passwords in predictable ways, e.g. changing only a few characters or appending numbers or letters.
Although attackers may create activity or event logs when using compromised privileged accounts to access critical assets and information, the use of legitimate privileged accounts makes it difficult for many traditional security platforms to identify such abuse. For example, file shares are a desirable target for hackers, but also are used for legitimate activity. Organizations need to closely monitor these activities 24 hours a day, 7 days a week.
Blackpoint’s 24/7 Managed Detection and Response (MDR) service keeps a constant watch over all privileged activity occurring on the network. Our live monitoring detects in real-time high-risk, privileged activity and our patented technology allows our analysts to investigate the activity to quickly determine its intent. We can detect unusual lateral movement within a network as well as remote access to critical assets.
When our MDR analysts discover malicious activity they can take immediate response by isolating compromised devices, preventing the attack from spreading across the network. If the attacker is executing a vertical privilege escalation, which is when an attacker compromises a lower-level account and then uses it to gain higher-level privileges, Blackpoint’s MDR analysts can immediately terminate any processes being used to carry out the attack.
To learn more or to schedule a demo of Blackpoint’s technology, please visit