By Morey Haber, CTO & CISO, BeyondTrust
The near-perfect personal attack vector is “shoulder surfing.” If you are not familiar with the concept, it is literally a threat actor looking over your shoulder and observing everything you type, see on the screen and interact with in the physical world, including paper, pens and even removable media.
Shoulder surfing is the ultimate method a threat actor can use to compromise a system because the only countermeasures are to say “no,” obscure the screen with a polarizing filter and shield the keyboard from view. Neither of these, however, is typically present in a corporate environment when dealing with trusted individuals. But what about untrusted identities?
This is where session monitoring fills the gap and provides a valuable tool to determine if remote access is appropriate. This is just like a trusted individual looking over your shoulder to teach or assist you in troubleshooting, configuration or setup of a solution when the knowledge from both (or more) individuals is needed to complete the task. My company provides privileged access management solutions, so I’m paying close attention to the session monitoring space.
But before we dive into session monitoring, we need to draw the analogy a little tighter and translate its importance to the cloud. Over the last decade, we have seen exponential growth in the number of cameras on cell phones, within homes, present within businesses and in the public looking for potential social disruptions. Cameras are similar to over-the-shoulder attacks because they provide a view (with optional audio) of what is occurring within their field of view or frame. Using advanced software, they can identify people (tagging) and suspicious behavior (using artificial intelligence or motion-based detection) and even see in the dark.
When dealing with the cloud, there is no physical presence: it is someone else’s computer, and for the most part it is based on Linux. Over-the-shoulder attacks can therefore only occur in the cloud when remote sessions are established. This is where session monitoring comes into play. It is the only way to record (like a camera) the activity of a cloud session and to determine whether the activity was appropriate. While this model also holds for remote sessions on-premise, it is the only viable method for the cloud because of the lack of computing ownership, physical presence and interactive session methods available today. These sessions are typically VNC-, SSH-, RDP- or HTTPS-based. Session monitoring provides the documentation needed later to review, analyze and determine whether the session was authorized, whether it contained malicious behavior and whether it was appropriately conducted.
So how does session monitoring work? Based on the protocol (this is where Windows or other graphic sessions are different), all text on the screen and keystrokes are recorded (excluding passwords). These are inspected in real time for critical pattern matches that can trigger automated actions like alerting, session pausing and even session termination. The list is typically defined by administrators, but most vendors provide a critical list out of the box governing database commands, lateral movement, sensitive operating system commands and other suspicious behavior.
The data is captured and indexed for future searching and audit reviews and typically processed via a security information and event management (SIEM) or analytics engine for advanced user behavior based on time, data source, concurrent sessions, users, commands and so on. The result is as close to the over-the-shoulder recording as you can provide, for viewing or reviewing at a later time, when no physical presence is possible.
What is often overlooked is the sensitivity of the recorded sessions themselves and the need to secure them, just like the footage from cameras in your home. Protecting the recordings matters as much as preventing an over-the-shoulder attack in the first place: access to them needs to be restricted.
Finally, not all protocols used for session monitoring are the same. Text-based sessions like SSH are easily captured and indexed, and alerts can be raised on characters shown on the screen or entered on the keyboard. Graphic and web-based sessions are different. These remote sessions are typically RDP, VNC or HTTPS (using a browser). Keystrokes and command prompts are easy to capture, but text in a graphics window can be embedded, displayed as graphics or spread across multiple screens, or even rendered by a plug-in like Flash.
This is where session monitoring benefits from monitoring mouse clicks, processes launched and titles in application frames. This data is not as complete as logging everything in an SSH session, but it helps provide the visibility necessary to determine if the remote session is appropriate and if malicious behavior is potentially occurring. It is as close to over-the-shoulder monitoring as you can get for graphic sessions, as well.
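The pipeline described above (record keystrokes and screen text while excluding passwords, inspect each event in real time against a rule list that can alert, pause or terminate the session, and index everything for later search) can be modelled in a few dozen lines. The following is an added example written for this article; it is not BeyondTrust’s code and the rule list is a constructed illustration, not any product’s out-of-the-box set. It also covers the graphic-session case from the previous paragraph by accepting process-launch and window-title events for an RDP session alongside keystroke and screen events for an SSH session. Session identifiers, hostnames and commands in the demo are constructed sample data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed rule list: (name, event kinds inspected, regex, automated action).
# Illustrative only; it is not any vendor's shipped rule set.
RULES = [
    ("db-dump",          ("keystroke",),              r"\b(mysqldump|pg_dump)\b",        "alert"),
    ("lateral-movement", ("keystroke",),              r"^\s*(ssh|psexec)\b",              "pause"),
    ("shadow-file",      ("keystroke", "screen"),     r"/etc/shadow",                     "terminate"),
    ("cred-tool-window", ("window_title", "process"), r"(?i)credential manager|mimikatz", "terminate"),
]
COMPILED = [(n, kinds, re.compile(rx), act) for n, kinds, rx, act in RULES]

@dataclass
class Session:
    session_id: str
    protocol: str                               # "ssh" or "rdp" in this demo
    events: list = field(default_factory=list)  # recorded (seq, kind, text)
    hits: list = field(default_factory=list)    # (seq, rule name, action)
    state: str = "active"                       # active | paused | terminated
    expect_secret: bool = False                 # next keystroke line is a password

class SessionMonitor:
    def __init__(self):
        self.sessions = {}
        self.index = defaultdict(set)           # token -> {(session_id, seq)}

    def open(self, session_id, protocol):
        self.sessions[session_id] = Session(session_id, protocol)

    def record(self, session_id, kind, text):
        """Store one event, index it and run real-time inspection. Returns the session state."""
        s = self.sessions[session_id]
        if s.state == "terminated":
            return s.state                      # a terminated session accepts nothing further
        seq = len(s.events)
        # Password exclusion: the keystroke line typed after a password prompt
        # is stored redacted and is neither pattern-matched nor indexed.
        if kind == "keystroke" and s.expect_secret:
            s.events.append((seq, kind, "<redacted>"))
            s.expect_secret = False
            return s.state
        if kind == "screen" and re.search(r"password:\s*$", text, re.I):
            s.expect_secret = True
        s.events.append((seq, kind, text))
        for tok in set(re.findall(r"[\w./\\-]+", text.lower())):
            self.index[tok].add((session_id, seq))
        # Real-time inspection: every matching rule is logged; the strongest action wins.
        for name, kinds, rx, action in COMPILED:
            if kind in kinds and rx.search(text):
                s.hits.append((seq, name, action))
                if action == "terminate":
                    s.state = "terminated"
                elif action == "pause" and s.state == "active":
                    s.state = "paused"
        return s.state

    def resume(self, session_id):
        """An administrator may resume a paused session after reviewing the hit."""
        s = self.sessions[session_id]
        if s.state == "paused":
            s.state = "active"
        return s.state

    def search(self, term):
        """Audit-time lookup over the index: which sessions/events contained this token?"""
        return sorted(self.index.get(term.lower(), ()))

    def siem_records(self, session_id):
        """Flatten a session's rule hits into dicts suitable for forwarding to a SIEM."""
        s = self.sessions[session_id]
        return [{"session": session_id, "protocol": s.protocol, "seq": seq,
                 "rule": name, "action": action, "text": s.events[seq][2]}
                for seq, name, action in s.hits]

def run_demo():
    """Feed constructed events for two SSH sessions and one RDP session; returns the monitor."""
    m = SessionMonitor()
    m.open("ssh-42", "ssh")
    m.record("ssh-42", "screen", "admin@db01's password:")
    m.record("ssh-42", "keystroke", "hunter2")                         # redacted, never indexed
    m.record("ssh-42", "keystroke", "mysqldump --all-databases > /tmp/all.sql")
    m.record("ssh-42", "keystroke", "cat /etc/shadow")                 # terminates the session
    m.record("ssh-42", "keystroke", "ssh backup@10.0.0.5")             # dropped: already terminated
    m.open("ssh-43", "ssh")
    m.record("ssh-43", "keystroke", "ssh jump.internal")               # paused pending review
    m.open("rdp-7", "rdp")
    m.record("rdp-7", "process", "explorer.exe")
    m.record("rdp-7", "window_title", "Credential Manager")            # graphic session: title match
    return m

if __name__ == "__main__":
    mon = run_demo()
    for sid, sess in mon.sessions.items():
        print(sid, sess.state, mon.siem_records(sid))
```

The two design points worth noticing are that redaction happens before indexing (so a password can never be recovered from the search index or the SIEM feed) and that the strongest action is applied immediately while every weaker match is still logged, so the audit trail of a terminated session shows what preceded the termination.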
Session monitoring is a critical buying requirement when working with the cloud. It is the only method to observe, document, record and detect inappropriate behavior when access is always initiated remotely. While other techniques can monitor other protocols or API-based access to the cloud, only session monitoring can capture the real-time behavior of interactive users and their interactions. And if users know they are being recorded (or shoulder surfed electronically), the deterrent alone may be enough to curb some malicious behavior or even innocent snooping.
About the Author
Mr. Haber has more than 20 years of IT industry experience and is the author of Privileged Attack Vectors and Asset Attack Vectors. He joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing privileged access management, remote access, and vulnerability management solutions, and BeyondTrust’s own internal information security strategies. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures for Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.