By Raj Dodhiawala, President, Remediant
Lateral movement using compromised admin credentials is integral to almost all ransomware and malware attacks today. Specifically exploiting privilege sprawl—or the always-on, always-available administrative access to servers, workstations, and laptops—has become a lucrative opportunity for cyber attackers, allowing them to significantly increase their rate of success with stolen credentials and elevated privileges and, due to implicit trust between systems, the ease of damaging lateral movement. According to Verizon’s 2021 DBIR report, 74% of cyber-attacks are caused by privilege misuse or compromise, and for every cybersecurity team, that administrative access sprawl and high risk of lateral movement pose as serious, everyday threats to their resilience to cyberattacks.
To prevent lateral movement attacks resulting from stolen and misused privilege access, information security teams are increasingly embracing the Principle of Least Privilege (PoLP), which NIST defines as “the principle that users and programs should only have the necessary privileges to complete their tasks.” It states that for any user or program that needs elevated privileges to complete its task or function, IT teams must enable the least amount of privilege, no more and no less, to get the job done. This directly emphasizes authorization — meaning that escalated user privileges must only be allowed to match the computing goals of the task at hand.
While the benefits of PoLP are obvious, there are several challenges that can often get in the way of achieving them – whether due to the complexity of implementation or the inability to adapt ingrained processes. For example, unlike Linux’s sudoers subsystem, Windows systems do not provide granular controls for the tasks an administrative user can or cannot perform. Group Policies also only go so far, especially since interactions between multiple policies may negate effects to achieve granular control. It’s actually quite common for an enterprise’s Active Directory to have Nested Groups, Domain Admins and Backup Admins, and all other privilege groups containing broad, obfuscated, and over-permission configurations that either contradict or cancel out any least privileged controls in place.
One of the biggest issues with PoLP is that time is not explicitly called out as a privilege, and thus is simply not considered at all when conferring the least privileges. Let’s go back to the always-on, always-available administrative access, but now, the access is constrained to the least computing privileges required for the task at hand. The fact that all systems have standing privileges defeats the goal of granular control, because an administrator on one system labeled trustworthy can, per convenience or with malintent, administer all other systems they have standing privileges on, effectively making the principle of least privilege null and void.
The first step in addressing time is through what Gartner calls Zero Standing Privilege (ZSP), or the removal of all standing privileges and the implementation of Just-In-Time administration (JITA). First, ZSP removes the privilege sprawl. Then, JITA, bolstered by multi-factor authentication (MFA), selectively elevates privileges to the specific system that requires attention, exactly when the administration is needed, and for just the right amount of time necessary to complete the task. If cyber thieves (or insiders) were to get a foothold on a system, the window of opportunity to steal admin credentials would be significantly narrowed, and most importantly, they wouldn’t find a plethora of administrative access available to exploit and use to move laterally within the organization.
By combing the Principle of Least Privilege with Zero Standing Privilege and Just-In-Time administration, companies ensure:
- Measurable reduction of attack surfaces by reducing privilege sprawl, making it less likely, if not impossible, to hack additional privileged credentials
- The prevention of lateral movement, due to the absence of persistent admin accounts on other systems; if a privilege credential attack does occur, it is contained to a single system
- Further reduction of risk by using MFA and on-demand, real-time provisioning, and de-provisioning of access as and when required for the task at hand
- Protection from insider threats by reducing the likelihood and impact of employee negligence or intended error by leveraging unnecessary access
- More effective incident response actions by removing admin accounts during an event, stopping any ongoing incident from installing malware on other systems or proliferating on the network
- Collectively, these benefits enable governance of privilege and increase maturation toward Zero Trust
While the Principle of Least Privilege is an important starting point for organizations, it remains incomplete or is weakened by ignoring the element of time. The practice of Zero Standing Privilege and Just-In-Time administration adds the time-based protective layer companies need at entry points and to prevent lateral movement malicious actors use to readily attack and breach their systems today.
About the Author
Raj Dodhiawala, President, Remediant, Inc. Raj Dodhiawala has over 30 years of experience in enterprise software and cybersecurity, primarily focused on bringing disruptive enterprise products to new markets. Currently serving as President of Remediant, he is bringing focus, agility and collaboration across sales, marketing, finance, and operations and leading the company through its next phase of growth.