Author: Morey Haber, CTO, BeyondTrust
No one wants to respond to a security incident or a breach, particularly at the start of a new year! Instead, the highest priority should be to stop a cyber threat before it compromises the organization. In reality, though, preventing a cyber attack from landing is not always possible. The steps for identifying an incident or breach, from threat hunting to searching for explicit Indicators of Compromise (IoCs), are well established. While the processes vary from organization to organization, malware, compromised accounts, lateral movement, and so on will all need to be addressed as part of any formal clean-up plan.
If a breach is severe enough (for example, if it includes the compromise of domain controllers), organizations may have no choice other than to reinstall the entire environment from scratch. While that is a worst-case scenario, it does happen. In many cases, businesses may choose to scrub servers as best they can rather than perform a complete reinstall. That is a business decision based on risk, feasibility, and cost. It also represents a no-win scenario if the threat is a persistent presence that uses techniques to evade traditional identification measures. If you think that is far-fetched, just look at the history of threats like rootkits, Spectre, and Meltdown, which prove that there is always a way to attack a technology resource.
Threat actors are after your credentials
Regardless of your remediation strategy, you can be assured that, in one fashion or another, threat actors will have access to your credentials. This implies that any clean-up effort should not reuse any existing passwords or keys. If possible, you should change (rotate) all credentials across every affected or linked resource. This is where Privileged Access Management (PAM) comes into play. As remediation efforts begin, the clean-up or redeployment needs to be protected from password reuse and from a threat actor regaining a persistent presence due to poor credential management.
Password management is a core aspect of PAM, and includes the automatic onboarding, rotation, session management, reporting, and check-in and check-out of passwords from a password safe. While PAM technology is most prominently used for privileged passwords like administrator, root, service accounts, and DevOps secrets, it can also be used as a least privilege solution to remove administrative rights for applications and tasks. This means that end users would no longer have, or need, a secondary administrator account to perform business functions.
PAM’s role in clean-up after a breach
With this in mind, how does PAM help with security breach clean-up? During a security incident or breach, you first need to investigate and address the following:
- Determine which accounts were compromised and used for access and lateral movement.
- Determine where any linked, compromised accounts are present and which resources use them. For example, the same account that was compromised on asset X or application Y is also used on assets A, B, and C for applications D, E, and F so they can all communicate.
- Identify and purge any illicit or rogue accounts created by the threat actor.
- Identify, and remove or segment, any shadow IT, IoT, or other resources that were part of the cyber attack chain, to protect against future threats.
- Analyze the accounts that have been compromised and determine the least amount of privileges needed for them to perform their functions. Most users and system accounts do not require full domain or local administrator or root accounts.
- Analyze how data was used or accessed by the attacker during the breach. Was any IoC data captured during the abuse of the privileged account? If data was captured, did it help to identify the threat? If data was not captured, determine what needs to change to monitor future misuse of privileged accounts. This includes privileged account usage as well as session monitoring and keystroke logging, where appropriate.
This analysis is not trivial. Tools are needed to discover accounts, identify resources, determine usage patterns, and, most importantly, flag any potential abuse. Even if all the log data is sent to a security information and event management (SIEM) system, correlation or user behavior analytics is still required to answer these questions.
Once you have completed the initial investigation, here are five ways PAM can help after a breach. Each should be considered an essential component of your clean-up efforts:
- After discovery, automatically onboard your privileged accounts and enforce unique and complex passwords with automatic rotation for each. This will help ensure any persistent presence cannot repeatedly leverage compromised accounts.
- For any linked accounts, have your PAM solution link and rotate them all together on a periodic schedule, including service accounts. This will keep the accounts synchronized and potentially isolated from other forms of password reuse.
- When applicable, remove unnecessary privileged accounts all the way down to the desktop. This includes any secondary administrator accounts associated with an identity. For any application, command, or task that requires administrative rights, consider the least privilege model that elevates the application, not the user, to perform privileged management.
- Using PAM, look for IoCs that suggest lateral movement, either from commands or rogue user behavior. This is a critical portion of the cyber attack chain where PAM can help identify whether or not any resources have been compromised.
- Application control is one of the best defenses against malware. This capability includes looking for trusted applications that are vulnerable to threats by leveraging various forms of reputation-based services. PAM can help here too. Decide whether an application is allowed to run, based on trust and known risks, before it is permitted to interact with the user, data, network, and operating system.
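The investigation list above (compromised and linked accounts, rogue accounts) and the rotation advice (rotate linked accounts together) can be worked through on a small constructed account inventory. This is an added example, not code from the post or from any BeyondTrust product; the asset names, account names, credential ids and baseline are all assumptions made here for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory (assumption, not from the post): one record per account
# as it exists on one asset. 'cred' is an opaque id for the secret actually in
# use; two records with the same 'cred' share a password or key (linked accounts).
INVENTORY = [
    {"asset": "X",   "account": "svc_backup", "cred": "c1", "created": "2023-01-10"},
    {"asset": "A",   "account": "svc_backup", "cred": "c1", "created": "2023-01-10"},
    {"asset": "B",   "account": "svc_backup", "cred": "c1", "created": "2023-01-10"},
    {"asset": "C",   "account": "svc_sync",   "cred": "c1", "created": "2023-03-02"},
    {"asset": "DC1", "account": "helpdesk2",  "cred": "c9", "created": "2024-01-03"},
    {"asset": "Y",   "account": "app_db",     "cred": "c4", "created": "2022-07-19"},
]
AUTHORIZED = {"svc_backup", "svc_sync", "app_db"}   # constructed approved baseline

def blast_radius(inventory, compromised):
    """Expand a set of compromised account names to every (asset, account)
    that is either the same account elsewhere or shares a credential with it,
    following links transitively until nothing new is found."""
    names, creds = set(compromised), set()
    while True:
        creds |= {r["cred"] for r in inventory if r["account"] in names}
        more = {r["account"] for r in inventory if r["cred"] in creds}
        if more <= names:
            break
        names |= more
    return {(r["asset"], r["account"]) for r in inventory if r["account"] in names}

def rogue_accounts(inventory, authorized, incident_start):
    """Accounts absent from the approved baseline and created on or after the
    incident began: candidates for the 'purge illicit accounts' step."""
    start = datetime.fromisoformat(incident_start)
    return sorted({(r["asset"], r["account"]) for r in inventory
                   if r["account"] not in authorized
                   and datetime.fromisoformat(r["created"]) >= start})

def rotation_groups(inventory, scope):
    """Group in-scope (asset, account) pairs by shared credential so that each
    group is rotated together, keeping linked accounts synchronized."""
    groups = defaultdict(list)
    for r in inventory:
        if (r["asset"], r["account"]) in scope:
            groups[r["cred"]].append((r["asset"], r["account"]))
    return {cred: sorted(pairs) for cred, pairs in groups.items()}

if __name__ == "__main__":
    scope = blast_radius(INVENTORY, {"svc_backup"})
    print("in scope:", sorted(scope))
    print("rogue:", rogue_accounts(INVENTORY, AUTHORIZED, "2024-01-01"))
    print("rotate together:", rotation_groups(INVENTORY, scope))
```

Compromising svc_backup on asset X pulls assets A, B and C into scope because they share the same secret, which is exactly why the post insists that linked accounts be rotated as one group rather than one at a time.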
Privileged access management should not only be considered for new projects and legacy systems to stop privileged attack vectors. It should also be considered a forensics and remediation control after an incident or breach. PAM will help stop a threat actor from acting on some of the lowest-hanging fruit within your organization: poor password and credential management.
As a security best practice, privileged access should always be limited. When a threat actor gains administrator or root credentials, they have the keys to your kingdom. The goal is to stop them from obtaining those credentials and to "rekey" the accounts by rotating passwords frequently, so that even if a password is stolen, its usefulness is limited and its usage can be monitored for potential abuse. After an incident or breach, this helps to ensure that any lingering persistent presence can be mitigated, and it represents a valuable methodology in the clean-up and sustainment process.
About the Author
With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.