You Have a Standing Privilege Problem and Just Don’t Know It

The year has just begun and as with previous years, many worrying strains of destructive malware have yet again been detected. Unlike ransomware, where you at least have a chance of recovering your data after paying the ransom, the new destructive techniques pose a very real and serious threat to businesses. The recently reported HermeticWiper malware’s mission is to corrupt the Master Boot Record (MBR), destroy any file in its path and use native tools like PowerShell to elevate privileges and propagate across the network to continue the devastation. We now are operating with greater risks and newer challenges from cyberattacks this year than ever before.

Precisely for this reason, it’s important to pay attention to Identity Management Day, which launched last year and takes place on the second Tuesday, or the 12th of April this year. The mission of the Identity Management Day is to educate and increase awareness with business leaders and IT decision makers on the importance Identities, including Privileged Identities and their relevance to good cyber security hygiene. Given that this event is run in tandem by the National Cybersecurity Alliance and Identity Defined Security Alliance (IDSA), important insights will be shared, based on research made around the breaches that occurred over the last couple of years. To give one such example, research by IDSA reveals that 79% of organizations have experienced an identity-related breach and 99% believe their identity-related breaches were preventable.

In fact, almost all cyberattacks follow the Cyber Kill Chain blueprint as illustrated above. Phishing emails remain the top entryway for malware to gain access to a system. Once on the system, an anti-virus software usually fails to recognize the signature of the file or the AV is disabled, enabling the malware to communicate with a C2 (command and control) server. Depending on the purpose behind the malware, additional payloads may be downloaded in order to execute the attack successfully. GlobalData Thematic Research reports that the dwell time has decreased to just under a month in 2020 primarily attributed to the increase of ransomware, where speed is an advantage attackers use to successfully execute the breach. With ransomware, encrypting the sole system where the malware got a toehold is rarely worth the effort for an attacker. So, the key technique exploited here is privilege escalation, which then enables lateral movement and rapid propagation of the malware to encrypt files on more than a single system or preferably, move laterally to discover and encrypt critical data.

Security teams recognize the need to stop privilege escalation and prevent lateral movement. We see time and again that organizations take on complex solutions within Privilege Access Management (PAM) space, in hopes to thwart the spread of such malware within an environment, yet it keeps happening. Why? The gap is quite clear: it’s the unchecked standing privileges that remain strewn across the systems even when credentials are protected in a vault.  To use an analogy to explain standing privileges, consider a hotel where maintenance personnel have a universal key card that allows them to enter any hotel room and perform their assigned activities. If such a universal key card is stolen, then the perpetrator can access any room within the hotel at any time, thus conferring standing privileges to whoever possesses the universal key. To prevent such universal privileged access, first, we need to remove all access by disabling that key on all locks, and then implement a Just-In-Time-Access. This way, a maintenance personnel must request access to the one room which needs attention; its lock is enabled for their key at the right time and just for the right amount of time this access is needed. Thus, if a key card is stolen, then the perpetrator only has access to only one room and only within allotted time, considerably shrinking the attack surface. Outside the time window, Zero Standing Privilege makes the stolen key worthless.

Extending this analogy to enterprise networks, it doesn’t matter what technique was used to gain access to a system and what credentials the perpetrator was able to scrape from the system’s memory. If the credentials do not have a standing privilege on any other system, then the perpetrator cannot log in remotely using common protocols such as WinRM, RDP, or SSH with elevated rights, or at all, depending on what best practices are configured within GPO settings. So, even if a hotel room had another “universal” key laying around, with correct implementation of JITA, this second room key would not work on any door because no locks are enabled. The perpetrator would need to obtain the one key that was enabled to the one system where JITA is enabled, greatly limiting the blast radius of the already reduced attack surface.

Legacy PAM tools such as vaults are great for compliance checks, recording a video session and overall, perform their credential-storing functionality as expected. But when it comes to preventing lateral movement, the credential vault gives a false sense of security for two reasons. First, only the most critical and secondary administrative accounts are vaulted. It’s an essential practice, but it does not address the fact that upon checking out those passwords, the vaulted account itself may still have standing access privilege to tens or hundreds of systems at any time. Second, standard user accounts are foregone completely during the process due to being out of scope and impracticality of vaulting them. The latter is a bigger problem because through nesting of groups that occurs within Active Directory, the standard user account may inadvertently gain administrative privileges to more systems than realized. It’s especially prevalent in organizations, where one or more domain groups are nested within Windows built-in administrators’ group. This way, a potential blast radius of compromised standard user account could put a much greater portion of systems and data at risk. So how do we approach this problem?

The full scope of such privilege sprawl can be addressed with the Zero Standing Privileges (ZSP) model as part of the bigger Zero Trust model. The idea of ZSP is simple: take away the 24 x 7 x 365 login rights of all privileged accounts from all servers, workstations and laptops. You may still want or need them to log in as standard users onto those machines, but when it comes to privileged access, it should be enabled as Just-In-Time-Access (JITA). JITA is the cornerstone of ZSP. A user requests access to a specific machine and only for a specific period. This way, even if a user’s credentials are compromised, the blast radius is reduced to one system, or worse, just a handful of systems that the same user requested JITA access as opposed to hundreds or thousands of systems where the user had standing privileges.

We learned recently that even Single Sign-On (SSO) solutions unfortunately cannot make your environment bulletproof. More than authentication, you truly need to solve for authorization, which is what Zero Trust is about. Just because an admin can authenticate and has the right to privileged access, doesn’t necessarily mean the admin should be authorized, or allowed to do so 24×7, which is what the attackers are exploiting. Introducing complexity through password policies and vaulting is proven not to work. It may in fact work contrary to the best intent, as admins will come up with a predictable system of passwords or worse yet, create secondary accounts for convenience.

Establishing a Privilege Access Management program for cybersecurity requires a methodical approach: after discovering and vaulting the most coveted accounts, it is essential to look at standing privileges across the estate. As headlines continually show us, managing your standing privileges is one of the most critical and effective methods to halt most incidents – and the longer you wait to address it – the greater your chances of becoming a headline.

About the Author: Nurlan Temirbulatov, a Sales Engineer at Remediant, spent the last 5 years working primarily in Privilege Access Management space. Previously worked for BeyondTrust as a result of acquisition of Avecto by Bomgar.  



Let's work together to help everyone become more secure.