
Remediant Blog


Do we need always-on always-available access? No, there’s a better way.

by David Levine, on Apr 05, 2022

Unfortunately for the security industry, this is the second time this month that I am writing about a highly publicized incident carried out with elevated credentials and lateral movement. This time the target was the identity platform Okta, reached through Sitel, a third-party customer-support contractor. I am saddened by these attacks on many levels, but primarily because attacks of this kind are easily preventable.

Briefly, the events of the compromise were as follows:

Beginning on January 16th, 2022, the attacker(s) gained access to Sitel's internal network over RDP (Remote Desktop Protocol). They then reportedly exploited CVE-2021-34484, a known elevation-of-privilege vulnerability in the Windows User Profile Service, to escalate privileges on the compromised host.

Using the newly obtained privileged access, the attacker(s) moved laterally and terminated the FireEye endpoint (EDR) agent so that subsequent activity would go unobserved.

The next step was to download and execute Mimikatz. Mimikatz is a well-known open-source tool used for credential dumping: it reads plaintext passwords, password hashes and Kerberos tickets out of LSASS memory so they can be saved and reused for further access.

Lastly, the attacker(s) found and exfiltrated a document titled DomAdmins-LastPass.xlsx.
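Each step in that chain leaves a footprint in ordinary Windows Security events, which is what makes it detectable even before any of the tooling above is in place. The following is an added example, not code from Okta, Sitel, Remediant or any of the tools named above: it runs a small set of rules over constructed, simplified Security events (4624 logon, 4688 process creation, 4663 object access) and correlates them per host into an attack-chain alert labelled with the matching MITRE ATT&CK technique IDs. The event field names, the host names, and the assumed EDR process name edr_agent.exe are illustrative assumptions; only the spreadsheet name comes from the incident.

```python
"""Toy detector for the chain described above: RDP logon, EDR tampering,
credential dumping, sensitive-file access. Added example, not code from
Okta, Sitel, Remediant or the tools named in the post. The event shape is a
constructed, simplified rendering of Windows Security events; field names
and the EDR process name are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not a real capture). Event IDs follow Windows:
# 4624 = logon, 4688 = process creation, 4663 = object access.
SAMPLE_EVENTS = [
    {"ts": "2022-01-16T02:11:03Z", "id": 4624, "host": "WS-042", "user": "contractor1",
     "logon_type": 10, "src_ip": "203.0.113.7"},
    {"ts": "2022-01-16T02:14:51Z", "id": 4688, "host": "WS-042", "user": "SYSTEM",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM edr_agent.exe"},
    {"ts": "2022-01-16T02:16:30Z", "id": 4688, "host": "WS-042", "user": "SYSTEM",
     "image": r"C:\Users\Public\mk.exe",
     "cmdline": "mk.exe privilege::debug sekurlsa::logonpasswords"},
    {"ts": "2022-01-16T02:20:05Z", "id": 4663, "host": "WS-042", "user": "SYSTEM",
     "object": r"\\FS01\shares\it\DomAdmins-LastPass.xlsx", "access": "ReadData"},
    # Benign noise on another host: an admin legitimately stopping a service.
    {"ts": "2022-01-16T03:00:00Z", "id": 4688, "host": "WS-007", "user": "it.admin",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop Spooler"},
]

EDR_PROCESSES = {"edr_agent.exe"}       # assumed name of the endpoint agent
TOOL_TERMS = ("taskkill", "sc stop", "net stop", "sc delete")
CRED_DUMP_TERMS = ("sekurlsa", "lsadump", "mimikatz", "logonpasswords")
SENSITIVE_FILE = re.compile(r"(admin|pass|cred)", re.IGNORECASE)
CHAIN_WINDOW = timedelta(hours=24)      # how far apart stages may be and still correlate


def classify(ev):
    """Map one event to an ATT&CK technique label, or None if it looks benign."""
    cmd = ev.get("cmdline", "").lower()
    if ev["id"] == 4624 and ev.get("logon_type") == 10:          # logon type 10 = RDP
        return "T1021.001 Remote Desktop Protocol"
    if ev["id"] == 4688 and any(t in cmd for t in TOOL_TERMS) \
            and any(p in cmd for p in EDR_PROCESSES):
        return "T1562.001 Disable or Modify Tools"
    if ev["id"] == 4688 and any(t in cmd for t in CRED_DUMP_TERMS):
        return "T1003.001 LSASS Memory"
    if ev["id"] == 4663 and SENSITIVE_FILE.search(ev.get("object", "")):
        return "T1005 Data from Local System"
    return None


def correlate(events):
    """Group technique hits per host and raise a chain alert when an RDP logon is
    followed by at least two further stages within CHAIN_WINDOW.
    Returns {host: [ordered technique labels]} for hosts with a full chain."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            when = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            hits[ev["host"]].append((when, label))
    chains = {}
    for host, seq in hits.items():
        entry = [t for t, lbl in seq if lbl.startswith("T1021")]
        if not entry:
            continue                     # no remote entry point: not this chain
        t0 = entry[0]
        later = [lbl for t, lbl in seq
                 if t0 < t <= t0 + CHAIN_WINDOW and not lbl.startswith("T1021")]
        if len(later) >= 2:
            chains[host] = ["T1021.001 Remote Desktop Protocol"] + later
    return chains


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", " | ".join(stages))
```

The point of the correlation step is that no single rule is conclusive on its own (an RDP logon or a `sc stop` is routine), but the sequence on one host within a day is not. A real deployment would feed the same logic from a SIEM and would also add a rule for the exploit stage itself, for example a process at SYSTEM integrity spawned from a user's download directory.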

As with the HermeticWiper disk-wiper attack a month earlier, the methods used here, and in many other incidents, are only possible because of privileged access. According to the 2020 Verizon Data Breach Investigations Report, approximately 74% of breached organizations reported that the breach involved access to a privileged account, a pattern now termed privilege misuse.

The MITRE ATT&CK framework catalogs the techniques behind this kind of behaviour under the Privilege Escalation tactic (TA0004); the steps above also touch the Defense Evasion (terminating the EDR agent), Credential Access (Mimikatz) and Lateral Movement tactics.


The account or system that an attacker initially compromises is just a jumping-off point for them to spread out. As with this attack, the lifecycle of an attack can be days, weeks, months or even years as the attacker moves throughout the environment and establishes their presence.

Coined by Gartner, Zero Standing Privileges (ZSP) is an emerging approach that reframes privileged access management. We believe these attacks can be mitigated by adopting a Zero Trust privileged access model built on Zero Standing Privilege (ZSP) combined with Just-in-Time Access (JITA): no account holds admin rights permanently, and rights are granted only for a specific task, for a bounded time, and with an audit trail.

We need to ask ourselves why admin accounts need to be persistent, always-on and always-available. They form a large attack surface that attackers prioritize, as in this Okta incident and the HermeticWiper cases. The techniques used are not novel; they are well-researched and understood. It is time we put a stop to these preventable attacks.

Remediant SecureONE was purpose-built to address this problem and is a force multiplier for Identity & Access Management programs worldwide. The founding team especially had in mind those looking to secure and enable access to global, distributed and constantly scaling infrastructure. Specifically, SecureONE was developed to:

  • Rapidly deploy and inventory with no agent
  • Continuously monitor
  • Remove standing access enterprise-wide with a single action
  • Administer privileges Just-In-Time with no shared accounts
By implementing Zero Standing Privileges, Remediant SecureONE stops the attack by mitigating privilege escalation on the network, limiting further credential access, and disallowing lateral movement.
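To make the ZSP and JITA model described above concrete, and the "remove standing access with a single action" and "administer privileges just-in-time" capabilities listed here, the following is an added example written for this post, not SecureONE's or Remediant's code. It models a small privilege broker in which admin rights exist only as short-lived, ticket-backed grants: standing membership is inventoried and stripped, a grant is capped and can be revoked early, and a stolen account checked after removal finds nothing to escalate with. The broker, its policy values, the host and account names and the timestamps are all assumptions for illustration.

```python
"""Toy model of Zero Standing Privilege (ZSP) with just-in-time access.
Added example, not Remediant's or SecureONE's code. The broker, policy
values, hosts, accounts and timestamps are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    host: str
    role: str
    expires: datetime
    ticket: str  # approval/change reference; assumed mandatory by policy


@dataclass
class PrivilegeBroker:
    """Admin rights exist only as short-lived grants; nothing is always-on."""
    standing: dict = field(default_factory=dict)  # host -> {users} with persistent admin
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    max_ttl: timedelta = timedelta(hours=2)       # hard cap on any grant

    def inventory_standing(self):
        """Hosts that still carry always-on admin accounts: the attack surface."""
        return {h: sorted(u) for h, u in self.standing.items() if u}

    def remove_standing(self):
        """The single action: strip persistent admin membership everywhere."""
        removed = sum(len(u) for u in self.standing.values())
        for host in self.standing:
            self.standing[host] = set()
        self.audit.append(("remove_standing", removed))
        return removed

    def request(self, user, host, role, ttl, ticket, now):
        """Issue a time-bound grant; refuse unapproved requests, clamp the TTL."""
        if not ticket:
            raise PermissionError("JIT grant requires an approval ticket")
        grant = Grant(user, host, role, now + min(ttl, self.max_ttl), ticket)
        self.grants.append(grant)
        self.audit.append(("grant", user, host, role, grant.expires.isoformat(), ticket))
        return grant

    def revoke(self, user, host, now):
        """Early revocation: expire the user's live grants on this host right now."""
        for g in self.grants:
            if g.user == user and g.host == host and g.expires > now:
                g.expires = now
        self.audit.append(("revoke", user, host))

    def is_admin(self, user, host, now):
        """The check a host makes: standing membership or a live, unexpired grant."""
        if user in self.standing.get(host, set()):
            return True
        return any(g.user == user and g.host == host and now < g.expires
                   for g in self.grants)


def scenario():
    """Walk through: standing admin everywhere, remove it, then work with JIT grants."""
    now = datetime(2022, 1, 16, 2, 0)  # constructed timestamp, not from the incident
    broker = PrivilegeBroker(standing={"WS-042": {"contractor1", "svc_backup"},
                                       "FS01": {"svc_backup"}})
    before = broker.inventory_standing()          # always-on admin on both hosts
    broker.remove_standing()
    # A stolen account logging in later finds no admin rights to escalate with.
    stolen = broker.is_admin("contractor1", "WS-042", now + timedelta(minutes=11))
    # A request without an approval ticket is refused outright.
    try:
        broker.request("contractor1", "WS-042", "Administrators", timedelta(minutes=5), "", now)
        refused = False
    except PermissionError:
        refused = True
    # A legitimate change gets a 30-minute grant tied to an approval ticket ...
    broker.request("it.admin", "WS-042", "Administrators", timedelta(minutes=30), "CHG-1234", now)
    during = broker.is_admin("it.admin", "WS-042", now + timedelta(minutes=10))
    # ... and is revoked as soon as the change is finished.
    broker.revoke("it.admin", "WS-042", now + timedelta(minutes=12))
    after_revoke = broker.is_admin("it.admin", "WS-042", now + timedelta(minutes=13))
    # A request for a week of access is capped at the policy maximum.
    capped = broker.request("it.admin", "FS01", "Administrators", timedelta(days=7), "CHG-1235", now)
    at_expiry = broker.is_admin("it.admin", "FS01", capped.expires)  # boundary is exclusive
    return {"before": before, "after_removal": broker.inventory_standing(),
            "stolen_account_is_admin": stolen, "unapproved_refused": refused,
            "during_grant": during, "after_revoke": after_revoke,
            "ttl_capped": capped.expires - now == broker.max_ttl, "at_expiry": at_expiry}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The property worth noticing is in `is_admin`: once `remove_standing` has run, the only way to be an administrator is to hold an unexpired grant, so the window an attacker can abuse shrinks from "forever" to the lifetime of a single approved change, and every such window is recorded in `audit`. Real products enforce the same idea by editing group membership on the endpoint or directory rather than in an in-memory table.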

SecureONE covers many of the techniques under the Privilege Escalation tactic in the MITRE ATT&CK framework, as depicted below.

(Figure: SecureONE coverage of MITRE ATT&CK Privilege Escalation techniques)
