How to Contain a Privileged Access Breach Quickly & Effectively
by Brian Hanrahan, on Nov 23, 2021
Realizing that your privileged access controls have been breached takes only a moment. The incident response process that follows, once you know your IT systems are compromised, can last many months.
In this two-part blog series, we argue that effective remediation starts now, before the breach takes place. In this first installment, we cover why having an incident response plan in place now can save you significant time and unnecessary damage later.
In the past, we've discussed how to rapidly contain an incident by removing the privileged access that attackers need to maintain a presence and move laterally. We advocated replacing that standing privileged access with Just-in-Time access. A Just-in-Time approach gives responders much-needed time and room to investigate the remaining components of the attack and eradicate them.
Breaches stem from vectors you trust
Breaches often originate from trusted people or software, not from cleverly constructed malware that evades the best-effort defenses built into your enterprise risk management and endpoint security strategies. It is not hard to find enterprise IT products with exploitable vulnerabilities, or even products shipped to customers with an attacker's code hidden inside them.
Vulnerable software often runs with the highest privilege available on its host, such as SYSTEM or root. Compromising it therefore exposes the credentials of every user who signs in to that host, and through those credentials the systems those users can access.
Another common vector of attack is people. Although users have grown more aware of phishing tactics, cybercriminals evolve their attacks continually, and someone will always fall victim. Despite well-known best practices, end users still often hold privileged access to their own computers in the name of a better user experience.
Attackers know this too, and they will quickly pivot from an end user with admin rights on one computer to IT staff with 24x7x365 privileged access to many or all computers and network-connected devices.
Lateral movement: A key attacker strategy
Attackers seldom accomplish their goal with access to a single system. Whether attackers gain their foothold from vulnerable software or vulnerable users, the playbook is consistent:
- Establish a beachhead on a vulnerable system
- Elevate privilege on that system
- Harvest the credentials of additional users who sign in to that system
- Move laterally with those credentials toward their objective
Containment and eradication require a multi-faceted approach
An incident response plan targeting breach containment has to assume that the attacker is using multiple techniques to hide, persist, and move around your environment. Finding and eradicating each of them often takes considerable time and money.
You may face:
- Lengthy interruption of normal operations
- Some level of ongoing loss of operational integrity
Responders commonly identify and block the network activity, software, and system configurations that enabled the attack. They also commonly address compromised accounts by forcing password resets, requiring multi-factor authentication, or disabling the accounts outright.
All of this makes sense, but none of it addresses the standing 24x7 authorization that enables lateral movement in most environments.
Standing privileged access: A blind spot
Containment and eradication focus largely on the software, systems, and data involved, not on the 24x7x365 access that allowed the breach to spread from the single system or account where it started.
Let's dissect the attacker's view of your environment after typical response activities occur:
- Network connectivity to known command and control servers may be blocked
- Blocking of known scripts, executables, and persistence mechanisms is under way
- The account credentials previously compromised are no longer valid
While helpful, the list above covers only the broadly useful response steps, not the individual software vulnerabilities that also contribute to the problem.
Your attackers have that list and more to work with.
When is an attack contained?
Eradication of an attack campaign is never a certainty. But we eventually reach a point where we are satisfied that there is no evidence of further activity and that the root causes have been addressed adequately.
Business must go on at some point. However, if attackers can run code on one system in your environment, they can regain a foothold, harvest user credentials, and continue their campaign.
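To make the attacker playbook above and the post-response view concrete, here is an added example that is not code from the original post or from its author's product. It models a constructed inventory of standing local-admin rights and logged-on sessions (every host and account name is hypothetical), walks the attacker's harvest-and-pivot loop from a foothold, and compares the blast radius before any response, after the usual password resets, and with the IT and helpdesk accounts moved to Just-in-Time access.

```python
"""Model the harvest-and-pivot playbook on a constructed inventory of standing
local-admin rights and logged-on sessions, and compare the blast radius
before response, after typical response steps, and under a JIT model.
Example code added for this post; all hosts, accounts and data are hypothetical."""
from collections import deque

# Constructed: accounts holding standing (24x7) membership in each host's
# local Administrators group. In practice this comes from enumerating that
# group on every host, including the AD groups nested into it.
STANDING_ADMIN = {
    "ws-101": {"alice", "helpdesk-svc", "it-admin1"},
    "ws-102": {"bob", "helpdesk-svc", "it-admin1"},
    "ws-103": {"carol", "helpdesk-svc", "it-admin1"},
    "srv-file1": {"backup-svc", "it-admin1"},
    "srv-sql1": {"dba1", "it-admin1"},
    "dc-01": {"it-admin1"},
}

# Constructed: accounts with a live session (interactive, RDP or service) on
# each host. Admin on a host lets the attacker harvest these credentials.
SESSIONS = {
    "ws-101": {"alice", "helpdesk-svc"},
    "ws-102": {"bob", "it-admin1"},      # IT admin remoted in to troubleshoot
    "ws-103": {"carol"},
    "srv-file1": {"backup-svc"},
    "srv-sql1": {"dba1"},
    "dc-01": set(),
}


def blast_radius(start_host, admin_map, sessions, disabled=frozenset()):
    """Breadth-first walk of the playbook: on every owned host, harvest the
    credentials of logged-on accounts, then pivot to every host where a
    harvested account holds standing admin. Accounts in `disabled` have been
    reset or disabled by responders, so harvesting them yields nothing.
    Returns (owned hosts, harvested usable credentials)."""
    owned = {start_host}
    creds = set()
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        harvested = sessions.get(host, set()) - set(disabled) - creds
        creds |= harvested
        for acct in harvested:
            for target, admins in admin_map.items():
                if acct in admins and target not in owned:
                    owned.add(target)
                    queue.append(target)
    return owned, creds


def jit_view(admin_map, jit_accounts):
    """Same inventory with the given accounts moved to Just-in-Time access:
    no standing membership, so a harvested credential grants no admin rights
    anywhere until an elevation is explicitly requested and granted."""
    return {host: admins - set(jit_accounts) for host, admins in admin_map.items()}


def accounts_by_host_count(admin_map):
    """Discovery step: which accounts hold standing admin on the most hosts.
    These are the lateral-movement highways an attacker is looking for."""
    counts = {}
    for admins in admin_map.values():
        for acct in admins:
            counts[acct] = counts.get(acct, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Standing admin by reach:", accounts_by_host_count(STANDING_ADMIN))

    # 1. Phished user on ws-101, before any response.
    owned, creds = blast_radius("ws-101", STANDING_ADMIN, SESSIONS)
    print("Before response, from ws-101:", sorted(owned))

    # 2. Typical response: compromised accounts reset, C2 blocked. The attacker
    #    regains a foothold on ws-102 through a persistence mechanism that was
    #    missed. Standing admin rights are untouched.
    reset = {"alice", "helpdesk-svc"}
    owned, creds = blast_radius("ws-102", STANDING_ADMIN, SESSIONS, disabled=reset)
    print("After password resets, foothold on ws-102:", sorted(owned))

    # 3. Same foothold, but the IT and helpdesk accounts are JIT-only.
    jit = jit_view(STANDING_ADMIN, {"it-admin1", "helpdesk-svc"})
    owned, creds = blast_radius("ws-102", jit, SESSIONS, disabled=reset)
    print("After password resets with JIT admin:", sorted(owned))
```

Two things are worth noticing in the output. The password resets do nothing to the blast radius as long as it-admin1 keeps standing admin everywhere and logs on to any host where the attacker still has code running. And in the JIT run the attacker still harvests it-admin1's credential, so JIT elevation has to be gated by MFA or an approval step, and harvested credentials still need resetting. To use this against a real environment, replace the constructed dictionaries with the output of enumerating the local Administrators group and active sessions on each host.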
Breaches happen - even when you're careful
Although this very real scenario plays out again and again in corporate networks, an evolved approach to privileged access management can massively reduce the risk. In part two of this blog series, I’ll talk about a different approach to privileged access control that turns the tables on attackers with a persistent foothold in your environment.
Want to learn more about how to discover and remove privileged access, shrink your attack surface, and prevent lateral movement within your network?