Who (really) has access to your work laptop?
by Mahesh Babu, on May 05, 2020
The credential has become a commodity that will be breached. 74% of breached organizations admitted that the breach involved access to a privileged account, and the Verizon Data Breach Investigations Report (DBIR) found that 29% of all breaches involved the use of stolen credentials, second only to phishing. Once a credential is compromised, the privileged access management solution guarding it is rendered useless: whatever that credential could already do, the attacker can now do.
The underlying reason (and why administrator credentials remain low-hanging fruit for attackers) is the access those credentials provide. Specifically, it is the always-on, 24x7x365, high-level access that administrator credentials carry that can be used to move laterally across a network, steal sensitive data, or deploy ransomware. The average privileged access management or endpoint privilege management solution was not purpose-built to address this risk.
This key risk is called “standing privilege” and the emerging security model that addresses the risk is called Zero Standing Privilege.
What is Standing Privilege?
Standing privilege refers to administrator accounts with "always on" 24x7x365 privileged access. On average, at large enterprises (more than 15K devices), we find 480 users with admin access to the average employee workstation.
Figure: The state of standing privilege in the average enterprise environment today (as seen by Remediant)
How does this occur?
These privileges typically take the form of privileged group memberships or device-level permissions that allow the execution of privileged commands. So even if a user is never explicitly granted access to a specific server or workstation, their domain- or group-level permissions give them access to that server or workstation whenever they need it, and that access is standing whether or not they ever use it.
Figure: How administrator privileges spread
For more information about how standing privilege manifests itself and proliferates across a network, Dr. Shane Shook from ForgePoint Capital provides a great overview here: https://www.remediant.com/blog/standing-privilege-is-an-apt-factor
Why does this occur?
There are three key reasons why standing privilege is prevalent:
- First, access is granted through groups so that IT Helpdesk staff and server admins can resolve issues quickly. In most cases, organizations grant this level of 24x7x365 access so that administrators can do their jobs effectively; the two personas we at Remediant see with this type of access are IT Helpdesk users and systems administrators.
- Second, managing groups at a granular level becomes very complex very quickly, so admins end up with more access than they need.
- Third, administrator rights change regularly over time. Attackers know this, and many security teams do not: admin rights can change for many different reasons. New members are added as Helpdesk and administrator teams grow, but members who leave their team or the company are not always removed promptly. Group membership changes, so if an Active Directory group confers some amount of privileged access and the membership of that group changes, the amount of privileged access in the environment changes with it. Local accounts are added or removed, conferring or revoking privileged access, and GPOs can change, which can grant privileged access across the entire enterprise to a set of accounts or groups.
What this ultimately produces is an invisible sprawl of administrator access across the enterprise that is available 24x7x365 and, more importantly, reachable by an attacker from the average employee workstation. If an attacker is able to phish their way onto an average employee's workstation, they now hold the proverbial "keys to the kingdom."
Why does this matter?
This standing access increases an organization's attack surface and affects the network as follows:
- One compromised password exposes the entire network.
- Standing credentials are the primary means by which ransomware spreads: each standing privileged account is an opening for lateral movement.
- It violates the principle of least privilege, even with a Privileged Access Management solution in place that touts "zero trust."
This is why 74% of breached organizations admit that their breach involved a compromised privileged credential.
Addressing the problem
The reason we as an industry have failed miserably to address standing privilege is that we struggle to answer two simple questions:
- What admin credentials exist and have standing access? You cannot protect what you do not know exists.
- How do you protect them?
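The first question is an inventory problem, and the mechanics described above (nested group membership, membership drift, GPO-pushed local group changes) are what make the inventory hard. As an added illustration, not code from the original post or from Remediant, the following Python script works through it on a constructed sample environment: it takes the direct members of each workstation's local Administrators group and a map of domain groups to their members, expands nested groups to find every user with effective standing admin on each host, and then diffs two snapshots to show how one group addition plus one GPO change silently widens that set. The hosts, groups and account names are made up; in a real environment the two inputs would come from something like `Get-LocalGroupMember Administrators` run on each host and `Get-ADGroupMember` on the domain groups.

```python
from collections import deque

# Constructed sample data, not a real directory export.
# Domain groups mapped to their direct members; a member that is itself a
# key in this dict is a nested group.
AD_GROUPS = {
    "CORP\\Domain Admins": {"CORP\\alice", "CORP\\bob"},
    "CORP\\Helpdesk-Tier1": {"CORP\\carol", "CORP\\dave", "CORP\\Helpdesk-Contractors"},
    "CORP\\Helpdesk-Contractors": {"CORP\\erin"},
    "CORP\\Server-Ops": {"CORP\\frank", "CORP\\Domain Admins"},
    "CORP\\Workstation-Admins": {"CORP\\Helpdesk-Tier1", "CORP\\Server-Ops"},
}

# Direct members of each workstation's local Administrators group, the way a
# per-host local group export would report them (constructed).
LOCAL_ADMINS = {
    "WS-001": {"WS-001\\Administrator", "CORP\\Domain Admins", "CORP\\Workstation-Admins"},
    "WS-002": {"WS-002\\Administrator", "CORP\\Domain Admins"},
}


def expand_members(principal, groups):
    """Return every user reachable from `principal` through nested group membership.

    Breadth-first walk with a visited set, so circular nesting (A contains B,
    B contains A) terminates. Anything not known as a group is treated as a
    user account.
    """
    users, seen, queue = set(), set(), deque([principal])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        if current in groups:
            queue.extend(groups[current])
        else:
            users.add(current)
    return users


def effective_admins(direct_members, groups):
    """Every account that can act as a local administrator, given the group tree."""
    users = set()
    for member in direct_members:
        users |= expand_members(member, groups)
    return users


def standing_privilege_report(local_admins, groups):
    """Host -> set of accounts with standing admin on that host."""
    return {host: effective_admins(members, groups) for host, members in local_admins.items()}


def apply_gpo_restricted_groups(local_admins, pushed_members):
    """Model a GPO 'Restricted Groups' setting that adds members to every host's Administrators group."""
    return {host: set(members) | set(pushed_members) for host, members in local_admins.items()}


def diff_reports(before, after):
    """Per host, which accounts gained or lost standing admin between two snapshots."""
    drift = {}
    for host in set(before) | set(after):
        old, new = before.get(host, set()), after.get(host, set())
        drift[host] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return drift


# A later snapshot (constructed): one contractor was added to a helpdesk
# sub-group, and a GPO now pushes Workstation-Admins into every host's local
# Administrators group. Nobody touched WS-002 directly, yet its admin set grows.
AD_GROUPS_LATER = {group: set(members) for group, members in AD_GROUPS.items()}
AD_GROUPS_LATER["CORP\\Helpdesk-Contractors"].add("CORP\\heidi")
LOCAL_ADMINS_LATER = apply_gpo_restricted_groups(LOCAL_ADMINS, {"CORP\\Workstation-Admins"})

BEFORE = standing_privilege_report(LOCAL_ADMINS, AD_GROUPS)
AFTER = standing_privilege_report(LOCAL_ADMINS_LATER, AD_GROUPS_LATER)
DRIFT = diff_reports(BEFORE, AFTER)

if __name__ == "__main__":
    for host in sorted(AFTER):
        print(f"{host}: {len(BEFORE[host])} -> {len(AFTER[host])} accounts with standing admin")
        print(f"  added:   {DRIFT[host]['added']}")
        print(f"  removed: {DRIFT[host]['removed']}")
```

Two details matter in practice: the visited set in `expand_members` is what keeps a cyclic group nest from looping forever (Active Directory permits such cycles), and the diff is computed on the expanded user set rather than on the raw group list, because the group names on a host can stay identical while the people behind them change.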
Zero Standing Privilege is an emerging, reframed approach to privileged access management (PAM) that addresses both questions. Stay tuned for the next post, or see what Gartner has to say about Zero Standing Privilege.
Read Part 2: Introducing Zero Standing Privilege