Remediant Blog

Why Remove Standing Privilege and Add Just-in-Time Access?

by Brian Hanrahan, on Dec 03, 2021

In the first installment of this two-part blog series, I highlighted a blind spot in many incident response plans that allows attackers to regain a foothold even after they’ve been contained following a breach.

In this final installment of the blog series, the focus will be on two key tactics companies can implement to add privileged access control to their enterprise risk management programs:

  • Removing standing privilege
  • Adding Just-In-Time Access

These tactics turn the tables on your attackers and leave them isolated on the system(s) they have compromised, unable to move laterally from there.

JITA & built-in admin management isolate attackers & contain breaches

At the risk of being repetitive, I’ll say again that attackers start on one system and then use harvested credentials to move laterally across your IT ecosystem.

The insidious problem is that credential harvesting typically happens after the user has authenticated, so MFA or a password vault does not prevent it: once the session exists, its tokens, tickets and cached hashes are what the attacker takes. It is possible to force MFA and re-authentication for every system and application accessed, but users rarely accept that experience. Instead, we opt for some form of Single Sign-On (SSO): SAML, OAuth, Kerberos.

However, there are some key points worth remembering:

  • If the attacker can use a credential-harvesting technique, the attacker can impersonate any user who signs in
  • If an attacker can run code in another user’s login session, the attacker can impersonate that user

In cybersecurity, we’ve replaced “network perimeters” with SSO perimeters. Today, accounts have access to most systems all the time (without re-authenticating), including when an attacker has “harvested” their SSO credential. 

If the account is an IT admin, it is often entitled to a great deal of privileged access, such as to all the servers or all the workstations. If the attacker harvests an IT admin’s credential, they are positioned for a full compromise.

If your incident response plan converts 24x7x365 standing administrator access to Just-In-Time Access (JITA), you’ve made it very difficult for the attacker to move beyond any systems where they maintain a foothold. Even though attackers may harvest credentials, the credentials no longer have the standing privileged access that makes them useful for lateral movement.

Your attacker becomes isolated on one host, giving responders more time to investigate and eradicate the campaign more fully.

Ensuring that each Windows built-in administrator account has a unique, strong password is another key breach containment tactic. The problem is as old as centrally managed Windows fleets: when every machine shares the same local administrator password, one harvested password hash authenticates to all of them, so a single compromised workstation becomes a foothold on every other one.

Solutions from Microsoft have proven to be ineffective, while other vendor solutions prove too expensive to acquire. The problem can be solved reliably across many thousands of computers in minutes, giving authorized users just-in-time access to the strong, unique local administrator password for each computer as needed.
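
As an added example (not Remediant’s product code, and not part of the original post), here is how the two containment tactics above look as PowerShell against a single host: a local Administrators membership that revokes itself at a set expiry, and a per-machine random password for the built-in administrator account. It assumes WinRM remoting to the target, the LocalAccounts and ScheduledTasks modules on the target (Windows 10 / Server 2016 or later), and a hypothetical domain CORP with user CORP\jdoe; where the generated password is escrowed afterwards is left to the caller.

```powershell
# Added example, not Remediant's code. Assumes WinRM remoting to the target and the
# LocalAccounts and ScheduledTasks modules on it (Windows 10 / Server 2016 or later).
# Domain "CORP" and user "CORP\jdoe" are hypothetical.

function Grant-JitLocalAdmin {
    # Adds $Principal to local Administrators on $ComputerName and registers a scheduled
    # task on that host which removes the membership again at expiry. Revocation lives on
    # the target, so it happens even if the operator's session is gone by then.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'CORP\jdoe'
        [ValidateRange(1, 24)][int]$Hours = 2
    )
    $expiry = (Get-Date).AddHours($Hours)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Principal, $expiry -ScriptBlock {
        param([string]$Principal, [datetime]$Expiry)
        Add-LocalGroupMember -Group 'Administrators' -Member $Principal -ErrorAction Stop

        $taskName = 'JIT-Revoke-' + ($Principal -replace '[^A-Za-z0-9_.-]', '_')
        # The revoke command runs as SYSTEM; it removes the member and then deletes itself.
        $revoke = "Remove-LocalGroupMember -Group Administrators -Member '$Principal'; " +
                  "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
        $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                         -Argument "-NoProfile -NonInteractive -Command `"$revoke`""
        $trigger   = New-ScheduledTaskTrigger -Once -At $Expiry
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
        Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                               -Principal $principal -Force | Out-Null

        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Principal = $Principal; ExpiresAt = $Expiry }
    }
}

function Reset-BuiltinAdminPassword {
    # Sets a fresh random password on the built-in administrator of $ComputerName, located
    # by its well-known RID 500 rather than by name, since the account is often renamed.
    # The password is returned to the caller; escrowing it (vault, AD attribute) so that
    # authorized users can check it out just-in-time is assumed to happen downstream.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $plain = [Convert]::ToBase64String($bytes)       # 32 characters, generated per host
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
        Set-LocalUser -Name $admin.Name -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $admin.Name; Password = $plain }
    }
}

# Usage: rotate the built-in admin password on one host, then grant one hour of admin access.
Reset-BuiltinAdminPassword -ComputerName 'WS001'
Grant-JitLocalAdmin -ComputerName 'WS001' -Principal 'CORP\jdoe' -Hours 1
```

The grant only changes the attacker’s position if CORP\jdoe is not also reachable through a standing group in local Administrators; a credential harvested from that session is useful to the attacker exactly until the scheduled task fires.
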

How long does a move to JITA take?

There’s a perception that it can take months or years to remove standing privileged access and move to JITA, but it’s possible to do this within hours or days. We’ve helped multiple customers convert within days while they were battling a breach.

The key elements that enable a rapid deployment are quick visibility to the standing access in place and a simple conversion process. A streamlined experience for users to get privileged access is also essential in eliminating unnecessary training.

The privileged access management process is straightforward: 

  • Discover privileged access accounts across all systems - within a couple of hours
  • Take control of the built-in admin account password - within a couple of hours
  • Configure accounts (usually application/service accounts) that need to retain 24x7 privileged access to retain their access - within hours
  • Assess privileged access risk and prioritize conversion of the riskiest accounts - within hours
    • Convert domain groups like helpdesk, operations, application admins from standing privilege to JITA
  • Communicate the simple step required to activate privileged access Just-In-Time - an email
  • Enforce the desired, authorized privileged access - within a couple of hours
    • Continuous enforcement occurs - forever
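
The conversion procedure above as an added PowerShell example (not Remediant’s code, and not part of the original post): one sweep that inventories standing local Administrators membership across domain computers, an allow-list for the service accounts that must keep 24x7 access, a risk view that ranks the broadest domain groups first, removal of everything else, and the same call re-run as the continuous enforcer. It assumes the ActiveDirectory RSAT module on the operator’s workstation, WinRM to the targets, and a hypothetical domain CORP whose OU and service-account names are placeholders. One caveat the page does not spell out: if a group reaches local Administrators through Group Policy (Restricted Groups or Group Policy Preferences), the policy itself must change too, or the next refresh puts the group back.

```powershell
# Added example, not Remediant's code. Assumes the ActiveDirectory RSAT module locally,
# WinRM to the targets, and a hypothetical domain "CORP"; OU and account names are
# placeholders. Membership pushed by Group Policy must be removed from the policy as well.

Import-Module ActiveDirectory

function Get-StandingLocalAdmins {
    # Discover: one fan-out query over every enabled computer under $SearchBase.
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. 'OU=Workstations,DC=corp,DC=example'
    $computers = (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase).Name
    Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Principal       = $_.Name             # 'CORP\Helpdesk', 'WS001\Administrator', ...
                ObjectClass     = $_.ObjectClass      # Group or User
                PrincipalSource = $_.PrincipalSource  # ActiveDirectory or Local
                SID             = $_.SID.Value
            }
        }
    } | Select-Object Computer, Principal, ObjectClass, PrincipalSource, SID
    # Unreachable hosts are reported rather than silently skipped: they are still unknown risk.
    foreach ($e in $unreachable) { Write-Warning $e.Exception.Message }
}

function Convert-StandingToJit {
    # Keep the 24x7 exceptions, convert everything else from the domain, and report what is
    # left. Re-running this on a schedule is the continuous enforcement; the call is idempotent.
    param(
        [Parameter(Mandatory)][object[]]$Inventory,                        # from Get-StandingLocalAdmins
        [string[]]$KeepStanding = @('CORP\svc-backup', 'CORP\svc-sccm'),   # hypothetical service accounts
        [switch]$Preview
    )
    $targets = $Inventory | Where-Object {
        $_.PrincipalSource -eq 'ActiveDirectory' -and $KeepStanding -notcontains $_.Principal
    }
    foreach ($byHost in $targets | Group-Object Computer) {
        $members = @($byHost.Group.Principal)
        if ($Preview) { Write-Host "$($byHost.Name): would remove $($members -join ', ')"; continue }
        Invoke-Command -ComputerName $byHost.Name -ArgumentList (,$members) -ScriptBlock {
            param([string[]]$Members)
            Remove-LocalGroupMember -Group 'Administrators' -Member $Members -ErrorAction Continue
            # Whatever remains is the authorized standing set; return it so the run is auditable.
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Removed   = $Members
                Remaining = (Get-LocalGroupMember -Group 'Administrators').Name
            }
        }
    }
}

# Usage
$inv = Get-StandingLocalAdmins -SearchBase 'OU=Workstations,DC=corp,DC=example'
# Assess risk: the domain groups present on the most hosts are the broadest standing grants.
$inv | Where-Object { $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
    Group-Object Principal | Sort-Object Count -Descending | Select-Object Count, Name
Convert-StandingToJit -Inventory $inv -Preview   # dry run
Convert-StandingToJit -Inventory $inv            # convert; schedule this same line for enforcement
```

The risk view answers the prioritization step directly: a helpdesk group that sits in local Administrators on every workstation is a bigger lateral-movement grant than an application admin group on three servers, so it converts first. Accounts that reach local Administrators through nested domain groups show up under the outer group’s name, so the allow-list should name the group that is actually present on the host.
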

Why not be proactive?

Although it’s great to have an incident response plan that cuts off standing privilege to contain an ongoing breach, most organizations would rather remove standing privilege proactively, before a breach, so that the containment is already in place when one happens.


To learn more about effective privileged access breach containment,
schedule a demo of Remediant SecureONE today.
