If you look back on the majority of ransomware attacks, certainly in the last five years, the cause has been either a compromise of privilege based on credentials, or an escalation of privilege based on the configuration of those credentials. If the malware uses privileged credentials to take actions that those credentials are permitted to take, then one of your avenues for detecting and stopping it, spotting unrecognised logins and unusual behaviour, has gone… but how do you control over-privilege? Read on to discover how Zero Standing Privilege can reduce your organisation’s attack surface against ransomware and other cyberattacks.
It’s a privilege to have no privilege
The risks of standing privilege
A privileged account is a user account that is authorised (and therefore trusted) to perform security-relevant functions that ordinary users are not authorised to perform, such as installing or removing software or modifying system or application configurations. The elevated capabilities and access of these privileged accounts pose a substantial risk to the organisation: if an attacker gets control of those accounts, they can move laterally throughout your organisation.
Standing privilege is privileged access that is always on, on every machine, whether you need that access today, next week, or ever. Think of a hotel maintenance worker: they have a key card that can be used on any room, at any time. If they lose their card, or if someone malicious steals it, the thief too will have access to any room, at any time. It is the standing privilege that creates excessive access and thereby increases your attack surface. Companies should make it a priority to reduce the number of accounts that have standing privileges and move towards a zero standing/least privilege model.
Benefits of a least privilege environment
A non-privileged account is the polar opposite of a standing privilege account. Companies should aim to operate with these least-privilege accounts 90-100% of the time. Non-privileged accounts come in two types:
- Standard user account – Role-based access accounts given a limited set of privileges. This includes access to the internet, some applications and resources they need, defined by the requirements of their job.
- Guest user account – These accounts have even less access, limited to the internet and a few applications they need.
Common ways cyberattacks take place
All organisations should aim to move towards a zero-standing privilege model to stop ransomware and other cyberattacks in their tracks. Mapping to the MITRE ATT&CK framework, it is clear that the implementation of Zero Standing Privileges can protect against privilege escalation and lateral movement. See below five ways cyberattacks can take place, and how their kill chain can be interrupted by implementing Zero-Standing Privilege.
- Pass the Hash – A method of using stolen password hashes to authenticate as a user without having access to the user’s cleartext password. (See hacking kill chain infographic)
- Mimikatz – An open-source application that allows users to view and save authentication credentials. (See malware/ransomware kill chain infographic)
- Credential Harvesting Malware – The gathering of compromised user credentials shared openly by malicious attackers on sites like Pastebin or the dark web. (See vulnerability exploitation kill chain infographic)
- Phishing – A method of social engineering where an attacker, masquerading as a trusted entity, dupes a victim into opening an email or text message, to steal their data, including login credentials and credit card numbers. (See phishing kill chain infographic)
- Password Spray Attacks – A form of brute force, trying a small number of common passwords against a large number of user accounts. Usually, attackers will do some reconnaissance first to keep the number of login attempts per account low enough to avoid triggering account lockout. (See hacking kill chain infographic)
The limitations of legacy privilege access management (PAM)
Legacy PAM practices violate the principle of least privilege by allowing privileged access to users on a permanent basis. Legacy PAM that uses vaulting and session recording has been prioritised in many organisations, but its focus is on visibility and control of existing privileged accounts and activities, which leaves privilege elevation and delegation approaches almost non-existent.
Say a new employee starts within your organisation and you note that an existing employee doing the same role already has the rights they need, so you put the newcomer in the same access group. The problem is that the existing employee may have been there for 10 years and may have held other roles within the organisation, so they probably already have more permissions than they need. By adding the new employee to the same access group, you are giving them far more rights than any system requires.
Legacy PAM solutions typically do not look for standing privileges that already exist in your organisation, leading to an excess of privileged accounts. Many privileged accounts have unnecessarily high levels of standing privilege, which organisations struggle to change because administrators and IT operations staff are used to having personal privileged accounts they can use at their discretion. Privileged accounts are routinely issued within an organisation, and they normally hold more privileges than are needed to do the job. Even when an organisation’s environment is controlled by a legacy PAM tool, the privileges already exist, leaving those standing privileges in the environment. All things considered, legacy PAM solutions just do not provide the key advantages that your organisation needs to reduce its attack surface.
Key benefits of Just-in-Time
The just-in-time model gives users access to the things they need at the time they need them. This approach disarms privileged accounts when they are not in use, until such time as those privileges are required. It also plans and governs privileged access according to privileged use patterns and use cases, eliminating excessive privileges. The journey you should be taking as an organisation is towards advanced identity and access management. Using the Just-in-Time access method will protect your organisation and move it towards a zero standing privilege environment.
Reducing your attack surface with zero-standing privilege
The zero-standing privilege (ZSP) model is the purest form of Just-in-Time, and it addresses the final clause of the principle of least privilege: “at only the right time”. ZSP focuses on removing existing standing privileges, which come in many forms such as permanent privileged group memberships, static rules and server accounts, all of which allow the execution of privileged commands. This is key to reducing your organisation’s attack surface, because if anything happens, at least it is contained to a single system and cannot spread laterally. The proliferation of attacks, such as ransomware or phishing, can be prevented by implementing a zero standing privilege model because, without those elevations, the attacker is not able to act on that endpoint and then move laterally throughout the organisation.
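As an added illustration (not code from the original post, nor from Remediant’s SecureONE product), the following Python sketch models the two halves of what the Just-in-Time and ZSP sections describe: auditing where standing admin rights exist across hosts (the “hotel key card” problem) and replacing them with time-boxed grants that are revoked once the window closes. The inventory, host names and account names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class AdminGrant:
    host: str
    account: str
    expires: Optional[datetime]  # None means standing (always-on) privilege

# Constructed snapshot of local Administrators membership per host; not real data.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY: List[AdminGrant] = [
    AdminGrant("ws-001", "CORP\\svc-backup", None),
    AdminGrant("ws-002", "CORP\\svc-backup", None),
    AdminGrant("srv-db1", "CORP\\svc-backup", None),
    AdminGrant("ws-002", "CORP\\helpdesk", None),
    AdminGrant("ws-001", "CORP\\alice", NOW + timedelta(minutes=30)),  # JIT, still valid
    AdminGrant("srv-db1", "CORP\\bob", NOW - timedelta(hours=2)),      # JIT window closed
]

def standing_footprint(inv: List[AdminGrant]) -> Dict[str, Set[str]]:
    """Accounts holding admin with no expiry, mapped to the hosts they can reach."""
    out: Dict[str, Set[str]] = {}
    for g in inv:
        if g.expires is None:
            out.setdefault(g.account, set()).add(g.host)
    return out

def key_card_accounts(inv: List[AdminGrant], min_hosts: int = 2) -> List[str]:
    """The 'hotel key card' problem: standing admin on min_hosts or more machines."""
    return sorted(a for a, hosts in standing_footprint(inv).items() if len(hosts) >= min_hosts)

def stale_grants(inv: List[AdminGrant], now: datetime) -> List[AdminGrant]:
    """JIT grants whose window has closed but were never revoked: standing privilege in disguise."""
    return [g for g in inv if g.expires is not None and g.expires <= now]

def request_jit(inv: List[AdminGrant], host: str, account: str,
                now: datetime, minutes: int = 60) -> AdminGrant:
    """Issue a time-boxed grant on one host; refuse while a standing grant still exists there."""
    if host in standing_footprint(inv).get(account, set()):
        raise ValueError(f"{account} already has standing admin on {host}; remove it first")
    grant = AdminGrant(host, account, now + timedelta(minutes=minutes))
    inv.append(grant)
    return grant

def revoke_expired(inv: List[AdminGrant], now: datetime) -> int:
    """Drop closed JIT windows in place; returns how many grants were removed."""
    stale = set(stale_grants(inv, now))
    inv[:] = [g for g in inv if g not in stale]
    return len(stale)
```

Run against a real inventory, `key_card_accounts` is the list to start removing standing rights from, and `stale_grants` is the check that your JIT tooling actually revokes what it grants.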
Remediant brings Zero Trust to the Privileged Access Management market by removing the biggest undiscovered security risk: 24×7, always-on, persistent administrator rights. Remediant’s SecureONE PAM software delivers Just Enough, Just-in-Time privileged access. This software protects millions of endpoints and has been adopted by major enterprises across industries.
Interested in seeing how Secrutiny and Remediant can help protect your business? Click here to request a demo and we will be in touch soon.