“A determined attacker can easily slide through your perimeter defenses—we need a new approach.”
I hear that sentence a lot these days. In fact, I’ve been hearing it off and on for close to ten years now. Driven by growth in the mobile workforce and expansion of outsourced business partnerships, the cry, “perimeter security is dead…we need a new model,” continues to gain in popularity. Yet in spite of all this talk, of the roughly $32B security products market last year (my estimate, but close enough for this discussion), the vast majority of security funding is still spent on perimeter defense. Investment in actual data protection, monitoring and forensics tools pales in comparison.
This past week, with the news cycle instigated by Mandiant’s APT1 report, the focus has again fixated on perimeter security and how organizations should prevent the initial breach. For example, Network World took email vendors to task for not doing enough to prevent phishing, while on NPR’s All Things Considered the infatuation with perimeter security was so overt that the only questions on tactics directed to Mandiant CEO Kevin Mandia were about how an attacker could be so successful merely by spear-phishing.
If you read through the Mandiant report, however, you’ll notice that in addition to phishing, it also covers other critical components of a successful attack. It’s a worthwhile read on backdoors, covert communications, privilege escalation, internal reconnaissance, lateral movement and maintaining presence.
Ultimately, phishing is only the beginning of an advanced attack. Think of the home security analogy. A burglar may have gotten in your front door, but he hasn’t stolen anything yet. He still needs to search the house to find where you hid the silver and jewelry. He needs to pick the lock on the closet or crack the wall safe. Then he needs to collect all of the loot and head out the back door.
This is why I firmly believe the quote at the top of this post. Just as you keep valuables in a safe at home rather than trusting the front door, you should assume that there are already attackers inside your network. After all, a determined attacker will get in. Every time. But if you are proactive and take an inside-out approach to your organization’s security, you CAN lock down the (privileged) pathways to the most sensitive information, which effectively disrupts the attack.
But you need to take that approach. So what’s your plan?
DoE Security Breach Proves No Organization is Immune to Advanced Threats and the Privileged “Insider”
The targeted attack against the U.S. Department of Energy, and the subsequent loss of contractor and employee information, is the latest example of an advanced threat that continues to plague businesses and critical infrastructure (see our recent blog post on “Red October”). This attack and breach at the DoE is a good illustration of the advanced and long-term nature of this type of attack, which continues to draw the attention of President Obama and his administration (“Executive Order on Improving Critical Infrastructure Cybersecurity”).
Advanced threats are about the long game. Whether targeting critical infrastructure, financial systems or otherwise, attackers use simple hacking methods, such as spear-phishing, to gain a foothold in an organization. Once inside, the attackers spread throughout the organization by exploiting privileged accounts, either by exploiting poor password security on these accounts, or by posing as an employee to surreptitiously obtain additional information and passwords from IT administrators.
The key to this strategy is gaining privileged access – attackers know that administrative and privileged accounts act as a gateway to an organization’s most sensitive data and this is why they’re the primary target of the majority of data breaches. Saudi Aramco. Stuxnet. The Flame Virus. Red October. Subway Restaurants. Global Payments. Utah and South Carolina. U.S. Chamber of Commerce. Pacific Northwest National Laboratory. These attacks follow the same, distinct pattern. Attackers use simple means to breach the perimeter – once inside, they leverage the privileged account, or elevate privileges associated with the account, to gain access to additional servers, databases and other high-value systems only a select few people are actually granted permission to access.
This latest attack demonstrates that these vulnerabilities are not unique to any specific business. Our critical infrastructure companies, and the US agencies that are supposed to protect them, need to re-examine their current approach and secure their organizations from the inside out. President Obama’s Executive Order supports this push, as it officially calls for increased scrutiny into the development of a coordinated framework of cybersecurity policies for critical infrastructure.
At this point though, we all need to assume there are attackers inside our networks – the first step in stopping them, however, is to block the privileged pathway that they’re riding right to our sensitive information.
If you happen to read our blog and industry commentary on a regular basis, then you understand our commitment to highlighting the direct connection between privileged accounts and advanced internal threats and cyber attacks. In almost every cyber attack, there is a link between the pathway used by the hackers and poor security around privileged accounts.
However, while privileged accounts exist everywhere (on servers, databases, network devices, in your telephony system, embedded in applications), the servers are where the data is: according to the 2012 Verizon Data Breach Investigations Report, 94% of the data stolen during sophisticated cyber attacks in 2011 came from servers.
One way to proactively mitigate the impact of these data breaches is to achieve separation between sensitive and non-sensitive assets within your network. By creating an isolated zone, organizations can reduce the risk that an attacker who has compromised an ordinary workstation can reach sensitive data.
One traditional approach to creating this separation involves the use of jump servers, also known as jump hosts, golden hosts, jump boxes or bastion hosts. However, much like other conventional security approaches, such as firewalls and other perimeter security initiatives, simply deploying a jump server ignores the privileged connection itself: the administrator still carries the target’s privileged credential through the jump server. While isolation of sensitive assets via a jump server is indeed a mandatory step to control access to sensitive data, something is missing. The problem, of course, is that if the jump server is not the only control point into the target server, that is, if the target’s privileged account can still be used from elsewhere, then a malicious insider or external attacker who has hijacked the privileged administrator password can bypass the whole jump server and cause havoc.
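To make that “only control point” property concrete, here is an added Python audit (not code from the original post or from the whitepaper it references) that checks a target server’s sshd_config for the conditions under which a stolen administrator password cannot be used to go around the jump server: no root login, no password authentication, every permitted login pinned to the jump host with sshd’s `user@host` AllowUsers form, and no Match block quietly reopening a path from another network. The jump-host address 10.0.0.5, the user names and the three sample configurations are assumptions constructed for the example.

```python
"""Audit a target server's sshd_config for the "jump host is the only
control point" property: privileged SSH access must be reachable only
from the jump host, and never with a reusable password.

Added example, not code from the original post; the jump-host address,
the user names and the sample configurations below are made up.
"""

JUMP_HOST = "10.0.0.5"  # assumed address of the jump server

# Any PermitRootLogin value other than "no" leaves some root path open.
ROOT_OPEN = {"yes", "without-password", "prohibit-password", "forced-commands-only"}


def parse_sshd_config(text):
    """Split sshd_config into global options and Match blocks.

    Returns (global_opts, [(criteria, opts), ...]) with lowercased keys.
    Within one block the first occurrence of a keyword wins, as in sshd.
    Simplified: "Key value" lines only, one AllowUsers line, no Include.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, value)
    return global_opts, blocks


def match_address(criteria):
    """Return the Address pattern of a Match line, or None if it has none."""
    tokens = criteria.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "address" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit(config_text, jump_host=JUMP_HOST):
    """Return a list of findings; an empty list means only the jump host is trusted."""
    findings = []
    g, blocks = parse_sshd_config(config_text)

    # 1. Interactive root login must be off; OpenSSH's default is not "no".
    if g.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no' globally")

    # 2. A stolen password must be useless: keys only, and the keys live on the jump host.
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' globally")

    # 3. Every allowed login must be pinned to the jump host (sshd's user@host form).
    allow = g.get("allowusers", "").split()
    if not allow:
        findings.append("AllowUsers is absent, so any local account can log in from anywhere")
    for entry in allow:
        _user, _, host = entry.partition("@")
        if host != jump_host:
            findings.append(f"AllowUsers entry '{entry}' is not pinned to the jump host")

    # 4. No Match block may re-open root or password logins for another source.
    for criteria, opts in blocks:
        reopens = (opts.get("permitrootlogin", "").lower() in ROOT_OPEN
                   or opts.get("passwordauthentication", "").lower() == "yes")
        if reopens and match_address(criteria) != jump_host:
            findings.append(f"Match '{criteria}' re-enables privileged access from outside the jump host")
    return findings


# Constructed sample 1: target left untouched behind a homegrown jump box;
# the admin password works from any host, so the jump box is bypassable.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample 2: the jump host is the only control point.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin@10.0.0.5 dbops@10.0.0.5
Match Address 10.0.0.5
    AllowTcpForwarding no
"""

# Constructed sample 3: hardened, but a legacy exception leaks root access.
LEAKY_CONFIG = HARDENED_CONFIG + """
Match Address 192.168.1.0/24
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("leaky", LEAKY_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

The sshd checks only close the host-level path; pair them with a network rule that admits TCP/22 on the target from the jump host alone, so that even a misconfigured sshd is unreachable from a compromised desktop. The parser is deliberately simple (one AllowUsers line, no Include directives), so treat it as a starting point for a fleet-wide check rather than a complete sshd_config grammar.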
Fortunately, there may be a solution, and it is not simply locking down privileged accounts through proactive management and continuous monitoring. As we outline in a new whitepaper, aptly titled “Isolation, Control & Monitoring in Next Generation Jump Servers,” unlike homegrown jump servers that still require a privileged credential to access target systems, a new class of Next Generation Jump Servers can be deployed to merge isolation, control and monitoring into a single solution that truly protects an organization’s sensitive business information. Take a look at the whitepaper to learn more and to understand how you can create isolation that blocks the spread of desktop malware and monitors for malicious activity, all while protecting the privileged accounts through pre-defined workflows enforced for every privileged session.
And of course, make sure to check out our integrated solution, Privileged Session Management (PSM) Suite, which acts as a secure proxy that organizations can use to isolate, control and monitor all privileged access to sensitive servers, databases or virtual machines.