1. Privileged Attack Vectors – Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations

© Morey J. Haber 2020
M. J. Haber, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-5914-6_1

1. Privileged Attack Vectors

Morey J. Haber
Heathrow, FL, USA
We see it in the news and on social media nearly every single day—another cybersecurity incident, breach, hack, or attack. From a forensics perspective, the vast majority of attacks originate from outside the organization and, therefore, are initiated by external threat actors. While the specific tactics may vary, the stages of an external attack are similar (see Figure 1-1).
  1. Infiltration—Insiders and External Threats: The days of a threat actor attempting to penetrate the perimeter directly are no longer the primary threat to an organization. It is more than likely they will execute a successful campaign by attacking misconfigured resources with compromised privileged accounts, or launch a phishing attack to compromise a user’s system and establish a beachhead inside of an environment. Their goal is to do all of this while flying “under the radar” of security defenses and maintaining a persistent presence. The days of “smash and grab” attacks have faded away, just like attacks on the perimeter. And, with the expanding remote workforce, infiltration can occur through a combination of attack vectors, leaving an organization exploitable via methods outside of its management controls.

  2. Command and Control Through the Internet: Unless it is ransomware or self-contained malware, the attacker quickly establishes a connection to a command and control (C&C) server to download toolkits and additional payloads and to receive additional instructions. This allows them to assess the environment and plan their next move.

  3. Identify Privileged Accounts and Attempt Privilege Escalation: Threat actors begin to learn about the network, infrastructure, privileged accounts, key identities, and the assets performing daily and critical functions. They start looking for opportunities to collect additional credentials, upgrade privileges, or just use the privileges that they have already compromised to access resources, applications, and data.

  4. Lateral Movement Between Assets, Accounts, Resources, and Identities: Threat actors then leverage the stolen credentials and knowledge of the environment to compromise additional assets, resources, and identities (accounts) via lateral movement. This continues their campaign of propagation and navigation through the victim’s environment.

  5. Probing for Additional Opportunities: While continuing to ascertain other weaknesses like vulnerabilities, misconfigured hosts, and additional privileged credentials, a threat actor’s goal is to remain undetected. If their movement or presence is identified, most organizations will immediately strive to mitigate the incident. Therefore, operating in a stealth mode, the threat actor can identify more targets, install more malware or hacking tools, and expand their presence using additional attack vectors, from vulnerabilities to compromised identities.

  6. Data Exfiltration or Destruction: Finally, the threat actor collects, packages, and eventually exfiltrates the data or, in the worst case, destroys your assets and resources based on their mission (e.g., ransomware). It is important to note that this entire attack chain can be performed by an insider or an external threat, as mentioned in step 1. The knowledge of an insider can accelerate all of these steps and bypass security controls, since they may be considered trusted.

Figure 1-1: Stages of an External Attack


There is no single product in the cybersecurity industry today that will provide the protection you need against all stages of this type of attack. And while some new and innovative solutions will help protect against, or detect, the initial infection, they are not guaranteed to stop 100% of malicious activity. In fact, it’s not a matter of if, but a matter of when you will be successfully breached. And privileged accounts and their associated attack vectors will always be at the foundation of any successful breach that does not rely on a vulnerability and exploit combination. You can read more about that in Asset Attack Vectors [1].

Therefore, you will always need to do the basics—vulnerability management, patching, endpoint protection, threat detection, and so on. But you also need to protect, control, and audit the privileges in the environment. Properly managing privileges can help at all stages of the attack. From reducing the attack surface to protecting against lateral movement, to detecting a breach in progress, to actively responding and mitigating the impact of that breach—this is why I wrote this book. This book examines where these privilege vulnerabilities exist, how attackers can leverage them, and more importantly, what you can do about it. First, we need to understand what privileges really are and who is trying to leverage them for malicious intent.

Threat Personas

Before we get into the gory details about privileges, let’s spend a few minutes on who we are protecting ourselves from. An attack can originate from outside or inside an organization. They may be opportunistic, or well planned and targeted. They may be perpetrated by individuals or groups of individuals. To categorize their motives and tactics, we may refer to the perpetrators as hacktivists, terrorists, industrial spies, nation-states, cybercrime syndicates, or simply hackers.

There are subtle differences between a hacker, an attacker, a threat actor, and the malicious activity that they conduct, and these warrant proper definitions for daily conversations. Many times, security professionals use the terms interchangeably, with little distinction between them. As security professionals, we study recent breaches, we pore over forensic investigations, and, ultimately, we wait for the arrests that will follow. Rarely do large-scale breaches go unsolved for long. However, these cybercrimes can take years to prosecute, depending on extradition laws and whether a nation-state was involved. During these events, we learn about incidents, breaches, and whether it was a threat actor, a hacker, or an attacker that caused the malicious activity.

The question is: What is the difference? After all, don’t they all basically mean the same thing? The truth is they do not, and many times the various terms are misapplied in reporting a breach or cybersecurity incident. The proper definitions for each of our threat personas are as follows:
  • Threat Actor: According to TechTarget, “A threat actor, also called a malicious actor, is an entity that is partially or wholly responsible for an incident that impacts – or has the potential to impact – an organization’s security.”

  • Hacker: According to Merriam-Webster, “a person who illegally gains access to and sometimes tampers with information in a computer system.”

  • Attacker: In cybersecurity, an attacker is an individual, organization, or managed malware that attempts to destroy, expose, alter, disable, deny services, steal, or obtain unauthorized access to resources, assets, or data.

Based on these definitions, a breach or incident is typically conducted by a hacker. An attacker can also be a hacker and typically adds a layer of destruction to the situation. A threat actor, compared to a hacker or attacker, does not necessarily have any technical skill set (see Table 1-1). They are a person or organization with malicious intent and a mission to compromise an organization’s security or data. This could be anything from physical destruction to simply copying sensitive information. It is a broad term and is intentionally used because it can apply to external and insider threats, including their missions, like hacktivism, without actually performing a hack or an attack.
Table 1-1: Threat Actor Examples

Threat Actor:

  • Nation-State Sponsored
  • Political Activist
  • Organized Crime
  • Opportunistic, Financially-Driven Attacker
  • Terrorist Organization

  • Systems Users
  • Data Owners
  • Trusted Third Parties

Therefore, hackers and attackers are technical by nature and intentionally targeting technology to create an incident, and hopefully (for them, not you), a breach. They can be lone-wolf actors, groups, or even nation-states with goals and missions anywhere in the world. Their objectives may be to destabilize a business, create distrust between governments and citizens, disseminate sensitive information, or seek financial gains in the form of profiting from stolen data or ransomware.

The difference between an attacker and hacker is subtle, however. Hackers traditionally use vulnerabilities and exploits to conduct their activities. The results may be intentionally damaging, or they may just stem from curiosity. Attackers can use any means necessary to cause havoc. For example, an attacker may be a disgruntled insider who deletes sensitive files or disrupts the business by any means to achieve their goals. Remember, as these insiders have access to the target systems and data, they can simply use their granted access (privileges) to accomplish their goal. A hacker might do the same thing, but they use vulnerabilities, misconfigurations, stolen credentials, identity theft, and exploits to compromise a resource outside of their acceptable roles and privileges to gain access and accomplish their mission.

I believe it is important to grasp the distinctions between attacker, threat actor, and hacker. Security solutions are designed to protect against all three types of malicious personas, and the results will vary per organization:
  • To defend against a threat actor, privileged access management (PAM) solutions can manage privileged access, log all activity in the form of session recordings and keystroke logging, monitor applications to ensure that a threat actor does not gain inappropriate internal or remote access, and document all sessions just in case they do (insider threats).

  • To defend against a hacker, vulnerability management (VM) solutions are designed to identify vulnerabilities such as missing patches, weak passwords, and insecure configuration across operating systems, applications, and infrastructure to ensure that they can be remediated promptly. This closes the gaps that a hacker can use to compromise your environment. Most vulnerability management solutions help organizations measure the risk associated with these vulnerabilities such that they can prioritize remediation activities to reduce the attack surface as quickly and efficiently as possible. It is important to note that hackers can also use techniques associated with privileged attack vectors when the credentials used to secure a resource have been compromised.

  • To defend against an attacker, least privilege solutions and network and host intrusion prevention solutions can be used to reduce the attack surface by removing the level of privileged access threat actors have to resources. This includes the removal of unnecessary administrator (or root) rights on applications and operating systems. These solutions can also perform detailed access and behavior auditing to detect compromised accounts and privilege misuse.

A combination of these solutions not only prevents outsider attacks, but also limits privileges to assets and identities, thereby inhibiting lateral movement. This is the basis for protecting against the privileged attack vector and will be discussed in detail in later chapters. In addition, it is also modeled at the highest level as the three pillars of cybersecurity: assets, privileges, and identities. All security products can be classified under one of these pillars, and the most effective solutions gravitate toward the center, with functional overlap in each area. Figure 1-2 illustrates this in the form of a basic Venn diagram.

Figure 1-2: The Three Pillars of Cybersecurity

However, let us not get ahead of ourselves. This concept is more about the solution chosen to solve the problem vs. an understanding of the problem and attack vectors themselves. Let’s start with a review of the basic elements of privilege before formulating our defense.

Regardless of their motives—from financial gain to hacktivism to nation-state objectives—threat actors, hackers, and attackers will almost always take the path of least resistance to commit their malicious activity. While this path may sometimes leave obvious trails for forensics, the art of the hack is to be subversive without detection (if possible) and to perpetuate the activity under the radar of the implemented security defenses. Fortunately, the methods for gaining user and application privileges are well known from the various attacks and exploits that have used them. This leads us to a formal definition of a privilege:

A special right or permission granted, or available only to, a particular person or group to perform special or sensitive operations upon or within a resource. These are typically associated within information technology as administrator or root accounts or groups and any accounts that may have been granted elevated entitlements.

And of an attack vector:

An attack vector is a path or means by which a hacker, attacker, or threat actor can gain access to a computer or network resource to perpetrate a malicious outcome. Attack vectors enable the exploitation of resources based on privileges, assets, and identities (accounts) and can include technology and human elements.

Now it is time to explore these malicious activities and potential defenses so that privileges do not become a successful attack vector for anyone against your organization. The strategy to protect against them is commonly referred to as privileged access management (PAM). However, in the eyes of the security community and some analysts, you may see this discipline referred to as PIM or PUM (privileged identity management or privileged user management). While similar, there are subtle distinctions, just as with the different types of adversaries we reviewed earlier.