23. Sample Privileged Access Management Use Cases – Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations

© Morey J. Haber 2020
M. J. Haber, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-5914-6_23

23. Sample Privileged Access Management Use Cases

Morey J. Haber, Heathrow, FL, USA
 
A threat actor thrives on the weakness of processes and the inability of an organization to establish best practices. Privileged access management can stymie a threat actor, even if other security best practices are not being fully followed. Consider these top three problems almost every organization faces:
1. Employees and Other Insiders Have Unnecessary Access: Employees, vendors, and other insiders are often given excessive access to systems and data—and that access can go unmonitored.

2. Credentials Are Shared and Unmanaged: Passwords are created and shared, but aren’t audited, monitored, or managed with discipline or accountability.

3. Information Technology (IT) Assets Communicate Unchecked: Desktops, laptops, servers, and applications communicate and open paths to sensitive assets and data.

Even with security best practices, these three deficiencies can often materialize in almost every enclave or implementation. Consider the use cases in Table 23-1 to address these problems in the form of challenges, needs, solutions, and benefits.
Table 23-1. PAM Use Cases

Each use case below is described by its Challenge, Need, Solution, and Benefit.

Tasks Require Administrative Credentials
Challenge: Applications require privileged credentials to operate correctly. Security policies do not provide administrative or root credentials to users to complete their assigned tasks.
Need: Users need to execute applications that require privileges above Standard User.
Solution: Implement a least privilege solution to change the privileges of the application, or seamlessly apply privileged credentials to the application.
Benefit: Users can perform their intended tasks, and security policies are maintained by not providing privileged credentials.

Local Credentials Have Stale Passwords
Challenge: Local accounts have passwords that are reused, well known, or have never been changed on servers, desktops, laptops, and tablets.
Need: Security best practices and regulatory compliance require privileged password management and that reused, well-known, or nonmanaged passwords are mitigated.
Solution: Use a password management solution or agent technology to identify credentials used for user logins and services, and place them under management.
Benefit: Ensures security best practices for credential management and ensures even mobile devices can be managed against password reuse and stale password problems.

Correlation and Consolidation of Account Aliases
Challenge: Organizations have too many local and directory service aliases for the same identity, making reconciliation difficult.
Need: Organizations and regulations require reliable identification of a user’s activity. With disjointed aliases, this mapping is difficult to maintain.
Solution: Utilize a directory bridging technology across all Unix, Linux, and macOS environments to centralize authentication via Active Directory.
Benefit: Ensures that an identity’s Active Directory account is the same authoritative account for all platforms and eliminates local aliases.

Correlation of High-Risk Applications and Usage
Challenge: Threat analysis and vulnerability management programs lack the correlation of vulnerable applications and real-world usage.
Need: Organizations cannot prioritize vulnerabilities based on user behavior and application usage.
Solution: Track application usage with granular details and map the results to known vulnerabilities.
Benefit: Control applications via whitelisting, blacklisting, and greylisting based on vulnerabilities, age, and risk.

Removal of End-User Administrative Privileges
Challenge: Security best practices, threat reduction, and compliance regulations require the management of privileged rights.
Need: Remove administrative rights from all end users while allowing them to maintain productivity.
Solution: Implement a least privilege solution that can target applications and operating system tasks for privileged rights—without providing the end user with administrative credentials.
Benefit: Risk reduction by avoiding baseline drift, malware mitigation through the removal of rights, lower total cost of ownership, regulatory compliance, and fewer administrative accounts.

Removal of Server Administrative Rights
Challenge: Security best practices, threat reduction, and compliance regulations require the management of privileged rights and session activity monitoring when accessing servers.
Need: Remove administrative or root privileges from administrators, while allowing them to maintain productivity on server-based operating systems.
Solution: Implement a least privilege solution that can target applications, databases, and operating system tasks for privileged rights—without providing the administrator real local or domain credentials.
Benefit: Risk reduction by enforcing change control, malware mitigation through the removal of rights, regulatory compliance, and full session management.

Removal of Application-to-Application Passwords
Challenge: Applications, services, and databases need credentials or certificates to operate correctly, as their processes need authentication against local or remote resources.
Need: The ability to remove stale and static password assignments within applications and replace them with API calls or programmatic replacements.
Solution: Implement a password management solution capable of replacing passwords within applications or substituting API calls within applications to remove user-defined or hard-coded passwords or certificates.
Benefit: Passwords or certificates used between applications are no longer hard-coded or stale, and can be managed by a password management solution.

Change Control Workflow Requires Approvals
Challenge: Change control requiring administrative or root privileges mandates approval from team members before execution.
Need: Instrument a workflow that contacts team members and requires approval or denial of privileged access to a host in order to complete privileged tasks governed by change control.
Solution: Implement a password management or least privilege solution that has a workflow engine (internal or compatible with third-party solutions) that can track, report, and provide access once approvals have been granted.
Benefit: Change management, security best practices, and workflow approval requirements can be met for privileged access.

Reduction of Threats for Infrastructure Access
Challenge: Nonserver-based infrastructure, such as routers, switches, firewalls, load balancers, cameras, security systems, iDRACs, etc., typically has the same password across multiple devices (password reuse) or has stale passwords, leading to unnecessary risk and exposure.
Need: Provide a mechanism to manage infrastructure passwords, ensure they are all unique, and automatically rotate (manage) them periodically to ensure they do not become stale.
Solution: Implement a password management solution that is capable of discovering and classifying infrastructure devices and managing (rotating, etc.) passwords periodically for any managed account.
Benefit: Risk reduction and consistent security best practices for unique passwords per device and automatic rotation of passwords to prevent leaked or stale passwords from being compromised.

Automatic Login with No Credential Exposure
Challenge: Provide access to a resource without exposing the credentials. How do you control what happens to a password once it has been released?
Need: The ability to log on to a resource (application, operating system, database, etc.) without exposing the credentials and providing an attacker with the opportunity to copy and reuse them.
Solution: Implement a password management and/or a least privilege solution that can automatically pass credentials to a resource for authentication without exposing them to the end user.
Benefit: Users are logged in automatically, and the session can be monitored for malicious activity.

Document Privileged Activity for Audits and Compliance
Challenge: Determine what a user did during a session and alert on any potentially inappropriate activity, especially when using administrative or shared accounts.
Need: A solution that can record video, log keystrokes, and record application activity in a reportable and indexed format for review by security teams and auditors.
Solution: Implement a technology that can provide this capability (session recording, keystroke logging, and application activity) in line with an active session, or using agent or proxy technologies. The results should be stored in a database, encrypted, and protected so that they could be used for forensics or in a court of law, if required.
Benefit: Session activity can be reviewed for mistakes, malicious activity, training, or even breach forensics.

Provide an Access Broker to Cloud Resources
Challenge: Limit risk exposure to cloud resources by restricting privileged access to only trusted users, resources, and locations.
Need: Implement security processes and technology that can control privileged access to cloud resources, ensuring they do not get compromised by remote threat actors.
Solution: Implement a cloud access security broker (CASB) or remote session proxy that can manage connections by user, credentials, location, and even context-aware time of day.
Benefit: This adds a layer of security for environments to properly access and control cloud resources, while restricting potential lateral connectivity.

Manage Third-Party Access Risk
Challenge: Ensure partner, contractor, and authorized third-party access into the company, cloud, or other resources is used correctly by nonemployees, even temporarily.
Need: Provide complete context-aware access control based on user, location, and time and date of access to resources. Document all activity for auditing and forensics.
Solution: Implement a password management solution that controls and monitors nonemployee access with the granularity needed to review any session activity.
Benefit: Limit the exposure of nonemployee access and mitigate risks from stolen credentials, rogue sessions, and lateral movement by unauthorized personnel.

Break Glass
Challenge: Provide out-of-band access to systems during a crisis. Note: This is covered in detail in a prior section.
Need: Privileged access can be granted in the event of an emergency.
Solution: Implement a password management system capable of releasing emergency (break glass) credentials in the event of a crisis and document all activity and usage to ensure proper resolution.
Benefit: Ensures that crisis situations can be resolved quickly, even if key personnel are not available, or in the event of a disaster.

Minimize Data Exposure
Challenge: Controlling access to sensitive data when users or administrators have been granted privileged rights to a system, application, or database.
Need: Provide a vehicle to monitor commands, data displayed, and output for malicious activity that might expose sensitive data.
Solution: Implement a password manager and least privilege solution that can perform command-line filtering, alert on activity, and search displayed results for indications of excessive data exposure.
Benefit: Users and administrators can be blocked from issuing sensitive commands, and teams can be alerted if data from sensitive sources is visible.

Granular Role-Based Access
Challenge: Operating systems and applications may not contain granular permission controls to restrict inappropriate access.
Need: When possible, restrict commands, child processes, applications, and operating system functions even when the user is executing with privileged rights.
Solution: Implement a technology that can monitor individual commands, child processes, scripts, and applications and perform an action if they are executing, including blacklisting the task from executing.
Benefit: The results minimize the attack surface for operations that may not inherently have role-based access built in.

Rogue Accounts
Challenge: Privileged users may have the ability to create rogue local, domain, or application accounts against company policies and security best practices.
Need: Prevent out-of-band access and potential malicious activity by preventing the creation of rogue accounts.
Solution: Implement a technology that can monitor local, domain, and application account creation and, based on policy, even deny the accounts from being created in the first place.
Benefit: Risk reduction by controlling account creation to authorized business processes only.

Service Accounts
Challenge: Service accounts have privileged access on the local system and, in some cases, such as Windows domain accounts, access to off-system resources. Given the complexity of managing these credentials and the potential impact on operations, they are often configured with nonexpiring passwords and are rarely changed.
Need: An automated method to discover and rotate distributed service account passwords and restart the dependent services, while minimizing the impact on dependent applications and processes.
Solution: Implement a password manager that can perform centralized discovery, password management, and intelligent restarting of services across the enterprise.
Benefit: Stored passwords are no longer hard-coded and can be cycled on an ongoing and frequent basis, all while reducing downtime of applications and related services. This reduces the risks associated with backdoor access by employees and contractors, as well as with numerous password hacking techniques.

Controlling Access Availability
Challenge: Administrative accounts are “always-on” or allow for persistent access, creating a time-based risk surface during which a threat actor can exploit an administrative account.
Need: Apply ephemeral properties to administrative accounts and provide access just in time to satisfy business requirements.
Solution: Based on business requirements and honoring internal change control and workflow, administrative accounts are only available for the period of time required to complete a task.
Benefit: The time-based risk surface for administrative accounts, especially those not used frequently, can be drastically reduced.

Dynamic access control is not a specific use case, but may be implemented to provide added security in any of the previously discussed scenarios. Organizations that want to control when a user should have access to specific resources and systems are often limited by the native access models. For example, third-party vendors should not be able to access their passwords after working hours, and server administrators should not have access to the financial application server during month-end payroll processing, or from remote locations.

The bottom line is that many organizations have internal and external entities that need to access the network regularly. There is an issue with this: how can you be sure that the credentials used for access are being properly managed? As seen all too often, hackers will leverage external company credentials to find a route in. Organizations need the ability to overlay a more flexible and dynamic access model on top of the native access constructs of the underlying systems and applications.

Implement a password management and/or session management solution(s) that provide dynamic access policy constructs. Dynamic access models evaluate all the parameters at the point of the access request to make sure the appropriate decision is made regarding access. Evaluation criteria can include:

Who is trying to log on?

What system are they trying to access?

Where are they logging in from?

What level of access are they requesting?

What is the day of the week?

What is the time of day?

Applying context to each access request or session reduces risk by letting the organization incorporate best practices into privileged access, which can help protect your organization from a breach. For example, if we know that a break glass account is for emergency use only, let’s only make it available outside of normal business hours. Also, if we would normally expect that account to be accessed by a remote worker working from home, let’s also make sure the request is coming in via the VPN concentrator.
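As an added example (not code from the book or any product), a small Python evaluator that applies the six criteria above at the moment of each request, with the chapter's two scenarios encoded as rules: a vendor account usable only during business hours over the VPN, and a break glass account usable only outside business hours and only via the VPN concentrator. Every user, account, target, network name, and business-hours window here is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical context model for one privileged access request; every value
# used below is constructed for illustration, not taken from a real product.
@dataclass(frozen=True)
class AccessRequest:
    user: str       # who is trying to log on
    account: str    # which privileged account they want released
    target: str     # what system they are trying to access
    network: str    # where they are logging in from: "vpn", "corp", "internet"
    level: str      # what level of access they request: "standard" or "admin"
    when: datetime  # supplies the day of the week and the time of day

@dataclass(frozen=True)
class Rule:
    account: str
    users: frozenset     # users permitted to use the account
    targets: frozenset   # permitted target systems ("*" means any)
    networks: frozenset  # permitted source networks
    max_level: str       # highest level the rule may grant
    inside_hours: bool   # True: only during business hours; False: only outside them

LEVEL_RANK = {"standard": 0, "admin": 1}
BUSINESS_HOURS = range(9, 17)        # 09:00 to 16:59 local time (assumption)
BUSINESS_DAYS = frozenset(range(5))  # Monday (0) through Friday (4)

# Constructed policy: the vendor may work only during business hours over the VPN;
# the break glass account is emergency-only, so outside hours and only via the VPN.
RULES = (
    Rule("vendor-svc", frozenset({"acme-tech"}), frozenset({"hvac-ctrl"}),
         frozenset({"vpn"}), "standard", inside_hours=True),
    Rule("breakglass-admin", frozenset({"oncall-1", "oncall-2"}), frozenset({"*"}),
         frozenset({"vpn"}), "admin", inside_hours=False),
)

def during_business_hours(when):
    return when.weekday() in BUSINESS_DAYS and when.hour in BUSINESS_HOURS

def evaluate(req, rules=RULES):
    """Check every criterion at the moment of the request; deny by default."""
    for rule in rules:
        if rule.account != req.account:
            continue
        if req.user not in rule.users:
            return "deny", "user not authorized for this account"
        if "*" not in rule.targets and req.target not in rule.targets:
            return "deny", "target system not permitted"
        if req.network not in rule.networks:
            return "deny", "source network not permitted"
        if LEVEL_RANK.get(req.level, 99) > LEVEL_RANK[rule.max_level]:
            return "deny", "requested access level too high"
        if during_business_hours(req.when) != rule.inside_hours:
            return "deny", "outside the permitted time window"
        return "allow", "all context checks passed"
    return "deny", "no policy for this account"

def decide(user, account, target, network, level, iso_when):
    # Convenience wrapper: builds the request from an ISO 8601 timestamp string.
    req = AccessRequest(user, account, target, network, level, datetime.fromisoformat(iso_when))
    return evaluate(req)
```

Because the decision is recomputed for every request rather than stored on the account, the same break glass credential is refused at 10:00 on a Tuesday and released at 22:00, and refused at any hour if the request does not arrive over the VPN.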

Incident Tracking
Challenge: Remote management and ticketing systems lack visibility into incidents and unplanned resource allocation.
Need: The ability for authoritative sources for change control and incident tracking to have awareness and approval of out-of-band access and changes.
Solution: Implement a privileged access solution that integrates activity with ticketing, help desk, and other call center solutions for workflow and documentation.
Benefit: Any and all access is documented with tickets, and a documented process for access can be achieved.

Onboarding of a Remote Workforce
Challenge: Employee, vendor, or contractor remote access is not managed through established controls and processes.
Need: Establish security controls for remote workers in accordance with established guidelines and access restriction policies.
Solution: Automatically onboard accounts and configure them for remote access to internal resources, simulating, as much as possible, an in-office experience.
Benefit: Remote access workers are automatically onboarded to support teleworking and eliminate the risk associated with virtual private networking (VPN) technologies.

Onboarding of Remote Access Accounts for Privileged Access
Challenge: Privileged remote access accounts are not managed through established controls and processes.
Need: Establish security controls for remote access accounts following established guidelines and access restriction policies.
Solution: Provide discovery and automatic onboarding of accounts configured for remote access, whether on-premises or from external connections.
Benefit: Remote access accounts are automatically onboarded for privileged account management and have passwords that are managed, rotated, and tracked for inappropriate access.

Session Management for Remote Access
Challenge: External connections to on-premises resources, or cloud environments, do not fall under session management policies for auditing and reporting.
Need: Connections established to on-premises resources can originate outside of the perimeter and could circumvent session monitoring policies.
Solution: Session management, including session recording, keystroke logging, and lateral movement detection, can be performed at the connection demarcation point, through the privileged session proxy, or at the endpoint itself, depending on the compliance requirements.
Benefit: Regardless of the remote access entry point, session management can be enforced irrespective of network path or resource accessed.

Privileged Remote Access
Challenge: Administrator or root remote access requires user interaction to retrieve credentials for privileged access.
Need: Technology used to retrieve privileged credentials for remote access is susceptible to attack vectors, including screen capture and memory-scraping malware.
Solution: Provide seamless privileged remote access to resources, with no user intervention, to retrieve and apply credentials without exposing the account to the end user.
Benefit: Seamless connectivity, ease of use, and a mitigation strategy for malware that attempts to obtain credentials from an end user’s asset during a privileged session.

Remote Access Risk Assessment
Challenge: Remote access is granted to an authorized user regardless of the risks and threats associated with the target or source asset.
Need: Create an asset risk system based on industry standards to measure threats and risks, and use the associated data to determine the connectivity and privileges associated with remote access.
Solution: Provide threat and risk assessment data from configuration and vulnerability assessments to the privilege and remote access engines to determine the remote access connectivity state.
Benefit: Remote and privileged access can be denied to insecure assets or from high-risk sources based on asset cybersecurity hygiene using industry-standard scoring.