Four strategies security teams can use to defend against common attack vectors and tactics of privilege escalation, ransomware and account takeovers.

Dark Reading Staff, Dark Reading

October 19, 2020


The consequences of a cyberattack can be costly. According to Accenture’s Ninth Annual Cost of Cybercrime Study, the average financial impact of a cyberattack rose from $1.4 million to $13 million per attack. If the first half of 2020 is any indication, this number will continue to rise as attackers amplify their campaigns to take advantage of emerging opportunities, like those associated with changing work environments, and target organizations’ weakest links.

As more companies move workloads to the cloud, adopt collaboration tools to support remote workforces, and increase automation capabilities, attackers are consistently refining their strategies to exploit areas of business transformation.

Maintaining business continuity and resiliency in the face of this dynamic threat landscape starts with understanding the mindset of an attacker. While motivations may vary – from financial gain and espionage to business disruption – the attack cycle remains relatively constant. First, motivated attackers will use common means, like phishing or exploiting a known software vulnerability, to gain a foothold on a network. Once that step is achieved, they’ll typically seek to exploit privileged accounts – those accounts with broad and powerful administrative access – for the purposes of reconnaissance or to maintain persistence on the network to launch further attacks. Without privileged access, however, the vast majority of attacks don’t proceed beyond nascent stages.

Gaining privileged access is consistently a priority for attackers. Rapid business transformation led by investments in digital technologies has contributed to privileged account sprawl across cloud and hybrid environments, opening up even more potential access points. Critical business processes, applications and cloud instances, for example, all have associated privileged accounts required to maintain and help protect them.

Securing privileged access helps shrink the attack surface by breaking the attacker tool set and restricting the spread of an attack. Limiting lateral movement forces attackers to use tactics that are ‘louder’ and more easily identifiable so organizations can be alerted and work to halt progression of the attack before the business is dramatically impacted.

Based on analysis by CyberArk Labs of common cyberattack vectors and tactics, here are four strategies that prioritize privileged access management in order to better arm businesses to defend against them.

Strategy 1: Stopping Privilege Escalation
The software and applications organizations rely on to run their business can be riddled with misconfigurations and vulnerabilities, especially if basic upgrades and patching aren’t being done consistently. According to a study conducted by the Ponemon Institute in 2019, 60% of data breaches involved unpatched vulnerabilities. But to the attacker, the vulnerability itself represents an open door to gain that initial foothold. The critical step is how attackers use their initial position to escalate privileges and facilitate lateral movement across increasingly distributed and decentralized networks.

Privilege escalation is the most critical link in the attack chain, as it can allow an attacker to accomplish several steps, including gaining network persistence, building in additional backdoors and ultimately accessing critical assets. A modern privileged access management program enforces the principle of least privilege, which helps ensure that users have only the access required to perform their functions – and nothing more. This helps limit super-user and administrator permissions, further reducing the overall attack surface.

Strategy 2: Preventing Lateral Movement
Lateral movement is a tactic often interconnected with privilege escalation that is designed to allow attackers to enter and control systems on a network with the goal of spreading an attack or facilitating long-term persistence. Attackers use lateral movement to progress from the original foothold to find valuable information, get access to business-critical systems or execute an attack. Exploiting privileged access is the way to facilitate this movement. By escalating privileges, attackers can effectively move from place to place including from on-premises environments into and across cloud environments, and vice versa. Privileged access management is one of the most effective ways to stop lateral movement by securing the access points attackers need to move across a network, thereby helping to block progression of an attack.

Strategy 3: Slowing the Spread of Ransomware
Ransomware continues to be one of the most common and costly cyberattacks. While the attack typically starts on an endpoint, the goal of ransomware is to encrypt files, applications or systems so that attackers can hold an organization hostage until a ransom is paid. One laptop isn’t going to get the criminal a payday but compromising an entire network certainly can. The move from endpoint to network is a critical aspect of the ransomware strategy. Cybersecurity Ventures estimates that the global cost of ransomware will top $20 billion by next year and predicts that ransomware attacks will target businesses every 11 seconds.

Today’s interconnected businesses make ransomware attacks a real concern for organizations of all sizes. But while ransomware is damaging, privileged access management can limit its spread and keep it contained to the initial infection point. Based on CyberArk Labs research, which has tested 2.5 million variants of ransomware, removing local admin rights, combined with application control on endpoints, was 100% effective in stopping the spread of ransomware.

Strategy 4: Preventing Account Takeovers
Account takeover (ATO) attacks are sophisticated, targeted and designed to give the attacker as much control over an environment as possible by stealing and exploiting legitimate user credentials. Attackers prioritize privileged credentials in ATOs – especially for accounts with ‘always on’ access. These powerful accounts enable attackers to move through a network and achieve full compromise of an Active Directory, the domain controller and even entire cloud environments.

Privileged access management solutions – especially those that include just-in-time access controls – can dramatically reduce the attack surface by securing the authentication credentials that are spread across environments. A just-in-time approach helps provide the appropriate levels of access to the right resources for the right amount of time, eliminating the always-on accounts that attackers covet. This makes the life of the attacker much more difficult by preventing privilege escalation and severely restricting lateral movement.
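The difference between always-on and just-in-time access can be made concrete with a small model. The following is an added example, not code from the article or from any vendor product: the `Grant` record, the four-hour `MAX_WINDOW` policy ceiling and the sample accounts are all assumptions constructed for illustration. It authorizes a privileged action only under an unexpired, time-boxed grant and audits for the standing assignments the paragraph above describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_WINDOW = timedelta(hours=4)  # assumed policy ceiling for a single elevation

@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    resource: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None models a standing ("always on") assignment

def is_active(g: Grant, now: datetime) -> bool:
    return g.granted_at <= now and (g.expires_at is None or now < g.expires_at)

def authorize(grants, principal, role, resource, now) -> bool:
    """Allow only when an unexpired grant within MAX_WINDOW covers the request."""
    return any(
        (g.principal, g.role, g.resource) == (principal, role, resource)
        and g.expires_at is not None
        and g.expires_at - g.granted_at <= MAX_WINDOW
        and is_active(g, now)
        for g in grants
    )

def audit(grants, now):
    """List active grants that give an attacker always-on or long-lived privilege."""
    findings = []
    for g in grants:
        if not is_active(g, now):
            continue
        if g.expires_at is None:
            findings.append((g.principal, g.role, "standing"))
        elif g.expires_at - g.granted_at > MAX_WINDOW:
            findings.append((g.principal, g.role, "window-too-long"))
    return findings

# Constructed sample data: names, roles and times are illustrative only.
T0 = datetime(2020, 10, 19, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Grant("svc-backup", "domain-admin", "corp-ad", T0 - timedelta(days=400), None),
    Grant("alice", "db-admin", "orders-db", T0, T0 + timedelta(hours=1)),
    Grant("bob", "cloud-owner", "prod-account", T0, T0 + timedelta(days=30)),
]

if __name__ == "__main__":
    print(audit(SAMPLE, T0 + timedelta(minutes=30)))
```

In this model a stolen credential for `alice` is useful for at most one hour, while the standing `svc-backup` assignment is reported by the audit and refused by `authorize` until it is replaced with a time-boxed grant.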

The compromise of privileged accounts lies at the core of the cyberattack cycle. To learn more about how privileged access management can help break the cycle and help protect organizations’ most critical data, infrastructure and assets, download a complimentary copy of the Gartner 2020 Magic Quadrant for Privileged Access Management. [1]

[1] Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, 4 August 2020
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About the Author: Lavi Lazarovitz, Head of Security Research, CyberArk 

Lavi Lazarovitz is the head of security research at CyberArk Labs. He and his team focus on offensive security and security innovation. They specialize in spotting security gaps in emerging technologies and developing innovative new security layers and effective mitigations to fill those gaps. Recent research includes acclaimed work on: cloud security, containers and Kubernetes security and authentication and identity security.
