Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Insider Threats

End of Bibblio RCM includes -->

Enterprises Remain Riddled With Overprivileged Users -- and Attackers Know It

Attackers commonly focus on finding users with too much privileged access as their ticket to network compromise. What can companies do?

Recent breaches have underscored the dangers of overprivileged user accounts and software processes, highlighting the need for companies to discover and mitigate the privileged accounts that could be used by attackers to further compromise important systems and applications. 

Last month, the breach of an administrative account at video service provider Verkada left the firm's customers — among them, Tesla and Cloudflare — open to surveillance by online intruders. Verkada's cloud video service appears to have allowed super users unrestricted access to customer video streams and cameras, allowing a single breach to have massive impact. Similarly, through the compromise of the update process for SolarWind's Orion remote management software, attackers gained complete access to customers' systems because Orion, by default, had complete access.

Related Content:

Verkada Breach Demonstrates Danger of Overprivileged Users

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Build a Resilient IoT Framework

The problem is not limited to super user accounts on cloud services. Many workstations and servers continue to have overprivileged accounts that could be abused, and it's not just administrator accounts, says Tim Wade, technical director with the CTO team at threat detection firm Vectra.

"It is important to recognize that privilege exists on a spectrum," he says. "The obvious candidate for concern is associated with administrative rights, but the reality is that even seemingly innocuous access to shared resources beyond necessity can enable attack progress toward its intended target."

While the concept of least privilege is widely understood, users and applications with more rights than necessary continue to be a common problem. More than a third of companies (37%) have detected overprivileged accounts, according to the "Oracle and KPMG Cloud Threat Report 2020." These credentials are in attackers' sights as well, with 59% of the surveyed companies suffering an attack where privileged credentials were phished. While companies often give users too many privileges, often the problem is that applications — especially legacy applications — typically require high-level privileges. 

In addition, while desktop systems, such as Windows and MacOS, have done away with the default administrator account, too many vulnerabilities can escalate the privileges of a standard user account. In fact, 56% of critical vulnerabilities reported in Microsoft software in 2020 could have been mitigated by removing administrative rights, stated access management firm Beyond Trust in a recent report. 

"With Windows, you still have too much power with the default login," says Morey Haber, chief technology officer and chief information security officer at BeyondTrust. "You still have to reduce it to a standard user, and Macs are no better."

Applications that have problematic security architectures and require too many privileges continue to be a problem. The ongoing saga of the SolarWinds compromise is a case in point. 

Between May and December 2020, malicious updates of the SolarWinds Orion remote management software compromised an estimated 18,000 companies. Of all the security issues that cropped up following the breach of SolarWinds and its customers, perhaps the most significant is that once the compromised update was installed, the attackers had access to every device and application in a customer's environment, evading security software because the Orion software is generally whitelisted in the environment.

"The SolarWinds application needs a privileged account to work, that has God-like privileges, and anti-malware allow-listing throughout everything," Haber says. "So you have one credential that allows the whole application to work, and that is really how we got into so much trouble."

To combat privilege creep, companies need to first discover the degree to which administrator accounts, management APIs, and system processes are a problem in their on-premises and cloud environment. Some of that discovery can be done in Active Directory by looking for specific groups or members that have certain rights, such as password-reset authority, administrative access to cloud accounts, or the ability to manage organizational units.

However, this quickly becomes onerous, says Vectra's Wade. In addition, continuous monitoring of the use of privileged accounts requires the ability to look for anomalies in real time.

"Unfortunately, many organizations focus on auditing granted privilege, which, while important, is often resource-intensive and difficult to fully contextualize against the continued needs of the business," he says. "Is this account actually overprivileged in light of evolving business needs? Does the continued business need for these capabilities still exist? Or has it changed? This often means trade-offs of coverage and confidence with respect to managing privilege, which tend to create the gaps exploited by adversaries."

With the increasing adoption of cloud infrastructure and services during the pandemic, privileged user management has become more difficult and harder to monitor in real time. Yet the distributed workforce and services mean that updated monitoring is even more important, Wade says.

"Organizations should identify the subset of critical roles and entitlements to be audited, while deploying dynamic solutions to cast a wider net around observed privilege across the enterprise," he says. "This is a place where artificial intelligence and machine-learning techniques have proved to be particularly useful, and allow an organization to detect and respond in real time to the leading indicators that privilege is being abused."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/8/2021 | 2:33:56 PM
Great article and great points, thank you for sharing your insight.
I am currently working with various vendors who work directly with Microsoft (MSC), the acronym MSC uses is "PIM" - Priviliged Identity Management. This uses a Role Based Access Controls (RBAC) which are a collection of privileges used to allocate permissions to users (U), applications(A) or service accounts(SA).  The term PIM is used to identify specific permissions that are need to access an application or a specific resource. The problems are not necessarily problematic at the user level (U), but at the Service Account (SA), this is where "God-like" privileges are given to the SA, the users are usually placed in a group where RBAC permissions are assigned, the permissions trickle down to the user but from a hierachical standpoint, they are inherited from higher level resources. There is the delimna, we need to be able to control the permissions that are flow down from high-level to the various groups and thus to the user. That is a lot of work and that is why design of the "Infrastructure" and permission structure is extremely important. The OU or Organizational Unit can be segmented in a way that limit inherent permissions (RBAC) by stopping certain OU's from receiving permissions that are not intended.

In addition, from an application standpoint, giving only permissions to the application that are explicitly needed would have helped. Linux provides solutions like SELinux and/or Apparmor. Apparmor, if used with aa-logprof, would give the user an idea of what the applicaiton was accessing, then by creating a profile (solarwinds found under /etc/apparmor.d/), we could limit the application using a "PIM" methodology (only allow specific permissions to the SA or U) without giving the SA "God-like" access.

There are tools out there, we just have to be cognizant of them and their role, this would have helped to isolate and identify an external actor using existing tools (fail2ban (Siem), Apparmor/SELinux (policy control and mgmt), UFW (firewall/IPTables), SSH Keys (ECDSA, ED25519), KMS (Key Management System - KeyVault, CSP Key Mgmt) and/or Group Policies (Windows).

Using Azure AD Privileged Identity Management for elevated access


I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file