A new study recently released by Israeli security firm CyberArk Software has revealed the growing use of privileged accounts by cybercriminals.
The report, entitled "Exploits of Privileged Accounts Shift The Front Lines of Security," included input from six security firms that investigate threats to enterprise information security. It found that while attackers often use malware to gain initial entry into enterprise systems, they frequently go on to abuse privileged accounts in order to remain in the network undetected.
According to CyberArk CEO Udi Mokady, as more devices become infected with malware, users are growing more aware of what an attack looks like, forcing cybercriminals to change their tactics. As a result, once attackers have a foothold in a system they turn to privileged accounts, which let them come and go as they please and create access for additional users that is hidden within the regular traffic of the network.
"This also explains why attacks are so hard to discover and stop," said Mokady in an interview with CSO Online. "An attacker with access to a privileged account can lie there undetected for 200 days or more."
Compromised privileged accounts are the basis of most attacks
The study found that privileged account exploitation occurs in nearly every targeted attack: compromised privileged accounts were involved in between 80 and 100 percent of the attacks investigated by the contributing teams. As Mokady noted, privileged accounts are an integral part of practically every part of enterprise IT infrastructure, giving attackers numerous access points that are infrequently monitored. The larger the enterprise, the greater the risk: most organizations do not know how many privileged accounts exist on their systems, and the more traffic there is, the easier it is for malicious activity to hide within it.
The report also found that attackers exploit privileged accounts in a variety of ways, including compromising devices connected to the Internet of Things and creating multiple privileged accounts to give themselves redundant access points. Among the accounts most vulnerable to attack are service accounts, which are used for machine-to-machine communication rather than by people.
"Most companies expect service accounts to be used only internally, so they keep the default passwords," said Christopher Novak, global managing principal for investigative response for the Verizon RISK Team, which contributed to the report. "We've seen 25 or 30 attacks recently in which attackers used default passwords. And because it's presumed individuals aren't using [these accounts], analysts dial down the sensitivity on alerts. Service accounts are out of sight, out of mind."
Old views on cybersecurity need to be reevaluated
In an interview with ComputerWeekly, Mokady noted that most companies focus only on preventing intrusions, instead of finding the attackers that have already made their way inside an enterprise system. He suggested that organizations base their cybersecurity strategies on the assumption that they will eventually be breached and that privileged accounts will be sought out in those attacks.
Organizations interested in stronger network monitoring should consider security information and event management (SIEM). SIEM solutions apply large-scale log analysis, observing and learning user behavior in order to detect suspicious activity more effectively. Managed SIEM services provide around-the-clock monitoring of enterprise networks, building a record of activity from which a baseline of normal behavior is derived. When anomalous events occur, such as the misuse of privileged accounts, they are identified and recorded, and that information can then be used to contain breaches and build more comprehensive defensive procedures.
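The following is an added example, not code from the CyberArk report or from any SIEM product, showing the kind of baseline-and-anomaly logic the paragraph above describes, applied to the two warning signs raised earlier on the page: service accounts being used interactively (the alerts that Novak says analysts tend to dial down) and privileged accounts appearing on new hosts or creating additional accounts. All events, account names, hostnames and the "privileged" and "service account" inventories are constructed for the example; the logon-type codes follow the Windows security event 4624 convention (2 = interactive, 3 = network, 5 = service, 10 = remote interactive) and 4720 is the "user account was created" event.

```python
"""Baseline a clean window of authentication events, then flag deviations.

Added example with constructed data. The baseline window is assumed to be
clean; in practice it would be built from weeks of history, not six events.
"""
from collections import defaultdict

# Constructed inventories. The article's point is that most organisations
# do not actually have a complete list like this.
PRIVILEGED = {"svc_backup", "svc_sql", "adm_jdoe"}
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}
INTERACTIVE_LOGON_TYPES = {2, 10}   # console and RDP logons


def ev(event_id, user, host, logon_type=None, target=None):
    """Build one normalised event record (constructed, not a real log line)."""
    return {"event_id": event_id, "user": user, "host": host,
            "logon_type": logon_type, "target": target}


# Prior week, assumed clean: service accounts log on as services or over the
# network, the admin works from a workstation and RDPs to the domain controller.
BASELINE_EVENTS = [
    ev(4624, "svc_backup", "BKP01", 5),
    ev(4624, "svc_backup", "FS01", 3),
    ev(4624, "svc_sql", "DB01", 5),
    ev(4624, "adm_jdoe", "WS-JDOE", 2),
    ev(4624, "adm_jdoe", "DC01", 10),
    ev(4624, "jsmith", "WS-JSMITH", 2),
]

# Today's events, constructed to include the patterns the page warns about.
NEW_EVENTS = [
    ev(4624, "svc_backup", "BKP01", 5),               # normal
    ev(4624, "svc_backup", "WS-JSMITH", 10),          # service account used over RDP
    ev(4624, "adm_jdoe", "DC01", 10),                 # normal
    ev(4624, "adm_jdoe", "DB01", 10),                 # admin on a host never seen before
    ev(4624, "jsmith", "WS-JSMITH", 2),               # normal, not privileged
    ev(4720, "adm_jdoe", "DC01", target="helpdesk2"),  # admin creates a new account
    ev(4624, "svc_sql", "DB01", 5),                   # normal
    ev(4720, "helpdesk2", "DC01", target="svc_temp"),  # the new account creates another
]


def build_baseline(events):
    """Map each account to the set of (host, logon_type) pairs seen in the clean window."""
    baseline = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624:
            baseline[e["user"]].add((e["host"], e["logon_type"]))
    return baseline


def classify(event, baseline):
    """Return the list of reasons this event deserves an alert (empty = normal)."""
    reasons = []
    user = event["user"]
    if event["event_id"] == 4720:
        # Account creation is how an attacker builds redundant access points.
        if user in PRIVILEGED:
            reasons.append("privileged account created a new account")
        else:
            reasons.append("account creation by account outside privileged inventory")
        return reasons
    if user in SERVICE_ACCOUNTS and event["logon_type"] in INTERACTIVE_LOGON_TYPES:
        reasons.append("service account used interactively")
    if user in PRIVILEGED:
        known_hosts = {host for host, _ in baseline.get(user, ())}
        if event["host"] not in known_hosts:
            reasons.append("privileged account logon from host not in baseline")
    return reasons


def detect(events, baseline):
    """Return [(event, reasons)] for every event that triggers at least one reason."""
    flagged = []
    for e in events:
        reasons = classify(e, baseline)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for e, reasons in detect(NEW_EVENTS, base):
        print(f"{e['event_id']} {e['user']:>11} @ {e['host']:<10} -> {'; '.join(reasons)}")
```

Two design points matter more than the rules themselves. First, the service-account check does not depend on the baseline at all: an interactive logon by an account that should never be used by a person is suspicious on its own, which is exactly the alert Novak describes being tuned down. Second, the account-creation rule flags creation by any account not in the privileged inventory as well as by known admins, because an account the organisation never inventoried is the kind of hidden access point the report describes; expect these rules to be noisy on real data until the inventory and baseline are accurate, which is the work a SIEM deployment actually consists of.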