By Kamel Heus, VP EMEA, ThycoticCentrify
Cyber attacks are familiar to many, as both in fiction and in reality stories of data breaches and hacks are everywhere. However, the fascination with shows such as Mr. Robot and sensationalised news stories has created an out-of-touch stereotype of hackers. In these narratives, the hacker is portrayed as an anonymous, hooded figure with almost superhuman skills, capable of bringing a business to its knees with a few carefully crafted lines of code.
However, for a large majority of the time, the reality couldn’t be further from this. Far too often, the hacker causing chaos is known to the victim. It could be the teenage boy next door, the new hire at the firm, or even the waiter at the local restaurant.
A perfect example of this is Twitter’s security breach in the middle of 2020. The attack saw several notable people’s accounts hacked, including Joe Biden and Bill Gates, in a scheme reported to have reaped more than $100,000. The ‘mastermind’ behind this scam? A 17-year-old boy.
As awareness of the need for cyber security increases, so do the attacks and the costs they bring. In 2015, cybercrime was costing the world approximately $3 trillion a year; by the end of this year that figure is expected to have doubled to $6 trillion. Financial services make up a large portion of this, with a report from Accenture finding that cyber attacks are most damaging within the banking industry, costing the average bank $18.3 million per year, around 40% higher than the average across industries.
The notable increase in attacks is partly due to the changing nature of the breaches themselves. Traditional techniques, such as cracking encryption or breaking through firewalls, are no longer the chosen method of attack for many hackers. Instead, cyber criminals are simply "logging in". Websites and intranets that would previously have been considered secure can now be accessed by someone with little more knowledge than is taught in secondary school IT lessons. Instead of sophisticated techniques and years of experience, all that is needed is a weak, compromised, or stolen credential.
The ease with which these attacks can be carried out has made them commonplace. Forrester has estimated that upwards of 80% of all security breaches now involve compromised credentials. The most profitable of these attacks is business email compromise (BEC), in which the attacker uses a compromised or spoofed company email account to trick staff into making fraudulent payments from the corporate bank account. This scam alone costs businesses around $1.3 billion a year worldwide. So, with these breaches having such huge financial repercussions, what can be done to prevent them?
Understanding the Attacks
These attacks vary in scale and motivation, but by identifying the following common tactics, organisations can take the first step in stopping the hacker.
Finding a Way In
The first step for any hacker is finding the credentials that will allow them to access the system. A frequently used method is social engineering, a common example of which is phishing.
Hackers also rely on automated attacks on the credentials themselves: password spraying, which tries a handful of common passwords against a large number of accounts, and credential stuffing, which replays username and password pairs leaked from one site against other sites where users have reused them. Because spraying spreads only one or two attempts across many accounts, it typically stays below per-account lockout thresholds and goes unnoticed unless logins are correlated by source address rather than by account. Buying leaked credentials on the dark web is another easy and widely used route.
Once they have a working credential, the rest is far too easy. Even the toughest security perimeter is no defence against an attacker who is already logged in as a legitimate user.
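The detection logic implied above, as an added example that is not part of the original article: correlate failed password attempts by source address rather than by account, so that one address touching many accounts with one or two attempts each stands out as a spray even though no single account trips a lockout. The log lines are constructed sshd-style samples; the thresholds (window, minimum distinct accounts, maximum attempts per account) are assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (sample data, not from a real system).
# 203.0.113.7 tries one password against six different accounts (a spray);
# 198.51.100.2 hammers a single account (classic brute force).
SAMPLE_LOG = """\
Jan 14 09:01:02 bastion sshd[4121]: Failed password for alice from 203.0.113.7 port 51011 ssh2
Jan 14 09:01:05 bastion sshd[4122]: Failed password for bob from 203.0.113.7 port 51012 ssh2
Jan 14 09:01:08 bastion sshd[4123]: Failed password for carol from 203.0.113.7 port 51013 ssh2
Jan 14 09:01:11 bastion sshd[4124]: Failed password for invalid user dave from 203.0.113.7 port 51014 ssh2
Jan 14 09:01:14 bastion sshd[4125]: Failed password for erin from 203.0.113.7 port 51015 ssh2
Jan 14 09:01:17 bastion sshd[4126]: Accepted password for frank from 203.0.113.7 port 51016 ssh2
Jan 14 09:05:00 bastion sshd[4130]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Jan 14 09:05:03 bastion sshd[4131]: Failed password for alice from 198.51.100.2 port 40002 ssh2
Jan 14 09:05:06 bastion sshd[4132]: Failed password for alice from 198.51.100.2 port 40003 ssh2
Jan 14 09:05:09 bastion sshd[4133]: Accepted password for alice from 198.51.100.2 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn sshd password-auth lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for the relative windowing below.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "src": m.group("src")})
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """One source, many accounts, few attempts each, inside a sliding window.

    Returns {source: {"users": distinct accounts touched, "accepted": [accounts
    that logged in successfully during the spray]}}.
    """
    findings = {}
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            per_user = defaultdict(int)
            accepted = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                per_user[e["user"]] += 1
                if e["result"] == "Accepted":
                    accepted.add(e["user"])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {"users": len(per_user), "accepted": sorted(accepted)}
                break
    return findings


def detect_brute_force(events, min_failures=3):
    """The per-account view: repeated failures against one account from one source."""
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            failures[(e["src"], e["user"])] += 1
    return {k: n for k, n in failures.items() if n >= min_failures}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("brute force:", detect_brute_force(evs))
```

Note that the per-account view alone sees nothing wrong with 203.0.113.7, since each account received a single failure; only the per-source view exposes the spray, and it also surfaces the account (frank) whose password actually worked, which is the one to reset first.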
Once inside the network, the attacker's priority is to understand the environment and use that knowledge to expand their access and reach more privileged accounts and data.
A key part of this phase is mapping security controls, IT schedules and network traffic flows to understand the infrastructure and how best to move through it. The ultimate goal is to reach network resources, privileged accounts, domain controllers and Active Directory, since these hold or control the most privileged credentials.
A Clean Getaway
Finally, having reached the target data, hackers continue to elevate their privileges within the network so they can locate further profitable data, extract it, and cover their tracks. Many also create a backdoor so they can return later, for example by adding their own SSH public key to a privileged account's authorized_keys file. Such a key lets them log back in without a password and survives a reset of the stolen credential, so checking authorized_keys on privileged accounts against a known inventory is part of any credential-compromise response.
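A check for the SSH-key backdoor described above, as an added example that is not part of the original article: parse an authorized_keys file, compute each key's SHA256 fingerprint the way ssh-keygen -lf reports it, and flag any key whose fingerprint is not in the organisation's inventory, together with whether it carries a from= restriction. The file content, the keys (fixed byte patterns standing in for real ed25519 public keys) and the allowlist are all constructed for the example.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com")


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def ed25519_blob(raw32):
    """Base64 public-key blob in OpenSSH wire format (type string + 32 raw bytes)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -lf prints it: unpadded base64 of sha256(blob)."""
    raw = base64.b64decode(blob_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def blob_type(blob_b64):
    """Key type embedded inside the blob; it should match the declared type."""
    raw = base64.b64decode(blob_b64)
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode()


# Constructed keys: fixed byte patterns standing in for real ed25519 public keys.
ALICE_KEY = ed25519_blob(bytes(range(32)))
OPS_KEY = ed25519_blob(bytes(range(32, 64)))
INTRUDER_KEY = ed25519_blob(b"\xaa" * 32)

# Constructed authorized_keys content for a privileged account. The last line has
# no comment and no restrictions, which is what a hastily dropped backdoor looks like.
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys for the deploy account (constructed sample)
ssh-ed25519 {ALICE_KEY} alice@laptop
from="10.0.0.0/8",no-port-forwarding ssh-ed25519 {OPS_KEY} ops-deploy
ssh-ed25519 {INTRUDER_KEY}
"""

# Fingerprints the organisation has on record (assumed to come from the vault or CMDB).
ALLOWLIST = {fingerprint(ALICE_KEY), fingerprint(OPS_KEY)}


def parse_authorized_keys(text):
    """Split each entry into options, declared type, blob and comment."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted option values such as from="..."
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        entries.append({
            "line": lineno,
            "options": tokens[:idx],
            "type": tokens[idx],
            "blob": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit(entries, allowlist):
    """Report keys that are not in the inventory or whose declared type is inconsistent."""
    findings = []
    for e in entries:
        if "error" in e:
            findings.append({"line": e["line"], "reason": e["error"]})
            continue
        fp = fingerprint(e["blob"])
        if blob_type(e["blob"]) != e["type"]:
            findings.append({"line": e["line"], "reason": "declared type does not match blob"})
        if fp not in allowlist:
            findings.append({"line": e["line"], "fingerprint": fp,
                             "reason": "key not in inventory",
                             "restricted": any(o.startswith("from=") for o in e["options"])})
    return findings


if __name__ == "__main__":
    for f in audit(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), ALLOWLIST):
        print(f)
```

Run the same audit across every privileged account's authorized_keys (and the sshd AuthorizedKeysFile locations, which may not be the default) rather than only root's; the inventory comparison is what makes the check work, since an unknown key with a plausible-looking comment is indistinguishable from a legitimate one by eye.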
What Can Be Done?
With all of this in mind, what can be done to prevent attacks on an organisation’s privileged information?
The days of hooded figures poring over code in search of hidden weaknesses are largely gone. Today, the greatest vulnerabilities are seemingly small factors such as weak passwords and privileged access that is left unsecured or never revoked. Investing in a solid security perimeter is still crucial, but as the threat evolves, businesses must evolve their security practices with it.
Businesses should now focus on protecting identity, and on ensuring that administrative privileged credentials (especially root and shared accounts) are securely vaulted. But vaulting alone isn't enough in an age where hackers are constantly adapting their methods and exploiting new attack surfaces such as cloud and DevOps.
Companies should adopt a least-privilege approach based on identities and their respective entitlements, enforced per identity and extended to machine identities (service accounts, pipelines, workloads) as well as people. Each access request should then be evaluated on who is asking, what they are asking for, and the risk of the context they are asking from (device, location, time). Only then should access be granted, and even then only to the target asset and only for the minimum time needed.
To put it simply, three points are essential to keeping a system secure when it is assumed that bad actors are already in the network:
Adopt a Zero Trust approach. Zero Trust trusts no one by default, including those already inside the network. It assumes the network has already been breached and so maintains strict control over access to every resource. Never trust, always verify, enforce least privilege.
Adopt multi-factor authentication everywhere. Users with elevated privileges are the prime target for hackers, so securing their accounts is critical. MFA is a relatively easy control to roll out and adds a layer of defence beyond the username and password, such as a one-time code or a fingerprint scan. For privileged accounts, prefer phishing-resistant factors (FIDO2 security keys or platform authenticators) over SMS codes, which can be intercepted or socially engineered.
Utilise machine learning. Machine learning allows constant, consistent monitoring of privileged users' behaviour and can quickly flag atypical or risky actions. Alerts can then be raised in real time, or sessions automatically terminated when a risk threshold is reached, cutting off an attack in progress before it does further damage.
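The alert-or-terminate decision described in the last point, as an added example that is not part of the original article: a per-user behavioural baseline built from past privileged sessions (hosts administered, source networks, hours of activity), an additive risk score for a new session with the reasons attached, and a threshold that maps the score to allow, alert or terminate. The baseline here is a simple statistical profile standing in for the trained model the article refers to; the session history, the sensitive-host list and the score weights are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history of privileged sessions: (user, target host, source IP, start time).
HISTORY = [
    ("admin1", "web01", "10.1.2.15", "2021-03-01T09:12"),
    ("admin1", "web02", "10.1.2.15", "2021-03-01T14:40"),
    ("admin1", "web01", "10.1.2.20", "2021-03-02T10:05"),
    ("admin1", "web02", "10.1.2.15", "2021-03-03T16:30"),
    ("admin1", "web01", "10.1.2.15", "2021-03-04T11:00"),
]

# Hosts where an unusual session matters more (assumed list, not from the article).
SENSITIVE_HOSTS = frozenset({"dc01", "dc02"})


def net24(ip):
    """Collapse an IPv4 address to its /24 so a DHCP change is not an anomaly."""
    return ".".join(ip.split(".")[:3])


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def build_baseline(history):
    """Per-user sets of hosts, source networks and active hours seen so far."""
    base = defaultdict(lambda: {"hosts": set(), "nets": set(), "hours": set()})
    for user, host, src, ts in history:
        b = base[user]
        b["hosts"].add(host)
        b["nets"].add(net24(src))
        b["hours"].add(hour_of(ts))
    return dict(base)


def _near_usual_hour(h, hours, slack=1):
    # circular distance so 23:00 and 00:00 count as neighbours
    return any(min(abs(h - x), 24 - abs(h - x)) <= slack for x in hours)


def score_session(baseline, user, host, src, ts, sensitive=SENSITIVE_HOSTS):
    """Additive risk score plus the reasons behind it; higher means more unusual."""
    b = baseline.get(user)
    if b is None:
        return 100, ["no behavioural baseline for this privileged user"]
    score, reasons = 0, []
    if host not in b["hosts"]:
        score += 40
        reasons.append(f"never administered {host} before")
    if net24(src) not in b["nets"]:
        score += 30
        reasons.append(f"new source network {net24(src)}.0/24")
    if not _near_usual_hour(hour_of(ts), b["hours"]):
        score += 20
        reasons.append(f"outside usual hours ({hour_of(ts):02d}:00)")
    if host in sensitive:
        score += 10
        reasons.append("target is a sensitive host")
    return score, reasons


def decide(score, alert_at=20, terminate_at=60):
    """Map a score to the action a session broker would take."""
    if score >= terminate_at:
        return "terminate"
    if score >= alert_at:
        return "alert"
    return "allow"


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for session in [("admin1", "web01", "10.1.2.30", "2021-03-10T10:30"),
                    ("admin1", "dc01", "203.0.113.9", "2021-03-10T03:15")]:
        score, reasons = score_session(base, *session)
        print(session, score, decide(score), reasons)
```

Returning the reasons alongside the score is deliberate: an auto-terminated session with no explanation is a support ticket, whereas "never administered dc01 before, from a new network, at 03:00" is something an analyst can act on immediately. The thresholds should be tuned on real history before termination is enabled, since a too-low terminate threshold will cut off legitimate on-call work.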
In 2021, it is understood that cyber threats do not come only from an elite hacker community, and cyber criminals now have a breadth of attack surfaces to pick from. The evolving threat landscape demands that businesses protect the identities of those with the most powerful access. To do this effectively, it is key to adopt a Zero Trust approach and put in place a solid, identity-centric privileged access management strategy.