When Breaches Hit Home
March 30, 2018 | Endpoint | Stephen Lowing
Being curious and wanting to understand everything in the world is a good trait for children and young adults, but when it comes to cyber attacks targeting your business, you might find yourself channeling the same behavior and asking “why” far too many times. Recently, when the latest cyber attack on U.S. infrastructure was on the nightly news, my son started asking all kinds of questions: Why did this happen? Why did they do this? Why don’t we do something to stop them? Why, why, why, Dad? At the age of eight, he is asking some really good questions, some that do not have easy answers. For a business, finding answers to these kinds of questions is not easy either.
Breaches are far too common
Over the last few years, there have been numerous cyber attacks on institutions and enterprises of every kind. Many of these attacks are carried out by individuals or criminal groups, others by nation states or groups they back. A brief history of the major attacks, and of how stolen credentials figure in attacker tactics, techniques and procedures (TTPs), paints a bleak picture for future outcomes. With an increasing number of breaches in the news, the word “breach” has become part of the common vernacular. But you know we’ve reached another level when your children start asking questions about such nefarious actions. Simply put, it hits home. Fortunately, I find solace coming into work, knowing that CyberArk offers solutions that can have a significant and material impact on protecting critical infrastructure from malicious actors. So rather than dwell on the “why” question, a more pragmatic question is “what can you do about it today?” The guidance from the FBI and DHS is clear; what I am referring to here is practice. Survey results shared in the CyberArk Threat Landscape 2018 report indicate that over 86 percent of end users still run with administrative privileges. That reality undermines any other progress a company might make against attackers: every phishing click or drive-by download runs with the rights needed to disable controls, dump credentials and move laterally.
With this in mind, the latest CyberArk Endpoint Privilege Manager v10.2 includes functionality designed to stop intruders in their tracks. Let’s review a few of the additions and enhancements:
Loosely connected devices
With the v10.2 release of the CyberArk Privileged Account Security Solution, CyberArk brings endpoints that operate on the fringe of the network, and those literally off-network, into the fold by supporting management of their local admin accounts exactly as is done for servers and applications in the datacenter. For this use case, we introduce a new integration point with the CyberArk Enterprise Password Vault, which manages these local admin accounts. With local admin accounts under management and integrated two-factor authentication (such as SailPoint IdentityIQ with Duo, RSA or Microsoft MFA), a significant share of the attack risk documented in the recent critical infrastructure attacks could be mitigated: takeover of privileged accounts is prevented, lateral movement is limited, and changes to critical internal systems cannot be made without a challenge-response step.
It is inevitable that an attacker will find a way in, given enough time and resources. Plus, one can’t underestimate the human element. We are the biggest risk in the cyber equation, after all. Until cyborgs take over the world, humans will do most of the work in critical infrastructure (as is the case in most enterprises). As a result, they will likely be the target of a phishing attack or watering hole attack and subsequently let the attacker in. When this happens, preparation is key. The latest release of Endpoint Privilege Manager introduces new credential protections that further hinder attackers by preventing illegitimate access to the Active Directory database (NTDS.dit) held on domain controllers. This new feature prevents attackers from stealing the password hash of the krbtgt account (the key that signs every Kerberos Ticket Granting Ticket), which is the prerequisite for a Golden Ticket attack, and from harvesting every user’s password hash to execute pass-the-hash attacks and pivot off the endpoint. This new protection (coupled with the multitude of ways Endpoint Privilege Manager can defend against credential theft) reduces the chance of an attacker moving laterally across a network.
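Blocking access to NTDS.dit is a preventive control; a practitioner will also want to detect the attempts. The following is an added example, not CyberArk code or a feature of Endpoint Privilege Manager: a small Python detector that runs over Windows Security events already exported to dictionaries (for instance from Get-WinEvent), and flags the usual ways NTDS.dit is taken: a direct read of the file (event 4663, which only appears if the NTDS folder carries a SACL and "Audit File System" is enabled), an ntdsutil IFM export, a volume shadow copy creation, or a copy from a shadow copy path (all event 4688, whose CommandLine field is only populated when "Include command line in process creation events" is enabled). The sample events, user names and paths are constructed for the example.

```python
import re

# Constructed sample of Windows Security log events (not real captured data).
# Field names follow the EventData names used in the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "svc_backup",
     "ObjectName": "C:\\Windows\\NTDS\\ntds.dit", "AccessMask": "0x1"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp" q q'},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
                    "\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ObjectName": "C:\\Users\\jdoe\\notes.txt", "AccessMask": "0x1"},
]

# The AD database file name, anchored at the end of the object path.
NTDS_FILE = re.compile(r"(^|\\)ntds\.dit$", re.IGNORECASE)
# ntds.dit read through a shadow copy device path instead of the live file.
SHADOW_COPY_NTDS = re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.IGNORECASE)
# "ifm" as a whole word in an ntdsutil command line (Install From Media export).
IFM_WORD = re.compile(r"\bifm\b", re.IGNORECASE)


def classify(event):
    """Return a reason string if the event looks like NTDS.dit theft, else None."""
    eid = event.get("EventID")
    if eid == 4663:
        # Direct file access audited by a SACL on the NTDS folder.
        if NTDS_FILE.search(event.get("ObjectName", "")):
            return "direct file access to NTDS.dit"
        return None
    if eid == 4688:
        exe = event.get("NewProcessName", "").lower()
        cmd = event.get("CommandLine", "")
        lowered = cmd.lower()
        if exe.endswith("\\ntdsutil.exe") and IFM_WORD.search(cmd):
            return "ntdsutil IFM export (copies ntds.dit and the SYSTEM hive)"
        if exe.endswith("\\vssadmin.exe") and "create" in lowered and "shadow" in lowered:
            return "volume shadow copy created (common step before copying a locked ntds.dit)"
        if SHADOW_COPY_NTDS.search(cmd):
            return "ntds.dit read from a shadow copy path"
        return None
    return None


def find_ntds_theft(events):
    """Run classify over an iterable of events; return (user, reason) tuples."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append((ev.get("SubjectUserName", "?"), reason))
    return findings


if __name__ == "__main__":
    for user, reason in find_ntds_theft(SAMPLE_EVENTS):
        print(f"ALERT user={user}: {reason}")
```

The shadow copy rule will also fire on legitimate backup jobs, so in practice it should be scoped to domain controllers and correlated with the account that ran it; a backup service account creating a shadow copy is routine, an interactive user doing so on a DC is not.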
Windows 10 v1803 – Redstone 4 build
The latest release of Endpoint Privilege Manager also brings support for Windows 10 v1803. Significant changes to the UAC controls improve the foundation for how CyberArk integrates with Windows 10 through Endpoint Privilege Manager. While Windows 10 is not called out in the latest attacks, keeping pace with the latest security and OS releases, along with instituting least privilege and application control, is a known best practice.
By utilizing the latest release of CyberArk Endpoint Privilege Manager and its new functionality, attackers targeting critical infrastructure are going to have a significantly harder time establishing a presence, performing reconnaissance or moving laterally.
Do the latest cyber attacks have you asking a lot of questions about your organization’s security? Get the right answers about how to address attackers by getting a demo of Endpoint Privilege Manager today!