A Long Time Ago, in a Galaxy Far, Far Away… There Was a Malicious Insider
May 11, 2018 | Security and Risk | Corey O'Connor
On the heels of “Star Wars Day” – May 4th for the uninitiated – and just in time for the next release of the CyberArk Privileged Access Security Solution, version 10.3, I’d like to draw a parallel between the undisputed leader in the privileged access security market and the greatest epic space opera in film history.
It all started when a mathematician / theoretician / research scientist completed the design for the most coveted intergalactic weapon in history: the Death Star. Despite being held against his will to complete the space station, this researcher became a malicious insider of epic proportions against the Empire. During the development of this galactic super-weapon, he deliberately sabotaged its design by incorporating a weakness directly into the main reactor that had the potential to bring the station to complete and utter ruin. Just before his untimely death, he revealed the location of the Death Star schematics: a databank just a few clicks away in the outer rim territories of the galaxy.
At this point in the story, one cannot help but begin to question the internal policies of the Empire. The research facility was bombed by Rebel forces (bad), the entire development team responsible for the Death Star’s completion was totally wiped out (not good), and the Rebels escaped with the location of the schematics (really, really bad). In a very non-traditional fashion, Darth Vader then proceeds to slap the wrists of those responsible for the breach, which in hindsight was a huge mistake, as shortly thereafter an even bigger breach occurs. (Worst. Policy. Ever.) Also, shame on Darth Vader for being so soft.
In the privileged access security universe, the databank where the schematics reside is essentially the target system to which an attacker is seeking to gain access. One can conclude that the plans for the Death Star are clearly sensitive assets, given the weapon’s potential to destroy entire planets. Because of this, the Empire put in place many controls to keep these plans as far away from the Rebel Alliance as possible.
Cue the Imperial March
This is the part of the story that draws even deeper parallels. A defector and former Imperial pilot of the Galactic Empire joins the Rebel Alliance and uses stolen access codes (a.k.a. privileged credentials) from an Imperial cargo ship (a.k.a. privileged account) to gain clearance through a planet-wide protective force field (a.k.a. firewall) that sits between them and the databank. Upon requesting access, there’s a bit of push back from the gate control station (a.k.a. Domain Controller), as the ship is not listed on the schedule (a.k.a. Active Directory). The Rebels then proceed to provide the stolen clearance codes and are ultimately given access to enter the single, main gate.
Like many organizations today, the Empire invested heavily in securing its perimeter with a planet-wide defensive shield (which presumably cost a fortune in Galactic Credits), but it neglected to consider the implications of an attack launched from within. Before providing the clearance codes, the Rebels were worried about being denied access and blown to smithereens; quoting directly from the movie, they would get through “…assuming the Empire hasn’t logged them [the access codes] as overdue.” This is a clear indication that even the most basic security controls in the management of privileged credentials – tracking when a credential was issued, when it expires, and whether it has been reported lost – were not in place. As a result, access to one of the Empire’s most valued assets was inadvertently provided to Rebel forces.
Fast forward: the shield gate is destroyed, yet another set of privileged credentials is used to retrieve and exfiltrate the schematics to Rebel forces, who identify the space station’s vulnerability, and just a few short years later Luke Skywalker takes it from there and (spoiler alert) blows up the Death Star.
There’s Hope Yet…
Despite being science fiction, the attack methodologies that challenged the Empire exist for organizations today. Fortunately, we have advanced cyber security defense solutions in the real world.
The CyberArk Privileged Access Security Solution v10.3 can be used to mitigate the risk of an insider attack like the one referenced in this blog. This version features several new enterprise-ready enhancements and capabilities that:
- Simplify and improve the ease of use with additional user interface enhancements for password management
- Deliver optimized deployment functionality with rapid installation of individual CyberArk components as well as the automatic hardening of those components
- Enhance CyberArk cloud security capabilities with support for Amazon Web Services CloudFormation Templates (CFTs)
- Provide direct access to active and recorded sessions, added support for Windows Server 2016 (LTSC) and much more!
The feature most relevant to this story is the enhanced CyberArk Privileged Threat Analytics user interface, which provides security operations teams with a modernized, comprehensive view of all privileged, threat-related detection and analytics. Beyond improved internal policy and basic credential management enforcement, advanced analytics capabilities would have benefited the Empire by providing granular, detailed information such as a risk severity score for each privileged activity (see Figure 1 below). The score is generated automatically and an automated alert is pushed out. Had Imperial security teams used it and taken the necessary action, the attack would have been stopped at the earliest stage in the attack chain – which all began with stolen privileged credentials.
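To make the two controls above concrete, here is an added example (written for this post, not CyberArk’s own code and not how Privileged Threat Analytics actually scores events) of a gate that checks a credential’s lifecycle state before granting access and assigns each request a risk score that raises an alert. The signals, their weights, the `ALERT_THRESHOLD` and the sample codes and requests are all constructed assumptions for illustration.

```python
"""Credential lifecycle check plus risk-scored access alerting.

Added example (not CyberArk code). Two defensive ideas from the post:
  1. an access code is only honoured while it is valid: not expired
     ("overdue") and not revoked;
  2. every request gets a risk score built from several signals, and
     scores at or above a threshold raise an automated alert.
Signal weights, the threshold and all sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ALERT_THRESHOLD = 40  # assumed: events scoring >= 40 generate an alert


@dataclass(frozen=True)
class AccessCode:
    code_id: str
    issued_to: str          # privileged account the code belongs to
    expires_at: datetime
    revoked: bool = False   # set when the code is reported lost/stolen


@dataclass(frozen=True)
class AccessRequest:
    code_id: str
    requester: str          # identity presenting the code at the gate
    gate: str
    at: datetime
    on_schedule: bool       # requester found in the gate's expected-arrivals directory


def code_status(code: AccessCode, now: datetime) -> str:
    """Lifecycle state of a code: 'valid', 'overdue' (expired) or 'revoked'."""
    if code.revoked:
        return "revoked"
    if now > code.expires_at:
        return "overdue"
    return "valid"


def score_request(req: AccessRequest, registry: Dict[str, AccessCode],
                  history: List[AccessRequest]) -> Tuple[int, List[str]]:
    """Return a 0-100 risk score and the reasons behind it.

    `history` holds earlier *allowed* requests and feeds the behavioural signals.
    """
    score, reasons = 0, []
    code = registry.get(req.code_id)
    if code is None:
        return 100, ["unknown access code"]
    status = code_status(code, req.at)
    if status != "valid":
        score += 60
        reasons.append(f"access code {status}")
    if code.issued_to != req.requester:
        score += 30
        reasons.append("code presented by an identity it was not issued to")
    if not req.on_schedule:
        score += 40
        reasons.append("requester not on gate schedule")
    prior = [h for h in history if h.code_id == req.code_id]
    if prior and all(h.gate != req.gate for h in prior):
        score += 20
        reasons.append("first use of this code at this gate")
    if any(h.gate != req.gate and 0 <= (req.at - h.at).total_seconds() < 600
           for h in prior):
        score += 40
        reasons.append("same code used at another gate within 10 minutes")
    return min(score, 100), reasons


def gate_decision(req: AccessRequest, registry: Dict[str, AccessCode],
                  history: List[AccessRequest]) -> dict:
    """Deny outright on an unknown/overdue/revoked code; otherwise allow,
    but raise an alert whenever the score crosses the threshold."""
    score, reasons = score_request(req, registry, history)
    code = registry.get(req.code_id)
    hard_deny = code is None or code_status(code, req.at) != "valid"
    return {"decision": "deny" if hard_deny else "allow",
            "score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons}


def run_demo() -> List[dict]:
    """Constructed scenario: one overdue cargo-ship code used off-schedule,
    then a valid patrol code used normally and then at a second gate too soon."""
    now = datetime(2018, 5, 11, 12, 0)
    registry = {
        "CARGO-0608": AccessCode("CARGO-0608", "cargo-0608", now - timedelta(days=3)),
        "PATROL-114": AccessCode("PATROL-114", "patrol-114", now + timedelta(days=30)),
    }
    history: List[AccessRequest] = [
        AccessRequest("PATROL-114", "patrol-114", "shield-gate", now - timedelta(hours=1), True),
    ]
    requests = [
        AccessRequest("CARGO-0608", "cargo-0608", "shield-gate", now, False),
        AccessRequest("PATROL-114", "patrol-114", "shield-gate", now, True),
        AccessRequest("PATROL-114", "patrol-114", "citadel-gate", now + timedelta(minutes=5), True),
    ]
    results = []
    for req in requests:
        result = gate_decision(req, registry, history)
        if result["decision"] == "allow":
            history.append(req)
        results.append(result)
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The first request is denied purely on the lifecycle check (an overdue code is never honoured, whatever the rest of the score says), which is the control the Rebels were counting on being absent. The third shows why scoring matters even for valid credentials: a legitimate code appearing at a second gate five minutes after the first is allowed, but scores high enough to page an analyst.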
Figure 1. The new CyberArk Privileged Threat Analytics dashboard, integrated with Password Vault Web Access, displays a timeline of security events with associated risk scores for each activity.
Additionally, everything we do at CyberArk reinforces a ‘trust but verify’ approach that enables users to perform all of their respective tasks without the introduction of burdensome processes that could negatively impact their performance. Existing customers can read the full details in the release notes and upgrade to Version 10.3 in the CyberArk Support Vault.
Visit cyberarkvx.staging.wpengine.com for more information on how to protect your Empire’s most critical resources from Rebel scum.