NOTICE: Investigators Warn of Increase in Service Account Exploits
February 10, 2015 | Security and Risk | John Worrall
“Most companies expect service accounts to be used only internally, so they keep the default passwords…[but] many of our recent investigations have seen exploits in service accounts – probably in 80-90 percent of the cases.” – Christopher Novak, Verizon RISK Team, Verizon Enterprise Solutions
Our recent threat research report analyzes the forensic experiences of the world’s leading cyber threat investigators in remediating the most devastating breaches. The report identifies the commonalities across advanced attacks, enabling organizations to better understand their adversaries so they can build more effective defenses against the latest threats.
In our last blog post, we looked in more depth at one of the six primary findings in the report: that no industry is safe from attackers. Today, we’re looking at the increasing attacker sophistication related to service accounts.
To read the report for yourself, download it here for free.
Finding #6: Exploits of privileged accounts widen
Privileged accounts are found across the enterprise and are prevalent in even the most unassuming places. In fact, when securing your organization’s privileged accounts, it’s important to remember that privileged accounts ship with every piece of information technology, including servers, desktops, applications, databases and network devices.
In the report, experts highlight that attackers are increasingly targeting service accounts. These accounts range from those on embedded devices in the Internet of Things to the multiple privileged identities used in Microsoft Active Directory to ensure redundant points of access. The increasing sophistication around targeting service accounts points to the fact that attackers no longer aim simply to exfiltrate data; their goal is to gain widespread control of entire IT infrastructures.
Christopher Novak of Verizon went on to say, “We’ve seen 25-30 attacks recently in which attackers used (publicly available) default passwords… And because it’s presumed individuals aren’t using [these accounts], analysts dial down the sensitivity on alerts. Service accounts are out of sight, out of mind.”
What this means is that while you may have some level of privileged account activity monitoring and security, there is likely an entire portion of your IT infrastructure that remains unprotected and open to attack. Beyond that, if attackers get access to an unmanaged service account, they can more easily navigate throughout the network with low risk of discovery.
When it comes to monitoring, protecting and securing privileged accounts, organizations need to do their due diligence to identify every account that exists, and to sweep regularly for new accounts as IT networks continue to expand with the ever-growing list of non-traditional types of Internet-connected devices. The bottom line is: if you can’t account for all of the privileged credentials across your organization, then you can’t expect to be secure. To find out where to start solving your privileged account challenges, check out our best practices guide.