Attackers Are After Privileged Users. Do You Know Who They Are?

July 13, 2021 Corey O'Connor

Attackers are After Your Privileged Users. Do You Know Who They Are?

Attackers have more potential entry points into your organization than ever before. And many are brushing up on their acting skills, getting more creative and increasingly personal to spoof the most unsuspecting employees and launch their attacks.

New IDSA Survey Indicates Decreased Confidence in Securing Employee Identities  

Nearly every part of daily life — at home and work — turned upside down last year. The global shift to remote work and eLearning, large-scale investments in SaaS and cloud services and strong focus on digital transformation has brought a surge in newfound technologies and identities.

According to the “2021 Trends in Securing Digital Identities” survey from Identity Defined Security Alliance (IDSA), 83% of IT security and identity professionals experienced an increase in identities since last year, with one in five (20%) reporting that the number of identities they manage increased by more than 25%. Meanwhile, security teams’ confidence in their ability to secure employee identities dropped from 49% to 32%.

This decrease in confidence in securing employee identities is particularly interesting on several fronts.  First, the survey found that confidence levels in securing privileged users, customers and partners remained fairly steady. And in contrast, respondents reported increased confidence in securing machine identities, such as service accounts and applications. So why are employee identities, specifically, becoming harder to secure? Perhaps it’s because attackers are changing things up.

The New Faces of Privileged Users

One thing that hasn’t changed is the way attackers establish initial entry points into target organizations: credential theft methods like spear-phishing and impersonation are as popular as ever. In fact, the 2021 Verizon Data Breach Investigations Report (DBIR) found that 36% of all breaches last year involved phishing — up 11% from the previous year. Since employees are conducting more and more of their personal lives online, it’s becoming even easier for attackers to gather the necessary information required to execute their social engineering campaigns — monitoring public profiles and social media conversations to collect intel on everything from work routines to personal relationships, beliefs, motivations and more. After sizing them up, attackers often connect with their targets on social media and attempt to gain their trust.

What has changed are the individual targets of these social engineering attacks. Traditionally, adversaries focused their attention on IT admins with highly privileged access. But as the “The CISO View 2021 Survey: Zero Trust and Privileged Access” recently discovered, they’re going after new user populations, from executives and software developers to end-user employees — including business users with direct access to sensitive data or systems the attacker is interested in. Let’s review some of these new user populations and highlight examples of how they can become victims of social engineering attacks:

The Developer

This software engineer leads a team of developers at a leading financial institution, and her impressive list of technical certifications features prominently on her LinkedIn profile page. Outside of work, she’s building a large social media following of coders who flock to her channels for a mix of dry humor and deep programming know-how. A few months ago, a fellow developer connected with her on LinkedIn, referencing their shared interest in Python and Ruby programming languages. They soon became fast online friends. One day, this new friend mentions that a cousin is looking for a development job in the area. The software engineer promises to pass along her information and soon receives the cousin’s résumé in her work email. She clicks on the résumé and skims it before forwarding it to HR. Little does she know that her “friend” is really a cyber attacker who created a fake online persona and has spent months building a rapport with her in order to send that email, which contains malware cleverly disguised in the attachment. The developer’s LinkedIn profile, coupled with her daily social posts, helped the attacker gauge the high levels of access she likely had at her employer organization, and unintentionally, painted a target on her back.

It’s not just human developers that attackers are after. They know privileged credentials and secrets are often embedded directly into code and target application and machine identities as a way to launch attacks that can spread across customer-facing products — and in some cases — infect the entire digital supply chain.

In some instances, attackers are able to bypass the credential theft step altogether by impersonating an executive or third party to make direct requests for funds or data. Consider these next two business user examples:

The Middle Manager

This financial controller works at a large manufacturing organization. It’s Monday morning, and she’s just beginning her day. Coffee in hand, she opens an email marked “urgent” from the CEO of her company’s parent organization, which is located halfway around the world. He explains that the banks are closed for a holiday, and he needs to urgently wire funds to a third party to close a big deal. She’s suspicious, but the email looks legitimate and comes from the CEO’s verified email address.

Suddenly, her phone rings. It’s the CEO calling from overseas to follow up. He explains the situation again, providing all of the necessary information on the company and transaction. The financial controller follows protocol, getting a second team member to review the request and verify the details. Then, they authorize the wire transfer. Just a few hours later, they realize the call was a scam — and the company is out millions of dollars after trying unsuccessfully to cancel the transaction.

The Research Assistant

Working for a prominent biotech company, this researcher is developing a new lifesaving drug. His team collaborates with analysts in a partner healthcare organization, and each team member has access to large amounts of sensitive patient and medical data to fuel their research.

One day, he receives an email from a partner analyst asking him to send over the latest data. Since he works with this analyst regularly, he attaches the requested information without a second thought and hits “send.” However, this highly lucrative intellectual property hasn’t gone to his trusted research partner — instead, it’s now in the hands of a nation-state attacker.

End-Users are the New Privileged Path of Least Resistance to Valuable Systems and Data

Employee or contractors with high-value access are becoming more interesting targets for attackers for several reasons. Like everyone, they want to work smarter — not harder. Rather than breach an arbitrary workstation and then move around the network searching for a particular system, attackers can pursue more direct routes by precisely targeting individual end-users.

Emphasis has also shifted to end-users because it’s becoming more difficult to compromise IT admin accounts. Many organizations are aware that damaging breaches occur when attackers obtain powerful admin credentials and have put strong controls in place through a privileged access management system. What’s more, opportunities for lateral movement within the network are getting harder for attackers to find. As more organizations move to a Zero Trust model, more endpoints connect to resources directly rather than being given broad access.

Protecting End-User High-Value Access

The first step in protecting high-value access is identifying the employees and third parties who directly touch your company’s valuable systems. Depending on your organization, these could be financial systems, customer databases, product development systems or manufacturing processes.

Then, consider all of the ways these systems and data can be accessed by users: through what applications and infrastructure, interacting with which other types of users and using what devices?

From there, focus on implementing a strong mix of Identity Security controls, such as least privilege enforcement and adaptive MFA, along with targeted user training to raise awareness and strengthen security practices.

End User Protection Tips

To further explore the shifting privileged landscape and how to evolve your privileged access control strategy for a Zero Trust model, check out these practical recommendations from CISOs on the front lines.

Previous Article
4 Risk-Based Steps for Securing Developers and Code
4 Risk-Based Steps for Securing Developers and Code

As software supply chain attacks surge in frequency and scale, it’s become apparent that cyber criminals ar...

Next Article
In Kaseya Supply Chain Ransomware Attack History Repeats Itself
In Kaseya Supply Chain Ransomware Attack History Repeats Itself

While many Americans took off early to jump-start the Independence Day weekend, cyber attackers were launch...