OVH Breach – When Outsiders Become an Insider Threat

October 11, 2013 CyberArk

OVH, one of the world’s largest web hosting companies, recently posted a bulletin about a security breach with potential global impact:  http://status.ovh.net/?do=details&id=5070&edit=yep.

OVH highlighted that the breach occurred when a hacker obtained “access to an email account of one of our system administrators,” which they were able to exploit to “compromise the access of one of the system administrators who handles the internal back office.”

This is simply the latest in a long line of breaches that follow the same pattern. Hackers breach perimeter defenses with ease, usually through simple methods (OVH speculates that it was either a phishing attack or the use of a password stolen from a third-party service). Once inside, they immediately target privileged accounts.

The first lesson of this latest attack is that the entry point doesn’t matter.  If we’ve learned anything over the last few years, it’s that motivated attackers will breach perimeter security.

The key to this attack, and to every advanced attack, is what attackers do once they’re inside the perimeter.  They immediately targeted the privileged account of a system administrator.  This is because attackers can NOT achieve their goal of stealing data without first stealing the privileged credentials of an authorized user.

As the research firm CyberSheath found – “the compromise of privileged accounts was a critical factor in 100 percent of advanced attacks.” The reasoning is simple – once these privileged credentials are pilfered, attackers can:

  • Simulate normal business traffic, making infiltrations extremely difficult to detect;
  • Elevate privileges to easily jump from system to system until they reach the information they’re looking for, including high value data;
  • Use the privileged account to delete logs to make forensic analysis more difficult;
  • Use the admin credentials to install new malware to evade detection and open more doors for future attacks;
  • Exfiltrate data without leaving footprints to follow.

This is why all privileged account activity needs to be monitored.  Real-time monitoring of privileged accounts not only provides a complete audit trail of exactly who did what, but also provides real-time, actionable intelligence to incident response teams, enabling them to quickly detect and address malicious activity as it happens.
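As an added example (not code from OVH or CyberArk), here is a small monitor that runs over constructed audit-log lines and raises alerts for the privileged-account behaviours listed above: log tampering, software installation by an admin, and one admin account hopping across several hosts. The account names, host names and action names are made up for the example.

```python
# Added example: a privileged-account activity monitor over constructed audit
# events. It flags the behaviours discussed above (log deletion, admin installs,
# host hopping) for monitored accounts only. Not OVH or CyberArk code.
from collections import defaultdict

# Constructed audit log: "timestamp account host action" per line (not real data).
SAMPLE_LOG = """\
2013-10-11T02:01:10 admin.backoffice host-db01 login
2013-10-11T02:02:30 admin.backoffice host-db01 read_customer_table
2013-10-11T02:03:05 admin.backoffice host-db02 login
2013-10-11T02:03:40 admin.backoffice host-web07 login
2013-10-11T02:04:12 admin.backoffice host-web07 install_package
2013-10-11T02:05:00 admin.backoffice host-web07 clear_audit_log
2013-10-11T09:15:00 jdoe host-ws12 login
2013-10-11T09:16:00 jdoe host-ws12 read_mailbox
"""

PRIVILEGED = {"admin.backoffice"}  # hypothetical accounts under real-time monitoring
SUSPICIOUS = {"clear_audit_log": "log tampering",
              "install_package": "software installed by admin"}
HOST_HOP_THRESHOLD = 3             # distinct hosts one admin logs into before alerting

def parse_events(text):
    """Parse 'ts account host action' lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, host, action = parts
        events.append({"ts": ts, "account": account, "host": host, "action": action})
    return events

def detect(events, privileged=PRIVILEGED, hop_threshold=HOST_HOP_THRESHOLD):
    """Return (account, reason) alerts; only privileged accounts are inspected."""
    alerts = []
    hosts_seen = defaultdict(set)
    for ev in events:
        if ev["account"] not in privileged:
            continue
        if ev["action"] in SUSPICIOUS:
            alerts.append((ev["account"], f"{SUSPICIOUS[ev['action']]} on {ev['host']}"))
        if ev["action"] == "login":
            hosts_seen[ev["account"]].add(ev["host"])
            if len(hosts_seen[ev["account"]]) == hop_threshold:
                alerts.append((ev["account"], f"logged into {hop_threshold} hosts (lateral movement?)"))
    return alerts

if __name__ == "__main__":
    for account, reason in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT {account}: {reason}")
```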
