OVH, one of the world’s largest web hosting companies, recently posted a bulletin about a security breach with potential global impact: http://status.ovh.net/?do=details&id=5070&edit=yep.
OVH highlighted that the breach occurred when a hacker obtained “access to an email account of one of our system administrators,” which they were able to exploit to “compromise the access of one of the system administrators who handles the internal back office.”
This is simply the latest in a long line of breaches that follow the same pattern. Hackers breach perimeter defenses with ease, usually through simple methods (OVH is speculating that it was either a phishing attack or the use of a password stolen from a third-party service). Once inside, they immediately target privileged accounts.
The first lesson of this latest attack is that the entry point doesn’t matter. If we’ve learned anything over the last few years, it’s that motivated attackers will breach perimeter security.
The key to this attack, and to every advanced attack, is what attackers do once they’re inside the perimeter. They immediately targeted the privileged account of a system administrator. This is because attackers can NOT achieve their goal of stealing data without first stealing the privileged credentials of an authorized user.
As the research firm CyberSheath reported – “the compromise of privileged accounts was a critical factor in 100 percent of advanced attacks.” The reasoning is simple – once these privileged credentials are pilfered, attackers can:
- Simulate normal business traffic, making infiltrations extremely difficult to detect;
- Elevate privileges to easily jump from system to system until they reach the information they’re looking for, including high value data;
- Use the privileged account to delete logs to make forensic analysis more difficult;
- Use the admin credentials to install new malware to evade detection and open more doors for future attacks;
- Exfiltrate data without leaving footprints to follow.
This is why all privileged account activity needs to be monitored. Real-time monitoring of privileged accounts not only provides a complete audit trail of exactly who did what, but also provides real-time, actionable intelligence to incident response teams, enabling them to quickly detect and address malicious activity as it happens.
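As an added illustration of the monitoring the post calls for (example code written for this page, not OVH's or CyberSheath's), the following Python runs over constructed sudo/sshd log lines and flags privileged-account activity that matches the behaviours listed above: an admin session from outside the expected jump hosts, log deletion, and escalation or hopping to another system. The allow-listed jump-host address, the host and user names, and the exact log format are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample audit lines in syslog/sudo format (not from OVH or the post): the admin logs in from
# the usual jump host, then later from an unknown address, wipes a log and pivots to another system.
SAMPLE_LOG = """\
Mar 19 10:02:11 backoffice sshd[2101]: Accepted publickey for sysadmin from 10.0.5.20 port 5522 ssh2
Mar 19 10:02:40 backoffice sudo: sysadmin : TTY=pts/0 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
Mar 19 22:14:03 backoffice sshd[2188]: Accepted password for sysadmin from 198.51.100.77 port 41022 ssh2
Mar 19 22:14:30 backoffice sudo: sysadmin : TTY=pts/1 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log
Mar 19 22:15:02 backoffice sudo: sysadmin : TTY=pts/1 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/bin/ssh root@db01
"""

KNOWN_ADMIN_SOURCES = {"10.0.5.20"}            # assumed allow list of admin jump hosts
LOG_WIPERS = {"rm", "truncate", "shred"}        # binaries that destroy log files
PIVOT_BINARIES = {"su", "ssh", "bash", "sh"}    # binaries used to elevate or hop to another host

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def analyze(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, user, detail) alerts for privileged activity matching the behaviours listed above."""
    alerts = []
    unknown_source_users = set()   # admins whose latest session came from outside the allow list
    for line in log_text.splitlines():
        ssh = SSH_RE.search(line)
        if ssh:
            if ssh["src"] not in KNOWN_ADMIN_SOURCES:
                unknown_source_users.add(ssh["user"])
                alerts.append(("unknown_source", ssh["user"], f"{ssh['method']} login from {ssh['src']}"))
            else:
                unknown_source_users.discard(ssh["user"])
            continue
        sudo = SUDO_RE.search(line)
        if not sudo:
            continue
        user, cmd = sudo["user"], sudo["cmd"]
        binary = (cmd.split() or [""])[0].rsplit("/", 1)[-1]   # basename of the executed program
        if user in unknown_source_users:                        # privileged use tied to the suspicious session
            alerts.append(("priv_unknown_source", user, f"as {sudo['target']}: {cmd}"))
        if binary in LOG_WIPERS and "/var/log/" in cmd:         # log deletion to hinder forensics
            alerts.append(("log_tamper", user, cmd))
        if binary in PIVOT_BINARIES:                            # escalation or hop to the next system
            alerts.append(("pivot", user, cmd))
    return alerts

if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_LOG):
        print(f"{kind:20} {user:10} {detail}")
```

Real deployments would key the session state on the sudo TTY or session id rather than on the user name alone, and forward the alerts to the incident response team's SIEM instead of printing them.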