Raise the Stakes with Privileged Threat Analytics

January 7, 2019 Andrew Silberman

Brian Koppelman and David Levien’s 1998 cult classic poker movie “Rounders” begins with Matt Damon’s character Mike McDermott narrating, “If you can’t spot the sucker in your first half hour at the table, then you are the sucker.” It’s a memorable line that sets the tone for the entire film.

A theme reinforced throughout the movie is that contrary to popular belief, poker is more about playing your opponent than playing the cards you hold. Cyber attackers know this quite well and can easily spot the “suckers” – and they routinely target these weak links in cyber-attacks (see lesson 2 below). Security teams are often dealt a tough hand – from preexisting tools that fall short, to budget constraints, staffing deficits and more. Security teams must learn to think one step ahead of their opponents (i.e., malicious attackers, insider threats, etc.), have a sound strategy in place and stick to their game plan in order to successfully beat formidable foes. Following are three lessons security teams can learn from the poker table.

Lesson 1: Threats loom even (especially) when you don’t expect them

In the opening scene of “Rounders,” Mike McDermott becomes enamored with his cards (a full house of nines over aces) and falls into an easy trap set by his opponent, the nefarious Teddy KGB (a ludicrous character portrayed by John Malkovich). Mike inevitably is blindsided and loses all of his money when it’s revealed that Teddy has aces over nines.

It can be easy for organizations to fall into the same trap as Mike McDermott and become complacent in their efforts to secure privileged access. In order to really stay ahead of the game, organizations need a way to detect and respond to anomalous behavior going on inside of their environment. Threats lurk around every corner, attackers are constantly coming up with new ways to break into organizations’ environments with the intent of causing damage. This can be accomplished by having a privileged threat analytics engine in place to complement other tools (like SIEMs and UEBAs), generate risk scores for privileged sessions, and deliver alerts to security operations centers (SOC) if/when suspicious behavior involving privileged access occurs. It’s about as common as a royal flush (roughly 1 in 30,939) that an organization would have dedicated employees sit and watch all video logs of privileged sessions, so having a tool that is also able to prioritize events is an absolute must. Without this privileged threat analytics piece, security teams are left with video recordings that they’ve captured to meet compliance requirements but they aren’t leveraging to detect and prevent attacks that are in process.

Lesson 2: Sharks always exploit the weakest link

In one of the (relatively) light-hearted scenes in the movie that also traces back to the opening line, Mike and his collective group of card shark friends are playing a low-stakes game in Atlantic City. Eventually, an unsuspecting tourist has the misfortune of sitting at their table and is quickly stripped of his money. There’s an easy parallel to be made here between how attackers look for the path of least resistance, repeatedly target the weak link in an organization and often go undetected until their target is breached.

The latest Mandiant M-Trends report states that it takes an average of 101 days from the time of breach to discovery.[1] Sophisticated attacks on Kerberos authentication such as Golden Ticket type attacks against Domain Controllers typically take even longer to detect. Attackers go unnoticed for months on end, and by the time they’re finally discovered, there is very little that security teams can do. Often times, these attacks start with a phishing attack in which an attacker gains entry to a network by getting an unsuspecting victim to click on a link. The attacker then gains access to the network and proceeds to move laterally until gaining access to critical infrastructure such as Domain Controllers.  With a privileged threat analytics tool in place, security teams cannot not only identify when a Golden Ticket is occurring but also take steps to halt the attack such as rapidly changing the password for the KRBTGT account in rapid succession.  (For those of you who are curious, the KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service.  An attacker who gains access to this account can rob an organization blind similar to what happens to the unsuspecting tourist in the movie).

Lesson 3: Study the behavior of your surroundings

The finale of the movie pits Mike McDermott against Teddy KGB, playing in an all-or-nothing game of heads-up poker, where if Mike loses, he faces the direst of consequences. While playing, Mike notices that every time Teddy KGB starts eating Oreos from the tray in front of him, he has a great hand. In poker, this is called a “tell.” Mike gets crushed at the onset, but eventually gets pulled into a hand with a good set of cards (similarly to the opening scene) and is in desperate need of a win. However, he folds because he sees Teddy chomping away at his Oreos. He lets Teddy know that he knows his tell, which completely rattles Teddy and changes the course of the game. (**Spoiler**) By taking this path, Mike eventually comes out on top.

For security teams, the lesson is to always pay attention to your surroundings – from humans accessing critical systems to applications communicating with other applications, or some combination of the two. For instance, if a machine that contains sensitive data is being accessed during irregular hours, and/or from an irregular IP, an alert can be sent to the SOC to prompt further investigation of the event. In some cases, administrators may opt to set policies to automatically suspend these sessions until they can be verified. Having tools in place that pay attention to privileged behavior can help organizations to develop a baseline for what’s “typical,” rapidly flag things that seem to be out of the ordinary (an attacker’s tell) and provide the ability to quickly respond to the threat. These tools can mean the difference between a breach and business continuity.

The CyberArk Privileged Access Security Solution provides organizations with the controls to secure privileged access, detect when suspicious activity is occurring and prevent attacks that are underway as soon as possible. The CyberArk solution works with leading SIEM and UEBA tools such as LogRhythm, Splunk, QRadar and more to enable organizations to collect, detect, alert and respond to high-risk activity and behavior involving privileged access. Protection from advanced threats requires a complete layer of privileged access management; check out these integrations and more at the CyberArk Marketplace, here.

[1] Mandiant M-Trends 2018 report

Previous Article
CISO View Insights from the Global 1000: Five Steps for Integrating Security with DevOps
CISO View Insights from the Global 1000: Five Steps for Integrating Security with DevOps

It’s an issue CISOs across the globe face – how do you prioritize security without impacting developer velo...

Next Article
Q&A: Securing SAP ERP Systems with CyberArk
Q&A: Securing SAP ERP Systems with CyberArk

In a recent, popular On the Front Lines webinar, we explored critical challenges enterprises face in protec...