CyberArk Labs: Evolution of Credential Theft Techniques Will Be the Cyber Security Battleground of 2018

December 11, 2017 Lavi Lazarovitz

In the past year, organizations continued to struggle to address cyber security risks created in the wake of rapid technology adoption. Technology adoption needs to be aligned with effective risk management strategies, and the challenge most organizations face is that today’s technologies often lack the security of more mature technologies. This has opened organizations to attacks targeting privileged credentials. Look no further than cyber attacks and data breaches at companies like Yahoo! and Uber that flooded the dark web with billions of credentials for potential misuse.

In the wake of these attacks, the coming year will see increased use of automation and expanding hybrid cloud and DevOps environments that will create fertile ground for attackers based on a growing variety of privileged credentials associated with human and non-human users. These credentials include those associated with employee and remote vendor session and browsers, service accounts, access keys, machine identities, SSH keys and embedded passwords.

Based on its research, CyberArk Labs believes that credential-based attacks and exploitation will accelerate and dominate the threat landscape in 2018. Following are specific examples of where privileged credential risk will be most prevalent.

  • Attackers Hide Behind Machine Identities – While federated identities are increasing, identity boundaries are decreasing across devices and networks, creating a murky security environment. The number of identities will only increase in the coming years with the adoption of services-oriented environments. One of the implications is an expanded attack surface, one no longer limited to the exploitation of domain admin credentials as a primary target. Security teams must be prepared to not only determine “who” – but increasingly “what” can be trusted. By stealing machine identities, attackers can keep a lower profile on the network while using related credentials to control processes and even security policies. For example, CI/CD tools can become critical assets – the most sensitive on the network. When credentials for these tools are exploited, an attacker can gain control of the entire DevOps workflow and weaponize the tools to push malicious code or configurations.
  • Key Chaos Leads to Unintended Consequences – The prevalence of SSH keys to access cloud resources and the lack of adoption of PKI for DevOps environments are leading contributors to key chaos, which increases security risk and the chances of key exposure or compromise through simple mistakes or human error. Security teams must improve oversight and management to avoid these keys becoming easy targets for attackers. The main concerns associated with unmanaged keys center on the proliferation of machine and human identities that provide privilege escalation opportunities. For example, a user with access to a machine-assigned role with account-level privileges may be able to steal that machine’s identity and adversely affect the cloud account. Additionally, the use of temporary tokens can be a double edged sword. Temporary tokens are an improvement to static keys, generally expire after a period of time, and are used to permit dynamic privilege. Temporary tokens can provide better security, but only if managed and provisioned properly, including oversight of who has those keys at any moment of time.
  • Security as a Target: Authentication in Attackers’ Crosshairs – Cloud is pushing towards identity consolidation as we consume more “services” and less raw technology. Consolidation of identity means more opportunity for lateral movement across services, and a compromise of the authentication service may lead to a total loss of the identity. Current authentications methods such as two-factor and single sign-on must adapt to protect against emerging threat vectors, or become targets themselves. If these tools are compromised, they allow attackers unprecedented flexibility, and the ability to compromise networks at a deep level. From a defensive perspective, evolving block chain technology could be adopted to remove the single point of trust and failure that allows Golden Ticket and SAML techniques. Block chain authentication could be used to remove the trust from Active Directory, for example, and move that trust to the whole network. This will force attackers to compromise a substantial amount of assets and sensors (to have consensus) before being able to authenticate. Authentication and the larger realm of security controls will continue to be an enticing target given heightened power and trust.

Further Reading

Previous Article
Detecting Pass-The-Hash with Windows Event Viewer
Detecting Pass-The-Hash with Windows Event Viewer

Overview In this article, we explain how to detect a Pass-The-Hash (PTH) attack using the Windows event vie...

Next Article
Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps
Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps

CyberArk Labs discovered a new attack vector, dubbed “golden SAML,” which allows an attacker to authenticat...