Be Very Afraid of Your Third-Party Vendors

Cybersecurity is top of everyone's mind in today's hyper-connected world. In 2017, the global identity and access management (IAM) market size was valued at USD 8.85 billion and was expected to experience a CAGR of 12.7 percent from 2018 to 2025. Asia Pacific is poised to be the most promising regional market during the forecast period, due to the high deployment of IAM solutions and increasing cyber threats on critical infrastructure.

Technology is evolving, and with that, the tactics, techniques, and procedures, or TTP, used by attackers, nation states and others are also changing. Specifically, the ways that attackers compromise credentials is also evolving. The result is a significantly high exposure to data breaches and security risks.

There were several significant attacks in recent years including the United States Office of Personnel Management (OPM), Sony, Equifax, the SWIFT attacks and others. For each of the attacks, we examined the attackers’ TTP. Unsurprisingly, we found out that in each of the attacks, a privileged account was used at some point or other, either after initial infection, for lateral movement – to cross to and compromise other devices or machines - or for data exfiltration.

For example, the group targeting the Bangladesh bank used credentials to move laterally to the SWIFT (Society for Worldwide Interbank Financial Telecommunications) network, using accounts with local administrative privileges in the administrative network. They used the bank’s very own SWIFT keys to execute USD 1 billion of transactions, of which ‘only’ USD 81 million went through.

Then in 2017, WWPKG Holdings, one of Hong Kong’s prominent travel agencies, revealed that its customer database was compromised, putting at risk its customers’ personal information. Early this year, two Hong Kong travel agencies, Goldjoy Holidays and Big Line Holiday, were also reported as being hacked with perpetrators holding sensitive personal information for ransom with one seeking a payout in bitcoin. Then last year, Cathay Pacific disclosed that personal information of up to 9.4 million of its passengers had been accessed in a data breach.

How are these privileges and credentials compromised?

The Weakest Link

The first insight is that organizations, especially the more security-minded organizations, are only as secure as their least secure third-party vendor. 

The OPM attack is a particularly strong example of this. The attackers gained access by first compromising trusted third-party credentials that gave access to the United States Office of Personnel Management (OPM) and United States Department of the Interior (DOI) networks. This eventually allowed them to exfiltrate 20 million records that contained Personally Identifiable Information (PII) of government officials as well as about five million fingerprints.

So, organizations that have placed all kinds of security controls in their environments should be very wary of trusted credentials used by third parties that connect to these environments because this might provide easy access for malicious actors.

As detailed in this recent report, unmanaged, unsecured third-party and remote vendor access remains a significant security risk. More than half (51 percent) of all survey respondents reported that they give third-party vendors remote access to their internal networks and, of this group, 23 percent fail to monitor remote vendor activity.

‘Dirty’ Networks

The second insight concerns what we term ‘dirty’ networks. Gaining access to an environment, whether it be through a third party or not, is simply the first step. The attackers must be able to move around to get to their target asset. In many of the cases we have analyzed we noticed that the compromised network was ‘dirty.'

‘Dirty’ in this case means networks that have many high-risk machines hosting privileged credentials. Once compromised, these become privilege escalation opportunities for attackers. A privileged account on an endpoint with internet access is a simple but not rare example of this phenomenon.

Security Controls Are Targeted

Our last insight reflects a more recent trend where attackers are increasingly targeting security controls themselves, to either shut them down or even compromise their credentials as, in many cases, security controls and services can only run with extremely privileged accounts associated with them, allowing,  for instance, to patch services. Organizations currently deploy such a plethora of security controls, agents, scanners to have created a complex environment, some of which are open source, some of which are not configured correctly and some even increasing the potential attack surface due to a vulnerability.

Attackers have recognized that comprising security controls can yield high value in terms of accessing privileges, so the security controls themselves are now a target. This represents the most exciting trend that CyberArk Labs has examined in the last year.

Three Critical Steps To Lock Down Privileged Credentials

1. Lock Down Credentials and Endpoints: Locking down credentials and endpoints is a crucial first step. You'll need to identify and prioritize which accounts present the highest risk and therefore need to be locked down first.
2. Isolate and Control Sessions: Once all of these critical accounts are located within a vault, it’s time to turn your attention to usage control. Many people need access to privileged accounts—from third-party contractors to temporary employees and more. Security teams must manage and monitor privileged access sessions without impacting the end-user experience OR disrupting system administrators’ workflow.
3. Keep a Watchful Eye: It is crucial to understand when there are anomalies. Does John typically work from 8:00 to 5:00, but suddenly starts to check out passwords at 2:00 a.m.?  Was that even John, or was it someone else? Or, what if John usually checks out 10 to 15 passwords per day, then all of a sudden he starts checking significantly more? What happens if we can detect the very first time that someone can compromise the system by brute-forcing their way in as an administrator or another admin account?  Or creating a backdoor account and then logging into it at strange hours? You need to be able to detect, alert and respond to attacks targeting privileged access.

Privileged accounts are the keys to an organization's overall security. Therefore, they pose the most significant security concern. If hijacked by an external attacker or a malicious insider, privileged accounts will allow attackers to take full control of the IT infrastructure, disable security controls, steal confidential information, commit financial fraud, disrupt operations and much more.

It is hard to know who might fall victim to an attack and/or have their accounts exploited. Thus, it is paramount to take cyber threats seriously, as the costs associated with security breaches are also rising tremendously, not only financially, but also in terms of legal exposure and reputation.

Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific and Japan, CyberArk authored this article.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.