Recent hacks and breaches show users and applications are primary attack vectors
This week’s attack on OneLogin indicates privileged user accounts may have been misused
While details about OneLogin’s latest breach are still being uncovered and shared, we know from the OneLogin blog and Krebs on Security that “a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S.”
The keys in question are AWS API credentials, so what matters is the IAM permissions attached to them; access broad enough to reach customer data suggests they belonged to a highly privileged identity, such as an IT administrator's account. A compromised privileged account is turned against the organization that issued it, and even a short window of undetected access at that level can produce a catastrophic breach.
Attackers prize administrator-level access inside a target's environment, so it is well worth their time to home in on the people in those roles and their accounts.
Getting started is easy. A quick Google or LinkedIn search can produce a list of a company's IT administrators, and each administrator's technical profile will often show who manages the technology the attacker wants to get into, such as an AWS environment.
The obvious first step is to protect every user account with multi-factor authentication, since passwords are routinely phished, reused or guessed. But in the case of IT administrators we need to go further.
Sensitive IT access needs to be controlled more granularly with privileged access management, and administrative activity needs to be closely monitored. Much of that activity is performed through APIs, where an MFA prompt at console login does nothing to protect a leaked long-lived access key: the key is accepted on its own unless the policies attached to it require an MFA-backed session.
Applying analytics, machine learning and automation to privileged-user activity adds intelligence to the controls around the accounts with the broadest access to a company's most sensitive systems and data. Whether the principal is a privileged admin, an automated script, an offshore developer or an external partner, the business must be able to authorize, limit, audit and record its access.
Learning days or even hours after the fact that an attacker gained privileged access is better than nothing, but the security control needs to respond within seconds.
Analytics and machine learning detect anomalous behaviour and trigger automated mitigations as soon as risk is detected: activating session recording, forcing re-authentication, alerting admins and other systems, or stopping the session outright.
The system essentially compiles an electronic dossier for each user, device and resource: the activity and events correlated with that entity, which is the baseline that new activity is measured against.
We also know that much administrative activity today is done through scripts and APIs, as it was in this breach. The same analytics and control principles need to be applied at the API level if we are to keep up with the pace of DevOps.
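To make the preceding points concrete (monitoring API-level admin activity, the per-entity dossier, and automated mitigation chosen from a risk score), here is an added example that is not code from the original post or from OneLogin. It builds a per-principal baseline from a window of trusted CloudTrail-style records, scores each new API call against it, and picks a response. The records, the account ID, the IP addresses, the weights and the thresholds are all constructed or assumed for the illustration; only the record shape (eventSource, eventName, sourceIPAddress, userAgent, userIdentity.arn) mirrors real CloudTrail.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Added example, not code from the original post or from OneLogin. Records are
# constructed in CloudTrail's shape so the script runs offline; the weights and
# thresholds are illustrative assumptions, not a product's.

SENSITIVE_APIS = {  # constructed list of calls whose misuse from a new host is serious
    "s3:GetObject", "s3:ListBucket", "kms:Decrypt", "sts:AssumeRole",
    "iam:CreateAccessKey", "iam:AttachUserPolicy",
}

@dataclass
class Dossier:
    """Everything seen for one principal: the per-entity 'dossier'."""
    source_ips: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    apis: set = field(default_factory=set)

def api_name(event):
    """CloudTrail splits the API into eventSource + eventName; rejoin as 'svc:Action'."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"

def learn(dossier, event):
    dossier.source_ips.add(event["sourceIPAddress"])
    dossier.user_agents.add(event["userAgent"])
    dossier.apis.add(api_name(event))

def build_baseline(events):
    """Build dossiers from a window of activity you already trust."""
    dossiers = defaultdict(Dossier)
    for ev in events:
        learn(dossiers[ev["userIdentity"]["arn"]], ev)
    return dossiers

def score_event(dossier, event):
    """Additive risk score plus the reasons, so an analyst can see why."""
    api, score, reasons = api_name(event), 0, []
    if event["sourceIPAddress"] not in dossier.source_ips:
        score, reasons = score + 3, reasons + ["new source IP"]
    if event["userAgent"] not in dossier.user_agents:
        score, reasons = score + 2, reasons + ["new user agent"]
    if api not in dossier.apis:
        score, reasons = score + 2, reasons + ["API not used before by this principal"]
    if api in SENSITIVE_APIS:
        score, reasons = score + 2, reasons + ["sensitive API"]
    return score, reasons

def choose_action(score):
    if score >= 7:
        return "deactivate_key"          # stop the session: disable the access key
    if score >= 4:
        return "require_mfa_and_record"  # step-up authentication and record the session
    if score >= 2:
        return "alert"
    return "allow"

def evaluate(dossiers, live_events):
    decisions = []
    for ev in live_events:
        d = dossiers[ev["userIdentity"]["arn"]]  # unknown principal -> empty dossier, everything is new
        score, reasons = score_event(d, ev)
        action = choose_action(score)
        decisions.append({"api": api_name(ev), "ip": ev["sourceIPAddress"],
                          "score": score, "reasons": reasons, "action": action})
        if action == "allow":
            learn(d, ev)  # only benign activity extends the baseline; otherwise an
                          # attacker's host becomes "known" after a single call
    return decisions

def make_event(arn, ip, ua, source, name):
    return {"userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "userAgent": ua, "eventSource": source, "eventName": name}

ADMIN = "arn:aws:iam::123456789012:user/ops-admin"  # documentation account ID, assumed user name
CLI = "aws-cli/1.11.91 Python/2.7.10 Darwin/16.5.0 botocore/1.5.54"
BOTO = "Boto3/1.4.4 Python/2.7.12 Linux/4.4.0 Botocore/1.5.54"

BASELINE = [  # constructed: the admin's normal activity from the office range
    make_event(ADMIN, "203.0.113.10", CLI, "ec2.amazonaws.com", "DescribeInstances"),
    make_event(ADMIN, "203.0.113.11", CLI, "s3.amazonaws.com", "ListBucket"),
    make_event(ADMIN, "203.0.113.10", CLI, "s3.amazonaws.com", "GetObject"),
]

LIVE = [  # constructed: routine calls, then the same keys used from an unrelated host
    make_event(ADMIN, "203.0.113.10", CLI, "ec2.amazonaws.com", "DescribeInstances"),
    make_event(ADMIN, "203.0.113.10", CLI, "ec2.amazonaws.com", "TerminateInstances"),
    make_event(ADMIN, "198.51.100.77", CLI, "s3.amazonaws.com", "GetObject"),
    make_event(ADMIN, "198.51.100.77", BOTO, "s3.amazonaws.com", "ListBucket"),
]

def run_example():
    dossiers = build_baseline(BASELINE)
    decisions = evaluate(dossiers, LIVE)
    return {"dossiers": dossiers, "decisions": decisions}

if __name__ == "__main__":
    for d in run_example()["decisions"]:
        why = ", ".join(d["reasons"]) or "matches baseline"
        print(f"{d['action']:24} score={d['score']} {d['api']} from {d['ip']}: {why}")
```

The four live calls come out as allow, alert, require_mfa_and_record and deactivate_key: a never-before-seen but non-sensitive API from the usual host only raises an alert, while a sensitive call from an unfamiliar host with an unfamiliar client crosses the kill threshold. The design point worth keeping even if the weights are changed is in evaluate: the dossier is only updated from calls the system allowed, so an anomalous host never becomes part of "normal" simply by making requests.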
The WannaCry outbreak (unpatched systems exposing a vulnerable network service) and this breach at OneLogin (misused API credentials) show that companies must rethink the way they do security, with a maniacal focus on user access and applications.
Here's why: ten years ago the attack surface could be approximated by the number of entry points into the network; today it scales with the number of applications and APIs multiplied by the number of users who can reach them. That product is enormous and gives bad actors a target-rich environment.
Access is what bad actors need to succeed with any data breach, and they get that access through compromised credentials. The 2017 Verizon Data Breach Investigations Report found that 81 percent of hacking-related breaches leveraged stolen or weak passwords.
The Software Engineering Institute cited that 90 percent of all data breaches exploit application vulnerabilities. Bringing security into the development, test and deployment process is critical to delivering secure applications from the start.
Companies that get security right by refocusing on applications and user identity also improve the experience of their users, and see returns in business outcomes as well as in security.
No CIO or CISO wants to be surprised by a system breach, particularly one that could have been avoided or mitigated by having the right access controls and analytics in place.