Each year the folks at FireEye release the M-Trends report compiled by their Mandiant Consulting arm. This outlines what last year’s IT security trends were and what we should anticipate in the coming year. While this year’s M-Trends 2016 validates what many of us have experienced firsthand, it really brings to the forefront how critically important securing identity will be this year.
Within the 48-page report, there are 21 sections directly related to identity. Not to mention, a few infographics that invoke identity questions. After taking out the filler pages, identity is mentioned in almost every page. It will be a safe to say that Compromised Identity is the single largest issue allowing hackers to successfully execute their attacks; this was the case in 2014, again in 2015 and certainly will be the theme of 2016.
The M-Trends report can be boiled down to:
Security trends going mainstream
- Attacks are becoming disruptive — These are no longer behind-the-scenes attacks, as hackers are looking for ransoms, and they they will embarrass your company if you do not give in.
- Attacks are targeted at personally identifiable information (PII) — Hackers are going for specifics to really target users.
- Attacks are aimed at network devices — By changing flows of information and the ways to access networks, hackers have free reign.
Attack vectors that won’t go away
- Outsourced Service Provider Abuse — This is a case of breaching those outside of your organization with access to your organization.
- Windows Persistence — There are all sorts of windows services that are ripe for hackers to abuse.
How to defend your network:
- Vulnerability Assessments — Not a new concept by any means, but has never been more important.
- Credentials — It is necessary to make it difficult for unauthorized users to gain access to your systems.
- Inability to detect a breach — If you aren’t monitoring systems and access, you don’t know if you are protecting yourself.
- Poor Egress Controls — You need to keep bad guys from getting in, but it is also important to keep bad guys from getting out of your network.
A case study of how to stop a typical attack:
- Monitor your network.
- Use the information you have captured to make decisions.
- When an attack appears — verify and respond.
For the remainder of this article, I would like to focus on addressing the 21 sections that relate to identity security. Centrify helps IT security teams that are struggling to prevent data breaches in our cloud and mobile world. Compromised identity is the leading cause of security breaches (nicely outlined in the M-Trends 2016 Report), but traditional perimeter defenses cannot protect users with too many passwords, too much access and too much privilege. Centrify helps customers solve these problems and establish a new perimeter — based on identity. This reduces risk and simplifies administration.
Below is how I would use Centrify products to address the mentioned security concerns. I’ve included a clip from the M-Trends report with the page number for reference along with my brief interpretation. Most of my recommendations aren’t particularly complicated but like most things in life, it is the little things that count.
“Mandiant’s Red Team, on average, is able to obtain access to domain administrator credentials within three days of gaining initial access to an environment. Once domain administrator credentials are stolen, it’s only a matter of time before an attacker is able to locate and gain access to the desired information. This means that, in our experience, 146 days is at least 143 days too long. On a positive note, companies that detected the breach on their own had a median number of 56 days compromised. The takeaway is that we are getting better as an industry, but there is still work left to do!” (Page 4 of M-Trends 2016)
At face value, I would look at this as being initially prevented with the use of multi-factor authentication (MFA). This quickly turns to a conversation about enforcing least privilege access, not to mention the need for workflow (Centrify Identity Service, Privilege Service or Server Suite).
“An attacker with domain administrator-level access to a victim’s Active Directory environment attempted to distribute ransomware through scheduled tasks and Group Policy objects (GPOs). The attacker created a scheduled task and pushed it onto the target systems via GPOs. The scheduled task loaded a malicious script from the domain controller (DC). The script then copied over an executable from the DC to the target systems and executed it. The executable was designed to encrypt user files (documents, photos, emails, backups, etc.) on the file system and instruct the victim to visit a website that contained instructions to obtain the decryption key.” (Page 11, M-Trends 2016)
With multi-factor authentication installed it would be hard for someone remotely to do this, and with the enforcement of least privilege, very few accounts would have this level of access (Centrify Server Suite).
“ENSURE STRONG SEGMENTATION AND CONTROLS OVER YOUR BACKUPS – Most organizations have mature backup policies so they can recover quickly in the event of a system failure. However, it’s common for the systems containing backups to be part of the same environment compromised by the attacker. Tighten access to your backup environment to mitigate the risk of an attacker accessing the system using compromised credentials and destroying your backups.” (Page 15 – Lesson 8, M-Trends 2016)
Implement multi-factor authentication for access to the backup system and if it has share accounts make sure a password safe is implemented (Centrify Privilege Service).
“The breaches we investigated spanned multiple sectors, including healthcare, travel, financial services, and government. While we initially suspected the threat actors would target health records and credit card information, we found no evidence. Instead, we observed the threat actors target and steal information that could be used to verify identities such as Social Security numbers, mothers’ maiden names, birthdates, employment history, and challenge/response questions and answers.” (Page 16, M-trends 2016)
Have strong password policies, change them frequently, use a single identity store, use SAML authentication where possible and lock it down with multi-factor authentication. Needless to say, hackers are aware that focusing on compromising identities is where they gain the greatest value (Centrify Identity Service).
“The threat actor gained access to the databases by leveraging the victim’s Active Directory information to identify database administrators and their computers. Specifically, the attacker searched Active Directory group membership for the keyword “database.” The threat actor moved laterally to those systems and harvested documentation in an attempt to identify the names of databases, database servers, and database credentials.” (Page 17, M-Trends 2016)
Enforce least privilege access to make this very difficult and implement multi-factor authentication so you know who is accessing Active Directory (AD) (Centrify Server Suite).
“Given the type of PII the attacker stole, threat actors could circumvent user identify verification and management processes. We commonly see threat actors use legitimate user accounts that already exist in the environment. Access to this type of PII could allow a threat actor to successfully navigate knowledge-based security mechanisms (knowing the correct response to personal questions only the employee is assumed to know) and compromise existing accounts.” (Page 18 – Bypassing Identify Verification and Access Management Schemes, M-Trends 2016)
Maintain a single identity store, have strong password policies and implement multi-factor authentication. Hackers are looking to compromise identity so they can escalate privilege (Centrify Identity Service).
“Implement network Access Control Lists (ACLs) to limit access to database servers. Only systems on trusted and well monitored network segments should be permitted to establish connections directly to database servers.” (Page 18 -Restrict network access to database servers, M-Trends 2016)
Implement server isolations so only trusted servers or computers can talk to each other (Centrify Server Suite).
“Over the past several years, Mandiant has observed advanced threat actors compromise networking device infrastructure such as a routers, switches, and firewalls. These devices are critical components of enterprise infrastructures and are often overlooked by incident responders during an investigation, especially when they have identified other backdoors or means of remote access used by the threat actors.” (Page 19 – Attacks on Enterprise Networking Devices, M-Trends 2016)
Networking devices historically use shared accounts and are rarely updated. Implement a password safe where admins log in using their Active Directory credentials and have no knowledge of what a device’s password is (Centrify Privilege Service).
During our testing to understand the severity of this issue, we discovered that this attack could be performed even if two-factor authentication was required on the Cisco ASA device. We were able to harvest session information, as well as legitimate credentials, which allowed us to perform a traffic replay attack.” (Page 20 – Cross-Site Scripting a Cisco ASA VPN Concentrator, M-Trends 2016)
Multi-factor authentication would certainly help in this instance, and protection of shared accounts in a password safe would go a long way (Centrify Identity Service and/or Privilege Service).
“As with other systems in an environment, integrity monitoring and authentication management are critical in preventing or detecting an attack on networking devices. Mandiant recommends the following actions to aid organizations in preventing, detecting, and recovering from an intrusion involving the compromise of networking devices:
Strong Authentication: Enforce multi-factor authentication for administrative access to the networking devices. Use a system that relies on hardware tokens, SMS, or a smartphone application rather than a workstation-based ‘softoken’ solution.” (Page 21- Tactical Recommendations, M-Trends 2016)
This recommendation is pretty clear: Use multi-factor authentication. (Centrify Privilege Service).
“Mandiant continued to observe advanced attack groups leveraging outsourced service providers to intrude onto the networks of our customers. This topic should sound familiar; in 2013, Mandiant’s M-Trends report included an article and case study about how advanced attack groups were observed increasingly taking advantage of outsourcing relationships in order to gain access to companies that employed those services. This trend has grown, and is possibly more prevalent today as an rising number of organizations become increasingly reliant on their outsourced service providers.” (Page 24, M-Trends 2016)
Control the service providers that are accessing your network and only allow them to access the specific applications or devices they are hired to manage – not the entire network. This cannot be overlooked (Centrify Privilege Service).
“The Takeaway – Your network is only as secure as your outsourced service provider. Make sure your organization understands the security of these providers, and apply as stringent policies to their access as you would to your own employees.” (Page 23 – Attacker leverages site-to-site VPN tunnel and compromises client from OSP network, M-Trends 2016)
Don’t give your outsourced service provider a site-to-site tunnel. Only give them access to the application or device they need. Make them use multi-factor authentication (Centrify Privilege Service).
“Outsourced service provider abuse was observed in several forms throughout 2015. We investigated cases involving financially motivated attackers leveraging stolen credentials from third-party service providers to access retail and hospitality networks and steal payment card data, a continuing trend that has been widely reported over the last few years and has not shown any signs of decreasing.
We also witnessed attackers indirectly leveraging outsourced service providers for access by stealing credentials left behind in unsecured files on victim systems. While it is true that the attacker already had access to the victim environment, it was the outsourced service provider credentials that allowed the attacker to interact with the target segment of the victim’s environment. In one case we worked, the attacker found a spreadsheet with usernames and passwords to a protected network segment. Unfortunately, this protected network segment allowed remote single-factor access to the environment. The attacker simply leveraged the credentials they had stolen to authenticate to the segmented environment, accessed systems processing cardholder data, and continuously harvested.” (Page 24, M-Trends 2016)
Implement multi-factor authentication and have a single identity silo that uses strong password policies. Consider providing role-based access by granting a level of trust to the service provider’s Active Directory (Centrify Privilege Service, Identity Service).
“Our investigations revealed that attackers were maintaining access to the ITOs by gaining access to the ITO management servers that these service providers use to support their clients’ infrastructure. From there, the attackers performed reconnaissance and harvested credentials that enabled them to access the targeted companies’ systems. The attackers occasionally deployed malware inside the end-client (victim) networks as an additional persistence mechanism, but primarily leveraged the elevated privileges of the ITO administrators to move throughout the victim networks undetected.” (Page 24, M-Trends 2016)
Enforce least privilege access on the management server. Only give the ITO the minimum level of access to do their job. Multi-factor authentication would also help (Centrify Server Suite).
“When an attacker infiltrates a targeted company’s network using the compromised ITO infrastructure, they have essentially skipped the first three phases of the lifecycle. There’s no need to craft an exploit or send a spear phishing email to the target company since they already have elevated privileges with unrestricted access. This shortcut allows the attackers to scale, improving efficiency and reducing efforts required to complete their missions.” (Page 27, M-Trends 2016)
Don’t give unrestricted access by implementing least privilege access on the server. Instead, only give access to the server and not to the network. Then, secure that access with multi-factor authentication (Centrify Server Suite, Privilege Service).
“Historically, large enterprises have been wary about migrating their IT infrastructure to the public cloud because of perceived security risks. As we’re seeing in our investigations, the risks associated with outsourcing IT services may be just as concerning. Consider the following recommendations if you are engaging, or have already engaged, an outsourced IT service provider.
Implement Multi-Factor Authentication & Jump Servers
Implement multi-factor authentication mechanisms for all outsourced service providers and, where possible, via jump server for service providers to access a client network environment. If an attacker is active inside an outsourced service provider’s network, multi-factor authentication with a dedicated jump server can prevent them from being able to steal credentials and pivot directly into the end-client’s (victim) networks. Furthermore, any chosen multi-factor solution should be tied to a corresponding user’s Active Directory account and not be valid for other accounts. Hardware-based tokens or phone-based tokens (such as those delivered via SMS) are more secure options for multi-factor authentication. Be sure to actively monitor remote logons for any suspicious activity.
Monitor Use of Privileged Accounts
Monitor the use of privileged accounts, including those associated with outsourced service providers. Attackers target privileged accounts such as local administrator, domain administrator, and service accounts. These are especially valuable inside the ITO management systems since they can potentially be used across multiple clients/victims. While there are various products/solutions available to help manage and monitor privileged accounts, organizations may consider something as simple as sending a daily report to all privileged account holders showing where they authenticated to, enabling astute administrators to identify suspicious activity.” (Page 27 – Recommendations, M-Trends 2016)
Implement multi-factor authentication, only provide access to the server requiring access, enforce least privilege access and produce log files. Log files that can be tied to an identity can greatly help enrich the correlation of a SIEM solution (Centrify Server Suite, Privilege Service).
“The most simplistic persistence techniques involved creating or modifying a Windows service or adding malicious files to registry run keys.” (Page 29, M-Trends 2016)
If you want to stop the abuse of windows servers, a great first step is to enforce least privilege access. Don’t give Windows admins full administrator rights to all windows servers if they don’t actually need it (Centrify Server Suite).
“The following observations are not intended to be an exhaustive compilation or ‘Top X’ listing of the security vulnerabilities that continue to plague enterprises. As with every security firm and internal testing team, we continue to encounter default credentials, missing patches, poor input validation, outdated operating systems and other common issues showing up on vulnerability reports everywhere.
Rather, these observations represent a common set of key issues identified during targeted testing in which the target organization is unaware of the test (except for a small set of stakeholders), and our testers have “carte blanche” to attack the organization using the same TTPs of an advanced adversary.
Observation #1 – Credentials, in general
Captured credentials remain the most efficient and undetected technique for compromising an enterprise. Most notable are the following:
- Many organizations still have not fixed the password problem. In short, many organizations still struggle with forcing users to use passwords that are sufficiently complex and difficult to guess. There is plenty of research and statistics available on passwords 6, and the issues specific to user password management have been acknowledged for a very long time. Modern enterprises have access to a variety of robust solutions that address the problem with credentials, from password vaults to multi-factor authentication to single sign on. Yet passwords remain a systemic problem for almost every client we encounter, so we cannot discuss attacking without talking about passwords.
This issue is not just limited to the regular user population. Sysadmins, developers, DBAs, domain administrators, and even security professionals continue to present a huge risk to their own enterprises. These users – who should know better and are highly targeted – remain some of the worst offenders for choosing poor passwords or disregarding established policy.
If you are on an IT or security team, know this: The bad guys are coming for you and they want your credentials. Do not make it easy by having a poor password policy.
- Cached credentials remain a major issue. In addition to the well-known password dumping tools already available, the weaponization of PowerShell and WMI has resulted in multiple effective toolkits that make targeting “high value” users and extracting credentials from memory almost trivial. These tools are fast, almost impossible to detect by AV, publicly-available, and widely supported. Even with detailed guidance from Microsoft regarding the protection of credentials and the built-in safeguards in modern Windows operating systems, our Red Teams continue to have extraordinary success retrieving credentials from memory and reusing those credentials to move laterally throughout a network.
- Single factor authentication. This architectural flaw has been discussed and addressed for a long time, yet we continue to see organizations expose OWA, Citrix, SAP, and even VPN to the Internet behind single factor (and often Active Directory-integrated) login pages. It is trivial to create a social engineering campaign that tricks users into “authenticating” with their AD credentials to a malicious site. Furthermore, it provides an attacker already within the environment an alternative path that is virtually indiscernible from normal user activity.” (Page 40 – 2015 Security Failure Trends, M-Trends 2016)
This is exactly what Centrify does: Uses a single identity store so that all users (admins or business users) can log in as himself or herself, implements single sign-on across all systems and executes multi-factor authentication across all important systems. Don’t ever share passwords (Centrify Server Suite, Privilege Service, Identity Service).
“Indicators on critical internal systems, including security controls, are being ignored. In 2015, Mandiant encountered multiple organizations that deployed best-practice security controls, including password vaults, two-factor authentication, data encryption, and SIEM — but are not monitoring access attempts or administrative activity on these controls! Given the high level of privileges under which these controls execute and their importance to the security posture of the organization, they make a particularly interesting target. Our Red Team regularly leverages compromised security infrastructure to perform reconnaissance, gain additional access, and even observe the security team’s activities. By not monitoring access attempts and administrative activity on these security controls, organizations miss out on key indicators that a targeted attack is in progress.” (Page 41, M-Trends 2016)
Using a single identity store with password safes and multi-factor authentication will provide enriched logs to allow for better monitoring will go a long way. Also, add least privilege access enforcement to increase server security. Privilege accounts and users hold the keys to the kingdom, so secure them like they hold the keys to the kingdom (Centrify Server Suite, Privilege Service).
“Emphasis should first be placed on maturing the security program, educating users, and securing critical infrastructure and assets.” (Page 43, M-Trends 2016)
Implementing Identity Security is a mature practice in the enterprise and is quickly filtering down to the mid-market and SMB space. Security affects everyone (Centrify).
“During the widespread zero-day exploit use by APT3 and APT18, two other significant intrusions occurred. The first involved APT29 – a suspected Russian origin threat group – compromising an entity actively involved in Russian oil interests. APT29 conducted numerous RDP sessions disguised as valid normal SSL connections inside this client. The RDP sessions were used to place malicious code within the firm, as well as steal multiple files.
The second significant intrusion occurred against a manufacturer by APT19, a suspected Chinese origin group. APT19 initially used a backdoor to spread across the environment and then harvested almost 6,000 valid user accounts. Once they leveraged the accounts to gain legitimate access, APT19 deleted tools and evidence of their initial access in a significant counter-forensic effort. FaaS quickly responded to this event using well-vetted knowledge of legitimate access detection methodologies and intelligence” (Page 46, M-Trends 2016)
With a greater focus on identity security along with properly implemented controls like multi-factor authentication, least privilege and strong password policies, this may have never happened (Centrify).
While there are many ways to approach any problem, I hope that I have shown a holistic way to address some very complex problems with a great identity platform. I’m sure 2016 will throw even more challenges our way, but it is key to get basic security controls in place if you are to stand a chance of protecting your organization. Multi-factor authentication, least privilege access, single source of identity and strong password policies should be in every organization’s plans and Centrify is perfectly suited to help.
To learn first-hand how Centrify can address the issues discussed above, sign-up for our 30-day free trail here.