Preventing the ability of attackers to perform lateral movement within your network is not only a threat detection function—it’s also a cyber hygiene function. In this blog, we’ll review some of the most common—and invisible—ways that privileged user credentials proliferate in enterprise networks. It’s well understood that domain admin or other high-powered credentials are gold to a cyberattacker. With “keys to the kingdom,” they can move easily and silently from one system to another, change domain attributes, add permissions, change passwords, and connect to any machine in the domain. Most organizations dedicate significant resources to careful management of Active Directory and use various technologies and practices to control access privileges. But our experience shows that even in the most diligent organizations, privileged user credentials are more accessible to attackers than you’d think.
1. “Orphaned” Credentials
Through routine IT support activity, powerful credentials can be inadvertently left behind. Suppose an employee in the Finance department calls the internal help desk with a connectivity or application problem. The help desk person uses domain admin credentials to access the system remotely, troubleshoots, and remedies the problem, but ends the session without properly logging off. Those domain admin credentials may remain on the end user’s system until he or she logs off the network or restarts the system. Although this occurrence is not malicious and the situation eventually corrects itself, it creates an invisible window of vulnerability that an attacker can exploit if in the right place at the right time. Systems may be especially vulnerable in Finance, Human Resources, and other areas where users are less security-conscious and are more frequently targeted by phishing and malware campaigns.
2. Poor Local Admin Practices
The age-old “silo” problem or lack of coordination between IT Operations and Security can manifest in risky system deployment practices. From a security perspective, organizations normally should not allow creation of local admins because they can operate outside the control of the Active Directory domain, leave systems more open to malware, and open the door to a range of security violations. However, for efficiency purposes, it is common for standard endpoints to be built from system images (golden images) that contain a default local admin user—and the same default password. While this may make things more convenient for IT administrators, attackers now have the opportunity to access multiple machines with a single password. With local admin rights, it is also easier for employees or attackers to create unauthorized local users, which can typically only be discovered by querying each machine.
3. “Shadow” Admins
For good reason, a layered defense architecture includes some form of privileged user monitoring (PUM) or privileged access management (PAM) to treat these credentials with an appropriate degree of risk mitigation. Without due care, however, this can cause a false sense of security. Through manipulation of Active Directory Access Control Lists (ACLs), cyberattackers can elevate user privileges, and thereby create “shadow admins” that have domain admin-level access but are not part of the domain admin group. One Illusive customer, a security officer who had just taken a new job, intentionally assigned to a regular user elevated privileges equivalent to a domain admin. He did this specifically to test how quickly the violation would be discovered; three years later, he was still waiting.
Of course, malicious IT people or other insiders can also intentionally create shadow admins, and they can also be created accidentally. Given how complex AD permission structures and organizational requirements can become, mistakes are easily made that end up granting rights beyond what a user’s function requires.
Control through Visibility
The necessity to prevent abuse of privileged credentials has become even more urgent with the emergence of Bloodhound and other attack tools that help automate lateral movement. Enforcement of privileged access policies is not simply a matter of properly configuring Active Directory; credential violations can be extremely difficult to manage. This is for two main reasons:
- It is a typical “needle in the haystack” problem. There is so much security data that serious issues can be easily overlooked.
- The credential landscape—what we call the “access footprint”—is constantly changing, even in the most well-run organizations. It’s always difficult to instrument identity and access management changes as fast as user functions change, so access-related security gaps are common, but even through normal business operations, credentials get stored and hidden in a variety of places.
Even in relatively small businesses, entire security teams would be consumed trying to continuously identify and correct credential violations. From a practical standpoint, automation is required. This is one of the challenges that Illusive’s Attack Surface Manager addresses. It identifies the location of domain admin credentials, continuously discovers credential violations, and provides automation to help correct them so you can uncover and rapidly resolve conditions that promote malicious lateral movement.
It’s inevitable that attackers will occasionally break through your defenses, but by perpetually minimizing your internal attack surface, you can reduce the risk that the keys to your kingdom will fall into their hands, and significantly thwart their ability to reach their targets.
Get a free Attack Risk Assessment – Our remote assessment will identify hidden vulnerabilities that attackers seek to exploit now such as cached domain admin credentials, key endpoints with direct access to critical business assets, improperly disconnected RDP sessions with heightened access, ambiguous “shadow admins”, and more.
Read our whitepaper, Use Cases for Attack Surface Manager, which looks at how security teams are given unprecedented power to easily implement a cyber hygiene program to harden their networks against malicious lateral movement of cyberattackers.
Subscribe to the Proofpoint Blog