If identity is indeed the new perimeter, then privileged access is its primary attack vector. Weak credentials and privilege misuse are consistently identified as the dominant pattern in data breach reports. Approaches to managing privileged access are struggling to keep pace with the changing threats. In this session, we'll examine recent attacks that exploit privilege misuse, analyze some of the specific methods used (like mimikatz), then examine new approaches that can mitigate this risk to the enterprise. Emphasis here will be vendor agnostic, but we will discuss specific technical approaches as well as some technologies that can assist in managing privileged access and adopting a program of least privilege. In addition, we’ll explore differences in approach between on-prem PAM approaches compared with various cloud technologies. We'll also discuss common roadblocks in PAM programs and potential methods to resolve them. Finally, we’ll look at the role that identity & user behavior analytics (UBA/UEBA) can play in providing an active defense against privilege misuse.

1. Revisiting Privileged
Access in Today’s
Threat Landscape
LANCE PETERMAN
@LPETERMAN

2. About Me
 IAM Strategy & Platform Lead at
Merck
 Also, Teach Software Architecture
& Design at UNC-Charlotte
 Also, Board & Founding member
of IDPro
 Opinions are my own
 Twitter: @lpeterman

3. Why we can’t get a
Perfect 10 in the Vault

4. 3 years ago…

5. My use case…

6. Existing &
Emergent
Patterns
Existing &
Emergent
Patterns
How Privilege
is (mis)Used
How Privilege
is (mis)Used
New
Responses
New
Responses

7. Existing &
Emergent
Patterns
Existing &
Emergent
Patterns

8. PAM Reference Architecture (2015)
8
Password
Vault
Session
Management
& Recording
PAM Policy
Management
Discovery &
Policy
Enforcement
Session Review
Privileged Access Management
SRM/Ticketing WorkflowPolicy Store
Logging &
Audit
SIEM /
Analytics
CMDB /
Change
Management
Information Technology Resources
Access
Certification
Identity
Management
Non-person
Credential
Management
Identity &
Access
Management

9. PAM Reference Architecture
9
Access
Certification
Identity
Management
Non-person
Credential
Management
Identity &
Access
Management
SRM/Ticketing WorkflowPolicy Store
Logging &
Audit
SIEM
CMDB /
Change
Management
Information Technology & InfoSec Resources
**Analytics/
AI/ML
SOC
Credential
Vault
Session
Management
& Recording
PAM Policy
Management
Discovery &
Policy
Enforcement
Session Review
Privileged Access Management
Secret/Key
Management
EPM

10. Vaulting

11. Session Management

12. Local Admin Management/EPM

13. Secrets/Key Management
• Market is fragmented here – AWS, Ansible, Chef, CyberArk…lots more
• Does this belong in IAM? Similar challenge with CIAM for many
enterprises

14. Other Patterns/Approaches
• Elevation vs. Vaulting for person accounts
• Analytics…got a minute, or 90?

15. How Privilege
is (mis)Used
How Privilege
is (mis)Used

17. June 27, 2017 6am EDT

18. NotPetya

20. MimiKatz “cute kitten”
• “Swiss army knife” (or multi-tool) of Windows credentials
• Needs local admin for ‘most’ functions
• Leverages weaknesses/features in:
• LSASS - Local Security Authority Subsystem Service – credentials stored in memory
after use
• Can leverage credentials stored as (depending on OS level):
• Kerberos tickets
• NTLM password hashes
• LM password hashes
• Clear-text passwords
• GREAT Resource for understanding MimiKatz – ADSecurity.org

23. Other Windows OS/protocol threats
• Kerberoasting
• Vulnerabilities in Kerberos (UN)Constrained Delegation
(KCD)
• GPO Permissions
• Do you really know where your privileges are…
• Notice that little of this is explicitly identity related? Or is it?

24. Secrets
Revealed

25. IOT Exploits

26. Insider threat is
still a thing…

28. New
Responses
New
Responses

29. Technology ‘Arrows’
• Use EPM or similar tools to reduce/eliminate local admin privileges wherever
possible
• If you don’t have secrets/key management, explore the need. Talk to your
vendors.
• Have an IoT platform? Find out, explore gateways for segmentation
• Consider automated tools for privileged account discovery
• Reduce privilege ‘scale’ through segmentation
• Eliminate credential caching where possible
• MFA for sensitive internal apps, even regular users
• Consider analytics for privilege abuse use cases but make sure you get the
data

30. Process ‘Arrows’
• Reduce privilege ‘scale’ through segmentation (ex: SCCM
admins), including number of admins per server
• Eliminate credential caching where possible
• Consider software updates a threat vector (supply chain attack)
• Leverage Least Privilege (LPM)wherever possible (see people
arrows)
• Defense in depth should be a mindset, look beyond Layer 7 for
solutions
• Embed security & identity in your SDLC
• Same for Change Management (CMDB is your most important
identity asset)

31. People ‘Arrows’
• Partner with Developers on Secrets & Local Admin
• Partner with InfoSec on expanding privilege analysis, focus
on LPM, and Defense in Depth
• Partner with the business on identifying your high value
assets (HVA), know what you’re protecting and why
• Partner with everyone on MFA – pierce the veil on how it
can be used and reduce friction
• Prioritize activities based on risk

33. Resources
• 2015 Talk - https://youtu.be/1HA2N_4c2jw
• Local Admin rights blog post -
https://identitybytes.com/index.php/2018/03/20/applying-a-rheostat-to-
local-admin-rights/
• Secrets compromised - https://threatpost.com/22k-open-vulnerable-
containers-found-exposed-on-the-net/132898/
• IoT compromised -
https://www.bleepingcomputer.com/news/security/someone-is-taking-over-
insecure-cameras-and-spying-on-device-owners/
• MimiKatz - https://www.wired.com/story/how-mimikatz-became-go-to-
hacker-tool/
• ADSecurity.org Guide to MimiKatz - https://adsecurity.org/?page_id=1821

34. Thank You!!!

35. Backup Slides

36. What is Privileged Access Management?
Privileged access: is
defined as any feature or
facility of a multi-user
information system that
enables the user to
override system or
application controls (e.g.
Administrator, Root, or
similar high-level privileges)

37. What is Privileged Access Management?
37
Privileged accounts or identities
•Hold special or extra permissions
within a system, application or
database
•These accounts can grant
broad access to underlying
business information in systems
•Ideally, only used by authorized
individuals when elevated
privileges are required to fix
urgent problems, or…
•Misuse can significantly affect
the organizations business (risk)*

38. What is
Privileged
Access
Management?
The use of privileged accounts should be
managed and the password monitored
when stored digitally. Privileged account
activity should be logged and traceable
to a unique user.
38
What is Privileged Access Management?
Unique
Monitore
d
Manage
d
PAM

39. What does that tell us?
• The threat landscape is changing…DAILY
• “The compromise of privileged access is a key stage in
100% of all advanced attacks.” – CyberSheath Report
4/13 3
• This is the critical attack vector for internal and external
threats
• 45% of hackers directly target privileged credentials -
Thycotic
• Verizon DBIR – “97% of all breaches are preventable
through basic and intermediate controls.”
• 43% of respondents in a 2012 survey did not have a PAM
practice or wasn’t sure if they did

40. The Practice of Privileged Access
Management (PAM)
• Designed to answer:
• Who/what has Privileged access
• When it was used
• Where it was used from
• What was done
• Technology is only One part of the
equation – People & Process are
essential
• Has to be part of your governance
process, not just a one off
enrollment*