If identity is indeed the new perimeter, then privileged access is its primary attack vector. Weak credentials and privilege misuse are consistently identified as the dominant pattern in data breach reports. Approaches to managing privileged access are struggling to keep pace with the changing threats. In this session, we'll examine recent attacks that exploit privilege misuse, analyze some of the specific methods used (like mimikatz), then examine new approaches that can mitigate this risk to the enterprise. Emphasis here will be vendor agnostic, but we will discuss specific technical approaches as well as some technologies that can assist in managing privileged access and adopting a program of least privilege. In addition, we’ll explore differences in approach between on-prem PAM approaches compared with various cloud technologies. We'll also discuss common roadblocks in PAM programs and potential methods to resolve them. Finally, we’ll look at the role that identity & user behavior analytics (UBA/UEBA) can play in providing an active defense against privilege misuse.
2. About Me
IAM Strategy & Platform Lead at Merck
Also, teach Software Architecture & Design at UNC-Charlotte
Also, Board & Founding member of IDPro
Opinions are my own
Twitter: @lpeterman
13. Secrets/Key Management
• Market is fragmented here – AWS, Ansible, Chef, CyberArk…lots more
• Does this belong in IAM? Similar challenge with CIAM for many enterprises
20. MimiKatz “cute kitten”
• “Swiss army knife” (or multi-tool) of Windows credentials
• Needs local admin for ‘most’ functions
• Leverages weaknesses/features in:
  • LSASS - Local Security Authority Subsystem Service – credentials stored in memory after use
• Can leverage credentials stored as (depending on OS level):
  • Kerberos tickets
  • NTLM password hashes
  • LM password hashes
  • Clear-text passwords
• GREAT resource for understanding MimiKatz – ADSecurity.org
23. Other Windows OS/protocol threats
• Kerberoasting
• Vulnerabilities in Kerberos (UN)Constrained Delegation (KCD)
• GPO Permissions
• Do you really know where your privileges are…
• Notice that little of this is explicitly identity related? Or is it?
29. Technology ‘Arrows’
• Use EPM or similar tools to reduce/eliminate local admin privileges wherever possible
• If you don’t have secrets/key management, explore the need. Talk to your vendors.
• Have an IoT platform? Find out, explore gateways for segmentation
• Consider automated tools for privileged account discovery
• Reduce privilege ‘scale’ through segmentation
• Eliminate credential caching where possible
• MFA for sensitive internal apps, even regular users
• Consider analytics for privilege abuse use cases but make sure you get the data
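Two of the arrows above (eliminating credential caching and reducing local admin) map directly onto the LSASS credential-in-memory weakness described on the MimiKatz slide. The following is an added example, not from the deck or from any vendor, of a PowerShell audit that reports a Windows host's drift from those settings; it assumes Windows 8.1/Server 2012 R2 or later, an elevated session, and that the `Get-LocalGroupMember` cmdlet is available (Windows 10/Server 2016+). The function names are mine; the registry paths are the documented Windows settings.

```powershell
# Added example: audit credential-caching and local-admin hardening on one host.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    # Returns the value if the key and name exist, otherwise the OS default we assume.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Test-CredentialCachingHardening {
    $findings = @()

    # WDigest: UseLogonCredential=1 makes LSASS keep clear-text passwords in memory.
    # On 8.1/2012 R2 and later an absent value means disabled (0), the desired state.
    $wdigest = Get-RegistryValueOrDefault `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name 'UseLogonCredential' -Default 0
    if ($wdigest -ne 0) {
        $findings += 'WDigest UseLogonCredential enabled: clear-text passwords cached in LSASS'
    }

    # LSA Protection: RunAsPPL (1, or 2 with UEFI lock) runs LSASS as a protected process,
    # so unsigned code cannot read its memory even with local admin.
    $runAsPpl = Get-RegistryValueOrDefault `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Default 0
    if ($runAsPpl -lt 1) {
        $findings += 'LSA Protection (RunAsPPL) not enabled'
    }

    # Cached domain logons: default 10; each cached verifier is one more credential at risk.
    $cached = [int](Get-RegistryValueOrDefault `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name 'CachedLogonsCount' -Default 10)
    if ($cached -gt 1) {
        $findings += "CachedLogonsCount is $cached; reduce it on servers and jump hosts"
    }

    # Local admin sprawl: more than the built-in account plus one managed group is a flag.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
    if ($admins.Count -gt 2) {
        $findings += "Administrators has $($admins.Count) members: $($admins -join ', ')"
    }

    return $findings   # empty array means the host matches the baseline
}

Test-CredentialCachingHardening
```

The thresholds (one cached logon, two admin members) are a starting point for servers; workstations in a PAM program will usually need a higher CachedLogonsCount for offline users.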
30. Process ‘Arrows’
• Reduce privilege ‘scale’ through segmentation (ex: SCCM admins), including number of admins per server
• Eliminate credential caching where possible
• Consider software updates a threat vector (supply chain attack)
• Leverage Least Privilege (LPM) wherever possible (see people arrows)
• Defense in depth should be a mindset, look beyond Layer 7 for solutions
• Embed security & identity in your SDLC
• Same for Change Management (CMDB is your most important identity asset)
31. People ‘Arrows’
• Partner with Developers on Secrets & Local Admin
• Partner with InfoSec on expanding privilege analysis, focus on LPM, and Defense in Depth
• Partner with the business on identifying your high value assets (HVA), know what you’re protecting and why
• Partner with everyone on MFA – pierce the veil on how it can be used and reduce friction
• Prioritize activities based on risk
33. Resources
• 2015 Talk - https://youtu.be/1HA2N_4c2jw
• Local Admin rights blog post - https://identitybytes.com/index.php/2018/03/20/applying-a-rheostat-to-local-admin-rights/
• Secrets compromised - https://threatpost.com/22k-open-vulnerable-containers-found-exposed-on-the-net/132898/
• IoT compromised - https://www.bleepingcomputer.com/news/security/someone-is-taking-over-insecure-cameras-and-spying-on-device-owners/
• MimiKatz - https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/
• ADSecurity.org Guide to MimiKatz - https://adsecurity.org/?page_id=1821
36. What is Privileged Access Management?
Privileged access is defined as any feature or facility of a multi-user information system that enables the user to override system or application controls (e.g. Administrator, Root, or similar high-level privileges).
37. What is Privileged Access Management?
Privileged accounts or identities
• Hold special or extra permissions within a system, application or database
• These accounts can grant broad access to underlying business information in systems
• Ideally, only used by authorized individuals when elevated privileges are required to fix urgent problems, or…
• Misuse can significantly affect the organization’s business (risk)*
38. What is Privileged Access Management?
The use of privileged accounts should be managed and the password monitored when stored digitally. Privileged account activity should be logged and traceable to a unique user.
[Diagram: PAM – Unique, Monitored, Managed]
39. What does that tell us?
• The threat landscape is changing…DAILY
• “The compromise of privileged access is a key stage in 100% of all advanced attacks.” – CyberSheath Report 4/13
• This is the critical attack vector for internal and external threats
• 45% of hackers directly target privileged credentials - Thycotic
• Verizon DBIR – “97% of all breaches are preventable through basic and intermediate controls.”
• 43% of respondents in a 2012 survey did not have a PAM practice or weren’t sure if they did
40. The Practice of Privileged Access Management (PAM)
• Designed to answer:
  • Who/what has privileged access
  • When it was used
  • Where it was used from
  • What was done
• Technology is only one part of the equation – People & Process are essential
• Has to be part of your governance process, not just a one-off enrollment*