We trust admins with the proverbial “keys to the kingdom” and direct access to the company’s most sensitive data, but are we doing enough to ensure data security and compliance?
Root, domain admin and super user are all accounts with elevated privileges that give users full control over the systems they are managing. Account compromise or misuse of escalated privileges poses a significant threat. These elevated privileges increase the risk associated with these accounts and require additional safeguards such as user behavior monitoring and alerting.
3. WHO IS OBSERVEIT?
HQ Boston, MA / R&D Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital
The leading provider of User Behavior Monitoring for Application Users, Admins and External Vendors
4. APPLICATION ACCESS / PRIVILEGED ACCESS
App Admins (Windows Admins, root, DBAs, System Admins, …): Shared Accounts
App Users (Developers, IT Contractors, Network Admin, …): Named Accounts
Entitlement changes
Logging Utilization
5. PRIVILEGED ACCESS: THE ‘ROOT’ OF TODAY’S BIGGEST BREACHES
78.8M affected by Anthem breach, DBA account compromised
56M affected by Home Depot breach, privilege escalation to blame
76M affected by JPMorgan Chase breach, obtained admin privileges
6. LET'S EXAMINE AN ATTACK
Penetrate
Hacker attacks:
• URL Interpretation
• Input Validation
• SQL Injection
• Impersonation
• Buffer Overflow
Establish Foothold
Open shell and run commands to learn orientation:
• Who Am I?
• Host name
• Location of directory service
Escalate Privileges
Uploads and executes malicious software
Scan memory for active sessions and extract passwords
Move Laterally
Hackers log into AD to get a targeted list of machines
Complete Mission
Hackers leverage credentials to compromise data on machines
13. REGISTRY EDITOR
Edit and Modify Specific Values
• Firewalls
• User Access Control
• Applications / Software
• Windows Components
14. UNSECURE ‘SHELL’
TELNET suffers from security problems.
TELNET requires a login name and password (when exchanging text).
Hackers can easily eavesdrop using snooper software to capture a login name and the corresponding password even if it is encrypted.
TELNET has been largely replaced by the more secure SSH protocol.
22. Challenge:
The Board of Directors of Ally Bank established a Privileged User Access (PUA) project for all sessions that are accessing data on 160 servers in-scope for PCI and SOX compliance.
Their 5,000 privileged users represented a significant risk in their organization, so they are rolling out password vaulting (Lieberman) and needed to implement a monitoring program in parallel.
Solution:
Needed a monitoring system to collect, alert, and report on the specific use of applications, functions, or access to specific information.
23. Challenge:
Needed to comply with SOX, HIPAA, PCI mandates surrounding the audit and logging of privileged access to 1,130 servers.
SOX, HIPAA, PCI mandates must include a date/time stamp as well as proof of what happened in all privileged sessions on regulated servers.
Solution:
Holistic view of configuration changes across environment
Real-time alerts and data exported to SIEM (IBM Qradar)
Reports centered around privileged access as a whole
Editor's Notes
What privileged user activities should be closely monitored and alerted upon
What’s happening in all admins sessions and even for actions that do not generate logs
How to see if users are accessing information they shouldn’t be in critical systems or deleting files
How to identify which users are remotely accessing your systems or changing permissions
ObserveIT can alert on
Terminal creation
Tool upload via FTP
Shell command execution
ObserveIT will alert on
Surrogate to root
Commands running as root
Data Exfiltration
Hackers Exploit Your AWS WebServer via SQL Injection
Hackers open shell & run commands for orientation & to discover host name & location of AD / directory service
Hackers upload & execute malicious software to scan memory for active sessions and extract passwords
Hackers Log into AD to get a targeted list of machines
Hackers leverage credentials to compromise data on machines
Malware Distribution
Hackers Exploit Your AWS WebServer via SQL Injection
Hackers open shell & run commands for orientation & to discover host name & location of AD / directory service
Hackers upload malware to the server
Hacker modifies JSP pages to distribute the malicious software
Hacker cleans the audit files to cover their tracks
Monitoring Privileged Users is a key part of a Privileged Identity Management initiative. Let’s explore the three major components of Privileged Identity Management:
Provisioning & Governance
Controlling the complete lifecycle of who has access to your critical systems is critical and that is where provisioning comes in. The ability to report on who has access to these systems is where governance solutions come in.
Password Vaults
We all know how important protecting privileged account passwords is, and this is where Password Vaults come in. We all know how dangerous it is when privileged users are using sticky notes to remember admin passwords for shared accounts.
User Monitoring
Controlling who has access is absolutely a critical need, and protecting the passwords is also critically important, but both lack the ability to monitor and audit what users actually do with the access and passwords they have. Further, password vaults introduce increased complexity and single points of failure, and because of this are often only deployed to protect a select number of servers.
ObserveIT fills a critical missing component required to meet compliance regulations, detect and stop data breaches, and deter careless and malicious activity, monitoring all privileged users with the ability to extend this visibility easily to your entire user population.
Integrations
ObserveIT integrates with provisioning and Password Vaults to provide monitoring of all user activity and behavior across the entire lifecycle of your privileged users.
Create new system users, access files, authorize network activity, and change system settings.
cron jobs
Config. Change:
Embedded Scripts (innocent script story)
Unsecure ‘shell’ (telnet on legacy appliances – SSH is much more secure and passwords are encrypted over the wire)
Unauthorized access (to configuration files) & running commands that they are not supposed to run
Unapproved ‘setuid’
Escalating Privileges
Pass-the-Hash
‘rm’ ‘cp’ with ‘sudo’
Installing “backdoors”
“leapfrog” logins
Legacy systems like routers and phone systems and other applications (like the IP address in a router) still have a place in the business, and if your privileged users still need to access telnet sessions, we can monitor them.
1) Sudo into root shell - sudo allows an admin to delegate authority, giving selected users the ability to run commands as root or another user. ObserveIT alerts if someone runs a sudo command to interactively open a root shell, which does not require the root password. Traditionally it is difficult to track user actions because in a shell you are not limited to a specific command, but with ObserveIT it’s simple.
2) Update root cron jobs - cron is a time-based scheduler program that enables UNIX users to automatically execute commands or scripts at a specific time and date. Cron jobs are used for scheduling tasks to run on the server. ObserveIT alerts when the -e option is used with root permissions to modify cron jobs that will later run with root permissions, enabling potential backdoor user activity at a later date.
3) Edit sudoers files - The sudoers file controls who can run specific commands as specific users on specific machines and can also control special actions like whether you need a password for particular commands. ObserveIT alerts when the sudoers file is edited, as this could enable unauthorized root permissions for the user.
4) Changing a program to a setuid program (possible backdoor) – setuid, short for “set user ID upon execution”, is a UNIX access-rights flag that allows users to run a program with temporarily elevated privileges in order to perform a specific task. ObserveIT alerts when a user tries to change a program to a “setuid” program (which automatically provides root permissions while the program runs), since this could enable potential backdoor user activity.
5) Opening generic root shell – a root shell is one of the main targets of hackers, since they can then run whatever command they want under full authority, and it is very hard to track what they do once they get it. ObserveIT can track when a regular user opens a root shell, so the action can be monitored to make sure it is legitimate, and commands run under the sensitive shell can be monitored.
6) Creating local user with duplicate user ID - ObserveIT alerts when a user with privileged permissions creates a new user with the same ID as an existing user. The newly created user could log in with his/her own password and perform actions that appear to have been performed by a different user (especially suspicious for power users like root).
7) Su into root shell with no password - In UNIX, the “root” user has control over the machine. An attacker will want to obtain a shell prompt so that any command entered will execute with root privileges. ObserveIT alerts when a regular user runs a program that opens a root shell using "sudo su". The user will not be asked for the root user password and will have root user permissions without knowing the root password.
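The seven alert conditions above all reduce to recognizable patterns in the sudo audit trail. The following is an added example, not ObserveIT's code: it classifies constructed sudo log lines (in the default sudo syslog format, with the timestamp and "sudo:" prefix stripped) against those rules, and checks a constructed /etc/passwd excerpt to catch the duplicate-UID case. The rule names, sample users and commands are all assumptions made for the demo.

```python
"""Classify sudo audit lines against the privileged-activity rules above.

Added example, not ObserveIT code. Input mimics the default sudo syslog line
("user : TTY=... ; PWD=... ; USER=root ; COMMAND=..."); the log lines and the
/etc/passwd excerpt are constructed for the demo.
"""
import os
import re
import shlex

# Constructed sample of sudo log lines (timestamps and "sudo:" prefix stripped).
SAMPLE_SUDO_LOG = """\
alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/crontab -e
dave : TTY=pts/3 ; PWD=/etc ; USER=root ; COMMAND=/usr/sbin/visudo
erin : TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/bin/chmod u+s /tmp/ping2
frank : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 backup2
grace : TTY=pts/6 ; PWD=/home/grace ; USER=root ; COMMAND=/bin/bash -i
"""

# Constructed /etc/passwd excerpt, used to spot UID collisions (rule 6).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
"""

SUDO_LINE = re.compile(
    r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}


def parse_sudo_line(line):
    """Return the fields of one sudo log line, or None if it does not match."""
    m = SUDO_LINE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["argv"] = shlex.split(entry["cmd"])
    return entry


def load_uids(passwd_text):
    """Map UID -> usernames from passwd-format text."""
    uids = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.setdefault(int(fields[2]), []).append(fields[0])
    return uids


def sets_setuid(mode):
    """True if a chmod mode argument adds the setuid or setgid bit."""
    if re.fullmatch(r"[0-7]{4}", mode):
        return int(mode[0]) & 0o6 != 0                 # 4xxx setuid, 2xxx setgid
    return re.search(r"[ugoa]*\+[rwx]*s", mode) is not None   # u+s, ug+s, +s


def classify(entry, uids):
    """Return the rule names (assumed labels for rules 1-7 above) hit by one entry."""
    argv = entry["argv"]
    if not argv or entry["target"] != "root":
        return []
    prog, args = os.path.basename(argv[0]), argv[1:]
    hits = []
    if prog in SHELLS:                                  # rules 1 and 5
        hits.append("root-shell-via-sudo")
    if prog == "su" and (not args or args[0] in ("-", "-l", "root")):
        hits.append("su-to-root")                       # rule 7: "sudo su"
    if prog == "crontab" and "-e" in args:
        hits.append("root-crontab-edit")                # rule 2
    if prog == "visudo" or any(a.startswith("/etc/sudoers") for a in args):
        hits.append("sudoers-edit")                     # rule 3
    if prog == "chmod" and any(sets_setuid(a) for a in args):
        hits.append("setuid-change")                    # rule 4
    if prog == "useradd":                               # rule 6
        dup = "-o" in args or "--non-unique" in args
        if "-u" in args and args.index("-u") + 1 < len(args):
            uid = args[args.index("-u") + 1]
            dup = dup or (uid.isdigit() and int(uid) in uids)
        if dup:
            hits.append("useradd-duplicate-uid")
    return hits


def scan(log_text, passwd_text):
    """Return (invoking user, rule, command) for every alerting log line."""
    uids = load_uids(passwd_text)
    alerts = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        for rule in classify(entry, uids):
            alerts.append((entry["user"], rule, entry["cmd"]))
    return alerts


if __name__ == "__main__":
    for user, rule, cmd in scan(SAMPLE_SUDO_LOG, SAMPLE_PASSWD):
        print(f"ALERT {rule:<24} user={user:<6} cmd={cmd}")
```

Only commands run as root are examined, so routine package updates like alice's produce nothing, while each of the other six constructed lines maps to exactly one rule. A real deployment would feed this from the sudo syslog facility and the live /etc/passwd rather than embedded strings.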
Here, a low-level user is seen running the Ping command twice, once normally and once with a special parameter, LetMeIn. The second version actually provides this low-level user with root-level permissions for this session:
At this point, this user can do almost anything on the machine, from stealing sensitive data to crashing the system.
It is actually rather easy to deploy this kind of backdoor; only a few short lines of C code are required, like this:
This code shows how the Ping command is modified to run normally, unless the LetMeIn parameter is specified on the command line. When this parameter is invoked, the normally-harmless Ping command opens a root-level shell for the user running it. (The printf commands are included for illustrative purposes and would not be included in real-life usage of this exploit.)
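From the defender's side, the modified Ping story comes down to two observable facts: a setuid program's contents changed, or a program that was not setuid became setuid. The following is an added example, not ObserveIT's code and not the C code referred to above: it inventories the setuid/setgid files under a directory (mode bits plus SHA-256), and diffs a later inventory against that baseline. The demo tree, file names and contents are constructed in a temporary directory; on a real host the baseline would cover directories such as /bin, /usr/bin and /usr/sbin.

```python
"""Baseline and re-check the setuid/setgid programs under a directory.

Added example, not ObserveIT code. The demo tree below is constructed in a
temporary directory to show the two cases the Ping backdoor produces:
a setuid binary whose contents change, and a plain binary made setuid.
"""
import hashlib
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def sha256_of(path):
    """Hash a file's contents so replaced binaries are caught even if mode is unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_setid(root):
    """Map root-relative path -> (permission bits, sha256) for setuid/setgid regular files."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: never follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                rel = os.path.relpath(path, root)
                found[rel] = (stat.S_IMODE(st.st_mode), sha256_of(path))
    return found


def diff_setid(baseline, current):
    """Split two inventories into added, removed and modified setid programs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, data, mode):
    """Write a file, then set its mode (writing first, since a non-root write clears setuid)."""
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a tree, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        ping = os.path.join(root, "ping")
        ls = os.path.join(root, "ls")
        _write(ping, b"#!/bin/sh\necho original ping\n", 0o4755)   # legitimate setuid program
        _write(ls, b"#!/bin/sh\necho ls\n", 0o755)                 # ordinary program
        baseline = collect_setid(root)

        # Simulated tampering: ping replaced with a modified build (same mode),
        # and ls quietly given the setuid bit.
        _write(ping, b"#!/bin/sh\necho modified ping\n", 0o4755)
        os.chmod(ls, 0o4755)
        return diff_setid(baseline, collect_setid(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:<9} {paths}")
```

Hashing alongside the mode bits is what makes the "modified" bucket useful: a backdoored ping keeps the same path and the same 4755 mode, so a mode-only check would miss it. Store the baseline off-host, since an attacker with root can rewrite a local one.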
An alert was generated by the system in response to the user executing a sudo command to give himself root permissions. The administrators received this alert by email and also in the console. Here, we see the details of the alert shown in an overlay within a video recording of the action itself:
Watching a video at the moment that an alert was generated makes it explicitly clear what the user was doing, and if it warrants further attention.
For the second alert – generated when the user executed the Ping backdoor exploit – we see the level of detailed “behind the scenes” information provided to administrators. While the session video does not show the system-level effects of that modified Ping command, the user activity log presents all the underlying system commands very clearly.
OIT Reps: Angela Halliwell, Daniel Petri, Alex Ellis
Deal details: $298,500 for 615 multi-platform server agents
Lead source: Existing customer (already have 450 server agents deployed)
Use cases: Primary – Audit and Compliance; Secondary – Threat Management
Customer Summary: Publicly traded NYSE: CI, Industry: Managed Health Care, $32.4 billion in annual revenue with 35,000 employees worldwide, 80 million global customer relationships, sales in more than 30 countries, Cigna is a global health services company dedicated to helping people improve their health, well-being, and sense of security. All products and services are provided exclusively through operating subsidiaries of Cigna Corporation. Products and services include an integrated suite of health services, such as medical, dental, behavioral health, pharmacy and vision benefits, and other related products including group disability life, and accident coverage.
Main players:
Deb Cody - CISO (executive sponsor)
John Shepard – Director, Information Protection (economic buyer) – reports to Deb, Chris’s peer
Linda Bird – Manager, Information Protection Security Engineering (technical buyer) – reports to John
Christina Fryman – Manager, Audit & Compliance, Access Management & Governance (primary consumer of OIT data/reports) – reports to John
Carmine D’Uva – IAM product support (influencer – hands on, deploys new agents)
Chris Lockery – Director, Information Protection – runs Threat Management Team & Forensics – reports to Deb, John’s peer
Edmond Mac – Incident Response & Forensics – reports to Chris
Jim Jeffers – Incident Response & Forensics – reports to Chris
Mac Edmond – Incident Response & Forensics – reports to Chris
Tyse Water – Incident Response & Forensics – reports to Chris
Main Driver: Compliance/Audit and enable business securely – Trust But Verify. OIT provides Access Mgmt & Governance with the attestation they need to comply with SOX, HIPAA, PCI mandates to include a date/time stamp as well as proof of business approval. They are monitoring privileged users with privileged access; for example, who on the App team should have access to service accounts? They verify, spot check, and provide reporting to Christina. The second phase of their deployment will involve Chris Lockery and the Threat Mgmt Team now that we have alerting and can be used more proactively.
Environment: Server environment is mostly Windows which are first priority because they hold high value assets, then mid-range Unix and Linux. Deployment to US first then Glasgow/EUR and APAC, all done by Carmine out of Philly site. Workstations are mostly Windows but their small percentage of Mac users is rapidly growing. For ticketing, they use HP Service Manager and we’ve manually integrated with their SIEM, IBM QRadar, via a week of onsite PS delivered by Daniel Petri. They also use CA Controlminder and SYMC DLP solution.
Issues/Challenges: John Shepard and Linda Bird are good, strong fans of OIT and really understand the value that we bring. I’ve been able to develop good coaching relationships with both but haven’t yet developed either one into a true “champion” in the sense that without consensus and collaboration, neither of them could have pulled the trigger to get a Q4 deal done, which is not ideal. They were non-committal on timeline all through Q3 and early Q4 so I expected this to be a 2015 deal and didn’t feel like I had accurate forecasting ability on this one. There has not been a time-specific driver so it was challenging to push them faster or create a catalyst to buy.
How it was won: We provide, as a team, a ton of attention to this account and it pays off. We worked very closely with John, Linda, Christina and Carmine starting in May to get all of their licenses upgraded and deployed to non-prod then prod via a very detailed, rigorous process (Daniel held their hands quite a bit!) with the expectation that if success criteria were met, expansion globally would be a next step to cover HVA’s first and then mid-tier second. We had some challenges along the way but this team is extremely communicative and detailed with requests to sales, support, and product management for feature requests. We coordinated several calls and meetings and included Avi, Gaby and Micky to ensure that their extensive input to roadmap was captured and documented and that every issue or concern was resolved. We committed to doing their QRadar integration and had to reset a few times but because the communication had been so consistent, we weathered hiccups pretty.
This is a classic case of being in the right place to grab year end budget flush! The day before Thanksgiving Linda and John called and asked if I wanted an early holiday gift -- $300K of use-or-lose budget for server licenses. WooHOO! Of note, they specifically said that they thought about parsing it out across a handful of vendors but that they ultimately decided to give it all to us. Cigna is a large and important customer to OIT and it’s clear to me that they feel very well taken care of by a broad “One-OIT” Team including those mentioned already plus Tal, Yaniv, Dimitri, Matt Z, Gaby, Avi, Makesh, and more.
Next steps:
Continue working closely with our primary contacts to get these licenses deployed.
Webinar and Case Study including joint marketing with QRadar team
Partner with Chris Lockery to get the Threat Management Team comfortable with integrating OIT into the suite of tools they use for Incident Response and Forensics, to ensure that this leads to a workstation opportunity next.
Introduce Deb Cody, CISO, to Paul Brady next time she’s in Boston or coordinate Paul to meet her in Philadelphia or a CT site.