SUPER USER OR SUPER THREAT?
KNOW WHEN USERS PUT YOUR
BUSINESS AT RISK
Presented by Matt Zanderigo and Kevin Donovan




WHO IS OBSERVEIT?
• HQ Boston, MA / R&D Tel Aviv, Israel
• Founded 2006
• 1,200+ customers worldwide
• $20M invested by Bain Capital
The leading provider of User Behavior Monitoring for Application Users, Admins and External Vendors
APPLICATION ACCESS / PRIVILEGED ACCESS (slide diagram)
• App Admins (Windows Admins, root, DBAs, System Admins, …)
• App Users (Developers, IT Contractors, Network Admin, …)
• Shared Accounts / Named Accounts
• Entitlement changes
• Logging / Utilization
PRIVILEGED ACCESS: THE ‘ROOT’ OF TODAY’S BIGGEST BREACHES
• 78.8M affected by the Anthem breach: DBA account compromised
• 56M affected by the Home Depot breach: privilege escalation to blame
• 76M affected by the JPMorgan Chase breach: obtained admin privileges
Attack stages (slide diagram): Penetrate → Establish Foothold → Escalate Privileges → Move Laterally → Complete Mission
• Hacker attacks: URL interpretation, input validation, SQL injection, impersonation, buffer overflow
• Uploads and executes malicious software
• Open shell and run commands to learn orientation: who am I?, host name, location of directory service
• Scan memory for active sessions and extract passwords
LET’S EXAMINE AN ATTACK
• Hackers log into AD to get a targeted list of machines
• Hackers leverage credentials to compromise data on machines
PRIVILEGED ACCESS MANAGEMENT (slide diagram)
• Provisioning & Governance
• Password Vaults
• User Monitoring
  • Visual audit trail of all privileged user sessions
  • App & access usage reporting
  • Detailed session analysis: sudo, privilege escalation, backdoors…
WHAT SHOULD BE CLOSELY MONITORED AND ALERTED UPON
• Escalated privileges
• Configuration changes
• Lateral movement
• Unauthorized activity
“The enterprise needs deep and real-time insight within privileged sessions”
CONFIGURATION CHANGES
• Changes via embedded scripts
• Changes to Active Directory
• Changes within Registry Editor
EMBEDDED SCRIPTS
ACTIVE DIRECTORY
Password resets, adding users, changing groups, modifying access, etc.
REGISTRY EDITOR
Edit and modify specific values:
• Firewalls
• User Access Control
• Applications / Software
• Windows Components
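The slide lists the Active Directory and registry changes worth alerting on but not how to pick them out of a Windows Security log. The following is an added example, not ObserveIT's code or anything from the deck: it maps real Windows Security event IDs (4720, 4724, 4728/4732/4756, 5136 for the AD changes; 4657 for registry value modification, which requires object-access auditing on the key) to the slide's categories. The registry key paths are real, but the category each is assigned to, the field names used, and all event values below are this example's own constructed sample data.

```python
from dataclasses import dataclass

# Windows Security event IDs for the Active Directory changes named on the slide.
AD_EVENT_NAMES = {
    4720: "user account created",
    4724: "password reset attempted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    5136: "directory service object modified",
}

# Event 4657 (registry value modified) is only interesting for keys that back the
# categories on the Registry Editor slide. Keys are real; the category mapping is
# this example's own choice (assumption), not a Windows or vendor definition.
REGISTRY_WATCH = {
    r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy": "firewall",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": "user access control",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "applications / software (autostart)",
}


@dataclass(frozen=True)
class Alert:
    category: str   # which slide category the change falls under
    actor: str      # account that made the change (SubjectUserName)
    detail: str     # what was changed


def classify(event):
    """Return an Alert for an AD or watched-registry change, else None."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", "?")
    if eid in AD_EVENT_NAMES:
        target = event.get("TargetUserName") or event.get("ObjectDN") or "?"
        return Alert("active directory", actor, f"{AD_EVENT_NAMES[eid]}: {target}")
    if eid == 4657:
        obj = event.get("ObjectName", "")
        for prefix, category in REGISTRY_WATCH.items():
            # Registry paths are case-insensitive, so compare in one case.
            if obj.upper().startswith(prefix.upper()):
                value = event.get("ObjectValueName", "?")
                return Alert(f"registry: {category}", actor, f"{obj}\\{value}")
    return None


def alerts_for(events):
    """Run classify over a batch of event records, dropping the non-alerts."""
    return [a for a in map(classify, events) if a is not None]


# Constructed sample events (not real logs); users, groups and DNs are invented.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "alice", "TargetUserName": "svc_backup"},
    {"EventID": 4728, "SubjectUserName": "alice", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,OU=Staff,DC=example,DC=com"},
    {"EventID": 4657, "SubjectUserName": "bob",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "ObjectValueName": "EnableLUA"},
    {"EventID": 4657, "SubjectUserName": "bob",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\App", "ObjectValueName": "Theme"},
    {"EventID": 4624, "SubjectUserName": "carol"},  # ordinary logon, not a configuration change
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print(f"[{alert.category}] {alert.actor}: {alert.detail}")
```

On the sample, the UAC key edit is reported while the unrelated application key under `Contoso\App` and the plain logon are ignored; the watch list is the knob that decides which registry edits count as a configuration change worth a real-time alert.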
UNSECURE ‘SHELL’
TELNET suffers from security problems. TELNET requires a login name and password (when exchanging text). Hackers can easily eavesdrop using snooper software to capture a login name and the corresponding password even if it is encrypted. TELNET has been largely replaced by the more secure SSH protocol.
ESCALATED PRIVILEGES
• ‘rm’ ‘cp’ with ‘sudo’
• Creating “backdoors”
• ‘leapfrog’ logins
‘RM’ ‘CP’ WITH ‘SUDO’
• su
• rm
• cp
• sudo into root shell
• Modifying the ping command
CREATING “BACKDOORS”
‘LEAPFROG’ LOGINS
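The three escalated-privilege patterns above (`rm`/`cp` under `sudo`, `su` or `sudo` into a root shell, and ‘leapfrog’ server-to-server logins) can all be picked out of ordinary syslog lines. The block below is an added example written for this page; it is not ObserveIT's product logic. It parses the real line formats written by sudo, util-linux `su` and OpenSSH `sshd`, and flags a login as a leapfrog when its source address belongs to a managed server rather than an admin workstation. The log lines, host names, users and addresses are constructed sample data, and the `SERVER_IPS` inventory is an assumption supplied by the caller.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (sudo, su, sshd formats); all values are invented.
SAMPLE_LOG = [
    "Mar  3 10:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit",
    "Mar  3 10:12:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cp /etc/shadow /tmp/shadow.bak",
    "Mar  3 10:13:00 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:13:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl status nginx",
    "Mar  3 10:14:00 web01 su[2211]: (to root) carol on pts/2",
    "Mar  3 10:20:00 db01 sshd[3001]: Accepted publickey for dave from 10.0.1.5 port 51022 ssh2",
    "Mar  3 10:21:00 app02 sshd[4100]: Accepted password for dave from 10.0.2.7 port 40100 ssh2",
]

# Assumed inventory of managed servers: an interactive login arriving from one of
# these addresses is a server-to-server hop ('leapfrog'), not a workstation login.
SERVER_IPS = {"10.0.1.5": "web01", "10.0.1.6": "db01", "10.0.1.7": "app02"}

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SUDO_RE = re.compile(TS + r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(TS + r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
SSH_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")

DESTRUCTIVE = {"rm", "cp"}             # the slide's 'rm' 'cp' with 'sudo'
SHELLS = {"bash", "sh", "dash", "zsh", "su"}  # sudo into an interactive root shell


@dataclass(frozen=True)
class Alert:
    kind: str
    host: str
    user: str
    detail: str


def basename(path):
    return path.rsplit("/", 1)[-1]


def analyze(lines, server_ips):
    """Scan syslog lines and return the escalated-privilege alerts found."""
    alerts = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            if m["target"] != "root":       # only root-level sudo is in scope here
                continue
            prog = basename(m["cmd"].split()[0])
            if prog in DESTRUCTIVE:
                alerts.append(Alert("sudo_rm_cp", m["host"], m["user"], m["cmd"]))
            elif prog in SHELLS:
                alerts.append(Alert("root_shell", m["host"], m["user"], m["cmd"]))
            continue
        m = SU_RE.match(line)
        if m and m["target"] == "root":
            alerts.append(Alert("root_shell", m["host"], m["user"], f"su to root on {m['tty']}"))
            continue
        m = SSH_RE.match(line)
        if m and m["src"] in server_ips:
            alerts.append(Alert("leapfrog_login", m["host"], m["user"],
                                f"ssh from {server_ips[m['src']]} ({m['src']})"))
    return alerts


def summarize(alerts):
    """Count alerts per kind, the shape a SIEM dashboard or report would want."""
    counts = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, SERVER_IPS):
        print(f"[{a.kind}] {a.user}@{a.host}: {a.detail}")
    print(summarize(analyze(SAMPLE_LOG, SERVER_IPS)))
```

Two points the sample makes visible: the `systemctl` line under `sudo` is ordinary admin work and produces nothing, so the rules are about which privileged commands ran, not whether sudo was used at all; and the leapfrog check depends entirely on the server inventory, so it is only as good as the asset list behind it.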
Challenge:
• The Board of Directors of Ally Bank established a Privileged User Access (PUA) project for all sessions accessing data on 160 servers in scope for PCI and SOX compliance.
• Their 5,000 privileged users represented a significant risk to the organization, so they were rolling out password vaulting (Lieberman) and needed to implement a monitoring program in parallel.
Solution:
• Needed a monitoring system to collect, alert, and report on the specific use of applications, functions, or access to specific information.
Challenge:
• Needed to comply with SOX, HIPAA and PCI mandates surrounding the audit and logging of privileged access to 1,130 servers.
• SOX, HIPAA and PCI mandates require a date/time stamp as well as proof of what happened in all privileged sessions on regulated servers.
Solution:
• Holistic view of configuration changes across the environment
• Real-time alerts and data exported to SIEM (IBM QRadar)
• Reports centered around privileged access as a whole
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 

Super User or Super Threat?

  • 1. SUPER USER OR SUPER THREAT? KNOW WHEN USERS PUT YOUR BUSINESS AT RISK Presented by Matt Zanderigo and Kevin Donovan
  • 3. WHO IS OBSERVEIT?  HQ Boston, MA / R&D Tel Aviv, Israel  Founded 2006  1,200+ Customers Worldwide  $20M Invested by Bain Capital The leading provider of User Behavior Monitoring for Application Users, Admins and External Vendors
  • 4. APPLICATION ACCESS App Admins App Users PRIVILEGED ACCESS (Windows Admins, root, DBAs, System Admins,…) (Developers, IT Contractors, Network Admin,…) Shared Accounts Named Accounts Entitlement changes Logging Utilization
  • 5. PRIVILEGED ACCESS: THE ‘ROOT’ OF TODAY’S BIGGEST BREACHES 78.8M affected by Anthem breach, DBA account compromised 56M affected by Home Depot Breach, Privilege Escalation to Blame 76M affected by JPMorgan Chase breach, obtained admin privileges
  • 6. LET'S EXAMINE AN ATTACK. Penetrate: hacker attacks such as URL interpretation, input validation, SQL injection, impersonation and buffer overflow. Establish foothold: open a shell and run commands to get oriented (who am I? what is the host name? where is the directory service?). Escalate privileges: upload and execute malicious software; scan memory for active sessions and extract passwords. Move laterally: log into AD to get a targeted list of machines. Complete mission: leverage the stolen credentials to compromise data on those machines.
  • 7. Provisioning & Governance _____________________________________________________ User Monitoring _____________________________________________________ Password Vaults _____________________________________________________ PRIVILEGED ACCESS MANAGEMENT  Visual Audit Trail of all privileged user sessions  App & Access usage Reporting  Detailed session analysis: sudo, privileged escalation, backdoors…
  • 8. WHAT SHOULD BE CLOSELY MONITORED AND ALERTED UPON: escalated privileges, configuration changes, lateral movement, unauthorized activity. “The enterprise needs deep and real-time insight within privileged sessions”
  • 9. CONFIGURATION CHANGES  Changes via Embedded Scripts  Changes to Active Directory  Changes within Registry Editor
  • 12. ACTIVE DIRECTORY Password Resets, Adding Users, Changing Groups, Modifying Access, etc.
  • 13. REGISTRY EDITOR Edit and Modify Specific Values • Firewalls • User Access Control • Applications / Software • Windows Components
  • 14. UNSECURE ‘SHELL’: TELNET suffers from security problems. TELNET requires a login name and password, and exchanges them, like everything else in the session, as plain text, so anyone who can sniff the traffic can capture the login name and the corresponding password. TELNET has been largely replaced by the more secure SSH protocol, which encrypts the whole session.
  • 15. ESCALATED PRIVILEGES  ‘rm’ ‘cp’ with ‘sudo’  Creating “backdoors”  ‘leapfrog’ logins
  • 16. ‘RM’ ‘CP’ WITH ‘SUDO’: su, rm, cp
  • 17. SUDO Into Root Shell
  • 18. Modifying the Ping Command CREATING “BACKDOORS”
  • 22. Challenge: The Board of Directors of Ally Bank established a Privileged User Access (PUA) project covering all sessions that access data on the 160 servers in scope for PCI and SOX compliance. Their 5,000 privileged users represented a significant risk to the organization, so they were rolling out password vaulting (Lieberman) and needed to implement a monitoring program in parallel. Solution: a monitoring system to collect, alert, and report on the specific use of applications, functions, or access to specific information.
  • 23. Challenge: Needed to comply with SOX, HIPAA and PCI mandates surrounding the audit and logging of privileged access to 1,130 servers. Those mandates require a date/time stamp as well as proof of what happened in all privileged sessions on regulated servers. Solution: a holistic view of configuration changes across the environment; real-time alerts and data exported to the SIEM (IBM QRadar); reports centered on privileged access as a whole.

Editor's Notes

  1. What privileged user activities should be closely monitored and alerted upon; what is happening in all admin sessions, even for actions that do not generate logs; how to see if users are accessing information they shouldn't in critical systems, or deleting files; how to identify which users are remotely accessing your systems or changing permissions.
  2. ObserveIT can alert on: terminal creation; tool upload via FTP; shell command execution. ObserveIT will alert on: surrogate to root; commands running as root; data exfiltration.
  Scenario 1, data exfiltration: hackers exploit your AWS web server via SQL injection; open a shell and run commands for orientation and to discover the host name and the location of AD / the directory service; upload and execute malicious software to scan memory for active sessions and extract passwords; log into AD to get a targeted list of machines; leverage the credentials to compromise data on those machines.
  Scenario 2, malware distribution: hackers exploit your AWS web server via SQL injection; open a shell and run commands for orientation and to discover the host name and the location of AD / the directory service; upload malware to the server; modify JSP pages to distribute the malicious software; clean the audit files to cover their tracks.
  3. Monitoring privileged users is a key part of a Privileged Identity Management initiative. Let's explore the three major components of Privileged Identity Management.
  Provisioning & Governance: controlling the complete lifecycle of who has access to your critical systems is critical, and that is where provisioning comes in. The ability to report on who has access to these systems is where governance solutions come in.
  Password Vaults: we all know how important protecting privileged account passwords is, and this is where password vaults come in. We all know how dangerous it is when privileged users use sticky notes to remember admin passwords for shared accounts.
  User Monitoring: controlling who has access is absolutely a critical need, and protecting the passwords is also critically important, but both lack the ability to monitor and audit what users actually do with the access and passwords they have. Further, password vaults introduce increased complexity and single points of failure, and because of this are often deployed to protect only a select number of servers. ObserveIT fills a critical missing component required to meet compliance regulations, detect and stop data breaches, and deter careless and malicious activity, monitoring all privileged users with the ability to extend this visibility easily to your entire user population.
  Integrations: ObserveIT integrates with provisioning and password vaults to provide monitoring of all user activity and behavior across the entire lifecycle of your privileged users.
  4. Privileged users can create new system users, access files, authorize network activity, and change system settings. Configuration changes: embedded scripts (innocent script story), cron jobs. Unsecure 'shell': telnet on legacy appliances (SSH is much more secure, and passwords are encrypted over the wire). Unauthorized access to configuration files, and running commands they are not supposed to. Unapproved 'setuid'. Escalating privileges: pass-the-hash; 'rm' 'cp' with 'sudo'; installing "backdoors"; "leapfrog" logins.
  5. Legacy systems such as routers, phone systems and other applications (for example, setting an IP address on a router) still have a place in the business, and if your privileged users still need telnet sessions to reach them, we can monitor those sessions.
  6. Alert conditions for escalated privileges:
  1) Sudo into root shell. sudo allows an admin to delegate authority, giving selected users the ability to run commands as root or as another user. ObserveIT alerts when someone runs a sudo command that interactively opens a root shell without requiring the root password. Traditionally it is difficult to track user actions in a shell, because the user is not limited to a specific command; with ObserveIT it is simple.
  2) Update root cron jobs. cron is a time-based scheduler that lets UNIX users automatically execute commands or scripts at a specific time and date; cron jobs are used to schedule tasks on the server. ObserveIT alerts when the -e option is used with root permissions to modify cron jobs that will later run as root, enabling potential backdoor activity at a later date.
  3) Edit sudoers file. The sudoers file controls who can run specific commands as specific users on specific machines, and special behaviour such as whether a password is required for particular commands. ObserveIT alerts when the sudoers file is edited, since this could grant the user unauthorized root permissions.
  4) Changing a program into a setuid program (possible backdoor). setuid, short for "set user ID upon execution", is a UNIX access-rights flag that lets users run a program with temporarily elevated privileges in order to perform a specific task. ObserveIT alerts when a user tries to make a program setuid (the program then runs with its owner's permissions, which for a root-owned binary means root), since this could enable backdoor activity.
  5) Opening a generic root shell. A root shell is one of the main targets of hackers, since from it they can run whatever command they want with full authority, and it is very hard to track what they do once they have it. ObserveIT can track when a regular user opens a root shell, so the action can be checked for legitimacy and the commands run under that sensitive shell can be monitored.
  6) Creating a local user with a duplicate user ID. ObserveIT alerts when a user with privileged permissions creates a new user with the same ID as an existing user. The newly created user could log in with his/her own password and perform actions that appear to have been performed by the other user (especially suspicious for power users like root).
  7) Su into root shell with no password. In UNIX, the "root" user has control over the machine, so an attacker wants a shell prompt from which any command executes with root privileges. ObserveIT alerts when a regular user runs a program that opens a root shell using "sudo su": the user is not asked for the root password and gains root permissions without knowing it.
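The seven conditions above, expressed as detection rules, as an added example that is not ObserveIT's code: it runs over a constructed privileged-session command log (the log format, the rule names and the sample lines are assumptions) and also checks a constructed /etc/passwd excerpt for the duplicate-UID case, which a command log alone would not show if the account was created some other way.

```python
"""Added example (not ObserveIT's code): rule-based alerting over a constructed
privileged-session command log. Log format, rule names and samples are assumptions."""
import re
import shlex
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}

# Constructed sample log, one command per line: "<login user> <effective uid> <command line>"
SAMPLE_LOG = """\
alice 1001 ls -la /var/log
alice 1001 sudo -s
bob 1002 sudo su -
bob 0 crontab -e
carol 1003 sudo vi /etc/sudoers
carol 1003 sudo visudo
dave 1004 sudo chmod u+s /usr/local/bin/ping
dave 1004 sudo chmod 4755 /usr/local/bin/ping
erin 1005 sudo useradd -o -u 0 backup2
frank 1006 sudo useradd deploy
grace 1007 sudo -u www-data ls /var/www
"""

# Constructed /etc/passwd excerpt containing a second uid-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup2:x:0:0::/home/backup2:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    command: str


def _basename(token):
    return token.rsplit("/", 1)[-1]


def _split_sudo(argv):
    """Peel a leading sudo off argv -> (via_sudo, target_user, wants_shell, command)."""
    if not argv or _basename(argv[0]) != "sudo":
        return False, None, False, argv
    target, wants_shell, i = "root", False, 1
    while i < len(argv) and argv[i].startswith("-"):
        if argv[i] in ("-s", "-i"):          # sudo -s / sudo -i open a shell as the target
            wants_shell = True
        elif argv[i] == "-u" and i + 1 < len(argv):
            i += 1
            target = argv[i]
        i += 1
    return True, target, wants_shell, argv[i:]


def _su_target(cmd):
    """User that `su` will switch to (root when no user is named)."""
    skip_next = False
    for token in cmd[1:]:
        if skip_next:
            skip_next = False
        elif token in ("-c", "-s", "--shell"):   # options that take a value
            skip_next = True
        elif not token.startswith("-"):
            return token
    return "root"


def _opt_value(cmd, opt, default):
    for i, token in enumerate(cmd):
        if token == opt and i + 1 < len(cmd):
            return cmd[i + 1]
    return default


def evaluate(euid, argv):
    """Return the alert rules tripped by one command line run with effective uid `euid`."""
    via_sudo, target, wants_shell, cmd = _split_sudo(argv)
    runs_as_root = euid == 0 or (via_sudo and target == "root")
    prog = _basename(cmd[0]) if cmd else ""
    hits = []
    # Conditions 1, 5 and 7: an interactive root shell (sudo -s/-i, sudo su, sudo bash, su -)
    if (runs_as_root and (wants_shell or prog in SHELLS)) or (
        prog == "su" and _su_target(cmd) == "root"
    ):
        hits.append("root_shell")
    # Condition 2: editing the root crontab (crontab -e as root, or crontab -u root -e)
    if prog == "crontab" and "-e" in cmd and (
        _opt_value(cmd, "-u", "root" if runs_as_root else "") == "root"
    ):
        hits.append("root_cron_edit")
    # Condition 3: touching the sudoers policy (visudo or any path under /etc/sudoers)
    if prog == "visudo" or any(t.startswith("/etc/sudoers") for t in cmd):
        hits.append("sudoers_edit")
    # Condition 4: turning a program into a setuid program (chmod u+s, chmod 4755, ...)
    if prog == "chmod" and any(
        re.search(r"[+=][rwxXt]*s", t) or re.fullmatch(r"[4-7][0-7]{3}", t) for t in cmd[1:]
    ):
        hits.append("setuid_change")
    # Condition 6: creating a local user with a duplicate (non-unique) uid
    if prog in ("useradd", "usermod") and any(t in ("-o", "--non-unique") for t in cmd):
        hits.append("duplicate_uid")
    return hits


def scan_log(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, euid, rest = line.split(maxsplit=2)
        for rule in evaluate(int(euid), shlex.split(rest)):
            alerts.append(Alert(rule, user, rest))
    return alerts


def find_duplicate_uids(passwd_text):
    """Map uid -> account names for every uid shared by more than one account."""
    by_uid = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            by_uid.setdefault(int(fields[2]), []).append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a.rule:15} user={a.user:6} cmd={a.command}")
    print("duplicate uids:", find_duplicate_uids(SAMPLE_PASSWD))
```

The rules key off the parsed command, not a raw substring match, so `sudo -u www-data ls` is not mistaken for a root shell and `chmod 755` is not mistaken for a setuid change; a plain `su -` is still flagged even though it prompts for the root password, because the outcome is the same root shell.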
  7. Here, a low-level user is seen running the Ping command twice, once normally and once with a special parameter, LetMeIn. The second run actually gives this low-level user root-level permissions for the session. At this point the user can do almost anything on the machine, from stealing sensitive data to crashing the system.
  8. It is actually rather easy to deploy this kind of backdoor; only a few short lines of C code are required, like this: the code makes the Ping command run normally unless the LetMeIn parameter is specified on the command line. When that parameter is given, the normally harmless Ping command opens a root-level shell for the user running it. (The printf calls are included for illustration and would not appear in real-life use of this backdoor.)
  9. An alert was generated by the system in response to the user executing a sudo command to give himself root permissions. The administrators received this alert by email and also in the console. Here we see the details of the alert in an overlay within a video recording of the action itself: watching the video at the moment the alert was generated makes it explicitly clear what the user was doing and whether it warrants further attention. For the second alert, generated when the user executed the Ping backdoor, we see the level of detailed "behind the scenes" information provided to administrators. While the session video does not show the system-level effects of the modified Ping command, the user activity log presents all the underlying system commands very clearly.
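A check a practitioner would want against the setuid backdoor described in the two notes above, added here as an example that is not code from the slides (and not the backdoor itself): compare the host's setuid binaries against a known-good baseline. The baseline and the inventory below are constructed; the planted root-owned setuid copy of ping is exactly what the audit surfaces.

```python
"""Added example (not ObserveIT's code): setuid-binary baseline audit.
BASELINE and SAMPLE_INVENTORY are constructed; scan_filesystem() gathers the
same data from a live host."""
import os
import stat

# Assumed baseline of setuid-root binaries expected on the host, normally
# recorded from a known-good image at build time.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/bin/ping"}

# Constructed inventory of (path, st_mode, owner uid) as os.lstat would report it.
SAMPLE_INVENTORY = [
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/passwd", 0o104755, 0),
    ("/bin/ping", 0o104755, 0),
    ("/usr/local/bin/ping", 0o104755, 0),   # planted: root-owned setuid copy of ping
    ("/home/dave/tool", 0o104755, 1004),     # setuid, but only elevates to uid 1004
    ("/usr/bin/ls", 0o100755, 0),            # ordinary binary, no setuid bit
]


def is_setuid(mode):
    """True for regular files with the setuid bit; directories and symlinks are ignored."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def audit(inventory, baseline):
    """Compare an inventory against the baseline.

    Returns (new_root_setuid, other_setuid, missing): root-owned setuid files that
    are not in the baseline (backdoor candidates), setuid files owned by non-root
    users, and baseline entries that no longer carry the bit (removed or replaced).
    """
    new_root, other, seen = [], [], set()
    for path, mode, uid in inventory:
        if not is_setuid(mode):
            continue
        seen.add(path)
        if uid == 0 and path not in baseline:
            new_root.append(path)
        elif uid != 0:
            other.append(path)
    return sorted(new_root), sorted(other), sorted(baseline - seen)


def scan_filesystem(root="/"):
    """Live inventory, the Python equivalent of `find / -type f -perm -4000`."""
    inventory = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_setuid(st.st_mode):
                inventory.append((path, st.st_mode, st.st_uid))
    return inventory


if __name__ == "__main__":
    new_root, other, missing = audit(SAMPLE_INVENTORY, BASELINE)
    print("new setuid-root files:", new_root)
    print("setuid files owned by non-root:", other)
    print("baseline entries missing:", missing)
```

On a real host, run `audit(scan_filesystem(), BASELINE)` from a scheduled job and alert on a non-empty first element; the second element is lower severity (it only elevates to that owner), and the third is worth a look because a legitimate setuid binary that lost its bit may have been swapped for a modified copy.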
  10. OIT reps: Angela Halliwell, Daniel Petri, Alex Ellis
  Deal details: $298,500 for 615 multi-platform server agents
  Lead source: existing customer (already have 450 server agents deployed)
  Use cases: primary, audit and compliance; secondary, threat management
  Customer summary: publicly traded (NYSE: CI), industry: managed health care, $32.4 billion in annual revenue with 35,000 employees worldwide, 80 million global customer relationships, sales in more than 30 countries. Cigna is a global health services company dedicated to helping people improve their health, well-being, and sense of security. All products and services are provided exclusively through operating subsidiaries of Cigna Corporation. Products and services include an integrated suite of health services, such as medical, dental, behavioral health, pharmacy and vision benefits, and other related products including group disability, life, and accident coverage.
  Main players:
  Deb Cody, CISO (executive sponsor)
  John Shepard, Director, Information Protection (economic buyer); reports to Deb, Chris's peer
  Linda Bird, Manager, Information Protection Security Engineering (technical buyer); reports to John
  Christina Fryman, Manager, Audit & Compliance, Access Management & Governance (primary consumer of OIT data/reports); reports to John
  Carmine D'Uva, IAM product support (influencer; hands on, deploys new agents)
  Chris Lockery, Director, Information Protection; runs Threat Management Team & Forensics; reports to Deb, John's peer
  Edmond Mac, Incident Response & Forensics; reports to Chris
  Jim Jeffers, Incident Response & Forensics; reports to Chris
  Mac Edmond, Incident Response & Forensics; reports to Chris
  Tyse Water, Incident Response & Forensics; reports to Chris
  Main driver: compliance/audit and enable the business securely; trust but verify.
  OIT provides Access Management & Governance with the attestation they need to comply with SOX, HIPAA and PCI mandates, including a date/time stamp as well as proof of business approval. They are monitoring privileged users with privileged access; for example, who on the app team should have access to service accounts? They verify, spot check, and provide reporting to Christina. The second phase of their deployment will involve Chris Lockery and the Threat Management Team, now that we have alerting and can be used more proactively.
  Environment: the server environment is mostly Windows, which is first priority because those servers hold high-value assets, then mid-range Unix and Linux. Deployment to the US first, then Glasgow/EUR and APAC, all done by Carmine out of the Philly site. Workstations are mostly Windows, but their small percentage of Mac users is rapidly growing. For ticketing they use HP Service Manager, and we've manually integrated with their SIEM, IBM QRadar, via a week of onsite PS delivered by Daniel Petri. They also use CA ControlMinder and the SYMC DLP solution.
  Issues/challenges: John Shepard and Linda Bird are good, strong fans of OIT and really understand the value that we bring. I've been able to develop good coaching relationships with both but haven't yet developed either one into a true "champion" in the sense that without consensus and collaboration, neither of them could have pulled the trigger to get a Q4 deal done, which is not ideal. They were non-committal on timeline all through Q3 and early Q4, so I expected this to be a 2015 deal and didn't feel like I had accurate forecasting ability on this one. There has not been a time-specific driver, so it was challenging to push them faster or create a catalyst to buy.
  How it was won: We provide, as a team, a ton of attention to this account and it pays off. We worked very closely with John, Linda, Christina and Carmine starting in May to get all of their licenses upgraded and deployed to non-prod then prod via a very detailed, rigorous process (Daniel held their hands quite a bit!) with the expectation that if success criteria were met, expansion globally would be a next step to cover HVAs first and then mid-tier second. We had some challenges along the way, but this team is extremely communicative and detailed with requests to sales, support, and product management for feature requests. We coordinated several calls and meetings and included Avi, Gaby and Micky to ensure that their extensive input to the roadmap was captured and documented and that every issue or concern was resolved. We committed to doing their QRadar integration and had to reset a few times, but because the communication had been so consistent, we weathered hiccups pretty. This is a classic case of being in the right place to grab year-end budget flush! The day before Thanksgiving, Linda and John called and asked if I wanted an early holiday gift: $300K of use-or-lose budget for server licenses. WooHOO! Of note, they specifically said that they thought about parsing it out across a handful of vendors but ultimately decided to give it all to us. Cigna is a large and important customer to OIT and it's clear to me that they feel very well taken care of by a broad "One-OIT" team including those mentioned already plus Tal, Yaniv, Dimitri, Matt Z, Gaby, Avi, Makesh, and more.
  Next steps: Continue working closely with our primary contacts to get these licenses deployed. Webinar and case study including joint marketing with the QRadar team. Partner with Chris Lockery to get the Threat Management Team comfortable with integrating OIT into the suite of tools they use for Incident Response and Forensics, to ensure that this leads to a workstation opportunity next. Introduce Deb Cody, CISO, to Paul Brady next time she's in Boston, or coordinate Paul to meet her in Philadelphia or a CT site.