The Role of Privilege in Recent Breaches - ASIMM
Security Solutions Inc.
Anthony Meyer, Regional SE, Canada, CyberArk
Luc Gagne, North America Sales Director, IAM Concepts
The Role of Privilege in Recent Breaches

Medical Center
About:
• Primary Hospital & Level 1 Trauma Center
• Teaching Hospital for a University
What happened:
• 6,000+ computers & connected devices hit by ransomware in 2017
• Refused to pay & decided to rebuild

Gaining Access...
(Diagram labels: A Hacker, RDP, DMZ, Intranet)
1. Weak password gives access to a DMZ machine. Finds a hash and moves into the trusted zone.
2. Discovers IT admin creds with domain privileges. Erases VMware backups to prevent OS roll backs.

Deploy, Collect and Wait
(Diagram labels: A Hacker, Intranet)
3. Deploys ransomware to 6k machines, crippling vital systems for client care.
4. Attacker is presumed to have been inside the network for <1 week.

Remediation
(Diagram labels: DMZ, Intranet)
5. CyberArk engaged for remediation.
6. Vault installed and total remediation completed in 6 weeks.

Key takeaways
• Total cost of remediation effort is over $10M
• If an attacker owns the infrastructure, they can cripple the business in an instant
• Unmonitored admin credential usage can be devastating, especially without a behavioral analytics platform
• Password policies remain subject to human error without tool assistance

Entertainment Company
About:
• American entertainment company that produces, acquires and distributes movies
What happened:
• Destructive malware erases infrastructure. Sensitive data was stolen and publicized

The Attack
(Diagram label: A Hacker)
1. Attacker utilized spear phishing to get inside the network.
2. Attacker harvested credentials found on the client PC. Credentials were used to move laterally.
3. Usernames and passwords for admins were kept in Word files with names like "Computer Passwords".

The Attack: continued
(Diagram labels: A Hacker, Intranet)
3. 7 sets of credentials were found and the studio's entire network mapped. This information was "hard-coded" into destructive malware.

Key Takeaways
• Attackers spent a long time in reconnaissance mode without causing any immediate harm.
• The attackers used the gathered information to blackmail and, in the end, do a lot of damage
• A Golden Ticket was not necessary, in fact only seven sets of credentials were enough to infiltrate the entire organisation
• This highlights the fact that it is important to have random and unique passwords for each end point

Insurance Company
About:
• Insurance company
• Over 50,000 employees
What happened:
• Disclosed a data breach in 2015. At first said 35+M records stolen and later revised to 75+M
• Paid a record $115 million to settle U.S. lawsuits over the data breach (significantly over their insurance cap)

Phishing for access
(Diagram labels: A Hacker, Golden Ticket)
1. Attacker utilized a phishing campaign to get inside the network.
2. Bad actor harvested credentials from a management script written by a contract employee.
3. With admin credentials in hand, attacker generates a "Golden Ticket".

I've got the golden ticket!
(Diagram label: A Hacker)
1. Using the address book, attacker searched for users with "database" or "security" in their title.
2. Attacker chose a DBA's credentials to access a domain server that was connected to an encrypted database.
3. DBA's unmonitored privileged credentials allowed the attacker to decrypt and exfiltrate data for possible sale on the deep web.

Wait, those aren't my commands...
How long can an attack remain unnoticed? Months!
(Diagram labels: A Hacker, Domain Admins, Internal Domain, Addresses & Medical Info, Social Security #s, Names & Birthdays, CyberArk?)

3 weeks to secure with CyberArk
(Diagram labels: CyberArk PS, Internal Domain, Addresses & Medical Info, Social Security #s, Names & Birthdays, Domain Admins, A Hacker)

Key Takeaways
▪ Golden tickets should only be found in movies
▪ People remain the weakest link in an org's security chain, especially temporary employees
▪ Encryption is a powerful tool -- unless you have credentials to decrypt and extract
▪ Unmonitored privileged account usage can prove fatal
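For the "unmonitored privileged account usage" takeaway here and on the medical center slide, an added Python illustration (not code from the presentation, CyberArk or IAM Concepts): learn the host/source pairs a privileged account normally uses, then flag later logons that leave that baseline or fan out to many hosts within minutes, the pattern of an admin credential being used to push ransomware. The account names, log format and thresholds are constructed assumptions.

```python
# Added illustration, not code from the presentation, CyberArk or IAM Concepts.
# Account names, log format and thresholds below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"da-jsmith"}              # constructed privileged account
BURST_WINDOW = timedelta(minutes=15)    # constructed fan-out thresholds
BURST_HOSTS = 5

# Constructed logon export (4624-style): time|account|target host|source ip|logon type
SAMPLE_LOG = """\
2017-03-01T09:00|da-jsmith|DC01|10.0.5.20|3
2017-03-03T08:55|da-jsmith|DC01|10.0.5.20|3
2017-03-03T09:30|jdoe|WS-0412|10.0.7.41|2
2017-04-02T02:14|da-jsmith|FS01|172.16.8.9|3
2017-04-02T02:15|da-jsmith|WS-0001|172.16.8.9|3
2017-04-02T02:15|da-jsmith|WS-0002|172.16.8.9|3
2017-04-02T02:16|da-jsmith|WS-0003|172.16.8.9|3
2017-04-02T02:16|da-jsmith|WS-0004|172.16.8.9|3
2017-04-02T02:17|da-jsmith|WS-0005|172.16.8.9|3
"""

def parse(text):
    # (time, account, host, source_ip, logon_type) tuples, oldest first
    rows = []
    for line in text.splitlines():
        when, account, host, ip, ltype = line.split("|")
        rows.append((datetime.fromisoformat(when), account, host, ip, int(ltype)))
    return sorted(rows)

def learn_baseline(rows, cutoff):
    # (target host, source ip) pairs each privileged account used before cutoff
    seen = defaultdict(set)
    for when, account, host, ip, _ in rows:
        if account in PRIVILEGED and when < cutoff:
            seen[account].add((host, ip))
    return seen

def detect(text, cutoff_iso):
    """Alerts for privileged logons after cutoff: (time, account, host, reasons)."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    rows = parse(text)
    baseline = learn_baseline(rows, cutoff)
    recent = defaultdict(list)          # account -> [(time, host)] inside the window
    alerts = []
    for when, account, host, ip, _ in rows:
        if account not in PRIVILEGED or when < cutoff:
            continue
        reasons = []
        if (host, ip) not in baseline[account]:
            reasons.append("new host/source pair")
        window = [(t, h) for t, h in recent[account] if when - t <= BURST_WINDOW]
        window.append((when, host))
        recent[account] = window
        hosts = {h for _, h in window}
        if len(hosts) >= BURST_HOSTS:
            reasons.append("burst: %d hosts in %d min" % (len(hosts), BURST_WINDOW.seconds // 60))
        if reasons:
            alerts.append((when.isoformat(timespec="minutes"), account, host, tuple(reasons)))
    return alerts
```

Run with `detect(SAMPLE_LOG, "2017-04-01")`: every post-cutoff logon of the admin account from the unfamiliar DMZ-side address is flagged, and the last two also trip the fan-out rule.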

Services Company
About:
• One of the world's largest Oil and Gas services companies
• Based in the US
What happened:
• Breach occurred in early 2017; however, the firm decided against disclosing publicly
• Called CyberArk to help with the remediation

A flawed environment
(Diagram labels: Internal Domain, Business Partners)
1. All users were local admins on their workstations.
2. Personal accounts were used to administrate the network.
3. No two-factor authentication for VPN access.

The attack
(Diagram labels: Internal Domain, Monster.com -- CV, Contractor, Business Partners, CyberArk PS)

Key Takeaways
• Falling revenues should not be accompanied by security short-cuts
• Reputation with business partners could falter if attacks affect their environment
• Two-factor authentication and separation of duties are no longer just security suggestions
• A dollar saved on security tools can mean millions lost in revenue
Dropping oil prices stifles industry spending (link)

7 Step Hygiene Program

Security Solutions Inc.
Luc Gagne, North America Sales Director
416-999-6360
© Copyright IAM Concepts Corporation 2018
Helping customers achieve their IAM goals and delivering value to the business

About IAM Concepts...
We offer cost effective Identity & Access Management strategies, software, consulting and services
• We are a Toronto-based company that specializes in Identity & Access Management.
• 90% of our staff is service oriented (Solutions Architects, Developers, Specialists and Project Managers)
• We offer highly customizable Managed Services and Software as a Service (SaaS)
• Consulting: free workshops, large scale assessments, health checks, roadmaps, training
• Certifications in the top IAM vendors in the market
• Implementation services & Project Management
• Certifications with the leading vendors in the market
• CyberArk Technology Partner of the Year 2017

Identity & Access Management challenges
What are we hearing from customers?
• Lack of resources, training and expertise (loss of knowledgeable employees to attrition)
• Confusion around IAM software solutions available? Cloud or On-Premise?
• How can I get quicker time to value for my IAM initiatives/projects?
• Can I leverage IAM software that we already have?
• How can you help me address Access Governance, Audit and compliance requirements?
• Can you help me build a business case to internally sell our IAM project?
• How can I manage user access with the rapid growth of our mobile workforce and all of these different end-user devices?

IAM Concepts' Managed Services Offering
IAM Concepts provides an IAM Managed Service tailored to each customer's needs:
• Whether it be implemented on the cloud or on premise
• Operational management can include: Application management, Security Administration
(Diagram labels: IAM Managed Services, Infrastructure Management, Security Administration, Secure VPN, On Premise, Cloud)
A flexible, customizable, and cost effective managed service offering

Why our customers are interested in an IAM Managed Service?
Risk Mitigation / Quality / Cost Optimization
• Stabilization of existing infrastructure
• Standard service levels of delivery
• Proactive monitoring of IAM applications
• Enhanced performance and usability through our asset library
• Key patches and updates reviewed and applied regularly
• Alignment of IAM investments with business objectives
• Cost control and containment
• Competitive pricing
• Elimination of need to train and retain highly skilled staff
• Foundation put in place to make other IAM initiatives
• Complexity of managing IAM solutions
• Adaptability of IAM solution to evolving needs
Balances risk mitigation, cost optimization, and quality service delivery

CyberArk Managed Services from IAM Concepts
3 Step Process for on-boarding a CyberArk Managed Service
Step 1: Define the Managed Service
Step 2: One time transition service for technical and operational transition
Step 3: On-going Managed Service for the duration of the term
Function / Coverage:
• Application Support: CyberArk PAS with Critical Platforms: AD, Linux, AIX (100 servers)
• Coverage: 8x5 on 36 Term
• Services Provided: Problem and Incident Management; Maintenance, patching, and hot-fix; Management and reporting
• Environments: Non-Production & Production
• Service Level Objectives: Jointly defined according to priority incident response time objectives
• Functional Enhancements: On demand via Request for Service option (i.e. security administration or customizations)
CyberArk Managed Service allows clients to mitigate risks, optimize costs, and focuses the Security Admin team on True Security Administration activities
Our CyberArk Managed Service Offering: Designed to be a flexible, customizable, and cost effective solution tailored to fit client specific requirements such as:
• PAM Problem and Incident management: ticket and incident status, corrective measures, root cause analysis
• PAM Periodic Infrastructure Maintenance: preventative maintenance, performance tuning, patching and security hot-fix
• Regular Service reviews
• Functional Enhancements, upon request
Sample Case Study: A wealth management services provider required CyberArk application managed services to address skills gap and manage costs, without adding complexity

Privilege Access Management and ID Governance
Organizations are looking to connect identity governance and privilege access management into a unified solution that meets audit and compliance requirements, increases operational efficiency, and addresses risk. IAM Concepts has worked with two best of breed solutions, integrating SailPoint's Identity Lifecycle and Governance capabilities with CyberArk's Privileged Account Security solution, adding identity controls to privilege access. This solution provides our clients with complete privilege access management and ID governance in a single automated policy-based process to:
• Gain visibility to privilege users and the access landscape by importing privileged entitlements managed by CyberArk into SailPoint
• Certify privilege access required and remove excess rights from SailPoint to a least privilege model, with revocation automatically reflected in CyberArk during access reviews and certification
• Identity lifecycle, processes and controls for privileged users are managed in SailPoint, supporting access requests and CRUD provisioning (Create, Read, Update, Delete), with privileged entitlements automatically added in CyberArk
• Audit and reporting of the entire process, from identity provisioning to privileged account usage
(Diagram labels: ID Lifecycle: Create, Read, Update, Delete; Governance: Policy Mgt, Certify, Report; Privileged Account Security)

The preferred North American Identity and Access Management Service provider with over 100+ customers, leveraging top tier strategic partners and vendors to meet the needs of our clients.
We offer cost effective Identity & Access Management strategies, software, consulting and services

Security Solutions Inc.
Anthony Meyer, Regional SE, Canada, CyberArk
Luc Gagne, North America Sales Director, IAM Concepts
Thank you!