We have a saying at CyberArk, “privilege first,” and it refers to security strategy. Nearly every advanced attack relies on privileged escalation to carry out the breach. Don’t believe me? Here’s a quick reference: Backoff-based retail breaches, UPS Store PoS breach, Energetic Bear hacker activity and there are many others. In each of these, the attackers went after the ‘keys to the IT kingdom,’ privileged credentials. With these, they were able to move freely across the breached network. So why is lateral movement so closely linked to privileged credentials?
Prominent lateral movement techniques are dependent on obtained credentials stolen from the attacked network or individual. The Red October hacker activity for example, saw attackers compile a list of all credentials from any available location on the network in order to navigate the IT environment undetected from 2007 to 2013. If malicious activity raised suspicion on one set of credentials the attacker simply switched and moved to another area of the network.
There are many ways to move laterally across a network that depend on privileged credential use, including Pass-the-Hash attacks or remote access by stolen/guessed credentials. The latter is more common (Essentia Health is a good example). Where else can an attacker authenticate to once they have a foothold? Here are just a few possibilities:
- Connections to shared files: enables an attacker access to available information as well as dropping malware onto a shared file
- Log on to web portals with stolen credentials: enables an attacker to create an infection using the web portal, such as a reference to a malicious website
- Accessing the Domain Controller: allows for both the extraction and internal reconnaissance information
- Accessing the Exchange server or any other centralized server: creates an additional attack vector, for example sending an infected update or ‘poisoning’ any user who accesses the server by infecting their machine
- Access to core infrastructure such as routers: enables an attacker to visualize the network beyond the accessed LAN network, and gain access by using relevant credentials
- Remote execution of commands: allows the use of relevant credentials and a publicly available tool such as psexec from Microsoft, or a Shell
- DNS poisoning: enables an attacker to redirect a victim to a different website than the address typed into a browser
These are just a few samples of why privileged credentials are critical to secure and why privilege must come first in every security strategy. Too often, privileged account security is left to the IT department to manage and approached from a compliance mindset.