Who's Spying on Your Privileged Accounts

Author: Sam Ghebranious, Regional Director, Australia and New Zealand, CyberArk

News about the infiltration of Kaspersky’s network highlights the fact that these days, no-one and no company is out of bounds. For hackers and other attackers even security companies are fair game.

One of the first things most people ask following an attack is: Who was responsible? It's a natural question but one that is very hard to answer. Attribution of an attack is a difficult part of deconstructing a breach. We can see the signatures in malware and identify the networks used to support the attack. But in the end, we're almost never 100 per cent certain of attribution.

Perhaps the more relevant question is: How? In the case of Kaspersky, the motivation seems to have been espionage. According to sources, the malware used to execute the attack was an updated version of Duqu, which features code directly derived from Stuxnet. Duqu is the alleged culprit used to spy on Iran’s trade relationships and efforts to develop nuclear material.

The idea of cyber attacks as a form of international or business espionage may raise images of Maxwell Smart, Napoleon Solo, The Prisoner and other staples of 1960s cold war television programming, but the threat, unlike the characters, is very real.

Information systems, with their wealth of intellectual property, market and business data, are a veritable treasure trove for cyber spies. All that is required is to gain access, and one of the most effective ways to achieve this is by leveraging privileged accounts or credentials. Privileged accounts provide complete, anonymous access to, and control of, all parts of IT infrastructure, industrial control systems and critical business data. They exist throughout every business; in fact, it's challenging to find any part of the enterprise that isn't managed by privileged or administrative accounts.

This makes privileged accounts the ultimate intelligence asset for cyber espionage campaigns. Once an attacker gains access to an account, they can anonymously study a company's security arrangements and explore systems, taking all the time they need. With this access attackers can remain virtually undetected, gradually siphoning information as part of their corporate espionage campaign. They can create short cuts that facilitate future attacks on the organisation, implant malware for financial gain, or, as occurred at Sony Pictures, the attacker may simply destroy a company’s ability to do business.

Stop Lateral Movement

The Kaspersky attack highlights how attackers use lateral movement to navigate across the network, accessing different machines and devices. The fact that the attackers used multiple zero-day exploits (valuable currency in the hacker world) to facilitate this movement is a sign of how critical it was to the overall attack.

This type of lateral movement is achieved by exploiting privileged accounts. The attacker gains access to a privileged employee's machine or device, then gradually expands access to target systems and databases by escalating credentials.


The lesson here is if you can prevent movement by locking down privileged accounts, you can isolate the attack. Without the ability to escalate credentials the attacker remains confined to the breach point, thus minimising the amount of useful information that can be stolen and the damage that might otherwise be inflicted.

Privileged accounts haven't always received the attention they deserve. Given the increasing incidence of breaches as a form of cyber espionage, it might be time for the C-suite and company board members to reassess the way privileged accounts are secured, managed and controlled, to ensure a breach in one area doesn't ultimately lead to access to the entire enterprise's assets. After all, proactive security starts by assuming the attackers have already made their way inside the network. After that, the challenge is to minimise losses by preventing the criminals from achieving the kind of lateral movement that proved so damaging for Kaspersky and many others.
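The two controls argued for above, confining privileged accounts to an approved origin and spotting an account that starts fanning out across hosts, can be turned into simple detection logic over authentication logs. The following is an added example, not code from the article or from CyberArk; the account names, the jump host `jump01`, the pipe-separated log format and the threshold of three distinct hosts in ten minutes are all constructed assumptions for illustration.

```python
"""Detect privileged-account lateral movement in constructed authentication logs.

Two defender-side checks:
  1. origin policy: privileged logons that do not come from an approved jump host
  2. fan-out: a privileged account reaching many distinct hosts in a short window
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy (assumed for this example): these accounts are privileged
# and may only be used from the approved jump host.
PRIVILEGED_ACCOUNTS = {"svc_backup", "domadmin"}
APPROVED_ORIGINS = {"jump01"}
FANOUT_THRESHOLD = 3            # distinct destination hosts that trigger an alert
WINDOW = timedelta(minutes=10)  # sliding window for the fan-out check

# Constructed sample log lines (not from any real system): ts|user|src|dst|result
SAMPLE_LOG = """\
2015-06-10T09:00:05|alice|wks-17|fileserv01|success
2015-06-10T09:01:10|domadmin|jump01|dc01|success
2015-06-10T09:15:02|domadmin|wks-17|fileserv01|success
2015-06-10T09:15:40|domadmin|wks-17|dbserv02|success
2015-06-10T09:16:12|domadmin|wks-17|hrapp01|failure
2015-06-10T09:17:30|domadmin|wks-17|mailserv01|success
2015-06-10T11:00:00|svc_backup|jump01|fileserv01|success
"""


def parse_log(text):
    """Parse the pipe-separated lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    return events


def policy_violations(events):
    """Privileged logons whose source host is not an approved jump host."""
    return [e for e in events
            if e["user"] in PRIVILEGED_ACCOUNTS and e["src"] not in APPROVED_ORIGINS]


def fanout_alerts(events):
    """Flag a privileged account touching >= FANOUT_THRESHOLD distinct hosts
    within WINDOW. Failed attempts count too: probing is part of the pattern."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["user"] in PRIVILEGED_ACCOUNTS:
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > WINDOW:
                    break
                hosts.add(e["dst"])
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append({"user": user, "start": start["ts"],
                               "hosts": sorted(hosts)})
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for v in policy_violations(events):
        print(f"POLICY  {v['ts']} {v['user']} from {v['src']} -> {v['dst']}")
    for a in fanout_alerts(events):
        print(f"FANOUT  {a['user']} from {a['start']}: {', '.join(a['hosts'])}")
```

In the constructed sample, `domadmin` is used legitimately from the jump host once, then from a workstation against four different servers within three minutes; the origin check fires on each of those four logons and the fan-out check raises a single alert. The origin check is the "lock down" control: if privileged use is only permitted from a bastion, every other source is actionable on its own, without waiting for the movement pattern to emerge.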
