A critical infrastructure operator sought evidence of an intrusion; investigators instead found many ‘open doors’ into the environment.
Introduction
When authorities were engaged recently on a proactive hunt exercise with a critical infrastructure operator, the intent was “to determine if a [threat] actor had been present in the organisation’s environment.”
Such exercises are commonplace given the current backdrop. Advanced persistent threat (APT) actors are targeting a range of infrastructure operators globally, and organisations have historically had a hard time detecting and containing these types of incidents. Authorities, including in Australia, have taken a keen, legislatively backed interest in helping an organisation's cyber defence team solve these kinds of challenges, with joint exercises recommended as a common vehicle to advance this endeavour.
A Real World Look
In this instance, the exercise found no evidence of an intrusion. What it did find was that elements of basic cyber-security hygiene fell short of expectations and of minimum best practice.
Specifically, the exercise uncovered hygiene issues including:
- Credentials insecurely stored in clear text.
- Shared local administrator credentials across endpoints.
- Unrestricted remote access for administrators.
- A range of misconfigured devices and servers.
- Insufficient log collection and management.
Unfortunately, the key findings of these threat hunting exercises were hygiene-related and, in many ways, not surprising. Enforcing security hygiene continues to be a key priority for security leaders, and a key tenet of security strategies and regulatory compliance. Security practitioners will recognise many of the weaknesses uncovered in the exercise as foundational controls advocated by the ACSC Essential Eight and the equivalent CISA/NIST frameworks.
Complex and ever-evolving technology environments make it challenging to consistently enforce and apply these hygiene practices. This is evident from the yearly audits of Essential Eight maturity among government organisations, which consistently find low and inconsistent compliance. It can also be correlated with other sources of data.
Getting The Basics Locked Down
Recent research by BeyondTrust indicates that many organisations have “overlooked” some common hygiene practices and controls, with each effectively acting as an “invitation … [that] silently opens the door to hackers”. The research identifies disused accounts, overly permissive administrative access controls and credential reuse across multiple accounts as common issues. It also found that in the pursuit of federated system access, many organisations have essentially created “hidden privilege escalation paths” in their environment that can be exploited by even low-privilege users to move laterally within an environment and escalate privileges, based on misconfigurations and the failure to implement least privilege access.
Taken together, the threat hunt findings and research results represent a wake-up call for all organisations to turn up the heat on all forms of security hygiene. This is especially true for identity and privilege-related security practices, given that many observed weaknesses involve the treatment and management of credentials and machine secrets. Therefore, what many organisations need is a way for hygiene issues to be proactively detected and escalated for further investigation and remediation.
To bridge this gap, organisations should look to use a layered approach that addresses identity security, privileged access and secure remote access.
At its core, identity security provides end‑to‑end oversight of who or what has access with detection and prevention of hidden privilege paths. In the threat hunting exercise, many findings stem from unmanaged or shared accounts and associated identities.
A Modern Take on Identity
A modern identity-centric toolset is designed to prevent this. It first enables discovery of all identities: human, machine, agentic AI, and administrators (local and domain), across domains and network-connected devices. It then maps identities and account relationships, revealing direct and indirect escalation paths to privileged access. Once this is mapped and understood, Privileged Access Management (PAM) is used to right-size and control the elevated access and permissions found for identities, users, accounts, processes, and systems across the environment.
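The mapping step described above can be illustrated with a small relationship graph. The following is an added example, not code from the original article or from any vendor product it describes: the hostnames, accounts, groups and the four relation types are constructed, a deliberately small model of what an identity discovery tool collects. It enumerates every path from a low-privilege identity to a privileged group and then ranks the configuration artefacts (shared local administrator passwords, broad admin rights, exposed sessions) whose removal would break the most paths, which is the defender's remediation view of the same data.

```python
"""Map identity and account relationships to surface hidden privilege escalation paths.

Added example, not code from the original article or from any vendor product it
describes. The inventory below is constructed: hostnames, accounts and groups are
made up, and the four relation types are a small model of discovery output.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Relation semantics in this constructed model (edge direction = "source gives control over target"):
#   MemberOf          identity -> group       membership confers the group's rights
#   AdminTo           identity/group -> host  local administrator rights on the host
#   ExposesSessionOf  host -> identity        an identity has a session on the host, so a host
#                                             administrator can reach its credential material
#   SharedLocalAdmin  host -> host            both hosts use the same local administrator password
Hop = Tuple[str, str, str]  # (source, relation, target)
Graph = Dict[str, List[Tuple[str, str]]]

# Relations that arise from configuration and hygiene rather than from deliberate grants.
HYGIENE_RELATIONS = {"AdminTo", "ExposesSessionOf", "SharedLocalAdmin"}

INVENTORY: Graph = {  # constructed sample inventory
    "alice": [("MemberOf", "Helpdesk")],
    "bob": [("MemberOf", "Finance")],
    "svc_backup": [("MemberOf", "Server Operators")],
    "dadmin": [("MemberOf", "Domain Admins")],
    "Helpdesk": [("AdminTo", "WS-01")],
    "Finance": [],
    "Server Operators": [("AdminTo", "FS-01")],
    "Domain Admins": [],
    "WS-01": [("ExposesSessionOf", "svc_backup"), ("SharedLocalAdmin", "WS-02")],
    "WS-02": [("ExposesSessionOf", "dadmin")],
    "FS-01": [("ExposesSessionOf", "dadmin")],
}
USERS: Set[str] = {"alice", "bob", "svc_backup", "dadmin"}


def find_paths(graph: Graph, start: str, target: str, max_hops: int = 8) -> List[List[Hop]]:
    """Enumerate every simple path from start to target (bounded depth-first search)."""
    paths: List[List[Hop]] = []
    stack: List[Tuple[str, List[Hop]]] = [(start, [])]
    while stack:
        node, hops = stack.pop()
        if node == target:
            paths.append(hops)
            continue
        if len(hops) >= max_hops:
            continue
        visited = {start} | {h[2] for h in hops}
        for relation, nxt in graph.get(node, []):
            if nxt not in visited:
                stack.append((nxt, hops + [(node, relation, nxt)]))
    return paths


def exposed_identities(graph: Graph, users: Set[str], target: str) -> List[str]:
    """Users who are not direct members of the target group yet can still reach it."""
    direct = {u for u in users if ("MemberOf", target) in graph.get(u, [])}
    return sorted(u for u in users - direct if find_paths(graph, u, target))


def remediation_candidates(paths: List[List[Hop]]) -> List[Tuple[Hop, int]]:
    """Rank hygiene-type edges by how many discovered paths each one carries.

    Group memberships are deliberate grants and are left out; the aim is to find
    the misconfiguration whose removal breaks the most paths at once."""
    counts = Counter(h for p in paths for h in p if h[1] in HYGIENE_RELATIONS)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def format_path(path: List[Hop]) -> str:
    out = path[0][0]
    for _, relation, target in path:
        out += f" -[{relation}]-> {target}"
    return out


if __name__ == "__main__":
    target = "Domain Admins"
    all_paths: List[List[Hop]] = []
    for user in exposed_identities(INVENTORY, USERS, target):
        for p in find_paths(INVENTORY, user, target):
            all_paths.append(p)
            print(format_path(p))
    print("\nEdges to remediate first (edge, paths broken):")
    for edge, n in remediation_candidates(all_paths):
        print(f"  {n}  {edge}")
```

On this inventory the shortest route from `alice` to the privileged group runs through the shared local administrator password between `WS-01` and `WS-02`, which is exactly the kind of indirect path that never shows up in a group membership report; the ranking at the end tells the team which single edge to cut first.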
One of the primary goals to mitigate risks identified by this data is to implement and enforce least privilege. This concept and practice is designed to restrict access rights for users, accounts, and computing processes to only those resources absolutely required to perform legitimate functions. Least privilege is a foundational concept of a zero trust architecture: a desirable end state that layers on contextual, in-the-moment data to enable decisions on granting, restricting, and terminating access to users, applications, endpoints, and other assets.
Additionally, PAM delivers accountability for all privileged activity using centralised logging, supports centralised password and secrets storage and rotation including archiving of password history for backup recovery, and offers session management and recording including behavioural monitoring and auditing. These capabilities directly address the hygiene issues found in the threat hunting exercise, by enabling organisations to avoid insecurely stored credentials, shared passwords, and unrestricted remote administrative access in their environment.
Furthermore, by coupling PAM controls with an identity security intelligence and monitoring tool, organisations can enhance their ability to detect anomalies for all accounts and privileged access usage and improve their responses for identity‑driven threats.
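The anomaly detection described above can be made concrete with a few rules over authentication logs. The following is an added example, not code from the original article or from any vendor tool it describes: the log lines, account names, addresses and policy sets are constructed, and the line layout is a made-up key=value format rather than a real event schema (only the logon type numbers follow the Windows convention, 3 for network and 10 for remote interactive). The three rules map back to the hygiene findings on this page: one local administrator account reaching many endpoints in a short window (shared local admin passwords), a privileged account connecting from outside the approved admin sources (unrestricted remote access), and a disused account becoming active again.

```python
"""Detect privileged-access hygiene violations in authentication logs.

Added example, not code from the original article or from any vendor tool it
describes. Log lines, accounts, addresses and policy sets are all constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed policy: privileged accounts, approved admin sources (e.g. a hardened
# jump host) and accounts the identity inventory marked as disused.
PRIVILEGED = {r"CORP\dadmin", r"CORP\svc_backup"}
APPROVED_ADMIN_SOURCES = {"10.0.9.5"}
DISUSED_ACCOUNTS = {r"CORP\jsmith_old"}
REMOTE_LOGON_TYPES = {"3", "10"}   # Windows convention: 3 = network, 10 = remote interactive
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_HOST_THRESHOLD = 3

# Constructed line format: "<iso-timestamp> host=<h> user=<u> logon_type=<n> src=<ip> outcome=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"logon_type=(?P<logon_type>\d+) src=(?P<src>\S+) outcome=(?P<outcome>\w+)$"
)

SAMPLE_LOG = r"""
2024-05-01T02:10:05Z host=WS-01 user=Administrator logon_type=3 src=10.0.5.23 outcome=success
2024-05-01T02:11:17Z host=WS-02 user=Administrator logon_type=3 src=10.0.5.23 outcome=success
2024-05-01T02:12:40Z host=WS-03 user=Administrator logon_type=3 src=10.0.5.23 outcome=success
2024-05-01T02:13:02Z host=WS-04 user=Administrator logon_type=3 src=10.0.5.23 outcome=failure
2024-05-01T02:30:44Z host=FS-01 user=CORP\dadmin logon_type=10 src=10.0.9.5 outcome=success
2024-05-01T02:31:10Z host=FS-01 user=CORP\dadmin logon_type=10 src=10.0.5.23 outcome=success
2024-05-01T03:05:00Z host=WS-09 user=CORP\jsmith_old logon_type=2 src=- outcome=success
2024-05-01T09:00:00Z host=WS-09 user=CORP\bob logon_type=2 src=- outcome=success
this line is malformed and must be skipped
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_local_account(user: str) -> bool:
    """Local accounts carry no DOMAIN\\ prefix in this constructed format."""
    return "\\" not in user


def detect(lines: List[str]) -> List[dict]:
    """Run the three hygiene rules over log lines and return findings in rule order."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings: List[dict] = []

    # Rule 1: one local administrator account successfully reaching many endpoints
    # over the network inside a short window. Shared local admin passwords make this
    # possible; per-host randomised, vaulted passwords remove the condition.
    by_local_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if is_local_account(e["user"]) and e["logon_type"] in REMOTE_LOGON_TYPES and e["outcome"] == "success":
            by_local_user[e["user"]].append(e)
    for user, evs in by_local_user.items():
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= SPRAY_WINDOW]
            hosts = sorted({e["host"] for e in window})
            if len(hosts) >= SPRAY_HOST_THRESHOLD:
                findings.append({"rule": "shared_local_admin", "user": user, "hosts": hosts,
                                 "sources": sorted({e["src"] for e in window})})
                break  # one finding per account is enough to trigger review

    # Rule 2: a privileged account used remotely from outside the approved admin sources.
    for e in events:
        if e["user"] in PRIVILEGED and e["logon_type"] in REMOTE_LOGON_TYPES \
                and e["src"] not in APPROVED_ADMIN_SOURCES:
            findings.append({"rule": "unapproved_admin_source", "user": e["user"],
                             "host": e["host"], "src": e["src"]})

    # Rule 3: an account the inventory marks as disused is active again.
    for e in events:
        if e["user"] in DISUSED_ACCOUNTS and e["outcome"] == "success":
            findings.append({"rule": "disused_account_active", "user": e["user"], "host": e["host"]})
    return findings


def summarise(findings: List[dict]) -> Dict[str, int]:
    """Count findings per rule, the shape a dashboard or ticket queue would consume."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
    print(summarise(detect(SAMPLE_LOG)))
```

The failed logon to `WS-04` is deliberately excluded from the first rule: the indicator is successful reuse of one local credential across endpoints, not guessing. In practice the policy sets would be fed from the identity inventory and the PAM vault (which accounts are privileged, which are dormant, which hosts are the sanctioned admin sources) rather than hard-coded.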
Conclusion
Ultimately, all organisations need the ability to detect deviations from good security hygiene proactively and continuously. Simply put, organisations need to move beyond reactive threat hunt engagements to proactive identity security and zero trust; the statistics show this is one of the biggest gaps in our environments today, and it needs attention.