How to Defend Against the 10 Most Dangerous Privileged Attack Vectors

Supply chain attacks are becoming an increasingly common strategy for hackers. They’ll generally target organizations via third-party suppliers, partners, or vendors, all of whom might require privileged access in some form or another.

Often, the target organization has less visibility and control over the security of their third parties, making this an attractive weak link for hackers to exploit.

One of the most well-known examples of this is the 2013 Target attack, where hackers successfully gained access to a third-party contractor via phishing.

This gave the attackers the access they needed to install malware on Target’s systems and steal sensitive customer information.

Increasingly, hackers are also gaining access via commercial software products.

This was the case in one of the most prolific attacks in modern history: The 2020 SolarWinds breach. Here, attackers inserted malicious code into SolarWinds’ Orion system – an IT monitoring system that required privileged access to the IT systems of its customers.

Hackers then had access to the IT environments of these customers, which included the US government and several multinational organizations.

How to stay safe against supply chain attacks

  • Apply least privilege to third-party and service accounts as well as internal employees
  • Create robust contractual security requirements for all third-party vendors, partners, and suppliers

1. Misconfigurations

Misconfigurations can be tricky to define, since they refer to a range of different issues and challenges. Essentially, these are any instances where poor IT policy, or a departure from best practice, makes it easier for hackers to target and access your IT environment.

There are several examples of this, and each generally has its own solution:

  • Hard-coded credentials being available in the code of software, servers, IoT devices, and more.

Solution: Use modern PAM software to identify hard-coded credentials. Then, replace them with passwords that can be encrypted, vaulted, rotated, or some combination of all three.
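
The following is an added example, not code from the original article or from any PAM product: a small scanner that looks for hard-coded credentials in source text, the kind of check a PAM tool runs across a code base before the secrets are moved into a vault. The regexes, the placeholder list and the sample settings file are all constructed for this example, and the AWS key id in it is the public example key from the AWS documentation, not a live credential.

```python
import re
from pathlib import Path

# Heuristic patterns for secrets that end up in source trees. These are written
# for this example and are deliberately simple; a real scanner carries many more.
SECRET_PATTERNS = {
    "generic_password": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{6,})['"]"""
    ),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credentials_in_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@"),
}

# Values that look like secrets but are placeholders; reporting them is only noise.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}

# Constructed sample file, standing in for a settings module checked into a repo.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal"
DB_PASSWORD = "Tr0ub4dor&3"
api_key = os.environ["API_KEY"]
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
url = "postgres://app:s3cretpass@db.internal/app"
password = "changeme"
"""


def scan_text(text, filename="<memory>"):
    """Return one finding per (line, pattern) hit, skipping obvious placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if name == "generic_password" and match.group(2).lower() in PLACEHOLDERS:
                continue
            findings.append({"file": filename, "line": lineno, "type": name})
    return findings


def scan_tree(root, suffixes=(".py", ".js", ".env", ".yml", ".yaml", ".json", ".conf")):
    """Walk a directory and scan every file with one of the given suffixes."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "settings.py"):
        print(f"{f['file']}:{f['line']}: possible hard-coded {f['type']}")
```

On the sample file the scanner flags the literal database password, the AWS key id and the credentials embedded in the connection URL, and correctly ignores the value read from the environment and the `changeme` placeholder. Every hit is a candidate for replacement with a vault lookup or an injected environment variable.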

  • Blank or default passwords being used, making them easier to guess through brute-force tactics.

Solution: Implement strict policies that require passwords to be unique, complex, and regularly rotated.

  • Overprivileged user and service accounts creating a wide attack surface for hackers to target and move laterally through.

Solution: Implement least privilege and remove all excessive permissions across both user and service accounts.

  • A lack of password rotation or just-in-time access makes passwords easier to guess and removes any barriers to the hacker once they’ve successfully signed in.

Solution: Implement password rotation and just-in-time access so stolen passwords become useless (once rotated) and infiltrated accounts can still be locked down.
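
To make the rotation and just-in-time mechanism concrete, here is an added example (not code from the article or from any vendor's product) of a minimal in-memory vault: a requester checks out a time-boxed grant and receives only an opaque token, a broker component looks up the real password for the session, and checking the grant back in rotates the password so anything captured during the session stops working. The class and method names are this example's own.

```python
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length=24):
    """Random password from the OS CSPRNG; used for enrolment and every rotation."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Grant:
    account: str
    requester: str
    expires_at: float  # unix time


@dataclass
class JitVault:
    passwords: dict = field(default_factory=dict)  # account -> current password
    grants: dict = field(default_factory=dict)     # opaque token -> Grant

    def enroll(self, account):
        self.passwords[account] = generate_password()

    def checkout(self, account, requester, now, ttl_seconds):
        """Issue a time-boxed grant. The requester gets an opaque token, never the password."""
        if account not in self.passwords:
            raise KeyError(f"unknown account {account}")
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(account, requester, now + ttl_seconds)
        return token

    def is_valid(self, token, now):
        grant = self.grants.get(token)
        return grant is not None and now < grant.expires_at

    def broker_secret(self, token, now):
        """Used by the session broker/proxy that injects the credential; the end user never sees it."""
        if not self.is_valid(token, now):
            return None
        return self.passwords[self.grants[token].account]

    def checkin(self, token):
        """End the session and rotate: a password captured during the session is now useless."""
        grant = self.grants.pop(token, None)
        if grant is None:
            return False
        self.passwords[grant.account] = generate_password()
        return True

    def sweep(self, now):
        """Housekeeping: grants that expired without a check-in are closed and rotated too."""
        expired = [t for t, g in self.grants.items() if now >= g.expires_at]
        for token in expired:
            self.checkin(token)
        return len(expired)


if __name__ == "__main__":
    vault = JitVault()
    vault.enroll("svc-backup")
    token = vault.checkout("svc-backup", "alice", now=0, ttl_seconds=600)
    print("valid at t=100:", vault.is_valid(token, 100))
    print("valid at t=900:", vault.is_valid(token, 900))
```

The important property is that expiry and check-in both end in a rotation: a stolen token is useless after the TTL, and a password observed during the session does not survive it.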

  • Account sharing makes it easier for hackers to gain access, since passwords are often shared in messages, emails, or other insecure media. It also makes it easier for hackers to evade detection, since the account is already associated with multiple users, identities, and behaviors.

Solution: Avoid account sharing wherever possible. If shared accounts are used, access should be granted via secure digital tokens or password vaults. Ideally, shared account passwords should not be visible to the end user.

  • Lack of multi-factor authentication on privileged accounts can also make life easier for hackers, since there are fewer barriers for them to overcome before gaining access.

Solution: Implement MFA on all privileged accounts as standard and, ideally, all other accounts as well. This ensures an extra layer of defense should the password be compromised.

  • Lax or weak access controls on files, folders, and local devices will also increase your attack surface. This is because poor access policies essentially create more accounts through which sensitive information can be accessed.

Solution: Implement robust identity and access management (IAM) policies so sensitive information can only be viewed by the smallest possible number of people.

  • Insecure protocols such as HTTP instead of HTTPS or SSL instead of the newer TLS can also make you vulnerable. Hackers can exploit these details to capture, analyze, modify, or steal data – often as it’s transmitted from client to server. This can sometimes include unencrypted login details.

Solution: Always use up-to-date protocols and avoid working with third-party software vendors or suppliers who don’t.
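
The following added example (not from the article) shows the weak client-side TLS configuration next to the corrected one using Python's standard `ssl` module, together with a small audit function that reports which protections a context has switched off. The `audit_context` and `is_transport_encrypted` helpers are this example's own names.

```python
import ssl
from urllib.parse import urlsplit


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate and hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname and CERT_REQUIRED are defaults here
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate warnings go away' configuration: no verification, any version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List the protections a context has disabled; an empty list means it passes."""
    issues = []
    if not ctx.check_hostname:
        issues.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("accepts protocol versions below TLS 1.2")
    return issues


def is_transport_encrypted(url: str) -> bool:
    """Refuse to send credentials to plain http:// or ws:// endpoints."""
    return urlsplit(url).scheme.lower() in {"https", "wss"}


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "ok")
    print("weak:    ", audit_context(weak_client_context()))
```

Without certificate and hostname verification, a client will happily complete a handshake with whoever sits between it and the server, which is exactly the position a man-in-the-middle attack needs; the audit function makes that misconfiguration visible before a credential is sent over it.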

  • Lack of real-time monitoring can also make it easier for the hacker to evade capture once they’ve already infiltrated an environment. This technology can help organizations detect suspicious activity through anomaly analysis – since hackers’ activity is often quite idiosyncratic.

Solution: Implement real-time monitoring so suspicious behavior can be detected and locked down before damage is done.

  • No PAM controls on service accounts can create further access points for hackers. Machine identities such as RPA workflows, IoT devices, and applications often need access to perform an automated function. As in the SolarWinds attack, hackers can exploit these accounts to gain access. Organizations often forget to secure service accounts like they would with user accounts, creating an open door for hackers.

Solution: Apply least privilege to both user and service accounts.

With so many misconfigurations to remember, it’s vital that you have access to the most recent privileged access management solutions. Without the functionality these tools offer, it’s impossible to identify and remediate the issues we’ve listed in this section.

Credential exploitation is another umbrella term that refers to a range of tactics and strategies that hackers use to gain access to login credentials. This could include plain text passwords, password hashes, digital tokens, API keys, SSH keys, or more.

  1. Brute force guessing: As you’d expect, this simply involves hackers guessing until they get it right. In these cases, passwords are generally simple to guess, like “Password1”, “1234”, or the user’s date of birth. Poor policies around password rotation and strength can make it much easier for hackers to do this successfully.
  2. Password spraying: Similar to brute force guessing, but with a broader attack surface. Attackers may try to gain access by trying a few commonly used passwords across several accounts. Many will use bots to do this quickly and automatically.
  3. Phishing: As discussed, phishing attacks are a popular way to get hold of login details. Often the hacker needs to have access to phone numbers or email addresses in order to target a particular person with a phishing scam.
  4. Pass the hash: A ‘hash’ is a fixed-length string derived from the password by a one-way function, which a system can accept for authentication in place of the password itself. Often, hackers can scrape these hashes from active memory and gain access without needing to know the plain text password it substitutes for.
  5. Password scraping: Similar to pass-the-hash, this involves the attacker scanning the IT environment for plain text passwords. These can be stored in active memory or available in an application’s source code.
  6. Keylogging: Attackers might also use keylogging software to record the keystrokes of users, including passwords, as they’re typed in. This is a type of malware that attackers can install as part of lateral movement.
  7. Data breaches: Sometimes, plaintext passwords can be bought on the dark web, giving hackers direct access to accounts.
  8. Man-in-the-middle: This generally involves the hacker taking advantage of an insecure connection to access data as it moves between, e.g., a server and a client device. Insecure protocols are a common example of this.
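
The brute-force and password-spraying techniques above leave a characteristic trace in authentication logs, and the real-time monitoring recommended in the misconfigurations section is essentially a matter of looking for that trace. As an added example (not from the article or any monitoring product), the block below parses constructed sshd-style log lines and raises three kinds of alert: many failures against one account from one source, one source failing against many different accounts, and a successful login from a source that had already failed repeatedly. The log format, thresholds and alert names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Matches the constructed log format used below (sshd-style lines with ISO timestamps).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample: a brute force against alice, a spray across five accounts
# from a second source ending in a success, and ordinary activity from a third.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:05Z sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:09Z sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:14Z sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:20Z sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:26Z sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:01:00Z sshd: Accepted password for alice from 192.0.2.10
2024-05-01T10:02:00Z sshd: Failed password for bob from 198.51.100.7
2024-05-01T10:02:03Z sshd: Failed password for carol from 198.51.100.7
2024-05-01T10:02:06Z sshd: Failed password for dave from 198.51.100.7
2024-05-01T10:02:09Z sshd: Failed password for erin from 198.51.100.7
2024-05-01T10:02:12Z sshd: Failed password for frank from 198.51.100.7
2024-05-01T10:02:40Z sshd: Accepted password for frank from 198.51.100.7
2024-05-01T10:03:00Z sshd: Failed password for alice from 192.0.2.10
"""


def parse_log(lines):
    """Turn matching lines into events sorted by time; unrelated lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, bf_threshold=5, bf_window=120, spray_users=4, prior_failures=3):
    """Return alerts for brute force, password spraying and success-after-failures."""
    alerts = []
    failures = defaultdict(list)       # (src, user) -> timestamps of failed logins
    users_by_src = defaultdict(set)    # src -> distinct accounts it failed against
    fail_count_by_src = defaultdict(int)

    for ev in events:
        if ev["result"] == "Failed":
            failures[(ev["src"], ev["user"])].append(ev["ts"])
            users_by_src[ev["src"]].add(ev["user"])
            fail_count_by_src[ev["src"]] += 1
        elif fail_count_by_src[ev["src"]] >= prior_failures:
            # A success preceded by repeated failures from the same source: likely a guessed password.
            alerts.append({"type": "success_after_failures", "src": ev["src"], "user": ev["user"]})

    for (src, user), stamps in failures.items():
        # Sliding window: bf_threshold failures against one account within bf_window seconds.
        for i in range(len(stamps) - bf_threshold + 1):
            if (stamps[i + bf_threshold - 1] - stamps[i]).total_seconds() <= bf_window:
                alerts.append({"type": "brute_force", "src": src, "user": user})
                break

    for src, users in users_by_src.items():
        # Few attempts per account but many accounts from one source: password spraying.
        if len(users) >= spray_users:
            alerts.append({"type": "password_spray", "src": src, "user": None})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG.splitlines())):
        print(alert)
```

The spraying rule is the one a per-account lockout policy misses entirely, since each account sees only one failure; correlating by source address is what surfaces it. In production the same logic runs over a streaming window rather than a whole file, and the alerts feed the lockdown step the article describes.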

In almost all of these cases, the hacker is either trying to gain initial access to the environment or trying to move laterally after having gained access.

These techniques can be used to infiltrate both privileged and non-privileged accounts.

How to Stay Safe Against Credential Exploitation

  • Create robust policies to ensure passwords are unique, strong, and regularly changed.
  • Implement MFA so hackers have another level of protection to overcome in order to gain access.
  • Use passwordless technologies wherever possible, including single sign-on, password vaulting, and encryption. These can ensure the end user doesn’t need to see the plain text password and can instead be authenticated via MFA, single sign-on, a digital token, or the password vault itself.
