How to Protect IT Accounts from Advanced Persistent Threats

Security is arguably one of the most important facets of operating any business. It is, therefore, of immeasurable value for IT solution providers to offer protection that guards against the pervasive compromise of data. Here, the senior product marketing manager at Actividentity, a vendor of authentication and credential management solutions, defines the nature of advanced persistent threats and discusses how to lock down customers' systems to protect against them.-- Jennifer Bosavage, editor

Imagine your customers’ worst-nightmare data breach scenario. Does it involve damage to their data, brand, finances, and competitiveness? Probably. Does it involve loss of jobs for senior people in IT? Probably. Does it involve pervasive compromise of data only possible through gaining control of IT administrator accounts? Almost certainly. IT administrator accounts are the key to advanced persistent threats (APT) as an attack doctrine. Protecting IT administrator accounts is, or should be, among the highest priorities for any organization seeking to inhibit APTs.

To do that, it's important to understand that APTs are not one kind of attack. APT are a philosophy of gaining access by choosing off of a sort of Chinese menu of attack methods in succession until penetration is achieved. According to the Verizon Business Data Breach Investigations Report 2010, almost half of all breaches exploit weak or stolen credentials, because the most efficient and effective way to probe a network is by “appearing to belong.” For APTs, it is clear the percentage that steal or crack credentials is considerably higher.

It's easy to exploit weak or stolen credentials. Whether the credentials are compromised by never-before seen zero-day keylogger malware, sophisticated spear phishing, sloppy password reuse, social engineering, rainbow table brute force attacks, untrustworthy people looking over a user’s shoulder, easily guessable passwords, sniffing WiFi traffic, or something else, the end result is still the same. The attacker gains control of a legitimate account to get a foothold inside the network.

APTs are also distinctive for sometimes combining techniques, such as searching on Linked-In or Facebook for the names of people who work at a particular company, then sending custom-built malware as e-mail attachments, socially engineered to get opened. In the case of the recent RSA breach, the e-mail attachment was an infected PDF entitled, “Recruitment Plans.” Again, APTs target a specific organization using as many attempts as it takes until they get control of a legitimate user account. Then they have completed the first stage of the attack.

The second stage of the attack involves escalating privileges until the hacker can access the desired data and control or sabotage systems. From inside the network, the attacker sniffs around for other accounts or access to the Active Directory server. Most networks have few internal barriers to this kind of snooping. Keyloggers may be spread. Lists of Domain Admins may be viewable by enumerating the nested group memberships of the Domain Admins security group. By searching for who can reset passwords of these specific user accounts, then who can reset passwords for those accounts, etc. it is often possible to find a daisy chain of resets starting with an account that is already compromised. Those are typically domain administrators, delegated administrators, local administrators and such.

The third stage of the attack is to use the newly stolen “keys to the kingdom” to take data and stage it for transport outside the network. With APT, this may be an entirely different route than the way into the network. Often data is packaged on media servers so that the file sizes and movements will draw minimal suspicion. This harvesting process can go on nearly indefinitely, amplifying the damage.

Clearly, protecting IT administrator accounts from compromise, while not the first line of defense, must be the strongest. It is the highest value link in the attack chain, and the most manageable population of users to implement and enforce very strong authentication upon.

To protect IT administrator accounts from APT, the first step must be mandating smart cards for all IT administrators. Smart cards are superior to one-time password tokens because smart cards provide strong authentication into Windows PCs and servers, in addition to strong authentication into VPNs. They are also more convenient to use: insert your card, type your PIN code and you’re in. Key loggers don’t work on smart cards if the attacker does not have access to the user’s smart card. By replacing passwords with a very strong digital certificate, password reuse becomes a non-issue. Brute force dictionary attacks can not compromise a PKI smart card because the smart card will automatically lock itself after 6 incorrect PIN verification attempts. When deployed throughout the organization, smart cards resolve the problem of easily guessed, “Admin, Admin” login credentials. To be absolutely certain, smart card login should be enforced in the AD Policy for IT admin accounts.

Fortunately, modern credential management appliances make smart cards much easier and faster to deploy, typically in less than a day. These appliances include a certificate authority, data base, hardware security module and wizard, making them much more channel-friendly solutions, and ideal for rapid deployment to a group of IT administrators.

Ultimately, your customers want a practical solution to a very complex and quickly evolving problem. While there will always be new zero-day keyloggers, spear phishing tricks, social engineering tactics etc., securing IT administrator accounts can and should be relatively controllable, and that is good news you can give to your clients. Good luck.