Five steps to prevent insider threat actor movements

Morey Haber, Chief Technology Officer and Chief Information Security Officer, BeyondTrust.
6 years ago

People are an organisations’ most valuable resource. But they can also be its greatest vulnerability, especially when armed with weak credentials, all-too-powerful privileged accounts, and security ignorance or hubris. The problem is simple. Too many users have too much access. In fact, a recent survey we conducted revealed that 38% of organisations grant administration rights to their workforce by default, despite 79% saying it is a major security risk.

So, while most organisations focus ample security resources on controlling and protecting the boundaries of their networks, many pay inadequate attention to what is happening on the inside. Today’s threats just burrow under or through perimeter defenses, exploiting key individuals and fault lines within an organisation to cripple the entire structure. To combat these, organisations must be able to monitor for suspicious behavior, take the destructive potential out of users’ hands, and become Privilege Ready by adhering to five best practices.

#1 Reduce the attack surface

The first step to Privilege Readiness entails ensuring that the system and application vulnerabilities that could open pathways into your environment are prioritised according to risk. Vulnerabilities should be patched regularly, and this process should be automated, if possible.

Enable whitelisting to ensure that the only applications running are those that come from a trusted source. Closing off these inroads reduces the attack surface, making it considerably more difficult for an outside attacker to gain that initial foothold that would enable them to become an insider.

#2 Principle of least privilege

The second key piece of Privilege Readiness is to adopt the Principle of Least Privilege. Any end user or application should be granted the minimum possible privileges and rights they need to perform their role or function. While it might seem more efficient to grant users as much leeway as possible when working on the organisation’s network, this proves to be unjustifiably risky in practice.

Least privilege does not only apply to those who use these accounts, but also to how and when the accounts are being used. Role-based access control is key to helping least privilege work as smoothly as possible. This ensures an optimal balance between access and security, while making the actual process seem invisible.

A tiering model for access, in which even administration accounts only have access to the rights they need, will also help. This will limit the size of those highly privileged targets, meaning that it will be that much harder for attackers to escalate their capabilities when attempting to laterally move through your network. Administration accounts should be used separately from day-to-day, non-privileged accounts and only when a task requires their wide-ranging powers. This practice is referred to as privilege separation.

As Tier 1 Unix and Linux servers handle critical data, it is important to limit the potential for lateral movement. Broad access rights to these resources can equate to almost uncapped risk potential, jeopardising your most sensitive data and assets. Either enable users to log-in as themselves and elevate specific activities that they can perform, or delegate specific, granular privileges.

Organisations should also consider implementing time-based privileged access controls to prevent access at irregular hours, meaning that attackers will find it more difficult to assume powerful accounts at night or on weekends when no one is looking.

Network segregation is also included under the concept of least privilege. This involves segregating the parts of your network that do not need to be interacting. This security measure impedes lateral movement by eliminating pathways.

#3 Protect privileged accounts

Your highly privileged and shared accounts must be discovered, grouped for easier management, monitored, and audited. Passwords must be strong, unique, and rotated regularly. Furthermore, when using work services, passwords should only be entered into approved devices that can ensure the security of those credentials.

Additionally, you should eliminate hard-coded, embedded credentials where possible and, if not, these credentials need to be watched closely in real-time. While passwords present an intrinsic weak link, a variety of solutions— multi-factor authentication, single sign-on, and biometrics—can bolster security and help prevent lateral movement within the network.

Enhanced authentication security should be applied for any Internet-facing service or high-risk account. You should strongly consider the use of automated password managers to cut down on the storage of passwords in plain text and embedded in the code, and to provide better enforcement around password security.

#4 User activity and critical resources

Regardless of how you manage privileged access, ensure that all privileged activity is logged and monitored. This entails implementing session recording and other technologies, which can be accomplished, to some extent, by setting up screen recording and other manual processes. However, session reporting and management quickly becomes untenable in environments with hundreds or thousands of concurrent sessions.

Automated privileged session management and monitoring solutions can enable streamlined visibility and control over privileged access to servers, databases, and network devices, while capturing keystrokes, text, graphical screen output, and mouse movements.

To gain deeper visibility into risk, correlate the privileged user activity reporting against other behavioral metrics. This will help you spot risky users, compromised accounts, and abnormal access by flagging suspicious behavior in your environment. Auditing and reporting can also be automated against compliance objectives by highlighting directory changes that would threaten security or hamstring compliance, giving you the clarity and detail demanded by regulatory regimes such as GDPR.

#5 Automate wherever possible

While it is possible to forge a path to Privilege Readiness through manual processes and by accumulating and implementing multiple tools, nearly the entire pathway to Privilege Readiness can be automated. By applying automation throughout each step—from managing vulnerabilities and enforcing least privilege, to managing privileged accounts and conducting advanced threat analysis—you can vastly reduce your organisation’s attack surface and become Privilege Ready.

You should always assume that an attacker with enough time and resources will eventually be successful. When that does happen, it is important to detect those breaches as soon as possible, stop lateral movement, and limit the damage the attacker can cause. Limiting privileges is sometimes seen as a hindrance to an efficient workflow, but it need not be.


Key takeaways

  • While most organisations focus resources on protecting boundaries many pay inadequate attention to what is happening on the inside.
  • By applying automation throughout each step, you can vastly reduce your organisation’s attack surface.
  • Always assume an attacker with enough time and resources will eventually be successful.
  • It is important to detect breaches as soon as possible, stop lateral movement, and limit damage the attacker can cause.
  • Limiting privileges is sometimes seen as a hindrance to an efficient workflow but it need not be.
  • Regardless of how you manage privileged access, ensure all privileged activity is logged and monitored.
  • To gain deeper visibility into risk, correlate privileged user activity reporting against other behavioral metrics.
  • Enhanced authentication security should be applied for any Internet-facing service or high-risk account.
  • Consider the use of automated password managers to cut down on the storage of passwords in plain text and embedded in the code.

Organisations must assume intruders can assume identity of an employee but must be prevented from lateral movement explains Morey Haber at BeyondTrust.

Don't Miss

Rob Spee, SVP of Global Channels & Alliances, BeyondTrust.

3 trends set to shape the regional cybersecurity channel in the year ahead

As we enter 2024, the GCC channel must shake off the lingering
Marc Maiffret, Chief Technology Officer, BeyondTrust

BeyondTrust announced availability of Identity Security Insights to manage human, non-human identities

BeyondTrust announced the general availability of its groundbreaking Identity Security Insights solution.