At Clango, our CyberArk consultants and engineers are often asked, “What constitutes a privileged account?” Many people who ask that question are surprised by the answer.
There’s a common misconception that privileged accounts are only those that enable the highest levels of administrator access — for example, domain controller credentials in a Microsoft environment. However, any admin rights, even at the workstation level, pose significant cybersecurity risks.
Local admin rights give users virtually unlimited control over their workstations. Users with such rights can download software, add accounts, set permission levels, and change security settings. They also have full ownership of any file, which means they can move or copy data and change the ownership of documents. Attackers who are able to obtain local admin rights can exploit common vulnerabilities within the Windows environment to hijack domain-level credentials. They can also use their admin privileges to find vulnerabilities, launch attacks, and hide their activity.
In a previous post, we mentioned the cyberattack chain. Attackers use phishing techniques or malware to obtain user credentials, then move laterally through the network looking for attractive targets. The goal is to obtain administrator credentials to gain the broadest possible access to systems and resources.
A recent CISO View research report by CyberArk explains in detail how this attack strategy works in a real-world Windows environment. An attacker might obtain the administrator credentials on an individual workstation through the use of keystroke logging malware. Because many workstations use the same administrator password, it’s a relatively simple matter to move from machine to machine looking for higher-level credentials.
From there, an attacker can use a technique called “pass-the-hash” to obtain all the password hashes that are stored in memory for all users who recently logged into a particular machine. All the attacker has to do is find a workstation that was recently accessed by a help desk technician or IT administrator. The attacker then has higher-level credentials that will provide access to one or more servers and can continue moving through the network until domain-level credentials are obtained.
How real is this threat? According to the CyberArk report, widely available toolkits make a pass-the-hash attack simple to execute. Generally, “Red Team” ethical hackers can obtain domain-level credentials within three days of infiltrating an environment. A 2014 report from Microsoft noted that organizations must “consider the very real possibility that they may have an undetected compromise of domain or enterprise administrator credentials” due to the pass-the-hash vulnerability.
Clearly, this is not a new problem. Many organizations lack policies that address governance of local privileges of workstations and other devices, including admin rights. When the people-process-technology paradigm fails, organizations routinely give users admin rights to their workstations due to politics, bureaucracy, or a lack of help desk resources. The CyberArk Global Advanced Threat Landscape Report 2018 found that a whopping 87 percent of users have local admin rights on their endpoint devices, up from 62 percent in 2016. CyberArk suspects the 25 percent jump indicates that organizations are giving in to employee demands for flexibility.
Clango’s CyberArk consultants and engineers urge you to apply privileged account best practices to all administrator credentials, especially at the workstation level. In our next post, we’ll explain how Clango can help you take advantage of CyberArk Endpoint Manager to break the cyberattack chain by locking down local admin rights.
If you’d like to learn more about Privileged Account Security, send us an email at firstname.lastname@example.org.