SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Securing beyond the perimeter is more important than you think
Mon, 4th Apr 2016

As cyber threats become more sophisticated and prolific, it's no longer enough for organisations to solely secure the perimeter. More frequently, and with a high level of success, hackers are making their way into enterprise systems via the network and gaining access to sensitive information.

“Securing the perimeter is important, but it's important to secure far beyond this,” says Sam Ghebranious, CyberArk ANZ regional director.

He says it's inevitable that enterprises will experience some form of security breach in their lifetime, and as such it's important for businesses to take a proactive approach. They first need to know what they're working with – ‘education is key’, he says.

According to Ghebranious, once businesses have taken note of their systems and understand the basics of their current infrastructure, they can implement comprehensive security solutions.

“Do you actually know who's on your network? If you can't answer this question, you should do something about it - find out about your network and put tools in place that will let you know when you're getting breached and then do something about it,” he says.

Kerberos attacks are a good example of potentially destructive and damaging cyber threats that go beyond the perimeter.

Privileged account exploitation is at the centre of these targeted cyber attacks, and post-mortems of today's most high-profile breaches – from Sony Pictures to the Office of Personnel Management (OPM) – reveal an increasingly predictable pattern, according to CyberArk.

Attackers crash through the network perimeter, hijack credentials and use them to move laterally throughout the network, taking additional credentials and escalating privileges along the way to accomplish their goals, the company says.

Combining privileged accounts with attacks on Kerberos authentication in Windows domains raises the stakes of the cyber threat. During such attacks, threat actors target domain administrator privileges, which provide unrestricted access and control of the IT landscape. Armed with these privileges, attackers can stealthily manipulate Domain Controllers (and Active Directory) and generate Kerberos tickets to obtain unauthorised access, according to CyberArk.

Kerberos attacks are troublesome for three primary reasons, CyberArk says:

Access: Once an attacker has Local Admin privileges, it is possible to dump additional credentials, which, if left behind on the compromised machines, enable the attacker to move laterally in the network, elevate privileges and gain unauthorised access to valuable assets.

Obscurity: To bypass security controls and evade detection, an attacker can reuse Kerberos tickets to impersonate authorised users and sidestep authentication processes – disguising activity and avoiding authentication log traces.

Persistence: The days of stolen data being dumped all at once are largely over – attackers often prefer to remain on the network undiscovered for extended periods of time, funneling information out little by little. Kerberos attacks give attackers what they need most to do this: time. It is possible to maintain persistence with Kerberos tickets, even when credentials have been changed, CyberArk says.

Privileged accounts represent the largest security vulnerability an organisation faces today, according to the company. In the hands of an external attacker or malicious insider, privileged accounts allow attackers to take full control of an organisation's IT infrastructure, disable security controls, steal confidential information, commit financial fraud and disrupt operations, CyberArk says.

Stolen, abused or misused privileged credentials are used in nearly all breaches. With this growing threat, organisations need controls put in place to proactively protect against, detect and respond to in-progress cyber attacks before they strike vital systems and compromise sensitive data, CyberArk says.

Proactively protecting administrative credentials and preventing attackers from ever reaching these credentials in the first place is essential to every enterprise security strategy, according to CyberArk.

Privileged account security solutions that combine protection and threat detection can thwart attackers before network takeover is accomplished and trust in the IT infrastructure is broken, the company says.