Privileged accounts are a key part of the cyberattack chain and are involved in almost every security breach today. Protecting privileged user accounts and, increasingly, machine accounts (non-human accounts) is a key priority for every security-conscious organization, central to addressing many regulatory requirements, and a prerequisite for zero trust. Depending on the type of privileges obtained, privileged account access can enable a threat actor to acquire sensitive information, make system changes, manage resources, and even override security controls and erase traces of their actions.
As enterprises become more complex and de-centralized, embrace the cloud, and more users work from home, the number and diversity of privileged accounts is exploding. Many of these privileged accounts are proliferating unseen, unmonitored, and unmanaged, presenting dangerous backdoors to the environment for threat actors.
While some privileged users are employees, other privileged accounts are associated with contractors, vendors, auditors or even automated third-party services and non-humans on premise, in the cloud, or in hybrid environments.
Finding & Identifying Your Privileged Accounts
As a part of any cybersecurity strategy, the most important first step is to perform an asset inventory. After all, if you do not know what exists in your environment, you cannot design an appropriate plan to manage and mitigate the risks they represent. Privileged Access Management (PAM) is most effective and successful when the entire environment, and the privileges that exist therein, are identified and well understood.
To perform the most basic asset inventory, many organizations rely on asset discovery. This technique ideally identifies every asset connected to the network and provides details on its services, users, applications, vulnerabilities, configurations, operating system, etc. This information then helps organizations classify assets and accounts based on sensitivity, data, ownership, geolocation, and more.
While digital discovery is never perfect and often suffers from blind spots caused by technology limitations and how it is configured to run, it does generate the much-needed baseline for organizations. Ongoing discovery then becomes a routine part of the cybersecurity practice, identifying new assets, shadow IT, non-conforming systems, and even devices that have been deprecated. With all this information, additional security initiatives can begin to take shape.
Let’s get back to PAM. Privileged access management (PAM) entails the management and protection of accounts (both human and non-human/machine) and their associated privileges throughout an environment. Common use cases can include the secure storage and retrieval of privileged credentials, the removal of administrative rights, secure session access, and managing secrets used for automation.
All of the above PAM use cases share one common requirement: you must first ascertain the credential to be managed, and that credential can be obtained from a comprehensive discovery solution. To that end, if the tool you are using can enumerate accounts, it probably can enumerate associated privileges and group membership too. With that data, you can start to build the basis for your privileged access management journey.
So, let’s assume you can perform a discovery and enumerate accounts. What’s next? The first concept is to provide a classification for the account. Are they administrative, service, local, directory-based, etc.? These are merely table stakes attributes because, if you can discover the account, but not classify how it is used or its source, then anything you do next is a moot point. A list is just a list unless it has context.
The next step is to rate each of the accounts in terms of importance; this is where your asset inventory becomes more than a list. Hopefully, you have been able to classify your crown jewels and most sensitive assets based on a discovery. These will include personally identifiable information (PII), trade secrets, financial information, payroll, etc. The list will vary per company, but any asset whose compromise and disclosure could cause extreme embarrassment or market or financial stress, or that would be a "game over" event, is typically classified as critical.
Next, you need to associate which accounts have access to these resources and place them under management and remove administrative rights. The process continues through your inventory until you have covered every asset and account that you deem important, or that is required to mitigate perceived risk.
The Most Important Privileged Accounts to Discover
While the process I outlined in the section above has been over-simplified for the purposes of this blog, there are a few lessons about this process and account discovery that should be heeded as a part of your journey.
With that said, what are the most important privileged accounts to find across your environment, and why?
1. Domain admin accounts: The most important privileged accounts in your environment are the ones that have access to virtually any and every asset. These are typically domain administrator accounts, and they are the highest value to a threat actor. Organizations should strive to minimize the number of domain administrator accounts and who has access to them, and place all of them under privileged access management.
2. Non-human automation accounts: Next, seek out any account associated with an application, operating system, database, service, network device, etc. that is shared among multiple assets to enable functionality. While these generally do not have blanket administrative rights, the compromise of one asset with the shared account can easily be used for lateral movement. A threat actor typically repeats this authenticated 'hop' to other assets until some form of privilege escalation becomes possible and administrative privileges are compromised. In general, the existence of shared accounts represents a poor security practice. Yet shared accounts persist because they offer the most workable and convenient way to enable a use case. Therefore, these accounts should always be identified and placed under privileged access management.
3. Management solutions: Technology that is used to manage, monitor, configure, automate, and install or modify the environment, from directory services to security solutions, should never have shared accounts. Security best practices dictate that access from a user to these solutions should always have a one-to-one relationship. Therefore, all the accounts used by application, network, security, and operating system administrators should be placed under management. This ensures the one-to-one relationship is maintained and all access is monitored for appropriate behavior. This encompasses any access that occurs on premise or in the cloud, and any work performed remotely by employees, contractors, vendors, auditors, etc.
4. Service accounts: The most under-the-radar accounts in every Windows environment are the ones associated with running services. Service accounts represent the plumbing for operations in a Windows environment and are often assigned credentials that lack the ability to log in locally, yet can be abused or misused to compromise the operating system or an application. Service accounts are generally a form of shared account that, depending on the application, can be shared on multiple assets in order to operate as a single resource. When service accounts are placed under management by a PAM solution, changes (such as credential rotation) must be synchronized across every location, or connected resources will not stop and restart their services correctly. This is why attributes are such an important component of discovery. It is imperative to identify all the locations where a service account is used and link shared ones together automatically so the accounts can be managed as a group. Otherwise, some accounts could be missed, credentials could fail to rotate correctly, and new assets that utilize the same service account would not be placed under proper management, each of which can contribute to security holes and cascading outages.
5. Cloud accounts: While noticeably lower in the list, some clients may choose this category as their highest priority. When using the cloud to manage your workloads, accounts created to manage instances, runtime, and resources are based on an identity, entitlements, and permissions model. As a function of discovery, these accounts should be enumerated across multicloud environments and represented in a common format for risk assessment. By uncovering and onboarding these cloud accounts, you can manage cloud account entitlements and determine when accounts are over-provisioned, stale, or even misused during operations.
6. Specialty accounts: One of the most overlooked types of accounts for discovery and management are specialty accounts created on endpoints, locally, to support re-imaging, the help desk, and other information technology functions. Often, these accounts are created as a local administrator and represent a legitimate backdoor into the host by authorized sources. As you can surmise, these accounts frequently lack unique passwords or may have passwords shared with similar devices based on age, geolocation, or owner. As a security best practice, each one of these accounts should have a unique password. Access should be monitored and managed for each device. This represents a unique challenge since password management solutions are typically unable to establish a network route to a remote host to manage these credentials. In addition, basic endpoint hardening would prevent any inbound connection that could administer these accounts. Therefore, management of these accounts is typically done with a PAM agent and the discovery functions are performed using the same, or similar, technology to populate an asset management database with the attributes necessary to onboard PAM management.
7. Accounts with embedded credentials: There are myriad reasons a developer, administrator, or even an application may have credentials embedded in scripts, configuration files, or compiled code. This is typically tied to DevOps automation for Agile development, but differs in that the locations may be beyond the control of development, quality assurance, and automation teams. The files could be scripts created by any department looking to automate a task (business logic, for example), or a third-party program that self-compiles code once a credential is set. The practice of embedding secrets is well recognized as a high security risk, so it is important to discover and onboard these credentials for management. However, once discovered, secrets and passwords stored in files need additional management techniques to replace them or to have the code recompiled. In addition to identifying embedded secrets and their associated accounts during discovery, PAM solutions can onboard them for management and replace the embedded secrets with API calls or dynamic secrets.
Aside from the important privileged account types listed above, there are a wide variety of other accounts that should be discovered and managed by privileged access management solutions. Security best practices guide you to identify, classify, and rate the risk for each one to determine the sensitivity and prioritization for onboarding and management. The PAM-guided discovery process can also pinpoint risks related to password and account attributes found during discovery, such as passwords that are defaults, reused, or have not been changed for a long time.
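The classify-rate-prioritize procedure described earlier, applied to the account types and password-attribute risks listed above, as an added worked example. This is illustrative code written for this post, not BeyondTrust's product or its discovery output: the records are a constructed sample of what an account discovery might emit, every field name ("kind", "where", "groups", "pwd_age_days", "pwd_hash") is an assumption, and the "pwd_hash" values are opaque placeholder tokens standing in for whatever credential fingerprint a real tool produces. It links a service account found on several hosts and in a script into one managed group, keeps local accounts distinct per host so shared passwords across devices can be flagged, and orders the result top-down for onboarding. The management-solution category (3) is not modelled because the sample carries no attribute identifying the target system's role.

```python
"""Classify, rate and prioritize discovered accounts for PAM onboarding (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample discovery output: one record per (account, location) pair.
DISCOVERED = [
    {"name": "CORP\\da-jsmith", "where": "dc01", "kind": "domain",
     "groups": ["Domain Admins"], "pwd_age_days": 400, "pwd_hash": "tok-a"},
    {"name": "CORP\\jdoe", "where": "ws-103", "kind": "domain",       # same password as the DA account
     "groups": ["Domain Users"], "pwd_age_days": 20, "pwd_hash": "tok-a"},
    {"name": "CORP\\svc-backup", "where": "fs01", "kind": "service",
     "groups": ["Backup Operators"], "pwd_age_days": 800, "pwd_hash": "tok-b"},
    {"name": "CORP\\svc-backup", "where": "fs02", "kind": "service",
     "groups": ["Backup Operators"], "pwd_age_days": 800, "pwd_hash": "tok-b"},
    {"name": "CORP\\svc-backup", "where": "build01:/opt/jobs/backup.sh", "kind": "embedded",
     "groups": [], "pwd_age_days": 800, "pwd_hash": "tok-b"},            # same credential in a script
    {"name": "helpdesk", "where": "ws-101", "kind": "local",
     "groups": ["Administrators"], "pwd_age_days": 900, "pwd_hash": "tok-c"},
    {"name": "helpdesk", "where": "ws-102", "kind": "local",            # shared local-admin password
     "groups": ["Administrators"], "pwd_age_days": 900, "pwd_hash": "tok-c"},
    {"name": "admin", "where": "sw-core1", "kind": "local",
     "groups": ["admin"], "pwd_age_days": 30, "pwd_hash": "tok-default"},
    {"name": "deploy", "where": "cloud:example-tenant", "kind": "cloud",
     "groups": ["AdministratorAccess"], "pwd_age_days": 10, "pwd_hash": "tok-d"},
    {"name": "appuser", "where": "app01", "kind": "application",
     "groups": [], "pwd_age_days": 200, "pwd_hash": "tok-e"},
    {"name": "appuser", "where": "app02", "kind": "application",
     "groups": [], "pwd_age_days": 200, "pwd_hash": "tok-e"},
]

DEFAULT_TOKENS = {"tok-default"}          # stand-in for a vendor-default credential list (constructed)
STALE_DAYS = 365
DIRECTORY_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}
LOCAL_ADMIN_GROUPS = {"Administrators", "admin"}
# Base score follows the post's ordering of account types; attribute flags add to it.
BASE_SCORE = {"domain-admin": 100, "shared-automation": 80, "service": 70, "cloud": 60,
              "specialty-local-admin": 50, "embedded-credential": 45, "standard": 10}
FLAG_SCORE = {"default-password": 30, "password-reused": 25, "embedded": 20, "stale-password": 15}


@dataclass
class Account:
    key: str
    category: str = "standard"
    kinds: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    locations: list = field(default_factory=list)
    pwd_age_days: int = 0
    pwd_hashes: set = field(default_factory=set)
    flags: list = field(default_factory=list)
    score: int = 0


def account_key(rec):
    """Local accounts are distinct per host even when the name repeats;
    directory, service, cloud and embedded identities are one account wherever they appear."""
    return f"{rec['name']}@{rec['where']}" if rec["kind"] == "local" else rec["name"]


def classify(acct):
    """Map an aggregated account onto the post's account types, most critical first."""
    if acct.groups & DIRECTORY_ADMIN_GROUPS:
        return "domain-admin"
    if "service" in acct.kinds:
        return "service"
    if "cloud" in acct.kinds:
        return "cloud"
    if "local" in acct.kinds and acct.groups & LOCAL_ADMIN_GROUPS:
        return "specialty-local-admin"
    if "embedded" in acct.kinds:
        return "embedded-credential"
    if len(acct.locations) > 1:
        return "shared-automation"
    return "standard"


def build_inventory(records):
    """Aggregate raw discovery records into accounts, classify them and flag password risks."""
    accounts, hash_owners = {}, defaultdict(set)
    for rec in records:
        key = account_key(rec)
        acct = accounts.setdefault(key, Account(key=key))
        acct.kinds.add(rec["kind"])
        acct.groups.update(rec["groups"])
        acct.locations.append(rec["where"])
        acct.pwd_age_days = max(acct.pwd_age_days, rec["pwd_age_days"])
        acct.pwd_hashes.add(rec["pwd_hash"])
        hash_owners[rec["pwd_hash"]].add(key)
    for acct in accounts.values():
        acct.category = classify(acct)
        if acct.pwd_hashes & DEFAULT_TOKENS:
            acct.flags.append("default-password")
        if any(len(hash_owners[h]) > 1 for h in acct.pwd_hashes):   # same password on another account
            acct.flags.append("password-reused")
        if "embedded" in acct.kinds and acct.category != "embedded-credential":
            acct.flags.append("embedded")
        if acct.pwd_age_days > STALE_DAYS:
            acct.flags.append("stale-password")
        spread = min(5 * (len(acct.locations) - 1), 15)               # wider sharing, higher rating
        acct.score = BASE_SCORE[acct.category] + sum(FLAG_SCORE[f] for f in acct.flags) + spread
    return accounts


def onboarding_order(records):
    """Top-down onboarding list: highest risk first, name as a stable tie-breaker."""
    return sorted(build_inventory(records).values(), key=lambda a: (-a.score, a.key))


if __name__ == "__main__":
    for a in onboarding_order(DISCOVERED):
        print(f"{a.score:4d}  {a.category:22s} {a.key:24s} {a.flags} {a.locations}")
```

Running it puts the domain admin account first (reused and stale password on top of its base rating), then the backup service account, whose three locations, including the script on build01, come out as one group to rotate together; the two helpdesk local-admin accounts are listed separately but both carry the shared-password flag, and the switch account surfaces on its default credential alone.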
Following a proven plan can help you improve your security posture. By leveraging an asset management database and discovering all your accounts, you can more effectively manage risk and reduce the threats posed by shadow IT and rogue accounts.
As a best practice, prioritization should always follow a top-down approach to mitigate risk, and it should leverage other security disciplines to ensure consistency. The discovery, onboarding, and offboarding of privileged accounts is an ongoing process for every organization and should be baked into daily operations.
Find & Manage All Your Privileged Accounts with BeyondTrust
The top analysts (Gartner, Forrester, and KuppingerCole) have all published recent reports recognizing BeyondTrust as a leader in Privileged Access Management. We are one of only a few vendors to appear as a leader in each report.
Analysts have also consistently recognized BeyondTrust’s powerful privileged account and asset discovery capabilities, which can be applied to find and manage your entire universe of privileges—on premises, cloud, hybrid, vendor, employee, human, and machine.
Contact BeyondTrust today to get started or learn more.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.