Stopping the Cyber Attack Chain with Privilege and Vulnerability Management
June 22nd, 2017
The Cyber Attack Chain (or Kill Chain) is a common reference for illustrating the steps involved in an externally-driven cyber attack. After witnessing first-hand so many data breaches that happen as a result of these methods, we have developed a summary version that you can use as you make the case to better protect your important data and assets. Let’s begin by reviewing the steps in the Cyber Attack Chain, then I will define six steps you can take today to reduce your attack surface.
Steps in the Cyber Attack Chain
Based on our experience, externally-driven data breaches start when an attacker exploits asset vulnerabilities. This can be done via drive-by downloads, phishing attacks or even direct hacking attempts. (The Verizon Data Breach Investigations Report provides ample data on the frequency of such attacks; it reports that 75% of attacks come from outsiders.)
Next, once inside the network, the attacker hijacks privileges or leverages stolen or weak passwords. In fact, 80% of breaches involve misused privileged accounts. Once the attacker has effectively become an insider, they can use those privileges and passwords to move laterally and exploit other resources to reach their ultimate objective: your data. Scarier still, it takes an average of 256 days for an organization to realize it has been breached.
Taking Control: How Integrated Privileged Access Management and Vulnerability Management Mitigate the Risks from Cyber Attacks
How can an organization prevent an attacker from exploiting the perimeter through a vulnerability, prevent hijacking and privilege escalation, and limit lateral movement? Start with these basic six steps:
1) Identify and remediate vulnerabilities with better prioritization of risks. How well are you able to prioritize vulnerabilities, or correlate them against other threats in the wild (for example, whether a public exploit exists or malware is already using the flaw)? Integrating multiple threat inputs into a single system for prioritization and “heat mapping” is one way.
2) Limit access to sensitive systems and data by leveraging vulnerability data to make decisions on granting privileges to assets or applications.
3) Enforce least privilege to prevent client-side attacks, and reduce default user privileges to contain an account that has been hijacked. The goal is to stop an attacker before they can move laterally.
4) Eliminate shared accounts and password sharing. Uncontrolled accounts are involved in 8 out of every 10 data breaches. Want a fast way to reduce that risk? Store all your enterprise privileged passwords in a single, secure vault that requires a check-in/check-out process and provides a secure enclave for third-party access.
5) Monitor all privileged activities for security and accountability. Logging is required for compliance purposes, but session monitoring adds more: indexed recordings provide keystroke-level detail on who did what and when, giving you a full audit trail for the auditors.
6) Tie it all together by correlating and analyzing user and asset behavior to identify in-process attacks. This is where the value of fully integrated privileged access management and vulnerability management comes into play. This combination of behavioral analytics, vulnerability and malware intelligence, and user and security data from best-of-breed security solutions lets you out-maneuver attackers and stop data breaches.
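To make steps 1, 2, 4, 5 and 6 concrete, here is an added example written for this page; it is not code from any privileged access management or vulnerability management product. It assumes constructed scanner findings with hypothetical asset names and finding IDs (not real CVEs), a simple weighting model for threat context, a constructed per-user baseline of normally accessed assets, and a policy in which shared accounts are never granted, admin on a critical-risk asset is refused until remediation, admin on a high-risk asset needs an approver, and every grant is time-boxed and recorded. The weights and thresholds are illustrative choices, not values the article specifies.

```python
from collections import defaultdict

# Constructed sample scanner findings (hypothetical assets and finding IDs; not real CVEs or scanner output).
FINDINGS = [
    {"asset": "db01",   "id": "finding-001", "cvss": 9.8, "exploit_public": True,  "malware_seen": True,  "internet_facing": False},
    {"asset": "db01",   "id": "finding-002", "cvss": 5.3, "exploit_public": False, "malware_seen": False, "internet_facing": False},
    {"asset": "web01",  "id": "finding-003", "cvss": 7.5, "exploit_public": True,  "malware_seen": False, "internet_facing": True},
    {"asset": "hr02",   "id": "finding-004", "cvss": 4.0, "exploit_public": False, "malware_seen": False, "internet_facing": False},
    {"asset": "jump01", "id": "finding-005", "cvss": 8.1, "exploit_public": False, "malware_seen": False, "internet_facing": False},
]

# Constructed baseline: which assets each user normally touches (used for step 6).
BASELINE = {"alice": {"db01"}, "bob": {"jump01", "hr02"}}


def finding_risk(finding):
    """Step 1: CVSS alone does not say what to fix first. Weight the base score by threat
    context: a public exploit, malware already using the flaw, and internet exposure.
    The multipliers are illustrative assumptions."""
    score = finding["cvss"]
    if finding["exploit_public"]:
        score *= 1.5
    if finding["malware_seen"]:
        score *= 1.3
    if finding["internet_facing"]:
        score *= 1.2
    return score


def bucket(score):
    """Map a contextual risk score onto heat-map bands (thresholds are assumptions)."""
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def heat_map(findings):
    """Step 1: per-asset heat map, rated by the worst contextual finding on each asset."""
    worst = defaultdict(float)
    for f in findings:
        worst[f["asset"]] = max(worst[f["asset"]], finding_risk(f))
    return {asset: bucket(score) for asset, score in worst.items()}


def privilege_decision(user, account_type, asset, privilege, heat):
    """Steps 2, 4 and 5: decide a privilege request using the asset's vulnerability heat.
    Shared accounts are refused outright (step 4). Admin on a critical asset is refused until
    it is remediated; admin on a high asset needs a second approver. Every grant is
    time-boxed and the session is recorded (step 5)."""
    risk = heat.get(asset, "low")
    if account_type == "shared":
        return {"decision": "deny", "reason": "shared account; check out a personal vaulted account"}
    if privilege == "admin" and risk == "critical":
        return {"decision": "deny", "reason": f"{asset} has critical unremediated vulnerabilities"}
    if privilege == "admin" and risk == "high":
        return {"decision": "approve", "reason": f"admin on high-risk {asset} needs a second approver",
                "ttl_minutes": 60, "record_session": True}
    return {"decision": "allow", "reason": f"{asset} risk is {risk}",
            "ttl_minutes": 240, "record_session": True}


def suspicious_sessions(sessions, baseline, heat):
    """Step 6: correlate session activity with the heat map. A user reaching an asset outside
    their baseline that is rated high or critical looks like lateral movement, not routine work."""
    alerts = []
    for s in sessions:
        usual = baseline.get(s["user"], set())
        if s["asset"] not in usual and heat.get(s["asset"], "low") in ("high", "critical"):
            alerts.append((s["user"], s["asset"]))
    return alerts


if __name__ == "__main__":
    heat = heat_map(FINDINGS)
    print("heat map:", heat)
    print("alice admin on db01:", privilege_decision("alice", "personal", "db01", "admin", heat))
    print("bob admin on jump01:", privilege_decision("bob", "personal", "jump01", "admin", heat))
    sessions = [{"user": "bob", "asset": "jump01"}, {"user": "bob", "asset": "web01"}]
    print("suspicious:", suspicious_sessions(sessions, BASELINE, heat))
```

The point of the example is the data flow, not the particular weights: the same scanner output drives the remediation queue (step 1), gates what a privilege request is allowed to touch (step 2), and gives the session analytics a notion of which unusual access matters (step 6). In a real deployment the findings would come from the scanner's export, the baseline from historical session records, and the decision would be enforced by the password vault's check-out workflow.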
Putting it all Together
The real value of a fully integrated solution that addresses every step of the Cyber Attack Chain is that there are no gaps, and that you can use vulnerability and external threat data to make privilege decisions. All of this reduces your attack surface and risk.