Stolen or compromised credentials pose well-known risks to organizations and their employees. And as hackers and other malicious actors become more advanced and sophisticated in their techniques, the global threat is increasing. At a recent IT security conference, I spoke with a customer about an alert (TA18-276A) that the United States National Cybersecurity and Communications Integration Center (NCCIC) released late last year. The alert, titled “Using Rigorous Credential Control to Mitigate Trusted Network Exploitation,” outlines recommendations on how to overcome these challenges. In this blog, I’ll discuss how Conditional Access and detection of malicious use of tools and protocols can address the NCCIC’s recommendations.
The alert provides information on how Advanced Persistent Threat (APT) actors are using multiple mechanisms to acquire legitimate user credentials. Once acquired, attackers can use the credentials to exploit trusted network relationships, in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Some of the suggested NCCIC best practices for administrators to mitigate these threats include rigorous credential controls and privileged-access management, as well as remote-access control and audits of legitimate remote-access logs.
This alert highlights the need for identity-centric solutions to detect, protect, and respond to these types of threats. Here are the two core recommendations where a modern approach to authentication and threat protection can make a difference:
Manage Credentials and Control Privileged Access
The underlying assumption is that attackers will get inside the perimeter by compromising the credentials of legitimate users. Once inside with unauthorized access to network resources, they propagate exploits or move laterally across the internal network to gain more privileges and reach critical systems and sensitive data. The recommendation: “Adopting and enforcing a strong-password policy can reduce a threat actor’s ability to compromise legitimate accounts; transitioning to multi-factor authentication solutions increases the difficulty even further. Additionally, monitoring user account logins—whether failed or successful—and deploying tools and services to detect illicit use of credentials can help network defenders identify potentially malicious activity.”
With a conditional access solution you can take that one step further. Because modern authentication solutions that provide conditional access learn the behavior of all users and entities within an organization, they understand what normal user behavior looks like. If an attacker has gained a foothold, conditional access solutions can help detect when they attempt to do or access something in the network that is considered risky. Once detected, these solutions (like the Preempt Platform) can respond with adaptive, policy-based responses such as MFA, validating the threat and preventing the attacker from gaining a foothold and accessing sensitive data. Furthermore, these solutions also measure user risk and detect when users have weak or shared passwords, enabling proactive mitigation such as forcing a password change or alerting analysts.
For controlling privileged access, the NCCIC’s recommendation is that organizations should carefully manage and control privileged access by ensuring that only those users requiring elevated privileges are granted that access, and by restricting the use of those privileges to specific tasks.
The advantage of a conditional access solution is that it is able to provide a comprehensive view of all of the privileged accounts, insights about each of them (who, what, where, etc.), and why a user has been assigned as privileged. This makes it much easier for security teams, as it provides them with clear insights that enable them to make or change group policies, as well as group membership. With this approach, organizations can ensure that users have the appropriate level of access, along with managing administrative credentials to ensure they are enforcing strong passwords.
Conditional access solutions can also automatically respond to potentially risky behavior from administrators and privileged accounts to validate a user’s identity before allowing access. By using stronger authentication techniques, such as multi-factor authentication, an organization is more likely to thwart an attacker. For more tips on how the Preempt Platform can help better secure privileged accounts, check out our white paper on 6 Tips for Securing Privileged Accounts.
Control Remote Access and Audit Remote Logins
The recommendation here is to “control legitimate remote access by trusted service providers, establish a baseline on the network, monitor for anomalous activity and control Microsoft RDP.”
Let’s first look at controlling legitimate remote access. Third-party vendors and MSPs can have legitimate reasons for access, but they add a much greater risk of breach if their credentials are misused. Ensuring they have limited access (least privilege) is a good place to start; adding further controls on credentials strengthens security beyond that. Conditional access solutions allow you to set policies so you can easily restrict access based on a variety of factors, such as allowing access only during certain hours, requiring MFA, or introducing an authorizer based on the nature of the asset being accessed.
Next, it’s critical to understand what normal baseline behavior and traffic look like so you can easily monitor for and detect anomalous behavior. Conditional access solutions allow you to baseline trusted and untrusted access through analysis of live network authentication traffic combined with SSO, cloud directories, and more. Once a baseline is established, it’s easier to identify areas of risk and detect behavioral anomalies, credential compromise, lateral movement, privileged access abuse, targeted attacks and more.
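The login monitoring the NCCIC recommends (watching failed and successful logons together) and the baselining just described can both be prototyped over exported authentication events. The Python below is an added example written for this post; it is not code from the Preempt Platform or from the alert. The accounts, hosts, addresses, timestamps and thresholds are constructed, and the field layout (event ID 4624 for a successful logon, 4625 for a failure, logon type 10 for RDP) follows Windows security auditing. It learns each account's usual target hosts, source addresses and hours from a history window, then flags two things in a recent window: a run of failures followed by a success, and a successful logon that falls outside the account's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample logon events (not real telemetry). event_id 4624 = successful
# logon, 4625 = failed logon; logon_type 10 = RemoteInteractive (RDP), 2 = Interactive,
# 3 = Network. These names mirror Windows security auditing but the data is invented.
def ev(ts, user, src, dst, event_id, logon_type):
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "dst": dst, "event_id": event_id, "logon_type": logon_type}


# Baseline period: what "normal" looked like for each account.
HISTORY = [
    ev("2019-01-07T09:02:00", "alice", "10.0.1.15", "WS-ALICE", 4624, 2),
    ev("2019-01-07T09:05:00", "alice", "10.0.1.15", "FS01", 4624, 3),
    ev("2019-01-08T10:30:00", "alice", "10.0.1.15", "FS01", 4624, 3),
    ev("2019-01-09T16:45:00", "alice", "10.0.1.15", "WS-ALICE", 4624, 2),
    ev("2019-01-07T08:10:00", "bob", "10.0.1.22", "WS-BOB", 4624, 2),
    ev("2019-01-08T10:15:00", "bob", "10.0.1.22", "WS-BOB", 4624, 2),
    ev("2019-01-08T10:20:00", "bob", "10.0.1.22", "WS-BOB", 4625, 2),  # failures never enter the baseline
]

# Evaluation window: five failures against a domain controller from an address alice
# never used, then a successful RDP logon at 02:06. bob's logon is ordinary.
RECENT = [
    ev("2019-02-04T02:01:00", "alice", "10.0.0.99", "DC01", 4625, 10),
    ev("2019-02-04T02:02:00", "alice", "10.0.0.99", "DC01", 4625, 10),
    ev("2019-02-04T02:03:00", "alice", "10.0.0.99", "DC01", 4625, 10),
    ev("2019-02-04T02:04:00", "alice", "10.0.0.99", "DC01", 4625, 10),
    ev("2019-02-04T02:05:00", "alice", "10.0.0.99", "DC01", 4625, 10),
    ev("2019-02-04T02:06:00", "alice", "10.0.0.99", "DC01", 4624, 10),
    ev("2019-02-04T10:00:00", "bob", "10.0.1.22", "WS-BOB", 4624, 2),
]


def build_baseline(events):
    """Per-account sets of target hosts, source addresses and hours seen in successful logons."""
    baseline = defaultdict(lambda: {"hosts": set(), "sources": set(), "hours": set()})
    for e in events:
        if e["event_id"] != 4624:
            continue
        b = baseline[e["user"]]
        b["hosts"].add(e["dst"])
        b["sources"].add(e["src"])
        b["hours"].add(e["ts"].hour)
    return baseline


def detect_failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by at least `threshold` failures of the same account within `window`."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        failures = []
        for e in evs:
            if e["event_id"] == 4625:
                failures.append(e["ts"])
            elif e["event_id"] == 4624:
                recent = [t for t in failures if e["ts"] - t <= window]
                if len(recent) >= threshold:
                    alerts.append({"user": user, "rule": "failed_then_success", "ts": e["ts"],
                                   "src": e["src"], "dst": e["dst"], "failures": len(recent)})
                failures = []  # a success ends the current run of failures
    return alerts


def detect_baseline_deviation(events, baseline):
    """Flag successful logons whose host, hour, or (for RDP) source address is outside the baseline."""
    alerts = []
    for e in events:
        if e["event_id"] != 4624:
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for account")
        else:
            if e["dst"] not in b["hosts"]:
                reasons.append(f"host {e['dst']} not in baseline")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"hour {e['ts'].hour:02d} not in baseline")
            if e["logon_type"] == 10 and e["src"] not in b["sources"]:
                reasons.append(f"RDP (logon type 10) from unseen source {e['src']}")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "dst": e["dst"], "reasons": reasons})
    return alerts


def analyze(history, recent):
    """Run both detections over `recent` using a baseline learned from `history`."""
    baseline = build_baseline(history)
    return {"failed_then_success": detect_failed_then_success(recent),
            "baseline_deviation": detect_baseline_deviation(recent, baseline)}


if __name__ == "__main__":
    for rule, hits in analyze(HISTORY, RECENT).items():
        for hit in hits:
            print(rule, hit)
```

Both rules fire on alice and neither on bob; in practice the baseline would be rebuilt on a rolling window and the hour check loosened to a tolerance, but the structure (learn per-account norms from successful logons only, then score new logons against them) is the part that carries over.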
Controlling Microsoft Remote Desktop Protocol (RDP) is also a big concern. As a matter of fact, the FBI has recently warned that attackers are increasingly exploiting RDP: “Adversaries with valid credentials can use RDP to move laterally and access information on other, more sensitive systems.” Critical vulnerabilities have also been found in RDP that allowed attackers to take control of a session and run arbitrary code on behalf of a legitimate user. One of the recommendations here is to assess the need for RDP, verify adherence to best practices, and perform regular checks to ensure it is not open to the public (i.e. block the relevant application ports) and is properly patched. Conditional access solutions can take this a step further by detecting when remote administrative protocols (such as RDP) are being used, whether legitimately or maliciously, based on identity, behavior, and risk. Both alerting and real-time response provide greater defense in depth when an exploit happens. Reducing privileged account usage as much as possible is an additional way to reduce risk.
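The remote-access policies described two paragraphs above (access only during certain hours, required MFA, an authorizer tied to the sensitivity of the asset) and the identity-, behavior- and risk-based control of RDP described here are the same decision made with different inputs. The Python below is an added example that sketches such a policy evaluator; it is not code from the Preempt Platform, and the request schema, group and zone names, tier labels, rule names and the 0.6 risk threshold are all constructed for illustration. The risk score is assumed to arrive from a separate behavioral engine. Every matching rule contributes an action and the strictest one wins, with a required step-up collapsing to "allow" when MFA was already satisfied in the session.

```python
from dataclasses import dataclass
from datetime import time

# Strictness order used to combine the actions of every matching rule.
STRICTNESS = {"allow": 0, "mfa": 1, "authorize": 2, "deny": 3}


@dataclass(frozen=True)
class AccessRequest:
    """One access decision point. The schema is constructed for this example."""
    user: str
    groups: frozenset        # directory group memberships
    protocol: str            # "rdp", "smb", "https", ...
    asset: str
    asset_tier: str          # "tier0" = identity/DCs, "tier1" = servers, "tier2" = workstations
    local_time: time         # local time at the requesting user
    source_zone: str         # "corp", "vendor_vpn", "internet"
    mfa_done: bool           # MFA already satisfied in this session
    risk_score: float        # 0.0 (normal) .. 1.0 (high); assumed to come from a behavioral engine


def business_hours(t):
    return time(8, 0) <= t < time(18, 0)


# (name, condition, action). Actions: allow, mfa (step-up), authorize (a named
# approver must confirm before the session proceeds), deny. All names are constructed.
POLICIES = [
    ("vendor-business-hours-only",
     lambda r: r.source_zone == "vendor_vpn" and not business_hours(r.local_time), "deny"),
    ("vendor-requires-mfa",
     lambda r: r.source_zone == "vendor_vpn", "mfa"),
    ("rdp-never-from-internet",
     lambda r: r.protocol == "rdp" and r.source_zone == "internet", "deny"),
    ("rdp-to-servers-admins-only",
     lambda r: r.protocol == "rdp" and r.asset_tier in ("tier0", "tier1")
               and "server-admins" not in r.groups, "deny"),
    ("rdp-to-tier0-needs-authorizer",
     lambda r: r.protocol == "rdp" and r.asset_tier == "tier0", "authorize"),
    ("risky-user-step-up",
     lambda r: r.risk_score >= 0.6, "mfa"),
]


def evaluate(req, policies=POLICIES):
    """Strictest action among matching rules; 'mfa' becomes 'allow' if MFA is already done."""
    matched = [(name, action) for name, cond, action in policies if cond(req)]
    if not matched:
        return {"decision": "allow", "matched": []}
    _, action = max(matched, key=lambda m: STRICTNESS[m[1]])
    if action == "mfa" and req.mfa_done:
        action = "allow"
    return {"decision": action, "matched": [name for name, _ in matched]}


# Constructed requests covering the cases discussed in the text.
SAMPLE_REQUESTS = {
    "vendor_night": AccessRequest("vendor-svc", frozenset(), "https", "APP01", "tier1",
                                  time(22, 0), "vendor_vpn", False, 0.1),
    "vendor_day": AccessRequest("vendor-svc", frozenset(), "https", "APP01", "tier1",
                                time(10, 0), "vendor_vpn", False, 0.1),
    "vendor_day_mfa": AccessRequest("vendor-svc", frozenset(), "https", "APP01", "tier1",
                                    time(10, 0), "vendor_vpn", True, 0.1),
    "admin_rdp_dc": AccessRequest("carol", frozenset({"server-admins"}), "rdp", "DC01", "tier0",
                                  time(14, 0), "corp", True, 0.1),
    "user_rdp_server": AccessRequest("alice", frozenset(), "rdp", "FS01", "tier1",
                                     time(14, 0), "corp", True, 0.1),
    "risky_user_share": AccessRequest("bob", frozenset(), "smb", "FS01", "tier1",
                                      time(11, 0), "corp", False, 0.8),
    "ordinary": AccessRequest("bob", frozenset(), "smb", "FS01", "tier1",
                              time(11, 0), "corp", False, 0.1),
}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:18} -> {evaluate(req)}")
```

Returning the list of matched rule names alongside the decision is deliberate: it gives the analyst reviewing an alert, or the authorizer approving a tier-0 RDP session, the same explanation the engine used, which is what makes audits of remote-access logs tractable.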
To be sure, implementing these recommendations can help reduce the impact of credential compromise, malicious hackers, and APTs. It can help prevent them from gaining full control of the network infrastructure and enabling further compromise of devices and data. Over time, as the perimeter continues to dissolve, organizations will need to look more to behavior-based identity to better enforce security policies and reduce risk. Conditional access solutions, like the Preempt Platform, enable that change.