One Identity: How to mitigate the risks of spearphishing
Article by One Identity APJ technology and strategy regional manager Serkan Cetin
The term phishing sums up age-old cyber-attacks perfectly.
Cyber criminals throw a line into the digital pond and hope an unsuspecting victim will take the bait and share valuable information such as login credentials.
Login credentials are a goldmine for cybercriminals, as they often lead to access to internal IT systems.
According to Forrester, 80% of security breaches involve the theft of privileged credentials.
From large web services providers, to international e-commerce companies, digital media service providers and health insurance companies, recent breaches have shown no industry is safe.
However, like traditional fishing practices, the practice has evolved.
Spearphishing is the new norm.
As the term suggests, targeting one company rather than casting a wide net allows threat actors to take a more sophisticated approach.
This targeted approach can be harder to spot than general phishing.
Threat actors will perform research on the intended target organisation and then craft emails which appear more authentic, such as impersonating real executives or sharing publicly available information which builds trust in unsuspecting employees.
Typically, when criminals gain access to an employee’s login details, they go searching for privileged accounts.
These accounts have more access to restricted sections of a business’ network, and often information behind a locked door is most valuable.
Organisations can take steps to protect themselves against privileged identity theft, such as understanding what privileges every account has, deploying a central session management hub, and analysing user behaviours.
Keep an up-to-date inventory of privileged accounts
As IT environments grow, the number of administrative, service and other types of privileged accounts can proliferate.
Enterprises running networks with thousands or tens of thousands of servers, applications and network devices often lack an accurate inventory of these assets.
Keeping a comprehensive, up-to-date inventory of privileged accounts, including ownership information for those accounts, allows IT teams to understand potential risks, which accounts they should be monitoring for suspicious activity and who in the business is responsible for the account.
Limit the scope
Best practice for privileged access is to limit the scope across the environment of any privileged account to enforce the principle of least privilege.
Each account should have exactly the minimum rights required to carry out a specific set of tasks (only those appropriate for the role of the individual), and nothing more.
Accounts that have access to more than what they need access to represent an unnecessary risk to the organisation.
Attesting the validity for privileged accesses that are granted to identities and accounts should be part of a regular process.
Remediation should involve automatically revoking privileged accesses from accounts and de-activating accounts which are no longer required.
These processes will assist with the overall management, administration and governance, as well as eliminating potential backdoors into the enterprise.
Privileged session management
If an attacker has compromised privileged credentials, they can inflict enormous damage on an organisation.
Implementing a privileged session management solution provides a central access control point providing several benefits, such as a central policy enforcement point where managers can restrict user activity, a point of integration for authentication tools such as password management and multi-factor authentication, real-time monitoring of privileged users, and recording of sessions which provides audit trails for determining how attacks occurred.
Privileged session management mitigates the risk of a successful breach by hardening privileged accounts and limiting the types of assets that can be accessed and the types of commands that can be executed.
It doesn’t, however, detect when privileged credentials have been compromised.
In recent years, new technologies leveraging machine learning and analytics have emerged to fulfil this need.
Traditional security tools such as Security Information and Event Management (SIEM) can fail to detect malware, intruder and bot attacks because they rely solely on post event log data which are used in a rules-based approach.
User Behaviour Analytics (UBA), on the other hand, uses Artificial Intelligence (AI) and machine learning to first learn a user’s behaviour, then continuously monitor the user’s digital behaviour to identify inconsistencies which may suggest a threat actor has gained access to their account.
UBA is a powerful tool to fill the gaps in an organisation’s security approach.
By capturing data about user behaviour and applying advanced analytical techniques, UBA tools can build a baseline of normal user behaviour and, through continuous monitoring of user actions, detect when unusual activity or deviations from the baseline occur.
Continuously comparing actual activity to each user’s digital footprint enables behaviour analytics tools to detect suspicious activity related to an attack.
Behavioural biometrics is one of the most exciting developments in IT security because it serves as a form of continuous authentication.
As we can see from the growing number of cyber-attacks, one-off authentication methods as a means of telling friend from foe have failed to provide adequate protection.
Continuous authentication promises to detect privileged identity theft.
A wide range of organisations have fallen victim to sophisticated, well-resourced spear-phishing attacks from cyber criminals. However, measures exist to mitigate the risks of the attack.
Process improvements and end-user education are key measures that should be part of every organisation’s security strategy.
Further, combining identity governance and privileged access management technologies can help protect organisations from potential breaches by controlling accesses and privileges assigned to accounts, and by using behavioural analytics as part of session management be able to stop attackers before they are able to inflict damage on organisations.