How Unseen Attackers and Hackers Can Lurk Among Privileged Accounts

IT professionals are constantly battling cyber threats. And while the security threats may vary, many of the most hidden and undetected cyber threats these days involve privileged user accounts.
Privileged accounts are basically those enterprise accounts that belong to users who have been granted administrative privileges to systems. The accounts may harbor unexpected attackers, which raises security concerns about serious data breaches and cyber abuse.
Because data integrity is critically important to businesses and organizations nowadays, you need to know how to protect your company’s privileged accounts from cyber threats lurking around.
It’s important to learn how to investigate your company's privileged accounts and secure the accounts from cyber-attacks. That starts with identifying the risks involved and cases of abuse.
What Is Privileged Account Abuse?
As already mentioned above, a privileged account is a user account that has administrative or other elevated privileges associated with it. Abuse of these accounts happens when those privileges are misused, used inappropriately, or used without authorization. Many times, this happens with malicious intent, although sometimes it happens accidentally or through willful ignorance of policies.
Privileged account abuse is currently the second most common cause of security threats, according to Verizon's 2017 Data Breach Investigation Report.
Figure: DBIR graph showing privilege misuse as one of the top causes of cyber breaches and incidents.
How Does Privileged Account Abuse Happen?
Businesses often don't monitor privileged account activity or limit the rights those accounts carry. And, most of the time, users have more access rights than they need in order to do their jobs. So, the access rights are simply available for anyone to use or misuse at any time, undetected.
IT management is in charge of user accounts, but security is in charge of finding threats. Privileged account abuse straddles both areas and neither covers it completely. This means there's a lack of oversight when it comes to misused access rights.
Consequences of Poor Management of Privileged Accounts
Access to privileges is a gateway to a system's data. Even if a user is unintentionally misusing access, it can lead to a leak or loss of sensitive information.
Systems and applications may shut down for any period of time, damaging business operations. This can then lead to bad publicity, loss of customers, and even long-term lawsuits.
Internally, a business might face compliance failures and their penalties. Management could see steep fines or even imprisonment.
Privileged Accounts Are Top Targets for Cybercriminals
Sometimes, attackers come from outside business walls. A 2015 survey suggests that 45% of hackers prefer targeting privileged accounts. This is because these are the accounts with a high amount of access rights to sensitive data and records.
Attacking these accounts means hackers can access the network and make any changes. They can also restrict access for others while taking any files they'd like.
Why Cybercriminals Target Privileged Accounts
Hackers know privileged accounts have untapped potential for their financial gain. They use malware, stolen credentials, and phishing schemes to search for secure data.
Usually, an attacker won't stop at a single account. Instead, they use one account as a gateway into an entire system, harvesting further credentials along the way.
With that access, they may find files containing customers' private information: credit card numbers, Social Security numbers, phone numbers, and addresses. They may find bank account details, business files, or other information worth selling.
Some hackers may focus on destroying key information a business needs, or even on holding it for ransom.
Hackers don't have to be the stereotypical hooded guy in a basement. No, attackers can be as sophisticated as businesses themselves. In some cases, they have actually turned their crimes into a business, complete with salaries and benefits.
The Process of Attacking
A hacker can attack any kind of privileged account. This is true for an upper-management account as well as for a mid-level employee who has privileged access.
All attackers need is one access point to get their hands on potential information. They generally follow a simple process that is very effective:
- Identify and obtain any credentials that have privileged access.
- Access a separate endpoint
- Repeat and repeat until they find what they want.
How Hackers Identify Privileged Accounts
There are several steps an attacker makes to identify a privileged account and take advantage of it:
- Survey the privileges of local users
- Attempt to log on with higher privileges
- Bait with a malicious Word document and wait for the user to open it and infect a second endpoint.
- Use tools to walk through the endpoint's memory
- Move within the organization's user accounts
Hackers go through these steps like clockwork. And they don't stop until they find what they’re after.
Challenges of Preventing Cyberattacks on Privileged Accounts
Managing these threats is often a difficult task for organizations. This is because it's hard to prevent hackers from accessing the controls without also preventing users from doing their jobs.
Most privileged users have vital roles within the business. They need some of that access. So, blocking their access can damage their work and productivity, too.
Naturally, the solution would be to select individual controls. Decide what each user can and cannot do. This would give another layer of security, but it would also make a highly restrictive environment. And that leads to less productivity and can present challenges.
What Happens After an Attack?
Cyber security should also focus on what happens after an attack. That means your IT security needs to watch for patterns of attacks and breaches and defend against them.
Is a user showing typical behavior? Are they accessing files they typically use? Are the times they're logged on suspicious in any way?
Users usually have patterns in their internet activity. It's easy to see when they log on and how they spend their time. We can build a baseline profile using the information in those patterns.
We can then apply algorithms to watch a user's activity. If there is anything unusual happening, such as logging in at an odd time of day, security can be alerted.
This can help stop a breach before it even happens.
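The baseline-and-deviation idea described above, as an added example that is not part of the original article: a small Python script that builds a per-user profile (normal logon hours, hosts and resources) from a period of known-good activity, then flags later events that fall outside that profile, such as a logon at an odd hour or from a host the user never used before. The log lines and the `timestamp key=value ...` format are constructed for illustration and do not represent any particular product's log format; the one-hour tolerance on logon times is an assumed tuning knob.

```python
"""Baseline-and-deviation check for privileged account activity.

Added example (not from the article). Log lines are constructed for
illustration; the key=value format is an assumption, not a real product's.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known-good" activity used to build each user's baseline.
BASELINE_LOG = """\
2024-03-04T08:55:10 user=alice host=ws-finance-01 action=logon
2024-03-04T09:10:42 user=alice host=ws-finance-01 action=read resource=/finance/ledger.xlsx
2024-03-04T17:20:03 user=alice host=ws-finance-01 action=logoff
2024-03-05T09:02:11 user=alice host=ws-finance-01 action=logon
2024-03-05T14:31:27 user=alice host=ws-finance-01 action=read resource=/finance/payroll.csv
2024-03-04T07:45:00 user=bob host=srv-db-02 action=logon
2024-03-04T07:50:31 user=bob host=srv-db-02 action=read resource=/var/backups/db.dump
2024-03-05T08:01:15 user=bob host=srv-db-02 action=logon
"""

# Constructed later activity to be scored against the baseline.
NEW_LOG = """\
2024-03-06T09:05:00 user=alice host=ws-finance-01 action=logon
2024-03-06T09:30:12 user=alice host=ws-finance-01 action=read resource=/finance/ledger.xlsx
2024-03-06T02:47:55 user=alice host=srv-db-02 action=logon
2024-03-06T02:49:03 user=alice host=srv-db-02 action=read resource=/var/backups/db.dump
2024-03-06T07:58:40 user=bob host=srv-db-02 action=logon
"""

HOUR_TOLERANCE = 1  # assumed: a logon within this many hours of a baseline hour is normal


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict; ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed event: {line!r}")
    event = {"ts": datetime.fromisoformat(parts[0])}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if not sep:
            raise ValueError(f"malformed field {kv!r} in {line!r}")
        event[key] = value
    if "user" not in event or "action" not in event:
        raise ValueError(f"event missing user/action: {line!r}")
    return event


def build_baseline(log_text):
    """Summarise each user's normal logon hours, hosts and resources."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set(), "resources": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        profile = baseline[ev["user"]]
        if "host" in ev:
            profile["hosts"].add(ev["host"])
        if ev["action"] == "logon":
            profile["hours"].add(ev["ts"].hour)
        if "resource" in ev:
            profile["resources"].add(ev["resource"])
    return dict(baseline)


def _hour_is_normal(hour, baseline_hours):
    """True if the hour is within HOUR_TOLERANCE of any baseline logon hour (wrapping at midnight)."""
    return any(
        abs(hour - h) <= HOUR_TOLERANCE or abs(hour - h) >= 24 - HOUR_TOLERANCE
        for h in baseline_hours
    )


def score_event(baseline, ev):
    """Return the list of ways this event deviates from the user's baseline (empty = normal)."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if ev["action"] == "logon" and not _hour_is_normal(ev["ts"].hour, profile["hours"]):
        reasons.append(f"logon at unusual hour {ev['ts'].hour:02d}")
    if ev.get("host") not in profile["hosts"]:
        reasons.append(f"activity from new host {ev.get('host')}")
    if "resource" in ev and ev["resource"] not in profile["resources"]:
        reasons.append(f"access to resource outside baseline {ev['resource']}")
    return reasons


def detect_anomalies(baseline, log_text):
    """Return (line, reasons) for every event that deviates from its user's baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = score_event(baseline, parse_event(line))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in detect_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(line, "->", "; ".join(reasons))
```

Run as-is, the script reports only alice's 02:47 logon and the follow-up file read from srv-db-02, both of which fall outside her baseline on two counts (hour and host, then host and resource); her normal morning activity and bob's are silent. In practice the baseline window should be long enough to cover legitimate variation (on-call shifts, month-end work), and findings should feed an alert queue for review rather than block the session outright, since a privileged user who is blocked mid-task is the productivity problem the next section describes.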
Respond in Time
Response time is of the essence when it comes to cybersecurity. You shouldn’t wait for an attack to respond to it. You need to be vigilant always and take measures to stop attacks promptly.
Now that you know how hackers can attack your privileged accounts, it’s easier to find a way to secure your networks and make it difficult for cybercriminals to target your business.