Sony Hack: Just Another Privilege Escalation?
Concerning Sony, Sanjay Tandon writes that, “in all likelihood, what happened here is that malicious perpetrators gained administrative access within Sony’s network, and used it to obtain access to whatever they wished to obtain access.” In his Cyber Security Blog post, Tandon describes in detail how the hack may have played out against Active Directory and certain measures one can take using his company’s Active Directory security products and recommended practices.
Sanjay cites a CNN article as his source for understanding the hack: “U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony’s computer system, allowing them broad access. The finding is one reason why U.S. investigators do not believe the attack on Sony was aided by someone on the inside [rather than North Korea]…[t]he hackers’ ability to gain access to the passwords of a top-level information technology employee allowed them to have ‘keys to the entire building.’”
This is a great object lesson in what I wrote about in “There’s No Patch for Privilege Escalation.” Often all it takes is a spear phishing attack, or some other way to get access to a system administrator’s PC, and from there hackers have the keys to the kingdom. Tandon puts it even more dramatically – “the whole world is sitting on a ticking time bomb.”
Why are many of these big hacks so easy? Once an attacker breaks through the hard shell of the enterprise firewall, or the thin skin of an endpoint’s protection, he or she can escalate privileges moving laterally through the IT environment, following the networks of working relationships within the organization.
Why does this weakness, this IT vulnerability to lateral movement and privilege escalation, exist? If you look at other enterprise directory, security and management systems you’ll find Active Directory isn’t the only one that may expose lateral vulnerability. We are told the attack on Target passed through a BMC management system, for example. That’s why I call privileged user accounts and service accounts the soft underbelly of IT security, and in the post by that name I walked through an Active Directory kill chain, or attack path, analysis.
Along with risk aggregation, soft underbellies are like a law of nature in IT – a product of organic growth. After building and interconnecting system after system in a more or less unplanned manner over time, organizations tend to over-rely on centralized management and security systems like Active Directory to make sense of them. These systems become Grand Central Station for all IT operations. They contain many accounts, security groups and permissions. And the creation and use of this vital security information isn’t tracked closely enough, given the consequences its abuse could unleash.
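To make the “keys to the entire building” problem concrete, here is an added example (mine, not from Tandon’s post or any product) of the kind of check a defender runs over an Active Directory inventory. All hosts, accounts and group memberships below are constructed for illustration, and the rule that any host named `DC-*` is a tier-0 system is an assumption. The check answers two questions: if one ordinary workstation is compromised, which accounts have credentials resident there and which other hosts do those accounts administer; and which tier-0 administrators are logging on to hosts outside tier 0 at all, which is the single-admin-PC exposure the post describes.

```python
from collections import deque

# Constructed sample inventory (not real hosts, accounts or groups).
GROUPS = {
    "Domain Admins": {"alice.da"},
    "Helpdesk": {"bob.hd", "carol.hd"},
}

# host -> principals (accounts or groups) holding local admin rights on it
ADMIN_OF = {
    "WS-101": {"Helpdesk"},
    "WS-102": {"Helpdesk"},
    "FILE-01": {"Domain Admins", "bob.hd"},
    "DC-01": {"Domain Admins"},
}

# host -> accounts with a logon session (credential material resident on the host)
SESSIONS = {
    "WS-101": {"dave.user", "alice.da"},  # a Domain Admin logged on to a workstation
    "WS-102": {"erin.user", "bob.hd"},
    "FILE-01": {"bob.hd"},
    "DC-01": {"alice.da"},
}

TIER0_PREFIX = "DC-"  # assumption: domain controllers are the tier-0 hosts


def expand(principal):
    """Resolve a group to its member accounts; an account resolves to itself."""
    return set(GROUPS.get(principal, {principal}))


def admins_of(host):
    """Every individual account with local admin rights on host."""
    accounts = set()
    for p in ADMIN_OF.get(host, ()):
        accounts |= expand(p)
    return accounts


def hosts_administered_by(account):
    return {h for h in ADMIN_OF if account in admins_of(h)}


def exposure_from(start_host, sessions=SESSIONS):
    """Breadth-first walk: from an owned host, every account with a session
    there is exposed, and every host such an account administers becomes
    owned in turn. Returns (owned hosts, exposed accounts)."""
    owned = {start_host}
    exposed = set()
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for acct in sessions.get(host, ()):
            exposed.add(acct)
            for target in hosts_administered_by(acct):
                if target not in owned:
                    owned.add(target)
                    queue.append(target)
    return owned, exposed


def tier_violations(sessions=SESSIONS):
    """Tier-0 administrators that have a session on a non-tier-0 host."""
    tier0_admins = set()
    for host in ADMIN_OF:
        if host.startswith(TIER0_PREFIX):
            tier0_admins |= admins_of(host)
    return sorted(
        (acct, host)
        for host, accts in sessions.items()
        if not host.startswith(TIER0_PREFIX)
        for acct in accts
        if acct in tier0_admins
    )


if __name__ == "__main__":
    owned, exposed = exposure_from("WS-101")
    print("compromise of WS-101 reaches:", sorted(owned))
    print("accounts exposed along the way:", sorted(exposed))
    print("tier-0 admins on non-tier-0 hosts:", tier_violations())
```

In the constructed inventory a single workstation reaches the domain controller in two hops, because a Domain Admin has a session on WS-101; remove that one session and the same walk stops at the workstation. That is the mitigation the rest of the post argues for: keep tier-0 credentials off every host that is not tier 0, and measure it continuously rather than assuming it.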
And underneath the seamy underbellies you’ll find even worse things – shared desktop administration accounts, shared application passwords, default passwords, passwords encoded in scripts. Just bad, bad practice.
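The last item on that list, passwords encoded in scripts, is the one a defender can hunt for mechanically. The following is an added example (my code, not part of the original post) of a small credential scanner run over a few constructed script fragments embedded inline; the patterns cover a shell `-p` password argument, a `net use /user:` command with a trailing password, a PowerShell `ConvertTo-SecureString ... -AsPlainText` literal, and a generic `password=` style assignment, and the secret itself is redacted from every finding so the report can be shared without repeating the exposure.

```python
import re

# Constructed sample scripts; the credentials are made up for illustration.
SAMPLES = {
    "backup.sh": "#!/bin/sh\nmysqldump -u backup -pS3cretBackup! appdb > /tmp/app.sql\n",
    "deploy.ps1": (
        '$pw = ConvertTo-SecureString "Winter2014!" -AsPlainText -Force\n'
        "net use \\\\FILE-01\\share /user:CORP\\svc_deploy Deploy#99\n"
    ),
    # Reads the secret from the environment instead: should produce no finding.
    "clean.py": "import os\nDB_PASSWORD = os.environ['DB_PASSWORD']\n",
}

# (rule name, compiled pattern); each pattern captures the secret as 'secret'
PATTERNS = [
    ("assignment",
     re.compile(r"""(?i)(pass(word)?|pwd|secret|api[_-]?key)\s*[:=]\s*['"](?P<secret>[^'"]{4,})['"]""")),
    ("mysql -p",
     re.compile(r"(?<!\S)-p(?P<secret>\S{4,})")),  # -p glued to the password, not --port
    ("net use /user:",
     re.compile(r"/user:\S+\s+(?P<secret>\S+)")),
    ("ConvertTo-SecureString",
     re.compile(r"""(?i)ConvertTo-SecureString\s+['"](?P<secret>[^'"]+)['"]\s+-AsPlainText""")),
]


def redact(line, match):
    """Replace the captured secret with *** and keep the rest of the line."""
    return line[:match.start("secret")] + "***" + line[match.end("secret"):]


def scan_text(name, text):
    """Return one finding per (line, rule) hit, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"file": name, "line": lineno, "rule": rule,
                                 "text": redact(line, m)})
    return findings


def scan_all(scripts):
    """Scan a mapping of script name -> contents."""
    out = []
    for name, text in scripts.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['text']}")
```

Pattern lists like this are a starting point, not a guarantee: they find the obvious encodings the post complains about, and the finding should drive the fix (move the secret into a vault or the environment, rotate it) rather than become a permanent allow-list.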
But there is a solution – privileged access management (PAM) systems. I’ll unpack PAM for you in my next post.