In our increasingly interconnected world, every entity – be it a person, device, application, or service – has a unique identity which grants it access to data and technology or operational systems that organizations rely on to effectively run their business.
Some of these identities, or ‘super-users’, require privileges that grant them administrative access to critical systems. This could be an individual running the company’s IT infrastructure, an external third-party vendor remotely troubleshooting business software, or even an API that communicates with different applications. Sometimes, due to human oversight, a ‘super-user’ might even be a contractor who worked for the business in some capacity years ago and who has long since forgotten they ever had privileged access.
As is often the case, cybercriminals are one step ahead and aware that users with privileged access to a company’s core make prime targets. Compromising those individuals’ accounts means the attackers have to do a great deal less heavy lifting to achieve their goals, which explains the popularity of highly targeted spear-phishing attacks on certain individuals in a company. In a recent conversation Tech Wire Asia had with Nigel Tan, Delinea’s APAC Director, Systems Engineering, we discussed identity security, context-based authorization, and simplifying the management of privileged access to complex server environments, with particular reference to the ways that enterprises can protect their most valuable data across cloud and traditional infrastructure.
The initial point of incursion into a targeted organization may not be a privileged user in the first instance, Nigel said. “Where the privilege exposure comes in is that once that initial incursion point is acquired by the criminal, they’ll then try to elevate [access level] by using enumeration techniques, or passing a hash to progress in their attack.”
The tools used to combat attacks that begin in this and a host of other ways are multi-part, like all cybersecurity protective measures. The first part of the solution works at the point of first contact: when the rogue user makes their first attempt to authenticate themselves with a target network. Many companies use Microsoft Active Directory as a controlling hub for user and machine authentication, but there are many other options in use by today’s enterprises, like Ping, Okta, Google Identity Services, 389 Directory Server, and many others.
Delinea’s solutions integrate with many authentication and identity management mechanisms. To add an extra level of user authentication, many organizations use third-party, household-name account providers to ensure authenticity. Logging on with Meta, iCloud, or a Google account is convenient for users and has the added benefit of a third party working towards the same goal as the enterprise: making sure that users are who they say they are.
That’s not the end of the story, of course. Nigel said, “Companies also have to be aware of the risks, and make sure they control the privileges that these accounts have access to. You want reassurance that you control access, and authorize correctly and also strongly authenticate. So elements like MFA have to come into play to make sure that the user is who they say they are.”

Gathering logs
The systems a user interacts with log every authentication to a network (and most other activities afterwards). The virtual crumb trail left by every user, bad actors among them, is a powerful tool to detect incursions and is often the first port of call in forensic examinations of events after an attack. In big networked systems, however, there may be thousands of sources of information.
“The audit logs are essentially disparate, right? So individual host systems would have a log, applications would have access logs, perhaps even network devices would have access logs. So by putting [Delinea] solutions in, you actually have a single source of all the accesses. As users are going through all the systems linearly, we have that central record of who is accessing what, when, and how.”
Taken together, the disparate log entries can create a picture of activity, pieced together in the Delinea dashboard. The IT team’s workflows are effectively the same but massively less prone to error. But beyond this record of a virtual journey, what actually happened may quickly become a matter of conjecture: user x spent y minutes on service z, which may or may not have involved illicit activity.
“What we do differently, I think, from standard logging is we can record the sessions as well. So, the actual visual recording of what a user is doing while they’re on that particularly sensitive system. So that would allow deeper analysis should an incident occur.
“Now, one of the cool things that we’ve come up with is that there’s going to be thousands and thousands of hours of recordings being generated. How does a security analyst go through all that? We’re working with technology where we use AI to identify anomalies in that recording. So for example, we see that a user has switched off a firewall, or we see a user has gone to a website to download Mimikatz. We can actually flag these out so that security analysts can zoom straight into the recordings and watch them.”
This type of detail, captured, centralized, and prepared for deeper analysis, is also the core of UBA (user behavior analytics), which flags activity by any user (but especially those with any level of privilege above ‘normal’) that doesn’t fit that user’s established pattern.
“So if I was an administrator that typically would log into a set of ten servers from nine to five every day, and all of a sudden, on a Sunday, I’m logging in at 12 midnight. That would get flagged as an anomaly, and a reason for an analyst to go in and do deeper investigation.”
The ability for security teams to see in real time when an incident is taking place means that they can apply remediation from their central command position by removing the user, disabling their account, or placing them in a quarantine group.
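A toy version of the baseline-and-anomaly check described above, added here as an illustration and not Delinea’s code: it learns an administrator’s usual hosts, weekdays and login hours from a constructed central access record, then flags the Sunday-midnight login, a host the user has never touched, and an identity with no history. All log lines, user names and host names are constructed.

```python
from collections import defaultdict
from datetime import datetime
# Constructed central access record (ISO timestamp, user, host); not real log data.
BASELINE_LOG = """\
2024-03-04T09:02:11 alice srv-01
2024-03-05T16:48:30 alice srv-02
2024-03-06T13:20:00 alice srv-03
2024-03-07T09:00:30 alice srv-04
2024-03-08T16:55:19 alice srv-02
"""
REVIEW_LOG = """\
2024-03-11T09:03:12 alice srv-03
2024-03-10T00:02:47 alice srv-01
2024-03-10T00:04:10 alice srv-99
2024-03-11T10:15:00 mallory srv-01
"""

def parse(log_text):
    """One event per line -> (datetime, user, host)."""
    return [(datetime.fromisoformat(ts), user, host)
            for ts, user, host in (line.split() for line in log_text.splitlines())]

def learn_baseline(events):
    """Per user: hosts and weekdays seen, plus the earliest and latest login hour."""
    per_user = defaultdict(list)
    for ts, user, host in events:
        per_user[user].append((ts, host))
    return {u: {"hosts": {h for _, h in es},
                "weekdays": {t.weekday() for t, _ in es},
                "hours": (min(t.hour for t, _ in es), max(t.hour for t, _ in es))}
            for u, es in per_user.items()}

def detect_anomalies(events, baseline):
    """Return (timestamp, user, host, reasons) for every event that breaks the baseline."""
    findings = []
    for ts, user, host in events:
        b = baseline.get(user)
        if b is None:
            reasons = ["no baseline for user"]  # first sighting of this identity
        else:
            lo, hi = b["hours"]
            checks = [(host not in b["hosts"], "host outside usual set"),
                      (ts.weekday() not in b["weekdays"], "unusual weekday"),
                      (not lo <= ts.hour <= hi, "outside usual hours")]
            reasons = [why for hit, why in checks if hit]
        if reasons:  # anything flagged is a lead for an analyst, not a verdict
            findings.append((ts.isoformat(), user, host, reasons))
    return findings

if __name__ == "__main__":
    print(*detect_anomalies(parse(REVIEW_LOG), learn_baseline(parse(BASELINE_LOG))), sep="\n")
```

The Monday 09:03 login to a known host produces nothing; the two Sunday-midnight events and the unknown user each produce a finding an analyst can open the session recording for.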
The Linux legacy
Depending on who you ask, the actual statistics vary on what proportion of enterprise businesses’ critical systems run on Linux. Given that most cloud computing, AWS included, is Linux-based, it’s a fair bet that ignoring security for these devices creates a massive blind spot for many organizations.
Linux has its flaws, like any piece of software, and this is a fact keenly exploited by bad actors. Nigel said one issue goes back to how the OS has historically lacked any de facto standard for centralized authentication. “Every user has to have an account on every single server. So you can imagine if you have a fleet of 10,000 Linux servers and 10 administrators, you essentially have to manage 100,000 accounts. And that is a very big administrative overhead.
“So one of the big things that we can do is to federate all identities across all these machines into a central directory, whether that be Active Directory, whether that be Okta, Ping, and so forth. We can also add more secure authentication, like multi-factor authentication, to the login process.”

The super-user
In a typical Linux system, a ‘standard’ user account can do very little damage to the operating system without ‘super-user’ or ‘root’ status. It’s a logical progression, therefore, that systems administrators in a Linux environment are given super-user status to be able to do their jobs. Literally, they are granted membership of the ‘sudo’ group (‘do as super-user’). Like authentication on individual instances of Linux, membership of the sudo group tends to be controlled on a per-machine basis.
“The reality is not everybody needs everything that sudo does. So what we do in that space is very selectively elevate certain commands for certain users. And we can have policy control centrally, so that you can match this across multiple thousands of Linux and UNIX machines.”
Higher-privileged users can also be given access to super-user powers for predetermined times on predetermined servers. This type of granular control also allows systems administration to be zone-based. Nigel said, “So you might have, for example, the HR group of servers, and a power plant group of servers. And they may have different policies. We can define different policies and push them out to different zones, so that they’re appropriately protected.”
Teams working on Linux servers don’t experience any disruption to their workflows, but all operations are conducted more safely. Neither they nor bad actors impersonating them can overstep the boundaries preset by central policies.
Conclusion
The reality of computing is that specific individuals in an organization have the power to exfiltrate data, encrypt everyday users’ desktop machines, and corrupt years of priceless intellectual property.
But bad actors need the same levels of access and ability as these privileged users to do significant damage, which is why it’s so important not only to secure the identities but also to have granular control over what they are allowed to do. In many ways, it’s protecting the privileges themselves, not the person, that is key, which is why steps like time-limited privilege elevation are so effective. They essentially narrow the gaps through which attackers can wriggle.
Equally important is the ability to discover all privileged activities across traditional and cloud infrastructure, automate authorization throughout the identity lifecycle, and proactively detect irregularities or identity misconfigurations. This gives companies clear visibility of their security posture and lets them respond to identity-related threats in real time. Check out this free Unix Privileged Account Discovery Tool from Delinea to get a detailed custom report on reducing your vulnerabilities and security risks.
Contact a representative near you to find out more about how Delinea can make you more secure and more productive, and future-proof your identity security.