Stolen Credentials are a Core Attack Tool in the APT Anatomy

Hackers exploit user credentials in advanced persistent threat attacks to gain a foothold and move around inside the organization

By Santeri Kangas, Omada CTO


Advanced Persistent Threat (APT) attacks typically target organizations in sectors with highly valuable information, and sectors that play a pivotal role in the stability of nation states – for example the financial industry, government, manufacturing and the energy and utilities industry, all of which are critical to a country’s infrastructure.

Crime, warfare, espionage and terrorism are as present in the digital world as in the physical one, and organizations in these sectors are targeted by increasingly sophisticated attacks: they are high-profile targets for criminal organizations and nation states that wish to damage critical infrastructure or steal valuable data.

How does an APT work?

The point of APTs is that they are designed to go undetected, tapping the hacked environment for information over long periods of time.

APTs are devised and executed by professionals, not amateur hackers. Behind an APT is an organization that focuses its time and resources on understanding how to attack a specific target: it researches the organization, collects information on it, and customizes the tools best suited for the attack. An APT usually combines a variety of tactics and tools. It often starts with a fairly trite piece of social engineering, such as a simple PDF sent to the HR department, carrying an exploit for a software vulnerability. Publicly known vulnerabilities and zero-day vulnerabilities in applications are popular with attackers both as entry points and as enablers of privilege escalation.

Credentials are the key to the kingdom

Once attackers are inside, user credentials are the key to the kingdom. User credentials, particularly administrative credentials with extensive access rights, are a core attack tool in APT attacks: attackers use them to establish a foothold in the organization and then to move further into the infrastructure.

The attackers navigate the infrastructure, identifying users with the access rights required for the data and systems they want to extract information from. In an environment with little or no control, maintenance and monitoring of changes in user rights and of actual usage, it is easy for intruders to lurk undetected and to manipulate privileges into ever more, and ever more specific, access to the most sensitive and valuable corporate treasure chests.

How to minimize the damage from an APT

While there is little an organization can do to prevent being hacked, there is plenty the organization can do to make it difficult for hackers to get to their target, and to protect the data the hackers are trying to steal.

At the very top of the “What to do” list is to ensure that no individual user has access to more data and systems than they need, and that the organization can respond quickly and effectively by suspending compromised accounts and locking down access the instant a breach is detected.

The organization needs to be able to:

  • Map all accounts, access rights and credentials to obtain visibility of who can access what data
  • Identify the highly sensitive systems and data stores, and the users who have access to them – for example users with access to SWIFT payment gateways or classified intellectual property
  • Detect anomalies in account usage – access rights or credentials changed outside the governance controls, or other indications of compromise
  • Organize efficient incident response workflows and automation to respond quickly, by locking down compromised accounts or revoking access to classified systems and data stores
  • Cut down the time required for the forensics response with efficient workflows and reports that give the forensics team the information they need when analyzing the attack
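The five capabilities above amount to one review loop: compare what governance approved against what the target systems actually show, flag changes that bypassed the governance workflow, list who can currently reach the sensitive systems, and turn the findings into an ordered revocation list. The Python below, added here as an illustration and not code from this post or from Omada's products, runs that loop over constructed sample data. It assumes the governance baseline and the target-system snapshot are both dicts of user to entitlement set (as you would get from parsing an AD group-membership export), that each audit record carries the identity that made the change and a request ticket (None when the change was made outside the workflow), and it uses invented names for the IGA service account, the groups and the users.

```python
"""Access review loop over constructed sample data: entitlement drift,
out-of-band changes, sensitive exposure and a prioritised lockdown list.
Added example; all account, group and ticket names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: what governance says each account is approved to hold.
APPROVED = {
    "alice": {"Finance-Readers", "VPN-Users"},
    "bob": {"VPN-Users", "HR-Staff"},
    "svc-backup": {"Backup-Operators"},
}

# Constructed sample: what the target system actually shows right now.
CURRENT = {
    "alice": {"Finance-Readers", "VPN-Users", "SWIFT-Gateway-Operators"},
    "bob": {"VPN-Users"},
    "svc-backup": {"Backup-Operators", "Domain Admins"},
    "ghost": {"VPN-Users"},  # account with no governance record at all
}

# Entitlements that guard the "treasure chests" (assumed names).
SENSITIVE = {"SWIFT-Gateway-Operators", "Domain Admins", "IP-Vault-Readers"}
PROVISIONING_ACCOUNT = "svc-iga-provisioner"  # assumed IGA service account


@dataclass(frozen=True)
class Change:
    when: datetime
    user: str
    entitlement: str
    action: str            # "add" or "remove"
    changed_by: str
    ticket: Optional[str]  # governance request id, None if none recorded


# Constructed sample change log from the target system's audit trail.
CHANGE_LOG = [
    Change(datetime(2016, 6, 1, 9, 0), "alice", "Finance-Readers", "add", PROVISIONING_ACCOUNT, "REQ-1001"),
    Change(datetime(2016, 6, 3, 23, 41), "alice", "SWIFT-Gateway-Operators", "add", "admin-joe", None),
    Change(datetime(2016, 6, 4, 2, 15), "svc-backup", "Domain Admins", "add", "admin-joe", None),
    Change(datetime(2016, 6, 5, 10, 0), "bob", "HR-Staff", "remove", PROVISIONING_ACCOUNT, "REQ-1007"),
]


def find_drift(approved, current):
    """Per user: entitlements held but not approved, approved but not held,
    and whether the account has no governance record at all."""
    drift = {}
    for user in set(approved) | set(current):
        have = current.get(user, set())
        should = approved.get(user, set())
        extra, missing = have - should, should - have
        if extra or missing or user not in approved:
            drift[user] = {"unapproved": extra, "missing": missing,
                           "ungoverned": user not in approved}
    return drift


def out_of_band_changes(log, provisioning_account=PROVISIONING_ACCOUNT):
    """Changes that bypassed the governance workflow: no ticket, or made
    directly by someone other than the provisioning service."""
    return [c for c in log if c.ticket is None or c.changed_by != provisioning_account]


def sensitive_exposure(current, sensitive=SENSITIVE):
    """Who can reach each sensitive system right now."""
    exposure = defaultdict(list)
    for user, ents in current.items():
        for ent in ents & sensitive:
            exposure[ent].append(user)
    return {ent: sorted(users) for ent, users in exposure.items()}


def lockdown_plan(drift, sensitive=SENSITIVE):
    """Ordered response list: revoke unapproved sensitive grants first,
    then disable ungoverned accounts, then revoke the remaining drift."""
    actions = []
    for user, d in drift.items():
        if d["ungoverned"]:
            actions.append(("disable", user, None))
        for ent in d["unapproved"]:
            actions.append(("revoke", user, ent))

    def rank(action):
        verb, user, ent = action
        if verb == "revoke" and ent in sensitive:
            return (0, user, ent)
        if verb == "disable":
            return (1, user, "")
        return (2, user, ent)

    return sorted(actions, key=rank)


if __name__ == "__main__":
    drift = find_drift(APPROVED, CURRENT)
    for c in out_of_band_changes(CHANGE_LOG):
        print(f"out-of-band: {c.when} {c.changed_by} {c.action} {c.entitlement} for {c.user}")
    for ent, users in sensitive_exposure(CURRENT).items():
        print(f"sensitive: {ent} -> {users}")
    for verb, user, ent in lockdown_plan(drift):
        print(f"{verb:8} {user:12} {ent or ''}")
```

On the sample data the two late-night grants made directly by "admin-joe" without a ticket are the out-of-band changes, and they are exactly the two unapproved sensitive entitlements that the lockdown plan revokes first; the account with no governance record is disabled next. A "missing" entry (bob's HR-Staff, removed through a ticketed request) is reported but not acted on, since it usually means the baseline is stale rather than that access was abused.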

All kinds of organizations are susceptible to attack, and if IT security professionals do not adhere to the basic rules of securing an infrastructure, the organization is highly exposed when a breach does occur. To minimize the damage from a security breach and protect business-critical data from being stolen, a multi-layered approach to security is required, with a good identity management strategy at its base.

Rather than hurrying out to buy the latest spectacular gadget to deter cyberattacks, focus on implementing good policies, procedures, tools and intelligence. Less glamorous, perhaps, but these are the cornerstones of securing any IT infrastructure.

If you have questions or comments, feel free to drop me a line.

Santeri Kangas

About Santeri Kangas: Omada CTO Santeri Kangas has 25 years of experience in cybersecurity and cloud computing, and a commendable track record in building award-winning security software products for consumers, operators and enterprises.

European Companies are Unprepared for EU GDPR

The EU GDPR and exploding cybercrime costs requires Europe to get ready to get in control of data access

By Santeri Kangas, Omada CTO


Until now, spectacular news stories about security breaches have primarily exposed US companies, presumably lulling Europe into a comforting feeling that large-scale and business-crippling cyberattacks are something that happens to the proverbial “other people” – i.e. organizations in other parts of the world.

As any IT security professional is only too aware, the reality is very different. For years, European organizations have simply mitigated security breaches, largely kept quiet about them, and carried on with business as usual. In future, Europeans will have to address the issues at the heart of security breaches, just as Americans have been doing for years, to limit the damage unwanted publicity does to their credibility.

Access is what it’s all about

What lies at the heart of a security breach is access: access to data and systems, acquired through access to user accounts and user credentials. That is why, as companies are forced to protect sensitive data and notify authorities about breaches, it becomes paramount to safeguard the data, the systems and the user accounts from theft and abuse.

First of all: Forget about whether you know you have been hacked, or think you won’t be hacked at all.

It is an accepted condition of modern business life that your organization will be hacked at some point, and probably already has been. It is also an acknowledged truth that size doesn’t matter – your organization is a potential target regardless of how big or small it is.

Two things really matter: your ability to detect a breach, and your ability to act on that information and deal with the damage quickly, efficiently and effectively.

In future, European organizations, just like American organizations today, will have to get used to being judged not on whether they got hacked, but on how they handled the breach and how well they can document that they have learned enough from their mistakes to avoid similar damage in future. You need to be able to lock down access to data and systems, and you need to be able to prove what you have done to mitigate the situation and protect the data. If you fail to do so, you will be fined by the authorities and risk public disgrace.

Identity management and access governance are of course the foundational disciplines you must have in place to impede unauthorized access to data and systems through user accounts and credentials, and to prove that you have done everything you are supposed to do to keep the data protected from misuse.

The Dutch warning about what’s in store

I believe Europe will be hit hard, when the EU General Data Protection Regulation takes effect in May 2018.

Anyone doubting that European organizations are just as likely victims of cybercrime as anyone else, need only look to the Netherlands for a wake-up call:

According to Fortune Magazine and ComputerWeekly, at the start of 2016 the Dutch authorities brought into force a data protection law of their own, which, like the EU GDPR, requires Dutch organizations to report cybersecurity incidents to the authorities and to the affected individuals. Fines for failure to report incidents can be up to €810,000, or 10% of the company’s turnover.

Fortune Magazine reports: “In just the first 130 days since the law took effect at the start of this year, more than 1,500 cyber incidents were reported.” And, Fortune adds: “Additionally, a 2015 study by PwC reported that 90% of large UK-based businesses – and 74% of small businesses – reported being hacked in the previous year.”

I have no reason to believe that Dutch organizations are IT security laggards, compared to their European counterparts. In fact, I am quite sure that the Dutch numbers represent what to expect throughout Europe, when the EU GDPR is enforced in less than two years.

Cost of cybercrime is on a dramatic increase

While European organizations have the added challenge of public embarrassment and reputational damage to deal with from 2018, the rest of the world can’t rest on its laurels.

Cybercrime is an increasingly popular activity, and the cost of cybercrime damages is predicted to skyrocket in the coming years, requiring organizations to fortify their defenses and strengthen their mitigating capabilities:

Just look at these numbers, listed by Steve Morgan of Cybersecurity Ventures:

  • In early 2015, the British insurer Lloyd’s estimated cybercrime was costing businesses globally $400 billion annually — which included direct damage plus post-attack disruption to the normal course of business.
  • Juniper Research followed with a report in the spring of 2015, which predicted that the rapid digitization of consumers’ lives and enterprise records would increase the cost of data breaches to $2.1 trillion globally by 2019.
  • This year, the Microsoft Secure Blog reported that The World Economic Forum estimated the economic cost of cybercrime to be $3 trillion worldwide. That was a six-fold jump in cybercrime damage estimates in just one year.
  • Cybersecurity Ventures predicts cybercrime will continue rising and cost businesses globally more than $6 trillion annually by 2021.

Of course, these are predictions, and the actual costs will be different. But I am certain the numbers are indicative of the trend.

Strengthen your security posture

What boards and executives should take away from these two factors – the rising cost of damage caused by cybersecurity incidents, and the increasingly strict legislation that ensures security breaches become public knowledge – is that they need to up their security and compliance game.

It is vital to incorporate the increased security and compliance risk in the 2017 budgets, to have a fighting chance of being ready for the EU GDPR in particular, and to generally diminish the costly damage cyberattacks can do to the organization.

If you have questions or comments, feel free to drop me a line.


Santeri Kangas


Snowden and Panama teach us how lack of control over access rights is a threat to IT security

What do the Snowden files and Panama Papers have to do with identity management and access governance? Everything, actually.


By Christian Stendevad, Executive VP, Omada

Edward Snowden – the ‘All Access’ subcontractor

The Snowden leak is arguably the most spectacular breach ever, because of

  • the drama ensuing from the publication of the leaked data
  • the victim – the National Security Agency
  • the volume of leaked data

The leak was made possible not by intricate hacks and spectacular exploits, but because Edward Snowden, who worked for a subcontractor to the NSA, accumulated access rights to a wide range of systems and data within the NSA environment over a long period of time.

He did this quite legitimately, by requesting and receiving access rights to data he needed to perform the tasks he was hired to do.

Eventually, he had accumulated enough access rights to enable the systematic download of information.

If the NSA had had full visibility into Snowden’s privileges, alarm bells would have gone off and rights could have been revoked, to ensure that no one – and certainly not a contractor – had access rights and user privileges to the extent that Snowden did.

Panama Papers – who had the wrong rights?

A contender to the “Most Spectacular Leak” title is the recent Panama Papers scandal. The 11 million documents leaked to global media have shamed corporations, politicians and celebrities and fuelled the climate of distrust between ‘the people’ and ‘the establishment’.

While we do not at this point know the details of how the leak happened, I am not afraid to make a few assumptions.

For example: The sensitive information in the documents and the sheer volume of data suggest that an autopsy of the leak will include findings about IT security…

I will go so far as to guess, that the findings will fault the IT security efforts of Mossack Fonseca.

Secondly, I think we can assume that whoever was behind the leak had extensive access rights and user privileges. Far more extensive than just about any employee should have. So presumably, the source of the leak is either very high up in the organization – or is an employee or subcontractor who, like Edward Snowden, accumulated these rights over time, and under the radar.

I am also inclined to think that the law firm has been aware that IT security is a discipline to be considered, in a business that relies heavily on digital processes and stores large amounts of highly sensitive information for customers.

That Mossack Fonseca did not have their identity management and access governance in place, may be a simple matter of risk assessment gone wrong: the cost and resources required to implement the appropriate security measures may have been deemed too high, to be worthwhile. I suspect that, in hindsight, the conclusion of said risk assessment would be different.

And if the cost of IT security solutions were the issue, perhaps a few of Mossack Fonseca’s customers would be up for a bit of crowd funding, to help pay the bill…?

And you – who has access to your data?

These two high-profile incidents illustrate why identity management and access governance is an absolutely essential discipline in IT security.

Controlling who has access to corporate data will help you prevent damage from leaks from within the organization, simply by ensuring that no one individual can access too much data.

Controlling user access will also help you limit the damage done by hackers attacking from outside the organization, by making it very difficult for them to retrieve data once they have made their way into your infrastructure.

While most employees do not go to work with malicious intent, they do make up one big soft spot of entry points for hackers, who worm their way into systems on the back of the employees’ user access rights.

Effectively, they become a risk, simply by doing their jobs.

The bottom line:

You must conduct your everyday business on the assumption that persons with malicious intent are present in your infrastructure at all times. If that assumption is your baseline, and your organization acts accordingly, you are a long way towards healthy, security-conscious policies and procedures.


Are You Equipped for Strict EU Compliance Requirements?

With the expected introduction of new data privacy regulations, the EU is pushing through a comprehensive reform of data protection rules to strengthen data privacy rights. This initiative places protection of personal data high on the agenda and creates demand for efficient processes that support the reinforced regulations and ensure compliance.

Companies will be required to document established standards and policies throughout their business, and must prepare to meet compliance requirements. That means setting up a technical foundation that can establish efficient documentation and implement appropriate security measures.

Get a head start by mapping and documenting the current state of your access rights. Omada’s newly launched Governance as a Service delivers simple and fast insight to IT users’ access to sensitive data. The solution provides you with necessary insight in an interactive Audit Report that establishes a solid foundation for your compliance effort.

Learn more about how Omada Governance as a Service addresses legislative data privacy requirements such as the EU General Data Privacy Reform.

NEW Release: Omada Identity Suite v11.1


All-in-one solution for identity management and access governance

The latest release of Omada Identity Suite further extends the benefits of an all-in-one solution with a homogeneous architecture that enables easy integration and configuration. Key release highlights include enhanced features and new functionality that provide detailed operations and system monitoring, and a unified role-based GUI with consolidated dashboards for an improved user experience. As part of the release, Omada introduces the Omada Provisioning Service for quick and easy integration of target systems, with standard connectors to AD, SAP and cloud applications (supported by SCIM). The updated data warehouse platform uses in-memory technology that enables fast reporting and analysis on large volumes of data from different source systems. User dashboards include an Operations Dashboard that lets users monitor and investigate system components and processes. On ‘My Dashboard’, users get an overview of relevant role-based KPIs for improved manageability and usability, including access to self-service password reset. Interactive reporting with drill-down into additional information gives auditors fast access to detailed information about user behaviour, compliance status and survey responses as standard out-of-the-box report options.

LEADING DATA SECURITY PROVIDER IMPLEMENTS OMADA IDENTITY SUITE

ikb Data GmbH is one of Germany’s leading service providers in the field of IT infrastructure and data security. With a strong customer portfolio in the financial sector, ikb Data has over the past years established itself as a market leader in the outsourcing and consolidation of IT infrastructure. ikb Data not only develops concepts based on the customer’s requirements, it also provides full-service IT. The IT specialist provides the right solutions and ensures their operation across complex platforms and applications, where the ability to manage sensitive data is a top priority in areas such as cloud computing, hosting, IT compliance, IT security/privacy and eDiscovery.

To increase its efficiency in managing access authorizations for employees and customers, ikb Data has recently decided to implement the software solution “Omada Identity Suite”. The solution will also support the detection of IT compliance vulnerabilities in line with compliance requirements such as MaRisk BA, reducing risk substantially and enhancing the security of business-critical data. ikb Data plans to implement Omada Identity Suite in the last quarter of 2014.

OMADA INTRODUCES RISK CHECK SERVICE

Are your digital assets protected? Cyber criminals are becoming increasingly advanced at finding vulnerabilities, but even the most sophisticated perimeter protection will not prevent fraud and theft. Very often vulnerabilities arise from internal procedures, misuse of confidential data, or human error by employees that inadvertently creates a security breach. To determine who has access to your critical business data and to detect security vulnerabilities, Omada offers a Risk Check Service powered by Omada Identity Suite, aimed at giving you complete access control, stronger security and sustainable compliance.