Super User or Super Threat?

Post on 25-Jul-2015


Transcript of Super User or Super Threat?

SUPER USER OR SUPER THREAT?
KNOW WHEN USERS PUT YOUR BUSINESS AT RISK
Presented by Matt Zanderigo and Kevin Donovan

AGENDA

• Who is ObserveIT?
• Risk of Privileged Access
• Examples of Risky Admin Scenarios
• Brief Demonstration of ObserveIT

WHO IS OBSERVEIT?

HQ Boston, MA / R&D Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital

The leading provider of User Behavior Monitoring for Application Users, Admins and External Vendors

APPLICATION ACCESS
(App Admins, App Users)

PRIVILEGED ACCESS
(Windows Admins, root, DBAs, System Admins, …)
(Developers, IT Contractors, Network Admins, …)

Shared Accounts / Named Accounts
Entitlement changes / Logging / Utilization

PRIVILEGED ACCESS: THE ‘ROOT’ OF TODAY’S BIGGEST BREACHES

• 78.8M affected by the Anthem breach: a DBA account was compromised
• 56M affected by the Home Depot breach: privilege escalation to blame
• 76M affected by the JPMorgan Chase breach: attackers obtained admin privileges

LET’S EXAMINE AN ATTACK

Penetrate → Establish Foothold → Escalate Privileges → Move Laterally → Complete Mission

• Penetrate: attacker techniques include URL interpretation, input validation flaws, SQL injection, impersonation, buffer overflow
• Establish Foothold: open a shell and run commands for orientation: Who am I? What is the host name? Where is the directory service?
• Escalate Privileges: upload and execute malicious software
• Move Laterally: scan memory for active sessions and extract passwords; log into AD to get a targeted list of machines
• Complete Mission: leverage the harvested credentials to compromise data on those machines

PRIVILEGED ACCESS MANAGEMENT

• Provisioning & Governance
• User Monitoring
• Password Vaults

Visual Audit Trail of all privileged user sessions

App & Access usage Reporting

Detailed session analysis: sudo, privilege escalation, backdoors…

WHAT SHOULD BE CLOSELY MONITORED AND ALERTED UPON

• Escalated privileges
• Configuration changes
• Lateral movement
• Unauthorized activity

“The enterprise needs deep and real-time insight within privileged sessions”

CONFIGURATION CHANGES

Changes via Embedded Scripts

Changes to Active Directory

Changes within Registry Editor

EMBEDDED SCRIPTS

ACTIVE DIRECTORY

Password Resets, Adding Users, Changing Groups, Modifying Access, etc.

REGISTRY EDITOR

Edit and modify specific values:
• Firewalls
• User Account Control (UAC)
• Applications / Software
• Windows Components

UNSECURE ‘SHELL’

TELNET suffers from security problems.

TELNET authenticates with a login name and password, but the entire session, credentials included, is exchanged as cleartext.

An attacker positioned anywhere on the network path can capture the login name and the corresponding password with an ordinary packet sniffer.

TELNET has been largely replaced by the more secure SSH protocol, which encrypts the session and authenticates the server.

ESCALATED PRIVILEGES

• ‘rm’ ‘cp’ with ‘sudo’ (deleting or overwriting system files as root)
• Creating “backdoors” (for example a replaced or setuid system binary that gives the admin a way back in)
• ‘leapfrog’ logins (hopping from one server to the next so the session’s true origin is hidden)

‘RM’ ‘CP’ WITH ‘SUDO’

(flagged commands in the recorded session: su, rm, cp)

SUDO into root shell

Modifying the ping command

CREATING “BACKDOORS”

‘LEAPFROG’ LOGINS
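The three scenarios above (rm/cp under sudo, backdoors such as a replaced or setuid ping binary, and leapfrog logins) all leave traces in ordinary syslog output from sudo and sshd, which is where a monitoring or SIEM rule would pick them up. The script below is an added example for this transcript, not ObserveIT's product logic or code from the deck. The hostnames, addresses, the SERVERS inventory and the sample log lines are all constructed for the demonstration; the sudo and sshd line formats are the ones those daemons actually emit.

```python
"""Flag the risky privileged-session patterns from the deck over syslog-style
sudo and sshd lines.  Added example, not ObserveIT code.  Hosts, addresses and
log lines are constructed for the demonstration."""
import re
from dataclasses import dataclass

# sudo logs one line per command: "user : TTY=.. ; PWD=.. ; USER=target ; COMMAND=..."
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# sshd logs every successful login with the source address.
SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Programs that hand the operator an interactive shell as the target user.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/su", "/usr/bin/su"}
RM_CP = {"/bin/rm", "/usr/bin/rm", "/bin/cp", "/usr/bin/cp"}
# Paths where an rm/cp as root changes what the host (or its audit trail) trusts.
SENSITIVE = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/etc/", "/root/", "/var/log/")
# Constructed inventory of in-scope servers (hostname -> address).  An SSH login
# arriving *from* one of these addresses is a server-to-server "leapfrog" hop.
SERVERS = {"web01": "10.0.1.5", "db02": "10.0.1.9"}
ADDR_TO_HOST = {addr: name for name, addr in SERVERS.items()}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    kind: str
    detail: str


def _setuid_mode(arg: str) -> bool:
    """chmod argument that sets the setuid/setgid bit: 'u+s', 'g+s', 4755, 6755, 2755."""
    return "+s" in arg or (len(arg) == 4 and arg.isdigit() and arg[0] in "246")


def check_sudo(host: str, user: str, target: str, cmd: str):
    argv = cmd.split()
    prog, args = argv[0], argv[1:]
    if prog in SHELLS:
        # From here on sudo records nothing: only session recording shows what was typed.
        return Alert(host, user, "root_shell",
                     f"sudo to a {target} shell via {prog}; further commands are not logged by sudo")
    if prog in RM_CP:
        hits = [a for a in args if a.startswith(SENSITIVE)]
        if hits:
            return Alert(host, user, "sudo_" + prog.rsplit("/", 1)[1],
                         f"{cmd} touches {', '.join(hits)}")
    if prog.endswith("/chmod") and any(_setuid_mode(a) for a in args):
        return Alert(host, user, "setuid", f"{cmd}: setuid/setgid bit set, a classic backdoor")
    if prog.endswith(("/useradd", "/usermod", "/visudo")) or any(a.startswith("/etc/sudoers") for a in args):
        return Alert(host, user, "account_change", cmd)
    return None


def check_ssh(host: str, user: str, src: str):
    if src in ADDR_TO_HOST:
        return Alert(host, user, "leapfrog",
                     f"login from {ADDR_TO_HOST[src]} ({src}): server-to-server hop, not from a workstation")
    return None


def analyze(lines):
    """Return the alerts raised by a sequence of raw syslog lines, in log order."""
    alerts = []
    for line in lines:
        if (m := SUDO_RE.match(line)):
            a = check_sudo(m["host"], m["user"], m["target"], m["cmd"])
        elif (m := SSHD_RE.match(line)):
            a = check_ssh(m["host"], m["user"], m["src"])
        else:
            a = None
        if a:
            alerts.append(a)
    return alerts


# Constructed sample: alice does routine work then drops to a root shell; bob replaces
# ping with a setuid copy, hops from web01 to db02 and wipes the audit log there.
SAMPLE_LOG = """
Jul 25 10:14:02 web01 sshd[1822]: Accepted publickey for alice from 10.0.0.50 port 50212 ssh2: RSA SHA256:aaaa
Jul 25 10:14:10 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jul 25 10:15:30 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jul 25 10:16:01 web01 sudo:      bob : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cp /tmp/ping /bin/ping
Jul 25 10:16:05 web01 sudo:      bob : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/chmod 4755 /bin/ping
Jul 25 10:17:44 db02 sshd[2211]: Accepted publickey for bob from 10.0.1.5 port 51022 ssh2: RSA SHA256:bbbb
Jul 25 10:18:00 db02 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.strip().splitlines()):
        print(f"{alert.host} {alert.user} [{alert.kind}] {alert.detail}")
```

Two limits of this log-only approach are exactly the deck's argument for session recording: once alice is inside the root shell, sudo writes nothing more, so the script can only say that a shell was opened, not what happened in it; and the leapfrog check is only as good as the server inventory it is given.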

Challenge:

The Board of Directors of Ally Bank established a Privileged User Access (PUA) project for all sessions that are accessing data on 160 servers in-scope for PCI and SOX compliance.

Their 5,000 privileged users represented a significant risk to the organization, so they were rolling out password vaulting (Lieberman) and needed to implement a monitoring program in parallel.

Solution:

Needed a monitoring system to collect, alert, and report on the specific use of applications, functions, or access to specific information

Challenge:

Needed to comply with SOX, HIPAA, PCI mandates surrounding the audit and logging of privileged access to 1,130 servers.

The SOX, HIPAA and PCI mandates require a date/time stamp as well as proof of what happened in every privileged session on regulated servers.

Solution:

Holistic view of configuration changes across environment

Real-time alerts and data exported to the SIEM (IBM QRadar)

Reports centered around privileged access as a whole