Securing privileged access: Preventing and detecting attacks

This post was authored by Nir Ben Zvi, Principal Program Manager, Windows Server.

Introduction: Why is it important to secure privileged access?

The threat environment has continued to reinforce that identity is a primary security boundary. Examining the major cyber-attacks of the last several years reveals a recurring inflection point: attackers focus on taking control of the identity systems. No matter what environment or operating systems you are using, your success in protecting against and detecting attacks depends on how well you secure and monitor your privileged identities.

In this post we cover actionable recommendations on how to better protect privileged identities. They follow our published plan for securing privileged access, which covers heterogeneous environments and operating systems and helps you secure your current environment. We also highlight a few technologies and solutions from Microsoft that change the game when it comes to protecting privileged identities.

A common attack timeline includes three main phases:

1. Initiate: Research and preparation, resulting in the attacker getting an initial foothold through spear-phishing or unpatched edge devices. The attacker uses commonly available information from Google, Facebook, LinkedIn and the like to craft an attack that provides an initial foothold into your organization (typically a compromised workstation).
2. Escalate: The attacker is inside your environment and increases their access using credential theft tools and techniques. A demonstration of the most common insider credential theft attacks is shown in this video, and additional details can be found at Pass-the-Hash and Pass-the-Ticket.
3. Execute Mission: The attacker's mission varies from silent, undetected data exfiltration over many months to ransomware that shows itself boldly by compromising critical resources and business operations.

Common Attack Timeline

So, what can you do to better protect your organization?

Focus on Phase #2, where the attacker has an initial foothold in your environment. This is when you are in the best position to detect and respond to the attack. By better protecting your privileged identities, you force the attacker to take steps that are easier to detect and, most importantly, you shift the attack timeline from 24-48 hours to weeks or longer, making it achievable for you to detect, isolate and respond to the attack and potentially avoid Phase #3 altogether.

Blocking Phase #1 (research and preparation) is extremely difficult and requires an inordinate amount of procedures, discipline and training that is likely only practical for government agencies with an organizational culture of secrecy.

Phase #3 (attack ongoing, with the attacker in control of the keys to the kingdom) is where you would need to work with specialized incident response teams to root the attackers out of your environment. This is very costly and usually interrupts your ongoing business.

A few spotlight technologies and solutions for securing privileged access

Before we get into the plan on how to secure your privileged access, I’d like to call out a few solutions and technologies that we believe are game changers in helping protect against and detect attacks on your identity systems.

Protecting privileged identities

Credential Guard in Windows 10 and Windows Server 2016 uses virtualization-based security to isolate the derived credentials (NTLM password hashes and Kerberos tickets) that Windows keeps in memory, so that an attacker who gains administrator rights on a machine cannot steal a copy of credentials that can be used to attack other systems.

Just In Time Administration enables you to reduce the risk of attacks targeting users with perpetual administration rights, by monitoring privileged groups and limiting the time that people hold administrator privileges.

Just Enough Administration allows you to remove admin privileges from individuals by allowing them to do a defined set of tasks “as-Admin.”
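As an added example (not code from the original post or from the JEA documentation it refers to), the following PowerShell builds a minimal JEA endpoint that lets members of a hypothetical CONTOSO\Helpdesk-Ops group restart three named services on a server without holding administrator rights on it. The group name, service names and directory paths are placeholders; the cmdlets are the standard JEA ones that ship with Windows PowerShell 5.0 and later.

```powershell
# Added example, not from the original post. Run elevated on the server that
# will host the JEA endpoint. CONTOSO\Helpdesk-Ops, the service list and the
# paths below are placeholders (assumptions) to adapt to your environment.

$ModuleName = 'HelpdeskJEA'
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null

# JEA discovers role capability (.psrc) files only inside a module's
# RoleCapabilities folder, so the module needs a manifest to be found.
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# 1. Role capability: the allow-list of what the role may do. Restart-Service is
#    exposed, but its -Name parameter only accepts these three values, so the
#    operator cannot restart arbitrary services. Everything not listed is hidden.
$VisibleCmdlets = @(
    @{ Name = 'Restart-Service'
       Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time', 'BITS' } }
    @{ Name = 'Get-Service' }
)
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'ServiceOps.psrc') `
    -VisibleCmdlets $VisibleCmdlets `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe'

# 2. Session configuration: who gets which role, and how the session runs.
#    RestrictedRemoteServer = NoLanguage mode, only allow-listed commands.
#    RunAsVirtualAccount    = commands run as a temporary local-admin virtual
#                             account, so the connecting user never holds admin
#                             rights and its credentials are not usable elsewhere.
#    TranscriptDirectory    = every session is transcribed for later review.
$TranscriptDir = 'C:\ProgramData\JEAConfiguration\Transcripts'
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
$PsscPath = 'C:\ProgramData\JEAConfiguration\ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $TranscriptDir `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk-Ops' = @{ RoleCapabilities = 'ServiceOps' } }

# Validate the file before registering it; a malformed .pssc otherwise only
# shows up as connection failures for the users.
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
    throw "Session configuration file $PsscPath is invalid"
}

# 3. Register the endpoint (this restarts the WinRM service).
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $PsscPath -Force | Out-Null

# 4. Check what a given user would actually be able to run before handing it out.
Get-PSSessionCapability -ConfigurationName 'ServiceOps' -Username 'CONTOSO\jdoe' |
    Select-Object Name, CommandType
```

An operator then connects with `Enter-PSSession -ComputerName <server> -ConfigurationName ServiceOps`; `Get-Command` inside that session lists only the commands above plus the handful JEA always exposes (Get-Help, Select-Object, Measure-Object, Exit-PSSession and a few others), and `Restart-Service -Name wuauserv` is rejected by the parameter validation. The caveat the role author has to think through is that any exposed command which can run arbitrary code or write to a location the virtual account can reach (Start-Process, Invoke-Expression, a script path) hands the operator the virtual account's local administrator rights, which defeats the point of the endpoint.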

Local Administrator Password Solution prevents lateral movement among workstations and servers using the local Admin account by creating a unique random password on each workstation and server in your Active Directory environment.

Detecting ongoing attacks

Microsoft Advanced Threat Analytics (ATA) provides visibility into active credential theft and identity attacks so that you can respond quickly.

Enhanced security auditing in Windows 10 and Windows Server 2016 helps your security experts detect and investigate threats in your environment.
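As an added example (not from the original post), the following PowerShell hunts the Security log for two privileged-access indicators that the Windows audit events make visible: Event 4672 (special privileges assigned at logon) for accounts outside a list of expected administrators, and Event 4624 logon patterns commonly associated with pass-the-hash (NTLM network logons by Tier 0 accounts, and type 9 "NewCredentials" logons through the seclogo logon process). The account lists are placeholders, and the patterns are hunting heuristics a practitioner would tune for their environment, not a vendor-defined rule set.

```powershell
# Added example, not from the original post. Requires the Logon/Logoff audit
# subcategories "Logon" and "Special Logon" to be enabled (check with
# auditpol /get /category:Logon/Logoff). Account names are placeholders.

function ConvertFrom-SecurityEvent {
    # Flattens an EventRecord's <EventData> into a hashtable keyed by Data Name.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml] $Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data['Id']          = $Event.Id
    $data['TimeCreated'] = $Event.TimeCreated
    $data['Computer']    = $Event.MachineName
    $data
}

function Find-PrivilegedLogonIndicator {
    param(
        # Accounts expected to receive admin privileges on this host (placeholders).
        [string[]] $ExpectedAdmins = @('CONTOSO\da-alice', 'CONTOSO\srv-admin01'),
        # Tier 0 accounts that should only ever authenticate with Kerberos (placeholders).
        [string[]] $Tier0Accounts  = @('da-alice', 'da-bob'),
        [datetime] $Since        = (Get-Date).AddDays(-1),
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4672; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d = ConvertFrom-SecurityEvent -Event $e
        if ($d.Id -eq 4672) {
            # Special privileges (SeDebugPrivilege, SeTcbPrivilege, ...) handed out at
            # logon. Skip the OS itself and machine accounts; flag anyone else who is
            # not on the expected list.
            $user = $d.SubjectUserName
            $acct = "$($d.SubjectDomainName)\$user"
            $isSystem = $user -in 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE' -or $user.EndsWith('$')
            if (-not $isSystem -and $acct -notin $ExpectedAdmins) {
                [pscustomobject]@{ Time = $d.TimeCreated; Host = $d.Computer
                    Indicator = 'Unexpected privileged logon (4672)'
                    Account   = $acct; Detail = $d.PrivilegeList }
            }
        }
        elseif ($d.Id -eq 4624) {
            $user = $d.TargetUserName
            $acct = "$($d.TargetDomainName)\$user"
            # Heuristic 1: mimikatz-style pass-the-hash creates a type 9 (NewCredentials)
            # logon through the "seclogo" logon process on the attacker's host.
            if ($d.LogonType -eq '9' -and "$($d.LogonProcessName)".Trim() -eq 'seclogo') {
                [pscustomobject]@{ Time = $d.TimeCreated; Host = $d.Computer
                    Indicator = 'Type 9 seclogo logon (possible pass-the-hash)'
                    Account   = $acct; Detail = "PID $($d.ProcessId) $($d.ProcessName)" }
            }
            # Heuristic 2: a Tier 0 account arriving over the network with NTLM rather
            # than Kerberos is either misconfigured or someone replaying its hash.
            if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM' -and $user -in $Tier0Accounts) {
                [pscustomobject]@{ Time = $d.TimeCreated; Host = $d.Computer
                    Indicator = 'NTLM network logon by Tier 0 account'
                    Account   = $acct; Detail = "from $($d.IpAddress) ($($d.WorkstationName))" }
            }
        }
    }
}

# Usage: run on the host (or point -ComputerName at a collector) and review by account.
Find-PrivilegedLogonIndicator -Since (Get-Date).AddDays(-7) |
    Sort-Object Time | Format-Table -AutoSize
```

Expect noise on first run: 4672 also fires for scheduled tasks and services running as administrators, so the expected-admin list is really an inventory exercise, and heuristic 2 will surface every legacy application that still forces NTLM for a privileged service account. Both kinds of finding are worth fixing in their own right, because each is a place where the same credential is reusable by an attacker.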

Help me get started: Secure privileged access in three phases

With all the different technologies and options, it is sometimes hard to determine what to do first and what gives you the best return on investment for your efforts.

To help, we have worked with internal Microsoft teams and Microsoft Cybersecurity consulting services to recommend a three-stage deployment that will considerably improve how well you secure your privileged identities.

The goal of this roadmap is to help you rapidly secure your heterogeneous environment with various operating systems and identity repositories.

We highlight available solutions from Microsoft in several cases, but you can also use capabilities from other vendors to achieve the overall goal. Regardless of which products are chosen, you should follow the complete guidance: your identity systems are prized by attackers, and many groups will be able to work around any one defense, such as detection or privileged access management, on its own.

You can find the full plan and relevant links here.

Phase I: First 2-4 weeks

This phase focuses on immediate actions you can take to block theft of privileged credentials. It includes basic actions that you can take to protect your domain administrators (which are the most critical identity) and also helps you create a unique local administrator for each workstation and server in your domain, so that if one is compromised it does not lead to the immediate compromise of all others.
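As an added example (not from the original post or the plan it links to), and serving both the Local Administrator Password Solution description above and this Phase I goal, the PowerShell below measures two Phase I outcomes against Active Directory: which computers still lack a managed, unique local administrator password (by checking the attribute the Local Administrator Password Solution writes, ms-Mcs-AdmPwdExpirationTime; Windows LAPS uses msLAPS-PasswordExpirationTime instead), and which members of Domain Admins are not yet protected by membership in the Protected Users group. The OU path is a placeholder; the module is the standard ActiveDirectory RSAT module.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT
# module and read access to the attributes queried (the expiration attribute is
# readable by default; the password attribute itself is not touched here).
# The search base below is a placeholder (assumption) to adapt.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    # Computers whose LAPS password-expiration attribute is unset have never had a
    # LAPS-managed password; a value in the past means the client stopped rotating
    # it. Both are gaps in the "unique local admin per machine" goal.
    param(
        [string] $SearchBase      = 'OU=Workstations,DC=contoso,DC=com',
        [string] $ExpiryAttribute = 'ms-Mcs-AdmPwdExpirationTime'   # Windows LAPS: msLAPS-PasswordExpirationTime
    )
    $now = (Get-Date).ToFileTimeUtc()
    Get-ADComputer -SearchBase $SearchBase -Filter "Enabled -eq 'True'" `
        -Properties $ExpiryAttribute, OperatingSystem, LastLogonDate |
    ForEach-Object {
        $raw = $_.$ExpiryAttribute
        if (-not $raw)                     { $state = 'NoLapsPassword' }
        elseif ([int64]$raw -lt $now)      { $state = 'RotationOverdue' }
        else                               { $state = 'Managed' }
        [pscustomobject]@{
            Computer        = $_.Name
            OS              = $_.OperatingSystem
            LastSeen        = $_.LastLogonDate
            LapsState       = $state
            PasswordExpires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
        }
    }
}

function Get-DomainAdminExposure {
    # Domain Admins should be few, and each should sit in Protected Users so that
    # domain controllers refuse NTLM, DES/RC4 Kerberos and long-lived tickets for
    # them, removing the reusable secrets Phase I is trying to deny to an attacker.
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                  Where-Object objectClass -eq 'user').SamAccountName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                     -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate
            [pscustomobject]@{
                Account              = $u.SamAccountName
                InProtectedUsers     = $u.SamAccountName -in $protected
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                LastLogon            = $u.LastLogonDate
            }
        }
}

# Summaries worth tracking week over week during Phase I:
Get-LapsCoverage | Group-Object LapsState | Select-Object Name, Count
Get-DomainAdminExposure |
    Where-Object { -not $_.InProtectedUsers -or $_.PasswordNeverExpires } |
    Format-Table -AutoSize
```

Two caveats when acting on the output: Protected Users requires a Windows Server 2012 R2 or later domain functional level and is meant for user accounts only (do not add service or computer accounts, which break once NTLM and long ticket lifetimes are refused), and a computer that shows NoLapsPassword may simply be off or disconnected rather than unmanaged, so read LastSeen alongside LapsState before escalating it.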

Phase I

Phase II: 1-3 months

In this phase, you add the major protections that slow down an attacker and the detection capabilities that help you detect and respond to an ongoing attack. This phase also encourages you to look more closely at the attack surface of your identity system, exploring and verifying every component that has the capability to take it over. Bringing in systems like Just In Time Administration helps you automatically add two-factor authentication for your administrators without needing to revamp your entire environment.

Phase II

Phase III: 6+ months

The last phase introduces secure procedures and brings in the latest technologies to help you maintain a healthy and secure state for your privileged identities.

Phase III

Attack vectors and mitigations

Finally, to be able to measure your progress, the image below shows the various attack vectors and mitigations. This is by no means an accurate and measurable representation, but merely a way to visualize where the different phases help your security stance for privileged identities.

Attack Vectors and Mitigations