Contributor:
Mark Austin
April 23rd, 2012

Mitigating Advanced Malware Attacks with Least Privilege

Targeted malware attacks and Advanced Persistent Threats (APTs) are making malware detection and removal much more challenging. It is common knowledge that good security requires a defense-in-depth strategy, as no single solution can provide adequate protection from malware. Traditional approaches to malware detection should still be kept in place, to ensure that known threats and applications that exhibit malicious characteristics are quarantined at the earliest possible stage, but these need to be complemented by more advanced methods and best practices to deal with the ever-changing threat landscape.

One of the biggest steps that can be taken to mitigate malware threats is to implement a least privilege approach. The most dangerous and persistent threats often look to bury themselves deep inside the operating system, using rootkits and other kernel-level techniques. Once malware operates at this level it can cloak itself from security solutions, making subsequent detection and removal extremely difficult.

In order for malware to infect the kernel it must run in a privileged context or gain access to a privileged account, such as a local administrator or SYSTEM account. If a user logs on with a local administrator account then malware can gain access to a privileged context with ease, whereas if a user logs on with a standard user account it becomes much more difficult for the malware to gain privileged access to the system. It’s no surprise that over 90% of Microsoft’s critical vulnerabilities state that users who log on to systems with fewer privileges will be less impacted.

So if least privilege is such a good way to mitigate malware threats then why do so many users still log on with local administrator accounts?

The answer is the age-old problem of getting the right balance between security and usability. The more a system is locked down, the more secure it becomes, but usability starts to suffer. Taking this to the extreme, if you were to remove the Internet connection and disallow removable storage devices then an endpoint would become extremely secure, but it would become unusable in the interconnected world we live in today. The removal of local administrator rights from a user may not seem quite so extreme, but many users will simply struggle to perform their role or at best will be faced with frequent over-the-shoulder administration, leading to frustration and a loss of productivity.

A privilege management solution is required to strike the balance between the two extremes of standard user and local administrator rights. Instead of assigning privileges to a user’s account, the necessary privileges are assigned directly to the applications that actually require them, based on centrally managed policies. This approach ensures that malware will find it extremely difficult to gain access to a privileged account, because all users log on with standard user accounts. Moreover, only the applications that require elevated privileges are granted them, which significantly reduces the application attack surface.

In addition to increasing the risk of malware infection, users who log on with local administrator accounts will significantly reduce the effectiveness of many security solutions, as they are more likely to be compromised, although few vendors will point this out.

Embracing least privilege will not only increase the security posture of the endpoint, it will also lead to reduced desktop operating costs, as under-locked or over-locked desktops are more costly to support. So now you have two very good reasons to implement least privilege – reduced malware threats and reduced operating costs. Improved security doesn’t have to come at a price – with a well-managed least privilege solution you can save money and improve user satisfaction too!
