Privilege management can be a way of spotting an attacker’s footprints
Cyber-criminals are motivated, technically innovative and incredibly observant; it is a depressing and repeating pattern of the last decade that they have been able to zero in on important weaknesses when the defenders were either unaware these existed or just had their fingers crossed.
There are really only three ways to break into an organization digitally. You target a poorly-secured resource (e.g. a server left unguarded using a default login), attack an insecure or unpatched application, or try to undermine the end user with social engineering. All three serve as jumping off points to spider behind the firewall or intrusion prevention layer in search of further resources, data or users to target. Conceptually, cybercrime really is that simple.
Recent history tells us that the criminals have worked out the implications of this. Resources can eventually be secured by technological means but for applications it is much harder. For the user it might be almost impossible, which is why the user is usually where today’s attacks usually begin.
The PC as Trojan
Thanks to the way Windows PCs have been designed to operate as powerful, independent tools, undermining them is like unlocking a kingdom. PCs connected to networks can be used as staging posts to map resources, and are afforded privileges that make it possible to hide an attack that would be spotted were it launched from outside the firewall. Best of all, PCs run software that turns out to be riddled with flaws (stand up Adobe Flash, PDF Reader and Java) and are piloted by users who can be manipulated with a grim statistical certainty to click on malicious web links or open rogue attachments.
The vulnerability of the PC/user turned into a weakness so slippery that even today the security industry is still struggling to come to terms with it. If the openness of the PC can be combined with the suggestibility of the end user, a well-designed attack can become almost undefendable. One amplifies the other and it is the interaction of the two that is key.
This uncomfortable fact has slowly dawned on many organizations and caused an uptick in interest in systems that don’t simply defend a resource but manage, record and audit the trail of machine-human interactions that are directed towards them. The interactions can’t and shouldn’t be stopped but as long as they can be seen and their patterns analyzed, there is hope that attacks can be made visible.
Probably the most important interaction for the Windows PC is the granting of administrator privileges to a user or application; something that numerous high-profile malware attacks have used to gain control of targets. Admin privileges are also easily abused by users, either deliberately or inadvertently, to bypass policies and install software and, of course, to naively allow malware to subvert defenses such as antivirus.
Active management arrives
Windows XP assumed admin privileges were good because it made the user’s life easy and so developers obliged; by the time Vista and Windows 7 debuted a technology called User Account Control (UAC), the folly of this design had been realized but backwards compatibility meant that just turning off admin rights wasn’t always an option.
The emphasis has now shifted to one of active management where privileges can be elevated from standard to administrator only when absolutely necessary, and preferably on the basis of an application’s need rather than a user’s. Such elevation should always be as temporary as possible and always logged.
You could say that this design – least privilege – works to reduce the attack surface of the PC-to-user interaction as far as possible and captures information to model what counts as legitimate elevation so that it doesn’t turn into a barrier.
But as ever, the criminals have carried on innovating, trying to bypass this layer of control using a number of techniques often directed at software vulnerabilities in browsers and plug-ins, or by creating malware that works entirely in memory (e.g. has no need for admin privileges to write to disk); today’s attacks are often architected to reach out to users via the web or email keeping themselves as far as possible away from the operating system’s privilege layer.
In addition there are new types of application such as native Windows 8 ‘Store’ apps designed to carry out potentially quite intrusive functions without asking for admin rights or portable versions of apps run from USB sticks (for instance portable browsers or Skype) that grab their own space in memory that could give an attacker a foothold
Checkmate? Not necessarily. A good privilege management system doesn’t just restrict privileges, it manages applications, noting which are being used and limiting the user’s ability to install non-approved software. This is essential. Just because software does not ask for admin rights does not mean it is not trying to elevate its control in hidden ways. Software should always be locked down, if necessary using a layer of blacklisting to block known risky apps and whitelisting to allow known good ones.
The biggest takeaway of all is to grasp that even the most complex attacks – Advanced Persistent Threats (APTs) for instance – are invariably designed as a series of simple stages. First, target the end user as a primary weakness, second hit the application layer with an exploit and third capture a resource. Finally, automate this process and repeat on an industrial scale so that success becomes a matter of statistical inevitability.
The strength of privilege and application management is that it is a conceptually simple way of fighting back, putting a gatekeeper between the user, the applications and the resources, introducing a layer that makes the usually invisible interactions suddenly visible. It does not guarantee defense but it dramatically improves the odds.