I’m at RSA Conference 2015 in San Francisco this week. With so many recent stories about new cyber attacks and data breaches, it’s encouraging to see such a tremendous response from the IT security community.
One cyber security topic that I’m particularly interested in this year is “land-and-expand”, a threat that I’ve warned about for some time now. During land-and-expand cyber attacks, hackers use a variety of malware and zero-day exploits to achieve a beachhead in your environment. Once they’ve landed, the attackers pull credentials from the machines they compromise to further their expansion and exfiltration efforts. Basically, during a land-and-expand attack, invaders get in your network without a trace, take over whatever they wish, and do so with impunity.
The Cyber Security Landscape – What Works Today?
Today’s reality is that cyber warfare is now a game of speed, attrition and acceptable loss. Intrusions will succeed some fraction of the time. And when they do, they expose every static credential, hash, cached credential, and ticket that you’ve used on the compromised systems. In this scenario, ownership of your IT environment happens in minutes and typically persists for 200+ days undetected.
The solution? Change the game in identity management and identity use. Rather than trying to detect and respond to cyber attacks, start by assuming that the intruders are already in your environment, are undetectable, and have gained access to every credential on every machine that has been compromised.
You must concentrate on the removal of excess credentials, escalated permissions, hashes, Kerberos keys, and administrator memberships – to the greatest degree possible – on every system. If escalated access/credentials are needed, they should be time-limited and changed every few hours.
If you’re running applications with static credentials, these should be encrypted – although these credentials too should be considered already compromised and should also be changed automatically every few hours.
Some other vendors at the show suggest connecting your applications to their vault. Unfortunately, they neglect to mention that if you lose vault connectivity or their vault fails, you’re out of business.
We suggest never creating a connection or dependency to any vault. Assume that vaults are vulnerable, and that any secret will be compromised. If you’re using a vault for static passwords, you’re already roadkill in this new cyber warfare environment.
With that said, what is our solution?
RSA Conference 2015 Announcements
At this week’s RSA Conference we’re showing the latest release of our privileged identity management platform. We’re demonstrating how to remove excess local accounts and administrative memberships, provide local escalation, and create a moving target for cyber attackers that significantly limits the amount of time they have in your environment.
We’re also showing new technology that defeats memory scrapers and pass-the-hash (PTH) attacks, and puts an end to the “Golden Ticket” exploit. If you’ve ever looked at Mimikatz and its brethren, this solution is for you.
To stay ahead of today’s advanced cyber attacks, you need speed and scale of credential management. We have both, and have it by design. Stop by booths N3334 and S1523 this week and let us prove it.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.