The summer holiday season is upon us, when employees take off to spend time with friends and family and enjoy time away from the office. These vacations might be ad hoc and approved by management, or as part of mandatory vacations to reduce the potential for fraud.
The operational reality in many countries is that employees on holiday continue to check their work email and may access confidential or privileged systems while away from the office. While this is not a new behavior, organizations should consider whether they can distinguish between a legitimate user on holiday compared to a threat actor with stolen credentials impersonating a legitimate user.
Statistics on the threat of insider attacks range from the low end of 23% reported by Thales Security to the mid-range. “Sixty-nine percent of senior IT professionals agree that insider data breach is the biggest threat many are facing in terms of network security,” according to Balabit. Then there is the startling “90% of organizations (which) feel vulnerable to insider attacks,” according to CA.
Further, compromised insider credentials are easy to come by, according to OWL Cyber, which found that “companies had credentials and/or intellectual property exposed on the Dark Net which can be monetized by others.”
Threat actors are already using these stolen credentials, with 53% of organizations confirming “insider attacks against their organization in the previous 12 months,” according to Veratio. These risks are accelerating, not decreasing, as evidenced by these statistics.
There are three primary actions that organizations can take in the face of these risks and ongoing threats. These recommendations are not mutually exclusive, and each organization should tailor these based on their current level of discipline in cyber security.
Option 1: Lock The Doors And Windows
Organizations with a lower cyber security maturity should consider disabling access to privileged accounts and/or privileged commands while a staff member is on holiday. This is different from disabling their regular user account as employees may want to share holiday photos by email with their friends at the office. It is unlikely that an employee with access to privileged accounts such as the root account on UNIX or access to an Active Directory Domain Administrator account will need to use those privileged credentials as part of a scheduled change window that coincides with their holiday plans. It’s similarly unlikely that if an organization has granted access to privileged commands (such as by sudoers on UNIX or an endpoint privilege management solution on Windows) they will need to use those commands while vacationing.
Implementing this recommendation is less about technology and more about processes. The employee’s supervisor needs to notify HR that the employee will be on vacation, a process that exists today. However, HR needs to notify the IT team or the provisioning team, or the identity governance team that the employee will be on holiday. That team will then need to disable the user’s access to privileged accounts and/or access to privileged commands. This process may be automated in higher-maturity organizations or manual in lower-maturity organizations.
There are three benefits associated with disabling access privileges when a user is on vacation or a leave of absence. The first is obvious: a threat actor with stolen credentials will be unable to use those credentials while the employee is out. A second benefit is that this exercise requires an inventory of all privileged credentials and commands for a given user, which helps with regulatory compliance. The third benefit is not so obvious. A resilient organization should be able to continue normal operations and processing in the face of a short-term loss of a key staff member.
Disabling access to accounts and privileged commands will empirically demonstrate resiliency and potentially uncover any previously undocumented dependencies. Many organizations, for example, require that privileged operations may not be carried out based on scheduled tasks using non-privileged credentials. A script that runs as a named individual user before using privileged commands will be identified when it fails due to the access to those privileged commands having been disabled while the employee is out. This previously invisible dependency can then be mitigated as part of regular business continuity planning exercises.
Option 2: Check Their Tickets At The Door
Slightly more mature organizations that have deployed Multi-Factor Authentication (MFA) have more options. They can choose to disable access to privileged accounts and commands as previously described or can choose to incorporate User Behavior Analytics (UBA) to mitigate the ongoing threat of insider attacks. In its simplest form, MFA requires that users provide a password and then a second factor, such as a time-based, one-time password (TOTP) generated by an app on their smartphone, or a biometric factor, such as a fingerprint. However, MFA does not inherently prevent privilege abuse: if a threat actor steals an employee’s unlocked phone left poolside, and if there are no other security controls in place, that threat actor can impersonate the employee until the theft is discovered, reported, and the account is locked or disabled. This scenario assumes the most common deployment of MFA. That is, once a user has been authenticated, they do not need to provide their credentials again for the duration of their session.
Organizations concerned about this threat can integrate UBA with their MFA solution, assuming the integration points exist. This is not true of all vendor solutions. Broadly, UBA solutions passively observe user behavior of both individuals and peer groups and then can introduce friction when the behavior varies from the norm. For example, consider an individual who typically logs on from their company HQ and checks out privileged Active Directory Domain Administrator credentials between 8 a.m. and 2 p.m. A UBA solution could require an additional multi-factor authentication if the user requested checkout of those privileged credentials from a lakeside cabin on a Saturday evening. This helps to mitigate the threat of stolen credentials being combined with a stolen second factor of authentication.
The benefit of deploying UBA with MFA is that it’s typically faster than the process of manually disabling and enabling access to privileged accounts when an employee takes a vacation. However, this requires that an organization has already deployed MFA and integrated it with UBA if that was not a native capability. A drawback associated with this strategy is that the organization will not gain insights into the effects of disabling access to privileged commands or accounts, which can help for business continuity planning.
Option 3: The Velvet Rope
Organizations that have chosen to make decisions based on public or commercial threat intelligence have a third option for dealing with employees on holiday. These solutions range from the simple daily email of “bad IP addresses” to highly tailored, company-specific intelligence based on past threats observed by an internal program dedicated to creating intelligence out of observed and relevant data. Organizations using these solutions can manually or automatically allow or disallow access, but this is often at a macro level. An organization based in the United States that has employees located in the continental U.S. could theoretically apply a rule stating that no inbound traffic is allowed to internal systems from the United Kingdom. This rule will work until an employee decides to take a seaside holiday in Dorset.
The premise of a threat intelligence program is that only known bad traffic patterns, IP addresses, or other attributes would be blocked, so that an attacker with compromised credentials and the ability to intercept or guess the second factor of authentication would still be blocked from reaching key systems if they were attempting to connect from a known bad location.
The challenge of using a commercial or public threat intelligence solution for this scenario is that it lacks sufficient granularity. Being able to block Tor exit nodes when no employees are anticipated to be using Tor is helpful, but a basic threat intelligence solution will not prevent the use of compromised credentials to access privileged commands or credentials. The benefit of a basic threat intelligence solution is to filter out obviously malign traffic.
The best defense is a “defense in depth,” where overlapping layers of defense support one another, and where a compromise of one defense does not lead to a complete compromise. Truly mature organizations have automation for the temporary revocation of access to privileged commands, use MFA with UBA, and have built their own threat intelligence programs based on commercial data and organization-specific threat data.
This robust solution will help defend against insider attacks not only during the summer months but throughout the year!