APTs and PPM: Make Key Password Accounts a Moving Target
I was recently at the CU Information Security Conference and heard many a fine presentation concerning APTs. For those of you not familiar with the term, an APT (or Advanced Persistent Threat) is defined by the Wikipedia community thusly: “Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity.
“The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Other recognized attack vectors include infected media, supply chain compromise and social engineering.
“Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.”
Many of the speakers at the Las Vegas conference talked about combatting APTs with a layered security approach: network security, host security, endpoint security, NIDS, HIDS, IPS, and even baseball bats (maybe that was for the raccoons; see the henhouse analogy later).
What I did not hear people mentioning was PPM (Privileged Password Management). They should have. Why PPM? The reason is simple: APTs are primarily targeting one thing: privileged passwords.
PPM is the management of privileged account passwords. It involves securely storing, releasing, checking and changing the passwords for your privileged accounts. What are privileged accounts? A privileged account is the root account for your core system, your AD Enterprise Admin account, the local administrator account for your HR server – any account that either has elevated access, is shared, or requires individual accountability.
PPM can be done in a variety of ways, either manually or using technology-based solutions (whether a product or a service). The main issue is to ensure that the passwords for these privileged accounts are being changed on a regular basis.
So how does PPM relate to APTs? Bruce Smalley presented a nice analogy during his talk. It related to his efforts to protect chickens from predators using a henhouse. I’ll leave out some of the more graphic details, and sum it up to say that defense of chickens is like the defense of your network; if an adversary is determined to breach your environment, it all comes down to a question of time and money.
I personally like the analogy of a safe: no safe manufacturer claims its safe is impregnable; it rates the safe based on the tools and time required to breach it. If you take the same perspective on your network, then you can assume that at some point your network will be breached.
With this in mind, what are APTs trying to gather? The APTs are actively trying to install keyloggers and other malware in order to capture privileged passwords. A spear phishing attack targets a network admin not to get their personal account, but to get a keylogger onto that person’s machine, where it waits for them to log in with Enterprise Admin and captures the valuable password.
The question then becomes the following: ‘how long will that password that has just been captured be valid on the DC?’
This is the relationship between APTs and PPM. PPM will not stop APTs, but it can have a huge impact on the value of the information captured by an APT. If the Enterprise Admin account mentioned above is changed every 45 days, then the APT has a nice, long window to communicate that password back to the owner. If, however, the password is automatically changed after use (let’s say two hours later as an example), the window in which the captured password has value is significantly different.
To relate this to the henhouse analogy, PPM would be the equivalent of mounting the henhouse on a flatbed truck and driving it to a new location every two hours, without changing any of the security constructs around the henhouse (and making sure no added passengers are on board). Now predators need to find, breach, and exploit within two hours – instead of weeks or months. I think you’ll end up with a lot more eggs.
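The exposure window described above can be measured from your own records. The following is an added example, not part of the original article: it takes a constructed log of password checkouts and rotations (the account names and the log format are assumptions) and reports every released password that stayed valid longer than the two-hour window used as the example above.

```python
from datetime import datetime, timedelta

MAX_EXPOSURE = timedelta(hours=2)  # the article's example rotate-after-use window

# Constructed sample log: (timestamp, account, event). Not real data.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00", "ENT-ADMIN", "rotate"),
    ("2024-03-01T10:00", "ENT-ADMIN", "checkout"),
    ("2024-03-01T12:00", "ENT-ADMIN", "rotate"),              # changed 2h after use
    ("2024-03-02T08:00", "HR-SRV/Administrator", "checkout"),
    ("2024-04-16T08:00", "HR-SRV/Administrator", "rotate"),   # 45-day schedule
    ("2024-03-03T14:00", "core/root", "checkout"),            # never rotated since
]


def exposure_windows(events, now):
    """For each checkout, return how long the released password stayed valid."""
    parsed = sorted((datetime.fromisoformat(ts), acct, ev) for ts, acct, ev in events)
    results = []
    for i, (when, acct, ev) in enumerate(parsed):
        if ev != "checkout":
            continue
        # The first later rotation of the same account ends the exposure.
        rotated = next((t for t, a, e in parsed[i + 1:]
                        if a == acct and e == "rotate"), None)
        end = rotated if rotated is not None else now
        results.append({"account": acct, "checkout": when,
                        "exposure": end - when, "still_valid": rotated is None})
    return results


def violations(events, now, limit=MAX_EXPOSURE):
    """Checkouts whose password outlived the allowed window."""
    return [w for w in exposure_windows(events, now) if w["exposure"] > limit]


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-04-20T00:00")
    for w in violations(SAMPLE_EVENTS, now):
        state = "STILL VALID" if w["still_valid"] else "rotated late"
        print(f'{w["account"]:<22} exposed {w["exposure"]} ({state})')
```

An account that appears here with a still-valid password is the one to rotate first, since anything captured at its last use can still be replayed.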
This correlation is the reason that the Fortune 1000 has significantly stepped up PPM adoption in areas outside of the traditional financial services vertical. Other large companies that have very valuable intellectual property (whether trade secrets, information contacts, or other crown jewels) are looking to minimize the effects of APTs by using PPM. Many of the most notable breaches in the past two years have related to privileged accounts, and most directly related to APTs capturing these passwords.
If your credit union is not changing your privileged passwords, then the best henhouse in the world is not going to protect you forever. It is also interesting to note that PPM will typically cost less than NIDS, HIDS or almost any other control. So before investing in more chicken wire, maybe you should look into some wheels.