Interview with Carlo Mauceli: The theft of credentials, risk factors and guidelines for the safety of Italian companies

(by Alessandro Rugolo)
26/02/18

Today we have the opportunity to talk about credential theft with one of the leading IT security experts in Italy, Carlo Mauceli, Chief Technology Officer in Microsoft Italy.

Ing. Mauceli, nowadays we hear more and more often talk about cyber defense, cyber attacks and cyberspace, not always with full knowledge of the facts. We are very pleased to have the opportunity to talk with you about one of the problems that appears to be always current in the new domain, the theft of credentials. Can you tell us, in short, what is the theft of credentials and what is the situation in Italy?

In a context in which cyber threats are growing in frequency, impact and sophistication over time, the theft of credentials represents an extremely relevant and dangerous category of attacks, in the increasingly frequent situation in which the same credentials are used to access different systems by role and importance in the corporate network by leveraging single sign-on mechanisms.

The extreme danger lies in the fact that, starting from the compromise of a single system (even one of little value, such as the workstation of an end user) through classic social engineering techniques or the exploitation of known vulnerabilities, the attacker captures the credentials present on the compromised system and reuses them to access all the systems where those credentials are valid (Lateral Movement), stealing increasingly privileged credentials in subsequent steps until obtaining total control of the infrastructure (Privilege Escalation)1,2. These activities in most cases go unnoticed for a long time because of the difficulty of detecting this class of attacks, which typically generates network activity similar to normal authentication traffic.

In a situation where the IT staff is numerically limited and under pressure compared to the amount of activity required by the business, in the course of hundreds of security assessment activities carried out on Italian companies in the last 18 months we have observed administrative practices that go in exactly the opposite direction to what would be necessary, leading to a scenario in which all the companies analyzed proved to be significantly exposed to the risk of credential theft.

The following chart shows qualitatively the percentage of companies exposed to the various risk factors.

(Exposure to the risk of the theft of credentials of Italian companies - Source: Microsoft Security Assessments 2014-2015)

Lack of dedicated administrative posts: the use of Privileged Admin Workstations is almost nil, the prevailing model is the one that uses bridge systems, which does not reduce the risk of credential theft.

Limited client segmentation: the possibilities of lateral movement are rarely limited by client network segmentation.

Excessive number of administrators: the number of administrative users is often oversized (tens and in some cases hundreds) compared to real needs, thus drastically increasing the attack area exposed to the risk of the theft of privileged credentials.

Reduced detection capacity: most companies use audit and log collection tools for compliance with the regulations of the Guarantor only. It is rare to come across companies that perform a proactive and event correlation analysis aimed at identifying compromise attempts.

Weak authentication: a notable weakness is represented by the use of weak authentication protocols, combined with the very limited use of two-factor authentication, sometimes even for remote access.

Limited hardening: the number of vulnerabilities deriving from a wrong configuration of the systems is very high, despite the presence of public secure configuration baselines validated by authoritative sources (NIST, CIS).

Shared credentials: Client systems have administrative credentials, defined during initial system installation, identical for all clients: the compromise of a single client exposes to the compromise of all those where the credential is defined.

Awareness: the level of knowledge and sensitivity with respect to this class of attacks is growing, but awareness of the most effective measures for prevention and detection is lacking, also because the security vision is very focused on perimeter and network defenses when, in the reality we observe daily, the concept of perimeter has become unstable: identity has become the new "perimeter".

Lack of a process of Security Incident Response: the security incident management process is often completely absent or limited to just restoring the service, while the definition of communication processes, of a dedicated team, as well as the analysis of potential impact of the incident is missing.

Single accounts: it is not uncommon to run into administrators who, with the same account, manage the systems, access the Internet and read their mail, that is, they also perform the activities that are common to standard users and that expose their credentials to the risk of compromise. In such a scenario it is sufficient to access a compromised website or open the wrong e-mail attachment to put the entire company infrastructure at risk.

Patch management lacking: updates of application components, often made impossible by compatibility constraints with Line of Business applications, as well as the updating of server systems, are not very frequent.

Out-of-support systems: in many situations obsolete systems are still numerous, no longer updatable, and their hardware features block the possibility of switching to a more modern and secure operating system.

According to what the chart tells us, the situation does not seem the best. I imagine that following the assessment activities, the companies have taken the appropriate measures. But, in this regard, what are the most effective activities to reduce the risk of credential theft? How is it possible to limit the impact of this type of accident?

There is a principle that, if respected within the administrative processes, helps to minimize this type of risk: "avoid exposing privileged credentials to less privileged and potentially compromised systems".

In general, it would be useful to think of an infrastructure divided into various tiers of privilege, where the highest level contains the most critical users or the systems holding business-critical information and the lowest level contains end-user accounts and less privileged systems. In this model, a more privileged user (level 0) should never be used to connect to systems of a lower level (1 or 2). If the same physical person needs to administer systems of different levels, they must be equipped with multiple accounts, each specific to the level to be administered.

A consequence of the previous principle is that a privileged user should avoid carrying out risky activities (such as accessing the Internet or reading e-mails) from the same location he uses to carry out administration activities, as doing so exposes the administration system to the risk of compromise and the potential theft of privileged credentials.

Therefore, administration is carried out from a secure and possibly dedicated machine (Privileged Admin Workstation - PAW), and any risky activities are carried out on a secondary system where only non-privileged credentials are exposed3.

A second important principle is to prevent less privileged systems from being able to make changes to more privileged systems. For example, if there is a level 0 server (maximum privilege) on which services related to a level 1 monitoring system are running, and that monitoring system can perform administration activities on the server, I am in effect lowering the security level of the server from 0 to 1. If there are clients running services that use level 0 credentials, the security level of my entire infrastructure is reduced to the security of the most insecure system on which level 0 credentials are exposed. It is therefore essential to identify the points where privileged credentials are exposed and to logically segment systems from one another based on the privilege level of the credentials used on them.

In implementing a more robust architecture as described above, the following tools and best practices must also be considered:

  • tools that allow you to define random passwords for built-in and service users (PIM)4;
  • Just-In-Time-Administration functionality to limit the validity of administration credentials over time5;
  • remote administration tools and protocols that do not expose credentials on the administered system;
  • segmenting the network and limiting access between systems with different criticalities, thus limiting the possibilities of lateral movement;
  • regular updating of operating system components and applications, especially those most exposed to attacks;
  • minimizing the number of system administrators and assigning minimum privileges to perform administrative tasks;
  • the correct profiling of the "legacy" applications in order to define an evolutionary roadmap that eliminates the constraints on the hardware and software systems;
  • the use of the features present in the most recent versions of the operating system (such as the isolation of credentials in a virtual environment underlying the operating system, the verification of code integrity, the protection of virtual machines from their host) to reduce the risk of credential theft and execution of hostile code;
  • the use of detection tools aimed at recognizing the theft of credentials6;
  • the use of multifactor authentication7: however, it is good to note how this measure has limited effectiveness with respect to protection against credential theft if it is not accompanied by previous measures and should not be seen as the only solution to be adopted.

All this helps us to prevent the theft of credentials, but who has not applied the best practices indicated by you could already be in trouble, perhaps subject to a sophisticated APT. In such a case the company should be able to understand if it is under attack. I wonder if it is possible to understand if the credentials of privileged users are being stolen.

The theft of credentials is a type of attack that is difficult to identify because, in the different phases of the attack, legitimate tools and access methods equivalent to the normal authentication process are used, which makes the detection phase of the attack itself extremely complex.
In principle it can be said that the identification of these attacks requires the analysis of the behaviors followed during authentication activities and of any anomalous behavior, for example if a privileged credential is used starting from an end-user system to perform remote administration of a sensitive server.
Therefore, in addition to the traditional analysis of security events, it is necessary to combine the definition of a baseline of normal behavior and the detection of any deviations through the identification of particular "control points", which can be identified by the following strategy:

- Identify and prioritize the most valuable assets

- Think like the opponent

  • Which systems do I want to get to?
  • Who has administrative access to those systems?
  • Through the compromise of which systems can I capture those credentials?

- Identify the normal behavior on these assets

- Deepen the deviations from normal behavior:

  • Where a credential was used
  • When it has been used
  • Creation of a new user
  • Execution of unexpected software
  • Use of different privileged users from the same location, in a short period of time, starting from the same session

The greater the detail of the defined strategy, the lower the complexity of detection: the audit events traced by the operating system8 can therefore be used effectively to identify the presence of a malicious actor carrying out credential theft activities, specifically by monitoring the events described above, also by reusing tools already present in the company, such as a SIEM (security incident & event management platform) and a Log Collector.
It is clear that, as the complexity of the environment increases, an analysis of this type requires appropriate and easy-to-use automation tools, as little susceptible as possible to false positives, which are able to highlight anomalous behaviors by aggregating data on normal behavior and, through machine learning and analytics, identifying deviations from normality. Solutions have emerged in this area, classified as User and Entity Behavior Analytics (UEBA)9, which aim to:

  • Minimize the time required to analyze security events
  • Reduce the alert volume and give the remaining alerts the right priority
  • Identify malicious actors

These objectives are achieved through:

  • Monitoring of users and other entities using various data sources
  • Profiling and identification of anomalies with machine learning techniques
  • Evaluation of the activities of user accounts and other entities to identify advanced attacks

It is understandable how the introduction of tools of this type increases the detection capabilities of companies by significantly reducing the time between the compromise of the first system and the detection of the attack by the company; a time that, at present, according to several independent studies, is in the order of 250 days and, in several cases, in the order of years.
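The tier principle from the previous answer and the "control points" listed above, turned into checks over constructed logon records. This is an added example, not code from the interview or from any Microsoft tool; the host and account tier mappings, the account and host names and the sample events are all assumed.

```python
# Added example: checks constructed logon records against the tier model and the
# detection "control points" described in the interview. Host/account tiers, names
# and sample events are all assumed, not taken from any real environment.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tiers: 0 = identity systems and PAWs, 1 = servers, 2 = user workstations.
HOST_TIER = {"DC01": 0, "PAW01": 0, "SRV-FIN01": 1, "WS-USER17": 2, "WS-USER22": 2}
# Assumed accounts: the tier each account is allowed to administer.
ACCOUNT_TIER = {"adm-t0-rossi": 0, "adm-t1-rossi": 1, "adm-t1-bianchi": 1, "m.rossi": 2}

# Constructed sample logons: (time, account, source host, target host).
SAMPLE_LOGONS = [
    ("2018-02-20T09:00:00", "m.rossi", "WS-USER17", "WS-USER17"),
    ("2018-02-20T09:05:00", "adm-t1-rossi", "PAW01", "SRV-FIN01"),
    ("2018-02-20T09:20:00", "adm-t0-rossi", "WS-USER17", "DC01"),  # tier-0 credential typed on a tier-2 host
    ("2018-02-20T09:21:00", "adm-t1-bianchi", "WS-USER17", "SRV-FIN01"),
    ("2018-02-20T09:22:30", "adm-t1-rossi", "WS-USER17", "SRV-FIN01"),
    ("2018-02-20T09:40:00", "adm-t0-rossi", "PAW01", "SRV-FIN01"),  # tier-0 account used on a tier-1 system
]


def tier_violations(logons):
    """Tier numbers grow as trust shrinks. A credential must never be exposed on a
    host of a lower tier than its own (source check), and a privileged account must
    never be used to connect to a lower-tier system (target check)."""
    out = []
    for ts, acct, src, dst in logons:
        a, s, d = ACCOUNT_TIER.get(acct), HOST_TIER.get(src), HOST_TIER.get(dst)
        if None in (a, s, d):
            out.append((ts, acct, "unknown account or host"))
        elif s > a:
            out.append((ts, acct, f"tier-{a} credential exposed on tier-{s} host {src}"))
        elif d > a:
            out.append((ts, acct, f"tier-{a} account used against tier-{d} system {dst}"))
    return out


def multi_admin_from_host(logons, window=timedelta(minutes=5), min_accounts=2):
    """Flags hosts from which several distinct privileged accounts (tier < 2) authenticate
    within a short window: the 'different privileged users from the same location in a
    short period of time' control point, typical of replaying harvested credentials."""
    by_host = defaultdict(list)
    for ts, acct, src, _dst in logons:
        if ACCOUNT_TIER.get(acct, 2) < 2:
            by_host[src].append((datetime.fromisoformat(ts), acct))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            accts = {a for t, a in events[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                hits[host] = sorted(accts)
                break
    return hits
```

Run against a real SIEM export, the two checks correspond to the "where a credential was used" and "different privileged users from the same location" control points; the baseline of which hosts belong to which tier is the part that must come from the organization's own inventory.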

The idea of using Artificial Intelligence to help the human analyst or security expert in the most time-consuming activities is interesting, even if, in my opinion, this implies that the analyst or security expert must be more prepared than before, and this does not always happen. What do you think about the possibility of using the Cloud as a risk mitigation tool?

Granted the need to keep several applications on-premise10, for all those services that today represent a "commodity" (SaaS11) it is possible to exploit the Cloud as a mitigating factor by assigning to a third party (the Service Provider) the responsibility for managing the service and, consequently, its security.
Based on the results of the assessments carried out on the Italian scene, it is clear that the security measures adopted in the cloud are able to improve the average level of security of most Italian companies. With respect to Credential Theft, the Multifactor Authentication functionality, the detection of attacks and the correlation of events through Machine Learning techniques, as well as, in the case of SaaS, the possibility of delegating the task of updating systems to the provider can be useful. In fact, this activity is the heaviest, and it requires constant attention and a knowledge that local network administrators do not always possess. In general, this is also at the basis of the centralization of services in the central data centers of large organizations, which in this way employ the most expert staff on behalf of everyone.
In general, the need for service providers to ensure high security standards that comply with a variety of standards and regulations means that the minimum level of security provided by Cloud services is much higher than the average found in the IT infrastructures of our country. Ultimately, the Cloud can be an additional weapon in the Security Officer's arsenal to mitigate certain threats that are not, or cannot be, dealt with on-premise, even for cost reasons.

Engineer Mauceli, if we were to summarize in a few words the indications you gave us, for the benefit of a CIO or a CISO of a large organization, what would you say?

In summary, prevention and mitigation of theft of privileged credentials must be among the priorities of the Security Officer and the CIO.
Action must be taken to prevent the compromise of a company system of limited value that translates into the risk of a complete compromise of the company's infrastructure.
The publication of in-depth studies on attack techniques and of guidelines on the most effective prevention measures, the revision of the architecture and the introduction of new technologies to mitigate the risk, and the availability of solutions aimed at improving the detection of attacks are factors that make the implementation of an effective risk mitigation strategy immediately possible, which means that the sector's personnel must keep up to date and that investments must be adapted to the level of security to be achieved.

The interview is based on data available in the Clusit Report; in addition to Carlo Mauceli, the authors are Andrea Piazza and Luca Bechelli.

Carlo Mauceli is Chief Technology Officer - Microsoft Italy

Email: carlomau@microsoft.com

Twitter: @carlo_mauceli

 (Photos and images: Mauceli / web)

Footnotes:

1 Mitigating Pass-the-Hash and Other Credential Theft v1 http://download.microsoft.com/download/7/7/a/77abc5bd-8320-41af-863c-6ec...(pth)%20attacks%20and%20other%20credential%20theft%20techniques_english.pdf

2 Mitigating Pass-the-Hash and Other Credential Theft v2 http://download.microsoft.com/download/7/7/a/77abc5bd-8320-41af-863c-6ec...

3 http://aka.ms/cyberpaw

4 https://aka.ms/laps

5 http://aka.ms/PAM; http://aka.ms/azurepim; http://aka.ms/jea

6 http://aka.ms/ata

7 http://aka.ms/Passport

8 http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Eve...

9 http://www.gartner.com/technology/reprints.do?id=1-2NVC37H&ct=150928&st=sb

10 For on-premise software we mean the installation and management of software on machines inside the organization.

11 The acronym SaaS means Software as a Service.