Last week LANDESK was the latest company to join the ever-growing list of enterprises breached. As one of the titans of IT Asset Management, this breach is particularly painful - LANDESK’s core product set is focused on protecting IT assets. As reports indicate that LANDESK’s source code/build servers have been compromised, the attack not only jeopardizes employee and LANDESK corporate data -- but potentially the data on all endpoints running LANDESK’s client software.
The hack against LANDESK, as reported by Krebs, is straight out of the hacker playbook. Despite security being a core product focus at LANDESK, they join the ranks of Target[1], Anthem[2], Sony[3], and even the Office of Personnel Management[4] as victims of highly targeted attacks. One thing these diverse organizations have in common: all of them had their most critical systems breached using compromised administrator credentials.
John said further investigation showed that the attackers were able to compromise the passwords of the global IT director in Utah and another domain administrator from China.
Compromising administrator credentials is the most widely used attack method for successfully breaching large organizations. Managing privileged access (which admin gets what level of access to which systems) is a major challenge for every enterprise.
The Attack Chain
Pass-the-hash, pass-the-ticket, access tokens, cached credentials, LSA secrets, etc. - there are countless technical methods for hackers to get hold of administrator credentials. The stark reality is that infrastructures rely on integrated underlying technologies that make it impossible to eliminate these attack channels entirely. You can implement technical strategies to reduce part of the attack surface, but hackers are always figuring out new and sophisticated methods to compromise your credentials.
A LANDESK software developer later found that someone in the IT department had been logging into his build server, so he asked them about it. The IT department said it knew nothing of the issue.
The biggest challenge security teams face is differentiating between legitimate and illegitimate use of credentials. At a bare minimum, security teams need to do the following in real time:
- Know what systems your admins can access
- Know when systems are accessed by your admins
- Restrict access to your privileged systems
In reality, this isn't feasible (or possible) for most organizations. Even if you have centralized logging of every account activity, security experts need to scour endless logs to find the needle in the haystack.
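The three requirements above are the ones that can be automated rather than hand-scoured. The following Python example, added here and not part of the original post or any vendor's product, shows the smallest useful version of that automation: compare privileged-account logons against an allowlist of the hosts each admin is approved to reach, and surface only the mismatches. The account names, host names and the JSON-lines logon format are constructed for the example; a real pipeline would feed it parsed SIEM events instead.

```python
"""Flag administrator logons to hosts that are outside each admin's approved set.

All data below is constructed for illustration (not LANDESK, Krebs or
production log data). Privileged accounts and their approved hosts would in
practice come from the organisation's access-management system of record.
"""
import json
from collections import defaultdict

# Constructed allowlist: which hosts each privileged account may reach.
APPROVED_ACCESS = {
    "corp\\itadmin1": {"dc01", "dc02", "fileserver01"},
    "corp\\domadmin2": {"dc03", "print01"},
}

# Constructed logon records, one JSON object per line. A real feed would carry
# parsed Windows 4624 events or equivalent; only user/host/timestamp are needed.
SAMPLE_LOG = """\
{"ts": "2015-11-10T02:14:05Z", "user": "corp\\\\itadmin1", "host": "dc01", "logon_type": "remote_interactive"}
{"ts": "2015-11-10T02:31:47Z", "user": "corp\\\\itadmin1", "host": "build-srv-07", "logon_type": "network"}
{"ts": "2015-11-10T03:02:12Z", "user": "corp\\\\domadmin2", "host": "build-srv-07", "logon_type": "remote_interactive"}
{"ts": "2015-11-10T09:15:00Z", "user": "corp\\\\domadmin2", "host": "dc03", "logon_type": "remote_interactive"}
{"ts": "2015-11-10T09:20:33Z", "user": "corp\\\\jdoe", "host": "ws-1234", "logon_type": "interactive"}
"""


def parse_logons(text):
    """Yield logon records as dicts, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole scan


def find_unapproved_admin_logons(text, approved=APPROVED_ACCESS):
    """Return (ts, user, host, logon_type) for privileged logons to unapproved hosts.

    Non-privileged accounts are ignored: the point is a short, reviewable list,
    not a copy of the full log.
    """
    findings = []
    for rec in parse_logons(text):
        user = rec.get("user", "").lower()
        if user not in approved:
            continue
        host = rec.get("host", "").lower()
        if host not in approved[user]:
            findings.append((rec.get("ts"), user, host, rec.get("logon_type")))
    return findings


def hosts_reached_by_admin(text, approved=APPROVED_ACCESS):
    """Summarise which hosts each privileged account actually touched ("know when")."""
    seen = defaultdict(set)
    for rec in parse_logons(text):
        user = rec.get("user", "").lower()
        if user in approved:
            seen[user].add(rec.get("host", "").lower())
    return dict(seen)


if __name__ == "__main__":
    for ts, user, host, ltype in find_unapproved_admin_logons(SAMPLE_LOG):
        print(f"ALERT {ts} {user} -> {host} ({ltype}): host not in approved set")
```

Run against the constructed log, the scan reduces five events to the two that matter: both privileged accounts touching `build-srv-07`, a host neither is approved for, which is the pattern the developer in the quoted account noticed only by chance. The allowlist is the "know what systems your admins can access" requirement made explicit; everything else is a diff against it.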
This is exactly why companies like LANDESK, Target, Anthem, Sony, & OPM are breached.
Breaking the Attack Chain
After years of security consulting at large enterprises, I've realized it's impossible to funnel every event through your security team. Humans performing repetitive manual tasks are prone to error. Intrusion detection systems won't differentiate between good and bad logins. Implementing a strict and diligent manual security process will only clog your business flow.
In order to successfully break this attack chain, you need to continually enforce restricted access to systems AND actively monitor changes to access. You need this process automated and streamlined so you aren't impacting important business functions, which is why we developed SecureONE.
SecureONE solves the problem of compromised credentials by providing administrators time-based, on-demand access to sensitive systems using two-factor authentication. So when (not if) your administrator credentials are compromised, hackers can't use them to access any system.
IT administrators are a key part of ensuring 100% uptime of your systems, but not even admins need 24x7 access to the entire infrastructure. Having this level of standing access only increases your attack surface and risk. Admins only need to access individual servers for a particular task (to troubleshoot, update, configure). SecureONE automates this workflow seamlessly by providing admins a secure and dead simple interface to access all of your endpoints.
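To make the time-based, on-demand model concrete, here is a small Python model of a just-in-time access broker. It is an illustrative example added to this article, not SecureONE's implementation or API. The rule it encodes is the one the two paragraphs above describe: a standing credential by itself never authorises a session; a logon is allowed only while a grant for that admin on that specific host is active and a second factor has just been presented, and every decision is written to an audit trail. Account and host names are constructed.

```python
"""Model of time-bound, on-demand ("just-in-time") administrative access.

Illustrative model written for this article; not any vendor's implementation.
A replayed password or hash fails here for lack of an active grant, lack of
a second factor, or because the window has closed, regardless of whether the
credential itself is valid.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    admin: str
    host: str
    expires_at: datetime
    reason: str


@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (event, time, admin, host, detail)

    def request_access(self, admin, host, reason, now, minutes=60):
        """Open a time-limited window for one admin on one host."""
        g = Grant(admin, host, now + timedelta(minutes=minutes), reason)
        self.grants.append(g)
        self.audit.append(("GRANT", now, admin, host, reason))
        return g

    def active_grant(self, admin, host, now):
        """Return the live grant for this admin/host pair, or None."""
        return next((g for g in self.grants
                     if g.admin == admin and g.host == host and now < g.expires_at), None)

    def authorize(self, admin, host, now, second_factor_ok):
        """Decide a logon: allow only with an active grant and a passed second factor."""
        g = self.active_grant(admin, host, now)
        if g is None:
            self.audit.append(("DENY", now, admin, host, "no active grant"))
            return False
        if not second_factor_ok:
            self.audit.append(("DENY", now, admin, host, "second factor failed"))
            return False
        self.audit.append(("ALLOW", now, admin, host, g.reason))
        return True

    def revoke_all(self, admin, now):
        """Close every open window for an admin, e.g. on suspected credential theft."""
        for g in self.grants:
            if g.admin == admin and now < g.expires_at:
                g.expires_at = now
        self.audit.append(("REVOKE", now, admin, "*", "all grants"))


def demo():
    """Walk one grant through the cases that matter; returns (decisions, audit)."""
    t0 = datetime(2015, 11, 10, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    broker.request_access("corp\\itadmin1", "dc01", "patch window", t0, minutes=30)
    in_window = t0 + timedelta(minutes=5)
    decisions = {
        # the admin, inside the window, with a fresh second factor
        "admin_in_window": broker.authorize("corp\\itadmin1", "dc01", in_window, True),
        # same credential replayed against a host with no grant
        "stolen_cred_other_host": broker.authorize("corp\\itadmin1", "build-srv-07", in_window, False),
        # right host, but whoever holds the credential has no second factor
        "stolen_cred_no_2fa": broker.authorize("corp\\itadmin1", "dc01", in_window, False),
        # valid credential and second factor, but the window has closed
        "after_expiry": broker.authorize("corp\\itadmin1", "dc01", t0 + timedelta(minutes=45), True),
    }
    return decisions, broker.audit


def revocation_demo():
    """Show that revocation closes an otherwise-valid window immediately."""
    t0 = datetime(2015, 11, 10, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    broker.request_access("corp\\domadmin2", "dc03", "cert renewal", t0, minutes=60)
    before = broker.authorize("corp\\domadmin2", "dc03", t0 + timedelta(minutes=1), True)
    broker.revoke_all("corp\\domadmin2", t0 + timedelta(minutes=2))
    after = broker.authorize("corp\\domadmin2", "dc03", t0 + timedelta(minutes=3), True)
    return before, after


if __name__ == "__main__":
    decisions, audit = demo()
    for name, allowed in decisions.items():
        print(f"{name:24s} -> {'ALLOW' if allowed else 'DENY'}")
```

The audit list is as important as the allow/deny result: it is exactly the record the previous section said humans cannot produce by reading raw logs, and it is short because only grants and decisions about privileged hosts are logged. In a production system the second-factor check, grant approval and revocation would be backed by real identity infrastructure; the decision logic itself stays this small.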
If any of the above companies were using SecureONE, they simply would not have been vulnerable to this type of attack.