Phase 1 – Discovery and initiation

The first phase of the program is to discover business and security requirements, analyze the risks, define critical controls and map out the high- level timelines. It is generally challenging to define what the “keys to the kingdom” in an organization are; organizations typically say “we want to secure everything.” By engaging with the trusted experts in CyberArk Security Services or CyberArk certified service partners, organizations draw from the experiences of security professionals and technical specialists who have been on the front lines of breach remediation efforts.

Step 1: Identify drivers and success criteria

What are business drivers for the project? To start, consider security goals in the areas of audit (SOX, PCI, etc.), compliance, breach, best practices or other drivers for the project. Consider initial use cases, objectives, and timelines that will drive the priority and order of privileged credentials to be managed, as well as control goals and audit requirements, including retention, credential rotation frequency, etc. Senior management should be included in defining the goals and objectives of the company with the tone and direction of the security program.

Step 2: Identify critical and high value assets

Identify the most critical assets and systems containing the most sensitive information in your organization. Involvement of senior management in conducting a risk assessment that identifies critical assets is very important in this step. The findings should align with the organization’s overall risk management strategy.

What are the crown jewels?

These can be anything from PII, credit card info, intellectual property, ICS systems to ERP systems and middleware. It is very important to consider the supporting architecture and infrastructure for both on-premises and in the cloud: from domain controllers, hypervisors and DevOps tools to cloud infrastructure privileged keys and credentials.

How does an attacker think and behave

In considering these assets and systems, think “how does an attacker think and behave in each case?” (discussed in Step 4). Focus on an enterprise-wide risk management approach by mapping out the business processes around the critical assets and think like an attacker. Where is the data? How is it being stored? How is it being transferred?

Tier 0 Assets, such as Domain Controllers (“DCs”), should always be classified as a critical and be a focus in Phase 1:

  • Tier 0 (Domain Administrator and Forest Administrator Accounts)

  • Privilege Cloud Administrators

  • If DCs are virtualized, then the underlying hypervisors/VM technology also becomes a critical asset. In nearly all major breaches, an attacker is looking to get a foothold on the DC to be able to take control of the network and gain unmitigated access to a number of privileged accounts and systems.

Tier 1 and Tier 2 should be addressed in the following phases, but a tactical process should be created to ensure credential boundaries exist as quickly as possible. For example:

  • Tier 1 (Server Administrator Accounts);

  • Tier 2 (Workstation Administrator Accounts).

Step 3: Discover the privileged accounts

CyberArk Discovery & Audit (CyberArk DNA®) is a simple executable that can scan systems based on either Active Directory or an input file. Following the scan, CyberArk DNA delivers a comprehensive report that shows the number of systems scanned and the percentage of systems that do not comply with your password policy, which can be defined in CyberArk DNA prior to scan. The management summary will give you an overview of your environment, including maps of Pass-the-Hash vulnerabilities in Windows environments and SSH key trusts in Unix environments. Details of the discovered accounts and credentials are provided in tables that contain all available information for each account.

Step 4: Identify and prioritize privileged accounts to be secured

There are multiple approaches to assessing risk and setting priorities using the CyberArk DNA report and map. Organizations can see which machines and accounts create the highest risk and which machines are exposed to the greatest lateral movement risks. Based on this Pass-the- Hash map, organizations can prioritize the security and management of privileged accounts on the most at-risk systems.

Access to Privilege Cloud will be crucial for both internal and external users. External remote vendors (third-party) that require access to network and applications in order to perform tasks and transactions should be considered along with internal employees.

Identify accounts quickly. Locate the administrative accounts in Windows. For a fast-tracked initiative, the idea is not to spend a lot of time on up-front analysis as the accounts are relatively easy to identify within Active Directory (AD) and local Administrator groups.

Implement controls on the most powerful accounts first by assessing the criticality of the systems/data and risks if compromised or breached. Organizations that have completed full risk assessments typically know what systems house their most sensitive data and business critical applications. The more critical the system, the higher the risk and the more urgent the need to tightly control access. CyberArk DNA can locate all accounts on these systems, enabling security teams to first remove unnecessary accounts and then prioritize the remaining accounts in the first phase of a privileged account security project, for example:

Domain Administrator accounts and Administrator accounts with access to large numbers of machines, particularly servers, as well as application accounts that use Domain Administrator privileges.

Work quickly to get some controls in place and make improvements over time; for example:

Ideally, accounts for workstation users should not have administrative privileges, but breach survivors say this is one of the more difficult practices to implement and maintain due to the sheer volume of workstations.

In addition to prioritizing the results with organizational requirements and critical assets, organizations can also leverage the CyberArk best practices to consider the width and breadth of potential risks associated with the most common types of attacks on privileged accounts. While each organization’s privileged account security posture is unique, the CyberArk best practices leverages extensive experience responding to significant data breaches to achieve the highest level of protection.

Task

Details

Eliminate irreversible network takeover attacks

Eliminate irreversible network takeover attacks to prevent attackers from establishing persistence in an organization through irreversible network take over attacks, such as Kerberos’s Golden Ticket attack:

  • All domain controllers and privileged account to Tier 0 and Tier 1 assets are isolated and monitored

  • All access to Privilege Cloud requires multi-factor authentication

Control and secure well-known infrastructure accounts

Control and secure well-known infrastructure accounts to prevent attackers from taking ownership of an entire technology stack through a single built-in backdoor compromise and using the same credentials on similar assets:

  • Consider password age; the older the password, the greater the risk that multiple users inside and outside the organization have access to it. Old passwords may also indicate inactive accounts that have not been de-provisioned;

  • Vault all built-in backdoor accounts

  • Automatically rotate passwords periodically and after every use.

Manage SSH keys on critical UNIX servers

The inherent risks associated with SSH keys are often underestimated. Single private SSH keys can be used to access multiple target systems and accounts, and target systems can contain additional SSH keys used to access even more systems. It’s common to find some “general” key pairs that give access to a large number of target systems, thus creating vulnerabilities similar to Pass-the-Hash in Windows. To prevent attackers from leveraging unmanaged SSH keys to login with root access and take over the UNIX technology stack:

  • Vault and rotate SSH key-pairs on UNIX production servers and secure with policies

Defend cloud credentials

Defend cloud credentials and identities to prevent attackers from take over the entire cloud environment. Use Privilege Cloud to vault root accounts, IAM users and API keys.

Secure shared IDs for users

Secure shared IDs for users to prevent attackers from stealing credentials that are shared among users in order to get high level access into sensitive systems:

  • All access to Privilege Cloud requires multi-factor authentication

  • Protect all shared IDs with Privilege Cloud, which includes tamper-proof audit logs, enforcement of monitoring and recording, and session isolation.

Step 5: Define critical controls and timelines

Once the privileged account security risks are assessed, the next step is to define the critical controls and high-level timeline. As described in the Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials White Paper, attackers frequently exploit vulnerabilities with Windows Administrator credentials and use a privileged pathway to get to critical assets.

The following recommended practices should be considered as an underlying foundation for the controls framework:

  • Limit exposure of privileged credentials;

  • Enforce strong passwords and store them in an encrypted vault;

  • Minimize the number of administrator accounts;

  • Increase monitoring for privileged credential theft.

Recommended critical controls should be identified to determine which of them should be implemented first and which should follow. it is possible for organizations to quickly lock down their most risky accounts and be successful with rapid risk reduction using a privileged account SPRINT Framework. This is a short, fast-paced project to identify and quickly lock down the riskiest accounts first, like those with access to domain controllers. Once the SPRINT Framework is defined, organizations can then create a longer-range plan — a privileged account “marathon” — to put these controls in place across their infrastructure as part of an ongoing, proactive, measurable security program.

To start, consider the following best practice controls and define the timeline using the SPRINT Framework, starting with the most critical key controls:

Task

Details

Segregate duties

Reconfigure accounts to segregate duties. This reduces ability of attackers to use a stolen credential across different types of machines. Aim to implement the access control models to segregate logins for these accounts within a short period of time, such as 30-days, including

  • Domain Administrator accounts (used only to log into domain controllers);

  • Server Administrator accounts (used only to log into servers);

  • Workstation Administrator accounts (Used only to log into workstations).

Limit credentials exposure

Limit exposure of privileged credentials with tactical processes. Create credential boundaries, where each Tier has its own credential:

  • Separate identities vs. accounts: Migrate to functional accounts and away from individual accounts;

  • Repeat across all platform types following the same process. Other platforms types will include databases, network devices, security devices, etc.;

  • Once there is a consistent access control model for other user groups and technologies across the board, workflow for personal privileged access and shared access should be the same. Identity access management of the endpoint will be static; provisioning and de-provisioning risks and audit needs are mitigated and minimized.

Use the Vault
  • Use a Vault administrator password. Use of the Password Vault automatically enforces password policies and enables monitoring of administrative activities to detect credential theft. The CyberArk Digital Vault is tamper-proof and uses military-grade encryption to store passwords.
  • Require multi-factor authentication to access credentials in vault.

Randomize passwords

Automatically randomize passwords for administrative accounts. This will make them unique with complex passwords, limiting the attacker’s ability to compromise multiple machines if they learn one password.

  • In most cases, the quick wins are local Administrator on servers, Domain Administrator and root. As best practices, these accounts should not be used for regular administrative work--yet, frequently they are. These accounts are commonly overused, their passwords often kept the same on all machines and almost never changed. As a result, the risk associated with these accounts is often high.

  • The onboarding of these accounts is fairly straightforward because they typically don’t require a complex safe structure. Most organizations:

    • Know where the accounts exist;

    • Know who “should” use them.

Protect sensitive assets

Do not allow administrative access to sensitive assets from interconnected workstations.

Minimize use

Minimize the use of individually assigned administrative accounts to reduce account proliferation.

Remove privileges

Remove workstation administrator from end users.

Implement detection tools

Implement detection tools to look for signs of lateral movement or privilege escalation in real time.

Remove unnecessary privileges

If any application use domain administrator privileges, such as domain rights to multiple servers, remove those privileges.

  • Consider sensitive accounts such as Service Accounts. A common second step during an implementation includes securing Windows Service Accounts and Scheduled Tasks. CyberArk DNA can provide a full overview of these accounts and their “usages” on the target systems. Onboarding local service accounts is often easy, and thus another quick win for your privileged account security program.

Next stepPhase 2 – Definition and planning