super user or super threat?
TRANSCRIPT
![Page 1: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/1.jpg)
SUPER USER OR SUPER THREAT?
KNOW WHEN USERS PUT YOUR BUSINESS AT RISK
Presented by Matt Zanderigo and Kevin Donovan
![Page 2: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/2.jpg)
Who is ObserveIT?
Risk of Privileged Access
Examples of Risky Admin Scenarios
Brief Demonstration of ObserveIT
AGENDA
![Page 3: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/3.jpg)
WHO IS OBSERVEIT?
HQ Boston, MA / R&D Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital
The leading provider of User Behavior Monitoring for Application Users, Admins and External Vendors
![Page 4: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/4.jpg)
APPLICATION ACCESS
App Admins App Users
PRIVILEGED ACCESS
(Windows Admins, root, DBAs, System Admins,…)
(Developers, IT Contractors, Network Admin,…)
Shared Accounts Named Accounts
Entitlement changes Logging Utilization
![Page 5: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/5.jpg)
PRIVILEGED ACCESS: THE ‘ROOT’ OF TODAY’S BIGGEST BREACHES
78.8M affected by Anthem breach, DBA account compromised
56M affected by Home Depot breach, privilege escalation to blame
76M affected by JPMorgan Chase breach, obtained admin privileges
![Page 6: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/6.jpg)
LET'S EXAMINE AN ATTACK
Attack phases: Penetrate, Establish Foothold, Escalate Privileges, Move Laterally, Complete Mission
Penetrate. Hacker attacks:
• URL Interpretation
• Input Validation
• SQL Injection
• Impersonation
• Buffer Overflow
Establish Foothold. Uploads and executes malicious software; opens a shell and runs commands to learn orientation:
• Who Am I?
• Host name
• Location of directory service
Escalate Privileges. Scan memory for active sessions and extract passwords
Move Laterally. Hackers log into AD to get a targeted list of machines
Complete Mission. Hackers leverage credentials to compromise data on machines
![Page 7: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/7.jpg)
PRIVILEGED ACCESS MANAGEMENT
Provisioning & Governance
User Monitoring
Password Vaults
Visual Audit Trail of all privileged user sessions
App & Access usage Reporting
Detailed session analysis: sudo, privileged escalation, backdoors…
![Page 8: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/8.jpg)
WHAT SHOULD BE CLOSELY MONITORED AND ALERTED UPON
Escalated privileges
Configuration changes
Lateral Movement
Unauthorized activity
“The enterprise needs deep and real-time insight within privileged sessions”
![Page 9: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/9.jpg)
CONFIGURATION CHANGES
Changes via Embedded Scripts
Changes to Active Directory
Changes within Registry Editor
![Page 10: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/10.jpg)
EMBEDDED SCRIPTS
![Page 11: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/11.jpg)
![Page 12: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/12.jpg)
ACTIVE DIRECTORY
Password Resets, Adding Users, Changing Groups, Modifying Access, etc.
![Page 13: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/13.jpg)
REGISTRY EDITOR
Edit and Modify Specific Values
• Firewalls
• User Access Control
• Applications / Software
• Windows Components
![Page 14: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/14.jpg)
UNSECURE ‘SHELL’
TELNET suffers from security problems.
TELNET requires a login name and password (when exchanging text).
Hackers can easily eavesdrop using snooper software to capture a login name and the corresponding password even if it is encrypted.
TELNET has been largely replaced by the more secure SSH protocol.
![Page 15: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/15.jpg)
ESCALATED PRIVILEGES
‘rm’ ‘cp’ with ‘sudo’
Creating “backdoors”
‘leapfrog’ logins
![Page 16: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/16.jpg)
‘RM’ ‘CP’ WITH ‘SUDO’
su, rm, cp
![Page 17: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/17.jpg)
SUDO Into Root Shell
![Page 18: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/18.jpg)
CREATING “BACKDOORS”
Modifying the Ping Command
![Page 19: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/19.jpg)
![Page 20: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/20.jpg)
![Page 21: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/21.jpg)
‘LEAPFROG’ LOGINS
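A detection pass over the session activity these slides single out (sudo into a root shell, rm and cp under sudo, a system binary such as ping being replaced to plant a backdoor, and an ssh hop out of an already-privileged session as a leapfrog login), written as an added example that is not part of the deck or of ObserveIT's product. The log lines are constructed in Linux auth.log sudo/sshd format and the alert tag names are assumptions.

```python
import re

# Constructed sample lines in Linux auth.log sudo/sshd style (not real data)
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Mar  3 10:02:40 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit
Mar  3 10:03:05 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cp /tmp/ping /bin/ping
Mar  3 10:04:19 web01 sshd[2211]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
Mar  3 10:04:30 web01 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/ssh admin@db01
Mar  3 10:05:00 web01 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
"""

# One sudo record: who ran it, on which host, as which target user, and the full command line
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
                     r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

ROOT_SHELLS = {"su", "bash", "sh", "zsh", "dash"}   # 'sudo -i'/'-s' log the shell path, 'sudo su' logs su
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def classify(cmd):
    """Return the alert tags (assumed names) that apply to one sudo COMMAND string."""
    argv = cmd.split()
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]
    tags = []
    if prog in ROOT_SHELLS:
        tags.append("sudo_root_shell")          # sudo into root shell
    if prog == "rm":
        tags.append("sudo_rm")                  # rm with sudo
    if prog == "cp":
        tags.append("sudo_cp")                  # cp with sudo
        # copying over a system binary (e.g. /bin/ping) is how the deck's 'backdoor' gets planted
        if len(argv) > 1 and argv[-1].startswith(SYSTEM_BIN_DIRS):
            tags.append("system_binary_modified")
    if prog == "ssh":
        tags.append("leapfrog_login")           # ssh hop out of an already-privileged session
    return tags

def scan(log_text):
    """Parse sudo records and return (user, host, tag, cmd) alert tuples in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m is None:                            # sshd and other non-sudo lines are skipped
            continue
        for tag in classify(m["cmd"]):
            alerts.append((m["user"], m["host"], tag, m["cmd"]))
    return alerts
```

Running `scan(SAMPLE_LOG)` raises five alerts for alice and bob and none for carol's read-only `systemctl status`, which is the kind of noise a session-monitoring alert rule has to leave out.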
![Page 22: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/22.jpg)
Challenge:
The Board of Directors of Ally Bank established a Privileged User Access (PUA) project for all sessions accessing data on the 160 servers in scope for PCI and SOX compliance.
Their 5,000 privileged users represented a significant risk to the organization, so they were rolling out password vaulting (Lieberman) and needed to implement a monitoring program in parallel.
Solution:
Needed a monitoring system to collect, alert, and report on the specific use of applications, functions, or access to specific information
![Page 23: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/23.jpg)
Challenge:
Needed to comply with SOX, HIPAA and PCI mandates surrounding the audit and logging of privileged access to 1,130 servers.
SOX, HIPAA and PCI mandates require a date/time stamp as well as proof of what happened in all privileged sessions on regulated servers.
Solution:
Holistic view of configuration changes across environment
Real-time alerts and data exported to SIEM (IBM QRadar)
Reports centered around privileged access as a whole
![Page 24: Super User or Super Threat?](https://reader036.vdocuments.us/reader036/viewer/2022062420/55b354cbbb61ebc2728b45dc/html5/thumbnails/24.jpg)