How Attackers Use Your Privileged Accounts

When you think about your privileged accounts being misused, what do you picture? Passwords that offer widespread access being hacked by shady remote attackers. Malicious insiders going rogue and using privileged access to share, delete, or modify your most confidential files.

But the reality of a privileged account hack is significantly more complicated – something that starts long before your passwords are in the hands of an attacker.

In a recent white paper, privileged account management (PAM) experts Thycotic describe the ‘Anatomy of a Privileged Account Hack’ – the steps involved in compromising your security and the action you should be taking to keep your data safe.

The seven phases of a privileged account hack

While insider threats remain a serious issue for businesses that fail to enforce their password rotation and account removal policies, it’s external attacks that present the most complicated, hard-to-track risk.

That’s by design. While using an administrative password to remove or modify files doesn’t sound particularly clever, today’s attackers follow a sophisticated path from zero access to a pervasive, often undetectable presence inside your network.

  1. Reconnaissance: Like burglars eyeing your home from across the street, attackers spend up to 90% of their time analysing your network, your business, and your employees.
  2. Tricking users: Using the intelligence they have collected, attackers trick employees into disclosing their private passwords – and while few of us think we’d fall for a phishing attempt, a series of 10 emails has a 90% chance of snaring its target.
  3. Deep exploration: With user-level access, an attacker can really get to know how your network and operations run from day to day.
  4. Escalation: Many end-user accounts already offer admin rights but, if not, an attacker will use techniques to elevate their level of access.
  5. Maintain access: Privileged account attacks aren’t discrete moments – hackers use tools and malware to stay inside your network long-term, even if you close the original point of access.
  6. Strike: Having prepared carefully, the attacker conducts malicious activity, from stealing confidential data to encrypting drives or destroying information.
  7. Disappear: The final step in a breach is removing the signs of access, while potentially leaving alternate routes open for subsequent attacks.

Securing accounts is just one part of PAM

Just as the actual moment of attack is just one part of a privileged account hack, effective protection and incident response are more than enforcing best practice on your accounts.

In practice, PAM is about understanding what’s happening with your privileged accounts at any given moment. It’s about understanding what has happened in the minutes, hours, and weeks that follow a potential breach.

And it’s something that must go further than your privileged accounts themselves, securing your user accounts and giving your employees the tools they need to stay safe.

Find out more about how privileged account hacks work – and what you can do to lower your risk.

Get your Thycotic ‘Anatomy of a Privileged Account Hack’ white paper now.
