One can not avoid the slew or reports of the hacks – from Colonial Pipeline to the all the victims known and unknown from the latest Log4j hack. This brings to question of the hacks and identity Access Reviews – how can this process, usually associated with compliance is a vital practice for a secure enterprise.
First the hacks.
I don’t need to cite any of the latest hacks – if you need any details – just go to to data breaches in the Information is Beautiful website and look up data breaches – it’s overwhelming.
But let me say something you may not know. There is a documented pattern to the activities of these hacks. Of course, you might be asking… why would hackers follow a playbook? Wouldn’t this reveal their hand.
Not really – is the answer. Hackers follow a pattern of behavior but variate and improvise with the details of the steps.
The researched and documented steps are called the “Cyber Kill Chain” – first detailed by Lockheed Martin security researchers in 2011. By quantifying steps – they help the “good guys” come up with mitigation methods for each of the actions.
It’s important to note – there are many documented variations of these cyber kill chain – or “kill chain” for short. And many address different aspects of hacks and help understand different types of attacks. But this purpose we’ll stick to the original – these steps include:
– Actions taken to survey the target via both private and public means
– Creation of attack mechanism to exploit the identified vulnerability
– Transmission of the malware
– The execution of the malware
– The installation and persistence of the attack.
6. Command and Control
– Communication back the hackers C2 (command and control) center
– Data exfiltration, ransomware, spyware, Remote Access Trojans (RATS)
The key to many of these steps is a concept called “Privilege Escalation”. Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. In English, the raising of privileges of the identities that the hackers stole, created or compromised.
In this way – they can more effectively:
- Move across the enterprise in search of valued resources (lateral movement)
- Install w/ persistence (e.g. the key to APT, Advanced Persistent Threats)
- Communicate to their common-and-control (C2C) centers
This is where access reviews and identity triggers come in.
Enterprise grant users a certain level of permissions to do their jobs – this is identity management (IAM). Of course, there are changes to the permissions because of changes in roles, applications, locations, etc. It is imperative that enterprises know and review the users change permissions – especially to admin groups that have the permissions to install software, execute lateral movement and communicate to outside resource. The act of reviewing the permissions is called Identity Governance (IGA).
To secure against the steps of the cyber kill chain – a constant vigilance on our identities is needed. That is an enterprise needs a quantified and regularly scheduled IGA program.
Access reviews do just that – by having 1st line and system managers review these identities and their privilege changes hacker efforts can be detected.
And identity triggers in real time – that is identifying changes in permissions as they happen – make the process all the better for IT security and identity governance personnel. Most enterprises who employ identity triggers employ them on privilege groups to help identify, in real time when changes – both good, bad and questionable on key administrative roles.
But to these execute on these access reviews and triggers – a clean, easy to deploy and use access review and identity trigger product is needed. That’s where YouAttest comes in.
Manage Hacks and Identity Access Reviews the Right Way
YouAttest has all the features needed to conduct access reviews and save yourself from all sorts of hacks:
- App Reviews
- Group Reviews
- User Reviews
- Multiple Reviewers
- Revocation Reports
- Siloed Applications Audited
- Time Stamped-Reports
- Export to PDF, XLS or CSV
- Access Request/Access Approval
- Real time Push of Changes – Remove Access/Keep Access
In addition YouAttest can integrate into the enterprise directory or SSO platform to conduct real time reviews based on identity triggers.
—– —– —–
Contact YouAttest Now
Contact us @ YouAttest and we show you how YouAttest can help your organization identify these privilege changes. We look forward to working w/ you to help you create a more secure identities for your enterprise.