Cyber attackers posing as legitimate insiders represent the greatest security risks to organisations, according to a new survey by CyberArk.
These attacks exploit privileged and administrative accounts, otherwise known as the credentials used to manage and run an organisation’s IT infrastructure, says CyberArk.
The company's survey found that while there is increasing awareness about the connection between privileged account takeover as a primary attack vector and recent, high profile breaches, many organisations are still focusing on perimeter defences.
With more than half of respondents believing they could detect an attack within days, CyberArk warns that many IT and business leaders may not have a full picture of their IT security programmes.
Organisations must look beyond the tip of the iceberg with perimeter defences and phishing attacks, and be able to protect against more devastating compromises happening inside the network, such as Pass-the-Hash and Kerberos ‘Golden Ticket’ attacks.
Beyond the breach: Attackers going for complete network takeover
As demonstrated by attacks on Sony Pictures, the U.S. Office of Personnel Management (OPM) and more, once attackers steal privileged accounts they can conduct a hostile takeover of network infrastructure or steal massive amounts of sensitive data, says CyberArk.
These powerful accounts give attackers the same control as the most powerful IT users on any network, the company says.
By being able to masquerade as a legitimate insider, attackers are able to continue to elevate privileges and move laterally throughout a network to exfiltrate valuable data, according to CyberArk.
Respondents of the survey were asked which stage of an attack is the most difficult to mitigate:
- 61% cited privileged account takeover; versus 44% in 2014
- 21% cited malware installation
- 12% cited the reconnaissance phase by the attackers
Respondents were asked what attack vectors represented the greatest security concern:
- 38% cited stolen privileged or administrative accounts
- 27% cited phishing attacks
- 23% cited malware on the network
False confidence in corporate security strategies
CyberArk’s survey highlights that while respondents display public confidence in their CEOs’ and directors’ security strategies, the tactics being employed by organisations can contradict security best practices.
Despite industry research showing that it typically takes organisations an average of 200 days to discover attackers on their networks, a majority of respondents believe they can detect attackers within days or hours.
Respondents also persist in believing that they can keep attackers off the network entirely - despite repeated evidence to the contrary.
- 55% believe they can detect a breach within a matter of days; 25% believe they can detect a breach within hours
- 44% still believe that they can keep attackers off of a targeted network
- 48% believe poor employee security habits are to blame for data breaches; 29% believe attackers are simply too sophisticated
- 57% of respondents were confident in the security strategies set forth by their CEO or board of directors
Organisations fail to recognise dangers of attacks on the inside
Cyber attackers continue to evolve tactics to target, steal and exploit privileged accounts - the keys to successfully gaining access to an organisation’s most sensitive and valuable data.
While many organisations focus heavily on defending against perimeter attacks like phishing, attacks launched from inside an organisation are potentially the most devastating, says CyberArk.
Respondents were asked to rank the type of attacks they were most concerned about:
- Password hijacking (72%)
- Phishing attacks (70%)
- SSH key hijacking (41%)
- Pass-the-Hash attacks (36%)
- Golden Ticket attacks (23%)
- Overpass-the-Hash attacks (18%)
- Silver Ticket attacks (12%)
Overpass-the-Hash, Silver Ticket and Golden Ticket are types of Kerberos attacks, which can enable complete control over a target’s network by taking over the domain controller.
One of the most dangerous is a Golden Ticket attack, which can mean ‘game over’ for an organisation and complete loss of trust in the IT infrastructure, says CyberArk.
“It is no longer acceptable for organisations to presume they can keep attackers off their network,” says John Worrall, CyberArk CMO.
“The most damaging attacks occur when privileged and administrative credentials are stolen, giving the attacker the same level of access as the internal people managing the systems.
“This puts an organisation at the mercy of an attacker’s motivation - be it financial, espionage or causing harm to the business.
“The survey points to increasing awareness of the devastating fallout of privileged account takeover, which we hope will continue to spur a ripple effect in the market as organisations acknowledge they must expand security strategies beyond trying to stop perimeter attacks like phishing," he says.
The findings are part of CyberArk’s 9th Annual Global Advanced Threat Landscape Survey, developed through interviews with 673 IT security and C-level executives.
CyberArk analysed potential discrepancies between damaging cyber security threats and organisations’ confidence in being able to defend themselves.