#RSAC
From Strategy to Tactics: Targeting and Protecting Privileged Accounts
Session ID: GPS1-F01
Lavi Lazarovitz, Security Researcher, CyberArk (@LaviLazarovitz)

Squirrels Vs. Hackers
https://www.washingtonpost.com/news/the-switch/wp/2016/01/12/are-squirrels-a-bigger-threat-to-the-power-grid-than-hackers/

Cyber Squirrels
http://www.bayd.info/pictures-5412-squirrel_hacker.html

Perimeter Compromise
1. Spear-phishing
2. Endpoints infected
3. Attackers gain access
4. Reconnaissance

Lateral Movement

The Reality
Outside: Attackers cut power
Inside: Operators could not interfere

The Role of Privileged Accounts
1. Initial foothold
2. IT to OT
3. Shut down power

The End (Of The Heist)

SWIFT System
SWIFTNet
6.1+ billion FIN messages
99.999% SWIFTNet availability
99.999% FIN availability
11,000+ institutions connected to SWIFT
200+ countries & territories connected

The Compromised Path
Perimeter -> IT network -> SWIFT-connected systems
RTGS
SNL
32 compromised machines

The Execution
SWIFT-connected systems
SWIFTNet
US FED
SWIFT systems
SNL, SNL

The Role of Privileged Accounts
1. Initial foothold
2. IT to SWIFT
3. Execute orders

The Strategy
“With regard to narrow passes, if you can occupy them first, let them be strongly garrisoned and await the advent of the enemy.”
Sun Tzu

DEMO

Highly Threatening Accounts
The Root Cause

Network Risk Benchmark
10%        50%        100%
Low        Medium     High

Those Are Our Networks
17%   44%   39%
Low risk: <10%
Medium risk: 10-50%
High risk: >50%

Narrowing The Pass #1
Domain accounts / Local accounts
One-time passwords
Zoning credentials

Narrowing The Pass #2 - Passwords
Eliminate common passwords
Introducing Easy-Peasy
https://github.com/CyberArkLabs/EasyPeasy

Narrowing The Pass #3 – Service Accounts
Privileged Service Accounts are found across:
WiFi Routers, Smart TVs
Routers, Firewalls, Hypervisors, Databases, Applications
Routers, Firewalls, Servers, Databases, Applications
Laptops, Tablets, Smartphones
Power Plants, Factory Floors
Compromised Privileged Service Accounts reach the same places.
Crackable service accounts: Introducing Risky-SPNs
https://github.com/CyberArkLabs/RiskySPN
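An added defender-side audit in the spirit of the slide above (example code, not RiskySPN's or CyberArk's own): it lists enabled user accounts that carry a Service Principal Name, which makes their Kerberos service tickets obtainable by any domain user and crackable offline, and scores each by password age, privileged-group membership and whether RC4 tickets are still allowed. It assumes the RSAT ActiveDirectory module with read access to the domain; the 180-day threshold and the privileged-group list are assumptions to adjust per environment.

```powershell
# Added defensive audit, not RiskySPN's own code. Assumes the RSAT ActiveDirectory
# module and read access to the domain. Lists enabled user accounts that carry an
# SPN (their service tickets are obtainable by any domain user and crackable offline)
# and scores each by password age, privileged-group membership and RC4 exposure.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 180                                                        # assumed threshold
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumed list

# msDS-SupportedEncryptionTypes bits: 0x04 = RC4-HMAC, 0x08 = AES128, 0x10 = AES256
$RC4 = 0x04; $AES = 0x18

$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, MemberOf, Enabled, 'msDS-SupportedEncryptionTypes'

$report = foreach ($u in $spnUsers) {
    if (-not $u.Enabled) { continue }

    # -1 marks a password that was never set (or must change at next logon); treated as stale
    $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { -1 }
    $groups  = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $isPriv  = [bool]($groups | Where-Object { $PrivilegedGroups -contains $_ })

    # An unset attribute means the DC default, which still issues RC4 tickets
    $enc     = [int]$u.'msDS-SupportedEncryptionTypes'
    $aesOnly = (($enc -band $AES) -ne 0) -and (($enc -band $RC4) -eq 0)

    # Each finding adds a point; privileged membership weighs double
    $score = 0
    if ($isPriv)                                              { $score += 2 }
    if ($ageDays -lt 0 -or $ageDays -gt $MaxPasswordAgeDays)  { $score += 1 }
    if (-not $aesOnly)                                        { $score += 1 }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        SPNCount        = @($u.ServicePrincipalName).Count
        PasswordAgeDays = $ageDays
        Privileged      = $isPriv
        AESOnly         = $aesOnly
        RiskScore       = $score
    }
}

# Highest-risk accounts first: privileged, stale password, RC4 still enabled
$report | Sort-Object RiskScore, PasswordAgeDays -Descending | Format-Table -AutoSize
```

Accounts that score high are the candidates for a managed (rotated) credential, a group managed service account, or removal from the privileged groups listed.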

Strategy to Tactics
Respond: Respond live to malicious activity
Protect: Secure and manage privileged credentials
Monitor: Monitor privileged accounts usage

Strategy to Tactics
Privileged Accounts: Narrow the passes, monitor and respond

Q&A