Credential management is a crucial piece of IT and OT security. Protecting user credentials against attack should be a top priority: compromised accounts are one of the most common methods of attack. When an organization’s password security is weak, its user access practices tend to be weak as well. Once a bad actor establishes a foothold, they can use that access to move laterally and escalate their privileges.
We’re reviewing part of CISA’s Targeted Cyber Intrusion Detection and Mitigation Strategies, looking at the practice of protecting your user credentials and how ConsoleWorks can assist with its identity and password management controls.
What is Credential Management
Credential management is the issuing, managing, monitoring, and revoking of user authentication and authorization, for example multi-factor authentication and authorization tokens issued through role-based access control (RBAC). These controls let system administrators better manage their IT and OT identity store and centralize access to their fleet of devices across the network.
There is a continuous battle against the theft of user credentials. Securing your organization’s identities helps ensure the resiliency and security of its computing infrastructure. We previously highlighted one of the worst ransomware attacks in the US, enabled by the compromised password of an account with no MFA. Those compromised credentials resulted in a $4.4 million payout to the hackers.
How do Hackers Get Passwords
Passwords are easily discovered when appropriate controls are not implemented and monitored. Organizations that have not implemented stronger controls, such as centralized password management, two-factor (2FA) or multi-factor authentication (MFA), or obfuscated credentials, are more prone to identity and credential theft.
Password attack tools, such as rainbow tables, dictionary attacks, and pass-the-hash techniques, are readily available to anyone who browses the internet and are the entry-level effort that bad actors attempt first. These attacks are typically referred to as “brute force password cracking” or “password spraying.” They succeed quickly when passwords are not sufficiently complex or no password management guidelines are in place.
A pass-the-hash attack does not require the plaintext password itself; it exploits weaknesses in the authentication protocol instead. The attacker acquires hashes from the targeted system’s credential storage or by capturing the hash during a user’s session. Once the attacker has the username and its hash value, they can use that information to authenticate without brute forcing the password.
Credential Management Best Practices
Unfortunately, these attacks are common and very successful because many organizations do not implement appropriate risk-mitigation controls. ConsoleWorks focuses on providing strong password and identity management controls to help OT and IT environments meet or exceed CISA’s mitigation techniques.
Proper Permission Management: Establish an appropriate privileged account hierarchy for administrative accounts (e.g., Enterprise Administrator, Domain Administrator, help desk accounts). In a proper hierarchical design, administrative rights and administrative responsibility are inversely proportional to each other. For example, Domain Administrators (one of the most privileged accounts) should only be used to administer the domain controllers, while a help desk account (an account with several task responsibilities) should have few administrative rights. This design approach should also include decisions about which hosts will allow the accounts and the manner in which the administrator accesses the devices. Exceptions to these policies should be handled through the creation of temporary accounts that are removed after completing the intended task, or through the use of designated management machines that are heavily restricted using ACLs (access control lists) and/or IPSec. These approaches make it more difficult for attackers to compromise the Domain Administrator account, Enterprise Administrator account, domain controller, Exchange server, and other high value targets.
- Carefully consider the risks before granting users administrative rights on their own machines. A machine is at greater risk of compromise and credential theft when the user browses the web or reads email as an administrator.
- Restrict the use of SeDebugPrivilege to those users who actually need it. An attacker can use this privilege to perform DLL injection, a technique used by the majority of pass-the-hash tools and by other malware. By default, the entire Administrators group receives this privilege, but it should be restricted further. Create a specific Debug user and assign that account the right to use the privilege via the “run as” command, thereby allowing only temporary privilege escalation.
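To verify the SeDebugPrivilege point on a given host, the following added example (not from this page or from ConsoleWorks) parses a local security policy export of the kind `secedit /export /cfg <path>` writes and flags who holds the privilege; the sample export text, the approved-account SID and the function names are constructed for the example.

```python
import configparser

# Constructed sample of a local security policy export in the INI layout that
# `secedit /export /cfg <file>` writes on Windows (real exports are UTF-16 LE, so
# decode with that encoding when reading one from disk). Entries under
# [Privilege Rights] are comma-separated SIDs with a leading '*';
# S-1-5-32-544 is BUILTIN\Administrators, the default holder of SeDebugPrivilege.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINISTRATORS_SID = "S-1-5-32-544"

def debug_privilege_holders(export_text):
    """Return the SIDs (or account names) granted SeDebugPrivilege in the export."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names case-sensitive, as secedit writes them
    parser.read_string(export_text)
    raw = parser.get("Privilege Rights", "SeDebugPrivilege", fallback="")
    return [entry.strip().lstrip("*") for entry in raw.split(",") if entry.strip()]

def audit_debug_privilege(export_text, approved_debug_sids):
    """Flag every holder outside the approved debug-account list.

    The whole Administrators group is always a finding, matching the guidance above.
    """
    findings = []
    for holder in debug_privilege_holders(export_text):
        if holder == ADMINISTRATORS_SID:
            findings.append(f"{holder}: entire BUILTIN\\Administrators group holds SeDebugPrivilege")
        elif holder not in approved_debug_sids:
            findings.append(f"{holder}: holds SeDebugPrivilege but is not an approved debug account")
    return findings

if __name__ == "__main__":
    # The second SID is a constructed stand-in for the dedicated Debug account.
    for finding in audit_debug_privilege(SAMPLE_EXPORT, {"S-1-5-21-1111-2222-3333-1105"}):
        print("FINDING:", finding)
```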
ConsoleWorks provides a platform for organizations to further protect their endpoints by controlling authentication and authorization within the session as a “man in the middle”, better known as a session broker or proxy. When ConsoleWorks brokers/proxies your device connections, your users never learn the endpoint’s credentials, such as usernames and passwords; the credentials are obfuscated from the user’s view. To further mitigate the risk of compromised passwords, ConsoleWorks can automate password changes at a frequency defined by the organization.
As a detective measure, ConsoleWorks captures and records all activity in a user’s session, so it can detect and alert on pass-the-hash or brute force style attacks.
ConsoleWorks also provides Command Control and Conditional Access. Command Control is a mechanism that limits a user’s access and privileges to a set of predefined “commands” they may execute. Conditional Access assigns “threat profiles” to the organization’s user identities/credentials.
These threat profiles are determined by the actions a user takes on your network, compared against a predetermined risk scoring methodology. If the user begins changing passwords, opening ports, or triggering other threat indicators, their threat counter rises, and actions can be configured to proactively terminate the connection, request permission through a workflow, or alert you immediately.
ConsoleWorks is designed around providing solutions that meet the Zero Trust framework. Enforcing least-privilege controls through role-based conditional access gives your organization a secure access control solution. These controls ensure that a user gains access to your network but has no insight, visibility or privilege to execute commands on any device within it unless explicitly authorized.
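As an added illustration of the command control and threat profile mechanism described above (this is example code, not ConsoleWorks’ own implementation), the following scorer runs a constructed session transcript through a command allow-list and a cumulative risk score; the command set, indicator weights and thresholds are assumptions chosen for the example.

```python
import re
from collections import namedtuple

# Constructed session transcript (not real ConsoleWorks output): one command per line,
# in the order a session broker would observe them.
SESSION = [
    "show interfaces",
    "show running-config",
    "net user svc_backup P@ssw0rd!",
    "netsh advfirewall firewall add rule name=tmp dir=in action=allow protocol=TCP localport=4444",
    "show ip route",
    "net user Administrator NewPass123",
]

# Command Control: the only command prefixes this role is explicitly authorized to run.
ALLOWED_PREFIXES = ("show ",)

# Threat indicators named in the text, with assumed weights; the scoring scheme is illustrative.
THREAT_INDICATORS = [
    (re.compile(r"^net user \S+ \S+"), 3, "password change"),
    (re.compile(r"add rule .*action=allow", re.I), 4, "firewall port opened"),
]

# Cumulative-score thresholds mapped to the three responses described above (highest first).
RESPONSES = [(8, "terminate"), (5, "require-approval"), (3, "alert")]

Decision = namedtuple("Decision", "command verdict score response")

def evaluate_session(commands, allowed=ALLOWED_PREFIXES, indicators=THREAT_INDICATORS):
    """Apply command control and threat scoring; return one Decision per command seen."""
    score = 0
    decisions = []
    for cmd in commands:
        # Command Control: anything outside the authorized set is blocked at the broker.
        verdict = "permit" if cmd.startswith(allowed) else "block"
        # Attempts count toward the threat profile even when the command was blocked.
        score += sum(weight for pattern, weight, _ in indicators if pattern.search(cmd))
        response = next((name for threshold, name in RESPONSES if score >= threshold), "none")
        decisions.append(Decision(cmd, verdict, score, response))
        if response == "terminate":
            break  # connection dropped; later commands never reach the endpoint
    return decisions

if __name__ == "__main__":
    for d in evaluate_session(SESSION):
        print(f"{d.verdict:6} score={d.score:2} response={d.response:16} {d.command}")
```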
Network/System Design and Policies: Apply the principle of Internet, DMZ, and intranet zones throughout the network to isolate different trust sectors. A workstation rarely needs to talk to another workstation, or to all the servers. Use infrastructure devices and software to create security zones that group users who need to communicate with each other. This helps to slow or prevent an intruder’s lateral network movement. Use host-based firewalls to restrict incoming connections as another method for impeding unneeded inter-host communication.
- Exercise caution when using a common baseline image to load company workstations if the machine contains active local user accounts, because all images will share the same password. This is especially risky if the owner has not disabled the local administrator accounts. An attacker could use those common credentials to quickly compromise all the machines loaded with this image. For that reason, IT administrators should consider disabling or removing local machine accounts, or at least ensure that local accounts across the network have unique passwords.
- Require that all machines be rebooted immediately after being used by a privileged user. The reboot process clears the user’s credentials from memory, a common target of pass-the-hash tools.
- ICS-CERT also recommends that organizations move away from using LAN Manager (LM) hashes, where possible. LM hashes are inherently weak and can be broken relatively quickly, which allows an adversary to use the actual password instead of relying on a pass-the-hash attack. Not all companies will be able to make this switch because some legacy systems are incompatible. However, system administrators should make every effort to migrate away from those systems to increase their network-wide security posture.
- Organizations should consider moving to a multi-factor authentication system (e.g., smart cards) or at least ensure users choose complex passwords that change regularly.
OT has its own password-specific challenges. Passwords on these assets can be limited, sometimes to as few as four characters, alphabetical or numerical only. This leaves these assets especially vulnerable in today’s environment.
ConsoleWorks acts as a shield for your assets and the users who need access to them. This is especially important in an organization or industry with ICS equipment in an OT environment. ICS equipment typically has limited credential management (default user credentials, minimal password controls, no MFA). ConsoleWorks provides an organization with this type of OT environment the appropriate risk-mitigating controls to make up for the shortcomings of these ICS or IIoT devices.
Protect Your Users and Their Credentials
Credential management is a critical element of your cybersecurity to get right. That is why we have built two maturity models to guide you on the path to a mature implementation.
- Our Password Management Maturity Model details the levels of password maturity, design considerations and technologies leveraged to attain robust password security.
- Our Secure Remote Access/Access Control Maturity Model helps with design considerations and traits that enable least-privileged access.
Strong PWM and SRA maturity levels will heighten your defenses against the types of attacks we reviewed today. To learn more about strengthening your cybersecurity maturity, keep an eye on our updates page as we review more of CISA’s intrusion detection and mitigation strategies.