Illusive Blog, June 15, 2022

How to Turbo-Charge Your Privileged Access Management (PAM) Deployment

By Mark Jaffe

Protecting privileged accounts has become more important than ever. Cyber adversaries of all types have adapted their techniques to make privileged accounts their top attack vector – and it’s working! Much of the increase in cyberattacks in recent years has been enabled by tools and techniques that exploit privileged accounts, which let attackers move quickly and quietly through a victim’s environment without being detected. Recent research from Enterprise Strategy Group confirms this, revealing that the theft of credentials from system memory has become the most commonly used attacker technique for compromising identities.

Given how widely available and effective PAM solutions are at protecting privileged accounts from exploitation, and given their important role in regulatory and corporate compliance, PAM system effectiveness has never been more important:

  • For organizations that haven’t deployed a PAM solution: NOW is the time to do so!
  • For organizations that have already deployed a PAM solution: NOW is the time to assess, validate and optimize its effectiveness by continuously discovering privileged accounts that regularly go unenrolled in PAM.

Continuous Discovery Is a Dependency for PAM Effectiveness

“You can only protect what you can see” is a phrase we’ve commonly used in cybersecurity. Unfortunately, given the current state of widely available attack tools and techniques, attackers are now better able to find and exploit privileged credentials than enterprise security teams are able to discover and protect them with a PAM solution.

For example, best practices suggest that local admin accounts should be enrolled in a PAM solution. Unfortunately, every organization has a proliferation of unmanaged accounts and forgotten local admins because it lacks continuous visibility into their existence. Happy days for attackers. Rough days for cybersecurity teams!

In fact, earlier this year our research revealed that 87% of local admin accounts are not enrolled in a PAM solution. In one instance, during the analysis of a financial services organization, Illusive discovered that more than 55% of local admin accounts were not enrolled in Microsoft’s Local Administrator Password Solution (LAPS) – a failing grade! Attackers leverage these accounts to disable endpoint security controls and install their tools, often to help them gain access to privileged domain accounts.

The speed of change in IT can also result in unmanaged accounts. Best practices for PAM enrollment tend to get overlooked or skipped. As a former IT administrator, I’ll admit that I have created privileged accounts in the past without enrolling them in PAM. We can probably all appreciate the scenario where a system performance issue causes an urgent requirement for a system change that is most quickly resolved via the creation of a temporary privileged account, which gets used and then forgotten about in the quick dash to resolve the issue. IT and security teams are only human, after all, and are being stretched to do more and more every day.

Maybe you raised an eyebrow when I described these risks around privileged accounts as vulnerabilities. Although our industry tends to use the term vulnerability to describe code-based exploits, the ability of attackers to exploit privileged accounts to move laterally without detection also qualifies as a vulnerability. Simply run one of the few modern tools that attackers use to scan endpoints, such as those described in “View From The Attacker: The Tools,” and you’ll quickly appreciate the importance of remediating identity vulnerabilities, which are easily exploited by attackers.

Accelerate PAM Discovery with Automation

PAM solutions work extremely well in thwarting attacks on accounts they manage, but they obviously do nothing for privileged accounts that are unknown to the teams deploying PAM. Unfortunately, most PAM discovery tools are limited to static snapshots of identity directory structures and quickly become outdated – even before deployment! They also often overlook privileged accounts on endpoints, and provide little, if any, insight into how and from where privileged accounts have historically been used so that PAM deployment teams can understand the impact of vaulting an account’s credentials.

Now that attackers have automated tooling to discover vulnerable privileged accounts, the key to success (pun fully intended) for cybersecurity and identity teams is to match their automation in discovery. By automatically and continuously discovering a complete manifest of privileged accounts, a PAM solution can protect these critical accounts BEFORE ATTACKERS attempt to exploit them.

For those who have tried, the comprehensive discovery of privileged accounts across an environment has proven to be a significant and intractable challenge. I’ve heard this from security teams and CISOs on numerous occasions. I remember hearing a respected security professional share “Discovery is an absolute pain in the ass. It has been mostly manual.” I’ve also heard from IAM and security teams that “thousands of privileged accounts are meant to be vaulted, but people just plain forget. Even worse, crafty admins will find ways to circumvent PAM, which creates big gaps.”

The lack of automation to enable this discovery for PAM has been the cause of a lot of extra work and headache for PAM deployment teams, who have been forced to conduct manual discovery through numerous cross-functional team discussions, scripts, logging tools, spreadsheets and aspirin. And unfortunately, it only adds insult to injury knowing that the data becomes almost immediately out of date after it’s collected. Argh!

Know the Unknown to Unlock PAM’s Full Potential

The creation of unmanaged privileged accounts for even a short period of time creates great risk for any organization; therefore, discovery must be continuous – especially given the fast pace of change to identities and systems in most organizations.

But beyond continuous discovery, it also needs to be comprehensive. That is because there is a raft of identity risks and management challenges that can only be solved through enhanced visibility:

  • Cached Credentials – Privileged accounts and credentials frequently get stored in endpoint and server system memory – where attackers easily steal them. This also includes credentials held by endpoint applications, such as FTP clients like FileZilla and web browsers, as well as RDP and VPN sessions that haven’t been properly closed – it’s like leaving the key to your business under the door mat. To reiterate a previous point, the theft of credentials from system memory has become the most commonly used attacker technique for compromising identities.
  • Shadow Admins – We’ve written in-depth about shadow admins, which are essentially user accounts that are privileged outside of best practices, and aren’t easily visible to IT or security teams. Shadow admin accounts remain unmanaged by PAM solutions because the IT organization is usually not even aware that they exist. Visibility into the accounts can help to enroll them into PAM or to change their privileges so that they don’t need to be managed.
  • Context and Insight – IT admins need to know HOW and WHERE privileged accounts are used so that they can assess the impact that enrolling any given privileged account into PAM could have on the integrity of any other systems or applications.
  • Prioritization – Finally (although really this comes first), comprehensive discovery can help PAM teams focus on the most vulnerable privileged accounts – those that aren’t already enrolled in PAM – which can be a huge time saver when dealing with thousands of accounts.

On the flip side of the coin, enhancing PAM with continuous and automated discovery also enables better management of other identity controls and processes:

  • MFA – Continuous identity vulnerability discovery can optimize MFA deployments by identifying privileged accounts that are not enrolled in MFA.
  • Password Management – According to Illusive research, 21% of admins use default account names and 62% of passwords have not been changed in more than a year. These sorts of misconfigurations occur frequently because organizations lack visibility into these policy violations, which are as easy to fix as forcing regular password resets.
  • Misconfigured Account Policies – Admins can introduce risk when they log into service accounts that were only intended for non-human use. By their nature, the credentials of these accounts rarely change – not even for years. Visibility can illuminate these risks (and the likely policy violations behind them), and the fix is simple: set the account so that it cannot be used for interactive login. Without visibility, though, that policy cannot even be applied.
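
As an added illustration (my own example, not Illusive’s code or the logic of any Illusive product), the PowerShell pass below reports several of the gaps named in the two lists above in a form that can be scheduled and diffed run to run: hosts whose local admin account is not enrolled in LAPS, enabled local accounts sitting in a host’s Administrators group, privileged domain accounts whose password has not changed in more than a year, and service accounts that nothing restricts from interactive logon. It assumes the ActiveDirectory module, legacy Microsoft LAPS (the ms-Mcs-AdmPwdExpirationTime schema attribute), WinRM access to member hosts, and a hypothetical svc-* naming convention for service accounts; LogonWorkstations is used as one example of a control that limits where an account can log on interactively.

```powershell
# Added example, not Illusive's code. Assumes: ActiveDirectory module, legacy
# Microsoft LAPS (schema attribute ms-Mcs-AdmPwdExpirationTime), WinRM to member
# hosts, and a hypothetical 'svc-*' naming convention for service accounts.
Import-Module ActiveDirectory

$Cutoff   = (Get-Date).AddDays(-365)   # "not changed in more than a year"
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Type, $Subject, $Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Subject = $Subject; Detail = $Detail })
}

# 1. Local admin accounts not enrolled in LAPS. Legacy LAPS stamps an expiration
#    time on the computer object once it manages the password; an enabled host
#    without that attribute still has an unmanaged local Administrator.
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties 'ms-Mcs-AdmPwdExpirationTime'
$Computers | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
    ForEach-Object { Add-Finding 'LocalAdminNotInLAPS' $_.Name 'no ms-Mcs-AdmPwdExpirationTime' }

# 2. Enabled local accounts sitting in each host's Administrators group:
#    the forgotten "temporary" admins described above.
Invoke-Command -ComputerName $Computers.Name -ErrorAction SilentlyContinue -ScriptBlock {
    $Enabled = (Get-LocalUser | Where-Object Enabled).Name
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.Name.Split('\')[-1] -in $Enabled }
} | ForEach-Object { Add-Finding 'EnabledLocalAdmin' $_.PSComputerName $_.Name }

# 3. Privileged domain accounts whose password predates the cutoff, and service
#    accounts with nothing restricting where they may log on interactively
#    (LogonWorkstations is one such control; deny-logon user rights are another).
$Privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName -Unique

Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LogonWorkstations |
    ForEach-Object {
        if ($_.SamAccountName -in $Privileged -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff) {
            Add-Finding 'StalePrivilegedPassword' $_.SamAccountName "last set $($_.PasswordLastSet)"
        }
        if ($_.SamAccountName -like 'svc-*' -and -not $_.LogonWorkstations) {
            Add-Finding 'ServiceAccountInteractiveLogon' $_.SamAccountName 'no LogonWorkstations restriction'
        }
    }

# Run on a schedule and diff against the previous report: discovery only
# helps PAM enrollment when it is continuous.
$Findings | Sort-Object Type, Subject |
    Export-Csv -NoTypeInformation -Path ".\pam-gaps-$(Get-Date -Format yyyyMMdd).csv"
```

Each finding type maps to a remediation already named above: enroll the host in LAPS, remove or vault the local account, force a password reset, or restrict the service account’s logon.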

Plan Your Work to Make Your PAM Work for You

As an important and valuable security and compliance control, PAM is only as effective as the comprehensiveness of its deployment. Continuous, comprehensive visibility into privileged accounts, and where they’re used, has been virtually impossible in the past. No longer! Check out Illusive Spotlight™ to turn on the lights to privileged identities and the security and compliance risks they pose in your environment, and turbo-charge your PAM deployment. Get started quickly with a complimentary identity risk assessment.