Reconsider Best Securing Admins First

I frequently hear CISOs and security admins talk about securing system administrators first and best. For example, if they are trying or buying multifactor authentication for the first time, they will deploy it to the system administrators first. The thinking is that system administrator accounts are highly privileged and valuable, and if compromised will more easily lead to the keys to the kingdom. Plus, they are great first customers for anything new. They know how to troubleshoot and already know everyone in IT involved with the project. It’s win-win.

But here’s why you shouldn’t always secure the system admins first and best.

It’s because the vast majority of successful attacks that lead to full system compromises begin at regular workstations and users. The users might even be admin on a particular system (e.g., Salesforce, accounting, etc.), but their compromise was most likely accidental…the attacker just happened to compromise them first. It’s just a numbers game.

Seventy to ninety percent of all successful breaches happen because of social engineering, and social engineering works equally well on all types of users. In my employer’s (KnowBe4) simulated phishing tests, we don’t see admins being less “phish prone” than regular users. Anyone can be phished.

We know that target-specific spear phishing is involved in 66% of successful breaches (https://blog.knowbe4.com/wake-up-call-its-time-to-focus-more-on-preventing-spear-phishing). These spear phishing messages can be directed at system administrators, but are more likely pushed to people in accounts payable, the help desk, C-level officers, or tech support. None of those jobs are sysadmin types. And when phishers aren’t attacking particular job titles in your organization, they are just trying to compromise anyone in your org. It’s just a numbers game, and they can use anyone’s device as a stepping stone into the organization.

That’s the reason why most social engineering attacks are flooded out across the entire user base, because it’s a pure numbers game, where the attack just hopes anyone goes for the bait. Often someone does. And from any user being compromised to getting all the passwords to your environment doesn’t take too long.

A common hacker ploy is to get their initial access on anyone’s device. From there, they elevate themselves from the regular user’s security context to local Administrator (on Windows) or root (on Linux or Apple). From there, they look for system-wide passwords. On a Microsoft Windows box, they will usually look for system-wide, highly privileged accounts being used to run local services (very common) and dump those password hashes. Or they can do a Kerberos dump: grab all the highly privileged accounts that have Kerberos Service Principal Names (SPNs), then dump those password hashes and crack them.

Sentinel One has a great summary of Kerberoasting attacks: https://www.sentinelone.com/cybersecurity-101/what-is-kerberoasting-attack/.

From there, the attacker can use the newly obtained highly privileged account credentials to go get all the other gold on the network. First, they will usually dump and crack the password hashes of all the user accounts, including all the highly privileged accounts, like Domain Admins and Forest Admins. From there, they can take over whatever data and applications they want.
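As an added defensive illustration (not part of the original article), here is one way to spot the Kerberoasting step described above from Windows Security event 4769 (Kerberos service ticket requested) data: one account asking for RC4-encrypted service tickets for many different SPN-bearing service accounts in a short window. The sample events, account and service names are constructed, and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4769 records. Tuple order:
# timestamp, TargetUserName, ServiceName, TicketEncryptionType.
# All names are invented; none come from a real environment.
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "alice@CORP.LOCAL", "WS01$",          "0x12"),
    ("2024-05-01T09:00:04", "alice@CORP.LOCAL", "svc_sql",        "0x12"),
    ("2024-05-01T09:01:10", "bob@CORP.LOCAL",   "svc_sql",        "0x17"),
    ("2024-05-01T09:01:11", "bob@CORP.LOCAL",   "svc_web",        "0x17"),
    ("2024-05-01T09:01:11", "bob@CORP.LOCAL",   "svc_backup",     "0x17"),
    ("2024-05-01T09:01:12", "bob@CORP.LOCAL",   "svc_sharepoint", "0x17"),
    ("2024-05-01T09:01:12", "bob@CORP.LOCAL",   "FS02$",          "0x17"),
    ("2024-05-01T09:30:00", "carol@CORP.LOCAL", "svc_legacyapp",  "0x17"),
    ("2024-05-01T09:30:05", "carol@CORP.LOCAL", "krbtgt",         "0x12"),
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (legacy, crackable offline)


def is_user_service(service_name):
    """True for service accounts that can carry an SPN and a human-chosen
    password. Computer accounts ($) and krbtgt are excluded: their keys are
    long and random, so a stolen ticket for them is not worth cracking."""
    return not service_name.endswith("$") and not service_name.lower().startswith("krbtgt")


def find_kerberoast_candidates(events, min_services=3, window=timedelta(minutes=5)):
    """Return {account: sorted services} for every account that requested RC4
    service tickets for at least min_services distinct user service accounts
    inside one time window. Ordinary users rarely do this; a tool requesting
    a ticket for every SPN in the domain looks exactly like it."""
    by_user = defaultdict(list)
    for ts, user, service, enc_type in events:
        if enc_type.lower() != RC4_HMAC or not is_user_service(service):
            continue
        by_user[user].append((datetime.fromisoformat(ts), service))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for account, services in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

A legacy application that still negotiates RC4 will trigger this rule on its own service account, so baseline which accounts legitimately request RC4 tickets before alerting on it.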

On Apple and Linux computers, they usually install password keyloggers and start looking for vulnerable drive shares. The average hacker goes from compromising a single regular end-user’s workstation to taking over the whole network in a few hours. It’s not hard. There are really good tools and scripts to make the whole process fairly easy. You don’t have to be an uber hacker. Kids can do it, and they do.

An attacker compromising a highly privileged system admin account makes only the first few steps of the long process easier. But getting from a regular end-user security context to a highly-privileged context usually only takes a few minutes…maybe a few hours at most. It isn’t the huge security defense that we all make it out to be. It’s still good to keep the bad guys away from your admin accounts. It does make their life more difficult, and anything you can do to make them work harder is a mitigation worth having.

But when I see or hear CISOs and security people moving to first protect…or possibly only protect the sys admins of their network, I want to give them a little advice.

You’ll probably get more bang for your buck by protecting your regular end users first.

Why? Because it’s a numbers game most of the time. And you have far more end-users than system administrators to worry about.

It’s best if you protect everyone, equally, from the start. But if you have to do it in phases, if it were me, I’d start securing my regular end-users first. They are the bulk of your problem, simply because of their numbers.

That’s my advice for today.

Jason Felt, CISSP

ISTEM Cybersecurity Teacher | CyberPatriot Coach | CISSP | CSAE | CIOS | CSIS | MOS Expert | Eagle Scout | Trekker

1 year

I never thought of it that way but that makes a lot of sense! Thank you for this.

Eric B.

Cloud Security Architect at Long View Systems | CISSP | CCSP

1 year

Interesting perspective, Roger. Thanks for sharing.

Loren Kohnfelder

Author of Designing Secure Software: A guide for developers

1 year

"You’ll probably get more bang for your buck by protecting your regular end users first." ... but assuming admins are a tiny fraction of the whole, why exclude them from the first deployment? Alternatively, if "admins first" means "everyone else within a few weeks" then no problem, right? My 2 cents: "Never delay rolling out phishing-resistant MFA to all."
