Zero Trust: How Just-in-Time Access Helps Mitigate the Risk of Zero-Day Attacks
Traditional IT security models focused on one thing: keeping the bad guys out of the network. Anyone inside the network was physically in the corporate office and logged on to a machine set up and managed by the IT team, so they were trusted implicitly.
That model no longer works. Today’s world of cloud resources, remote workers and user-owned devices has blurred — if not entirely erased — the notion of a network perimeter that could be defended. Moreover, security experts are more acutely aware of the reality of zero-day attacks in which hackers exploit newly discovered software vulnerabilities.
For example, the ransomware gang Clop recently exploited a zero-day vulnerability in MOVEit Transfer, a file transfer tool from Ipswitch, to steal sensitive data from many organizations, and is now extorting ransom from them in exchange for not leaking that information. According to the CISA security advisory, one mitigation tactic is strict control over accounts with administrative privileges, including implementation of just-in-time (JIT) access.
Indeed, implementing JIT access as part of a Zero Trust model can help organizations achieve the control they need over accounts with administrative privileges to block many zero-day attacks. This article will help you better understand why JIT access is emerging as a game-changer in strengthening our defenses against cyber threats.
What is Zero Trust?
Zero Trust is a security model based on a simple premise: “Never trust, always verify.” Zero Trust requires that no user, device or application should be trusted implicitly. Instead, every access request, whether from inside or outside the network, should be carefully assessed.
What is just-in-time access?
In a typical organization, IT pros have special administrative accounts that grant them elevated privileges to sensitive systems and data. These accounts exist all the time, whether they are being used or not. These accounts are a top target of attacks because an adversary who compromises one of them is well on their way to accomplishing their objectives, whether that’s to steal data, bring down vital systems or do other damage. Moreover, the account owners themselves can misuse their accounts, either accidentally or maliciously.
To reduce these risks, organizations can replace risky standing privileged accounts with just-in-time access. Here’s how it works: A user needs more access than they currently have to accomplish a particular task. The most common example is an IT pro who needs to perform an administrative task, such as installing patches or changing a system configuration. But it might also be a business user who has been assigned to cover for a colleague and needs temporary access to additional data or applications to complete that task.
The user requests the access they need. If the request is approved, they are provided with an ephemeral account that grants exactly the permissions they need, and that account is deleted immediately after they complete the task.
Notice that the user is never given a standing administrative account that they could misuse or that could be compromised by an adversary. Nor are they given more access than they need, which limits the risk that they can cause damage either deliberately or by mistake.
What are the benefits of JIT access as part of a Zero Trust approach?
As we have seen, just-in-time access supports a Zero Trust security model by reducing privileged access. It offers all of the following benefits:
· Reduced attack surface: JIT access reduces the organization’s attack surface by replacing standing privileged accounts with temporary, least-privileged access granted through a defined approval workflow. Adversaries find it much harder to accomplish privilege escalation and lateral movement, reducing the risk of security breaches.
· Compliance and auditability: JIT access helps organizations meet compliance requirements by enabling them to limit privileged access and enforce separation of duties and the principle of least privilege. Moreover, comprehensive JIT access solutions provide auditing of privileged activity: Auditors can review access logs and verify that access was granted based on legitimate business needs.
· Operational efficiency: By automating the process for requesting, approving and granting JIT access, organizations can improve security and compliance without hurting productivity. A quality JIT solution empowers users to access the resources they need when they need them, without excessive hurdles or delays.
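To make the request, approve, ephemeral-grant and revoke cycle described above concrete, together with the audit trail that the compliance benefit depends on, here is an added Python sketch of a minimal JIT access broker. It is illustrative code written for this article, not Netwrix Privilege Secure or any product's API, and the user names, permission strings and change ticket ids in the demo are constructed. The broker issues a grant scoped to exactly the permissions requested, caps its lifetime, re-checks owner, scope, expiry and revocation on every use, refuses self-approval (separation of duties), and writes every step to an append-only log that an auditor can join back to the business justification.

```python
import time
import uuid
from dataclasses import dataclass

@dataclass
class AccessRequest:
    request_id: str
    user: str
    permissions: frozenset
    justification: str
    approved: bool = False

@dataclass
class Grant:
    grant_id: str
    request: AccessRequest
    approver: str
    expires_at: float
    revoked: bool = False

class JitBroker:
    """Request -> approve -> ephemeral, exactly-scoped, expiring grant -> revoke, all audited.
    Illustrative design for this article, not a product API."""

    def __init__(self, approvers, max_ttl=3600, clock=time.time):
        self.approvers = set(approvers)
        self.max_ttl = max_ttl          # hard cap: no approval can yield long-lived access
        self.clock = clock              # injectable so expiry can be tested deterministically
        self.requests, self.grants, self.audit = {}, {}, []

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    def request_access(self, user, permissions, justification):
        if not justification.strip():
            raise ValueError("a business justification is required")
        req = AccessRequest(uuid.uuid4().hex, user, frozenset(permissions), justification)
        self.requests[req.request_id] = req
        self._log("request", request_id=req.request_id, user=user,
                  permissions=sorted(req.permissions), justification=justification)
        return req.request_id

    def approve(self, request_id, approver, ttl_seconds):
        req = self.requests[request_id]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an authorised approver")
        if approver == req.user:
            raise PermissionError("separation of duties: a requester cannot self-approve")
        ttl = min(ttl_seconds, self.max_ttl)
        req.approved = True
        grant = Grant(uuid.uuid4().hex, req, approver, self.clock() + ttl)
        self.grants[grant.grant_id] = grant
        self._log("approve", request_id=request_id, grant_id=grant.grant_id,
                  approver=approver, ttl=ttl)
        return grant.grant_id

    def is_allowed(self, grant_id, user, permission):
        """Every use of privilege is re-checked: owner, scope, expiry and revocation."""
        g = self.grants.get(grant_id)
        allowed = (g is not None and not g.revoked and g.request.user == user
                   and permission in g.request.permissions and self.clock() < g.expires_at)
        self._log("access", grant_id=grant_id, user=user, permission=permission, allowed=allowed)
        return allowed

    def revoke(self, grant_id, reason):
        """Task finished (or incident declared): tear the ephemeral grant down at once."""
        self.grants[grant_id].revoked = True
        self._log("revoke", grant_id=grant_id, reason=reason)

    def access_report(self):
        """For auditors: each permitted access joined to the justification and approver behind it."""
        return [{"ts": e["ts"], "user": e["user"], "permission": e["permission"],
                 "justification": self.grants[e["grant_id"]].request.justification,
                 "approver": self.grants[e["grant_id"]].approver}
                for e in self.audit if e["event"] == "access" and e["allowed"]]

def run_demo():
    """Constructed scenario with a fake clock; names, permissions and ticket ids are made up."""
    now = [1_700_000_000.0]                      # mutable fake clock the demo can fast-forward
    broker = JitBroker(approvers={"alice", "bob"}, max_ttl=1800, clock=lambda: now[0])
    req = broker.request_access("bob", {"server:patch"}, "Patch web tier, change CHG-1234")
    try:
        broker.approve(req, "bob", 900)          # bob is an approver, but not for his own request
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    grant = broker.approve(req, "alice", 900)
    in_scope = broker.is_allowed(grant, "bob", "server:patch")      # exactly what was approved
    out_of_scope = broker.is_allowed(grant, "bob", "db:export")     # never requested
    now[0] += 901
    after_expiry = broker.is_allowed(grant, "bob", "server:patch")  # grant has lapsed
    # Second task finishes early, so the grant is torn down rather than left to expire.
    grant2 = broker.approve(broker.request_access("bob", {"config:write"}, "Rotate cert, CHG-1235"),
                            "alice", 900)
    broker.revoke(grant2, "task complete")
    after_revoke = broker.is_allowed(grant2, "bob", "config:write")
    return {"self_approval_blocked": self_approval_blocked, "in_scope": in_scope,
            "out_of_scope": out_of_scope, "after_expiry": after_expiry,
            "after_revoke": after_revoke, "report": broker.access_report(),
            "events": [e["event"] for e in broker.audit]}
```

Calling `run_demo()` walks through both failure modes a real broker must handle: access outside the requested scope and access after the grant has expired or been revoked are denied, and the denial itself is logged, so the audit trail shows attempts as well as successes. The `access_report()` output is the view an auditor wants: who used which permission, when, on whose approval and for what stated reason.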
How can Netwrix help organizations adopt JIT?
With Netwrix Privilege Secure, you can replace your risky standing privileged accounts with ephemeral accounts that provide just enough access for the task at hand. With this solution, you can:
· Get dynamic and continuous visibility into all privileged accounts across all endpoints.
· Replace risky privileged accounts with just-in-time privileged access — without hurting administrator productivity.
· Get a single control point for all just-in-time access, with the option to require multifactor authentication (MFA).
· Monitor and record privileged user sessions to enable investigations, satisfy auditors and ensure accountability.
· Visualize, analyze and manage your attack surface with dashboards tailored to executives and IT pros.
Once an adversary has used a zero-day vulnerability or another method to gain a foothold in your network, they use various lateral movement and privilege escalation techniques to achieve their goals. To learn how you can block, detect and mitigate common techniques, read the following articles in our attack catalog: Pass the Hash Attack, Pass the Ticket Attack and Golden Ticket Attack.
Watch an epic cyber battle between white-hat hacker Brian Johnson and Netwrix’s own PAM expert Martin Cannard. We’ll all get to see in real time how well Netwrix Privilege Secure defends against multiple attacks, including:
· Abusing local admin access (commonly granted to far too many users!) to dump cleartext credentials from memory
· Establishing backdoor access by creating a new local admin
· Moving laterally from one compromised system to gain local admin rights everywhere
· Abusing wide-open RDP access to remote into a system with admin access and then dump out a copy of the AD database or exfiltrate other sensitive content
· Using Pass the Hash to authenticate via RDP
· Performing a ticket-stealing attack
· Using a password spraying attack to discover accounts that haven’t been logged into in a long time and might well have weak passwords
Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity and infrastructure.
For more information, visit www.netwrix.com.