Specialty Podcast: Privileged Access Management Tools (PAM) in CyberSecurity

Intro (00:00):

You're listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Bobby Horn (00:09):

Welcome to another episode of the Alliant Specialty Podcast. My name is Bobby Horn, I'm the co-leader in the cyber division of the Alliant Management Professional Solutions Group. With me today is George Glass and Keith Wojcieszek from Kroll. George Glass leads the applied intelligence team that manages the MDR platform. He's going to be providing us with some detailed information on the importance of privileged access management tools. George, Keith, nice to have you.

Keith Wojciezek (00:33):

Hey, nice to be here, Bobby. Thank you.

George Glass (00:35):

Great to meet you.

Bobby Horn (00:37):

Great to have you both. George, to start off, the first question is, what exactly is privileged access management and what is its importance of it to insureds?

George Glass (00:46):

Sure. Privileged access management is an overarching suite of ideas whereby you are trying to control the amount of privilege or access that certain accounts or users have, and really the main goal of it is to try and give these accounts, users, service tokens the very least amount of privilege as possible in order to do their job or run an application effectively. And the reason it's so important is if a threat actor was to breach an environment, steal some tokens, phish a user, you really want to provide that particular adversary with the least amount of lateral movement capability or access as possible. So that means if you have an account with very little privilege just enough to do that particular job, ideally you are containing that threat actor to that one particular account. It can't elevate those privileges to an administrator account, and that actor is essentially stuck in that particular account. They can't move naturally.

Bobby Horn (01:54):

That's great. Really good overview. We've seen more on, more on the underwriting side for our clients, a lot more questions around having a PAM tool in place and more specifically the amount of accounts that users have with respect to domain admin privileges within an IT environment. Can you talk about, you know, I guess when you have more domain admin accounts with privilege, what's the concern there? Right. Obviously, more users with domain admin privileges are more susceptible to an attack.

George Glass (02:23):

Yes, absolutely. That's precisely the goal of many ransomware actors. When they get initial access into an environment, what they're looking for is the key to the kingdom, the domain administrator account. From there lateral movement to a domain controller and the propagation of ransomware from that particular location. The domain administrator account can do all of those things very, very easily, and that's exactly what we've seen threat factors do for years, now. In addition to that, even if we sort of take a step back from a domain administrator account and just have a more broadly privileged account that has access to other areas, from there, more credentials are probably forthcoming to a particular threat actor. Say there's a service account that can access the cloud, okay, well, all of a sudden, the threat actor can access your cloud environment. So, it's very important to keep those accounts separate and maintain very rigid controls in when those accounts are used. You know, some accounts really should just be used as a break glass protocol for when some specific patching work needs to be done, for example. And again, the access to those accounts needs to be very strictly controlled.

Keith Wojcieszek (03:35):

Yeah, it's funny. So, you know, we talk about the PAM accounts and looking at access, you know, access is everything, right? It's going to be to tell you if you can get into a certain area, you know, grab whatever, and it could be for an authorized purpose, you know, whatever for, you know, a managed user. And then second, it could be, if you’re looking for, on a threat actor side, you could look at an insider threat actor that, you know, just maybe a disgruntled employee or whatever it is. But also, one of the things that I want to make sure is addressed here is, you know, the PAM tool is great, right? It really does limit access and really homes in and audits what's going on. But another aspect, we may get into this later, is updates.

You know, even if you have a PAM account, you have this access going in there. If you don't have that particular software updated, there is, I mean, I've seen it in the wild where, they go and they've breached that and they're able to access your entire network because there's a, there's a critical update. We've had cases where they gain access into that and they're able to move everywhere because of what it contains and what the account is. So, you know, understanding that even if you have this tool in place that that patching and almost like George was talking about, the patching itself also includes the software of the PAM too. So, you know, it's just interesting that there's always this caveat to make sure everything is up to date, you know, to include, you know, your PAM accounts too. So, I just want to add a little of color to that because, you know, we do see all kinds of access with these threat actors. They're so created and you're not, you're not dealing with the average person here when it comes to these threat actors. You're dealing with some very sophisticated people without looking for any way in and to include, you know, exploiting whatever type of software you have.

Bobby Horn (05:15):

That's a good point. So, even if you do have a mature privileged access management tool in place without updating the software behind all that, it doesn't really matter. We have seen clients, you know, when we have an application process, right, they'll come back that they have hundreds of domain admin accounts and a lot of times they don't even understand kind of the breadth of what they have in place. And when we do a little more digging, especially after having conversations with underwriters, they're able to actually lower that number to some, in most cases into single digits. Can you talk about maybe some of the different types of accounts, the types of service accounts are in place and how you're that number to number, especially so more favorable to the underwriters.

George Glass (05:58):

Yeah, sure. I'll take that one. So, there are a number of different ways that an organization may choose to set up their account. In my opinion, domain administrator accounts are really the most highly privileged and should be used in application rollouts, patching, and to break our scenarios where there's an emergency, or something needs to happen very quickly. Those particular accounts should be the most stringently controlled and have, you know, requisite logging to understand when those accounts are being provisioned if new ones are created or deleted. Moving back down the scale, there are opportunities to deploy maybe service accounts. Those are typically used for applications services to interact with each other, those sorts of things. Just because those accounts may not be used by a person does not mean that they're not highly privileged. So again, those applications need the requisite logging to understand what those accounts are doing, understand if there are strange behaviors, something out of the ordinary because a threat actor can become that service and control that application if they so wish. And then what we, we see quite often is local administrator accounts, administer a particular endpoint to allow users to install software, and again, this is typical for sort of engineering functions, developer functions and things like that.

Bobby Horn (07:21):

That's a great point. So clearly, it's important to understand, kind of, what your exposure is to your service account. We have heard that rarely, or in some cases I had the owner tell me that there's never been a ransomware attack that did not involve an overprivileged service account. Is that any truth to us, George, in your experience?

George Glass (07:39):

I'd certainly say that that is the first thing that a threat actor will move to look for. We've seen firsthand accounts of these things happening through our IR work. We've seen threat actors’ playbooks where, you know, that is the first thing that they try to do is move to try and find a very highly privileged account. And they do that in a whole raft of ways, can be as simple as looking through documents and Excel spreadsheets on the machine itself. Or it could be something like using a local administrative account to move laterally to another machine or to log into a file share where okay, all of a sudden there are credentials here for a confluence. And on that confluence instance, there are all of the other accounts that you need. There are any number of ways they could do it, they could do it through vulnerability. But the majority of things I've seen typically do involve some amount of overprivileged accounts.

Bobby Horn (08:36):

That's good that my underwriters aren't telling me any lies. Right, about best practices on the threat active side, right? They kind of have their ways of getting a new network. What are the benefits of having a PAM tool in place and what are some best practices that you aren't sure should be on the lookout for?

George Glass (08:52):

For me, it's, it's a lot about separating the responsibilities of the account in such a way where compromising one doesn't mean you, you, you can skip eight steps of the cyber core chain and your main administrator level in addition to that, tools like this can help you prepare for a breach as well in such a way that you can start at a very low privileged user. Someone that doesn't need an awful lot of access. They're mainly using office tools that they don't need to install applications on their machine, that you could map that user to other accounts, or maybe ways of escalating privilege that could potentially lead to a domain-wide compromise, and that's very, very difficult. Without these sorts of tools, you'd have to do an awful lot of legwork just to get the information you need in such a way that you could do that sort of analysis without a tool.

Bobby Horn (09:44):

Interesting. And, you know, I guess I should ask the next question, how difficult is it to implement a PAM tool? And as I said earlier, more and more underwriting is focused on these types of controls, and certainly more and more carriers just saying, you know, without a PAM tool, they're not able to underwrite the risk. How difficult or how easy is it to get a PAM tool in place?

George Glass (10:06):

Well, I'll give you my best consultant answer, and that is, that depends. It depends on the amount of accounts, the type of work that you are doing, and the type of access that your users typically need, you know, it’s a very complicated process. And that's exactly why these tools exist. And there are some tools like certain EDR products that have some level of access management built into them where you can do some of the analysis that I was talking about earlier and enforce some of the controls. And then, you know, there are entire suites of privilege access management tooling that can do everything from the local accounts through to email and SaaS products as well. So, you can really scale it to what your business or organization needs. That in a lot of cases, the amount of complexity, will also lead to obviously a greater deployment time as well.

Bobby Horn (10:56):

Thank you, George. I do appreciate that level of insight there and Keith as well for your commentary on that. I think that takes care of our conversation today around privilege access management. I’d like to thank George Glass and Keith Wojcieszek again from Kroll for your time today. We certainly hope that the information today you've been provided with is informative. For more information, visit us at www.Alliant.com.