
The Crucial Role of Least Privilege and the Synergy of People, Processes, and Technology

by in Cybersecurity

In the ever-evolving landscape of cybersecurity, staying ahead of the curve means staying vigilant as threat actors adapt their attacks to exploit weaknesses in people, processes and technology.

Both MGM Resorts and Caesars Entertainment have experienced impactful cyberattacks. In a recent Reuters interview, Okta's Chief Information Security Officer (CISO) disclosed that these attacks were part of a series of incidents in which five Okta customers were targeted by a threat actor tracked as UNC3944, likely operating as an affiliate of the ALPHV/BlackCat ransomware operation, over the past few weeks.

This Okta blog states that the attacks began with an unnamed customer, possibly MGM Resorts International: a highly privileged user's Multi-factor Authentication (MFA) factors were reset through a social engineering attack against the customer's helpdesk.

Using this first privileged account, the attackers moved laterally through the environment while evading detection, granting higher privileges to other accounts until they controlled a highly privileged Okta Super Administrator account.

With Super Administrator access, they extracted passwords from an Okta sync server deployed within the victim's IT infrastructure and then abused legitimate identity federation features to impersonate users within the compromised organization.

Additionally, Okta itself became a target of social engineering attacks, including a method known as CrossTalk, which involved cross-tenant impersonation.

Evolving threats

These recent attacks on Okta's customers highlight how cybersecurity software vendors themselves become targets. It is a harsh reality that every software vendor, no matter how diligent, may eventually face an attack like the one Okta is dealing with.

From the software vendor perspective, we need to prioritize the security of the solutions we deploy and minimize the opportunities threat actors can exploit by applying secure design principles and testing methodologies. Recent breaches have prompted many organizations to reevaluate the "good enough" cybersecurity solutions they have deployed. They are now seeking vendors with a proven security track record, and that is where we shine. We have consistently demonstrated our dedication to safeguarding our clients' assets and have continuously enhanced built-in security controls and incident response procedures to increase our customers' confidence.

The use of CrossTalk to target other tenants in the Okta SaaS environment is a reminder that multi-tenant environments are a popular target for threat actors. When weighing deployment options, you may want to favor environments that provide a heightened level of security by isolating client data and processes: off-cloud (on-premises), private cloud, or single-tenant hosted deployments. NetIQ strives to offer a wide range of deployment options to our customers, and we will always prioritize security and take extra precautions to ensure our customers' data remains protected.

The NetIQ approach

In the context of the Okta-based attacks, there are several ways NetIQ could have helped protect against or detect a similar attack:

  • NetIQ PAM (Privileged Account Manager) delivers privileged user control, tracking and auditing across multiple platforms, which helps mitigate privilege escalation attacks. Limiting an attacker's ability to escalate privileges protects critical assets, maintains data integrity, and ensures that only authorized individuals can access and modify sensitive information, reducing the risk of data breaches and system compromise.
  • SSPR (Self Service Password Reset) minimizes helpdesk intervention, lowering the opportunity for social engineering. In this case the attack targeted MFA factor resets, but password resets are also a common target of social engineering attacks.
  • DRA (Directory and Resource Administrator) reduces the number of privileged accounts by delegating to each administrator only the rights needed for the job and no more. It can also enforce a policy that prevents an assistant admin from adding someone to a security group unless the admin is already a member of that group. Change Guardian detects a change attempted or made outside the remit of DRA, reports on it, and reverts it through DRA Workflow Automation.
  • Risk Service provides adaptive access by assessing the risk of each user's access to applications or services. It could have identified the abnormal behavior of the compromised administrator accounts as the threat actor used them to set up counterfeit Identity Providers and perform other unusual actions.
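The attack chain described above (helpdesk factor reset, privilege grant from the reset account, creation of a rogue Identity Provider) is also a detectable sequence in the identity provider's own audit log. The following is an added example, not code from the original post or from any NetIQ or Okta product: a small correlation rule in Python that runs over constructed, Okta System Log-shaped records. The event type names are taken from Okta's System Log schema as I recall it; treat the exact set as an assumption and confirm it against your own tenant's logs, and note that the sample records, user ids and 24-hour window are all invented for the example.

```python
from datetime import datetime, timedelta

# Event types assumed from Okta's System Log schema (assumption: verify the exact
# names against your own tenant's logs before relying on these rules).
MFA_RESET_TYPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
PRIV_GRANT_TYPES = {"user.account.privilege.grant"}
IDP_CHANGE_TYPES = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}


def _ts(value):
    """Parse an ISO-8601 'published' timestamp such as 2023-09-08T10:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _event(published, event_type, actor_id, target_id=None):
    """Build a minimal System Log-shaped record (constructed sample data, not a real export)."""
    rec = {"published": published, "eventType": event_type,
           "actor": {"id": actor_id}, "target": []}
    if target_id:
        rec["target"].append({"type": "User", "id": target_id})
    return rec


# Constructed sample log: one malicious chain plus two benign-looking sequences.
SAMPLE_LOG = [
    # Stage 1: helpdesk resets all MFA factors on a privileged user after a phone call.
    _event("2023-09-08T10:00:00.000Z", "user.mfa.factor.reset_all", "helpdesk-1", "admin-alice"),
    # Stage 2: the reset account grants admin privileges to a second account.
    _event("2023-09-08T10:32:00.000Z", "user.account.privilege.grant", "admin-alice", "svc-bob"),
    # Stage 3: the newly privileged account registers a new Identity Provider.
    _event("2023-09-08T11:05:00.000Z", "system.idp.lifecycle.create", "svc-bob"),
    # Benign: a routine privilege grant by an account with no preceding factor reset.
    _event("2023-09-08T14:00:00.000Z", "user.account.privilege.grant", "admin-carol", "it-eve"),
    # Stale: a factor reset five days before a grant falls outside the window.
    _event("2023-09-03T09:00:00.000Z", "user.mfa.factor.reset_all", "helpdesk-2", "admin-dave"),
    _event("2023-09-08T09:30:00.000Z", "user.account.privilege.grant", "admin-dave", "it-frank"),
]


def _user_targets(rec):
    return [t["id"] for t in rec.get("target", []) if t.get("type") == "User"]


def detect_escalation_chain(events, window=timedelta(hours=24)):
    """Correlate factor resets -> privilege grants -> IdP changes within `window`.

    Returns a list of finding dicts (one per suspicious step) instead of
    printing, so the output can be forwarded to a SIEM or asserted on.
    """
    events = sorted(events, key=lambda e: _ts(e["published"]))
    reset_at = {}    # user id -> time its MFA factors were last reset
    escalated = {}   # user id -> (granting actor, grant time) for grants that followed a reset
    findings = []
    for rec in events:
        t = _ts(rec["published"])
        etype = rec["eventType"]
        actor = rec["actor"]["id"]
        if etype in MFA_RESET_TYPES:
            for user in _user_targets(rec):
                reset_at[user] = t
        elif etype in PRIV_GRANT_TYPES:
            # A freshly reset account handing out privileges is the lateral-movement step.
            when = reset_at.get(actor)
            if when is not None and t - when <= window:
                for user in _user_targets(rec):
                    escalated[user] = (actor, t)
                    findings.append({"rule": "priv_grant_after_mfa_reset", "actor": actor,
                                     "granted_to": user, "reset_at": when, "grant_at": t})
        elif etype in IDP_CHANGE_TYPES:
            # IdP creation/update is rare; tie it back to the chain when possible.
            if actor in escalated and t - escalated[actor][1] <= window:
                findings.append({"rule": "idp_change_by_escalated_account", "actor": actor,
                                 "via_grant_from": escalated[actor][0], "event_at": t})
            elif actor in reset_at and t - reset_at[actor] <= window:
                findings.append({"rule": "idp_change_after_mfa_reset", "actor": actor,
                                 "event_at": t})
    return findings


if __name__ == "__main__":
    for finding in detect_escalation_chain(SAMPLE_LOG):
        print(finding)
```

The rule deliberately keys on the reset account acting as the grantor, not on the helpdesk actor: the helpdesk reset is legitimate-looking on its own, and the signal is what the reset account does next. In production you would also alert on any IdP lifecycle event outright and feed the grantor/grantee pair into the adaptive risk score the Risk Service bullet describes.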

It's not just the technology

Additionally, we need to recognize that technology is not a panacea that will stop the kind of social engineering attacks that UNC3944 is executing against targets like MGM and Okta.

Kevin Mitnick is a well-known hacker and computer security expert who has written extensively on the topic of social engineering prevention. Mitnick has observed that "When it comes to social engineering, even the most advanced technology on the planet can’t protect you if an attacker convinces you to hand over your password."

Social engineering tactics are constantly evolving, so organizations must remain vigilant, adapt their security measures, and stay informed about the latest threats and trends in social engineering attacks. Fostering a culture of security within the organization is also essential to effective social engineering mitigation. Note that Webroot offers Cyber Awareness Training for employees, which can raise awareness and reduce employee susceptibility to these types of attacks.

Conclusion

Least privilege is a critical concept in cybersecurity, limiting access and permissions to only what is necessary for individuals or systems to perform their tasks. This approach is pivotal in mitigating escalated privilege cyberattacks, where attackers gain higher levels of access than they should.

However, effective cybersecurity goes beyond implementing least privilege. It requires a holistic approach involving people, processes, and technology. People must be educated and vigilant so they recognize and report potential threats. Processes need to be in place for monitoring, incident response, and continuous improvement. Technology, such as Identity and Access Management (IAM) and User and Entity Behavior Analytics (UEBA) systems, must complement these efforts.

Ultimately, mitigating today's cyber threats requires a unified effort where these elements work in harmony, with least privilege as a foundational principle, to ensure a robust defense against escalating cyberattacks.
