
Privileged Account Management Bypass

  • Writer: CyberSecurity Simplified
  • Sep 3, 2021
  • 4 min read

Written by Jean-Camille LOISEAU & Anup Tripathi | Published 31 July 2021


What is Privileged Account Management?

Organizations host thousands of critical assets. Securing and monitoring access to these assets is essential in order to control who can access what, when, how, and for what reason they are permitted to do so.


Attackers, on the other hand, will use every tactic and technique available to gain access or privileges to resources and to defeat or bypass any control mechanism set up to protect the organization from misuse.


Privileges are a combination of rights and permissions. An admin account or a machine account will usually have more rights and permissions than a standard user account; those rights and permissions are what allow the privileged account to perform any action or access any data on a machine.


In a defense-in-depth, layered security model, enforcing access control (or access management) models and tools that support least privilege contributes greatly to the overall security of the organization: it reduces the risk of lateral movement and privilege escalation, and it makes such malicious activity easier to detect, because privileged actions then only happen through a small number of well-known paths.


There are different access control models that can be enforced:

  • Discretionary Access Control (DAC)

  • Role Based Access Control (RBAC)

  • Rule Based Access Control

  • Attribute Based Access Control (ABAC)

  • Mandatory Access Control (MAC)

All of these can be used in isolation or in combination to further contribute to the overall security of the organization. Ultimately, what matters is that accounts bestowed with higher than normal privileges are closely monitored and segregated.


Whether they are machine accounts or user admin accounts of some kind, privileged accounts should be governed by the following rules:

  • These accounts should be tailor-made to carry out their task on a specific, designated set of targets

  • The people who need to use these accounts must be clearly identified, and no one else should be able to use them

  • The usage of these accounts on any system must be closely monitored, so that it is known exactly which person used the account, when, from where, and for what purpose.

  • Sessions using these accounts should ideally be recorded (video-style session recording) to ensure traceability of actions

  • The passwords of these accounts should be randomized, impossible to guess, changed often and, more importantly, unknown even to the very admins who use them.

To achieve these goals, there are software solutions such as CyberArk. The CyberArk suite enables an organization to:

  • Lock all privileged accounts away in "safes"

  • Restrict access to each safe to a few selected and managed individuals

  • Enforce just-in-time access for any identity – human or machine

  • Enforce session recording of any activity carried out with the checked-out account

  • Enforce automated password rotation of an account after it has been checked in by the user

  • Execute continuous discovery of potential new privileged accounts and credentials

  • Enable secure remote vendor access to the most sensitive IT assets


What is Privileged Account Management bypass?

While it is essential for any organization to enforce Privileged Account Management (PAM) using a tool like CyberArk, the reality on the ground is that both users and attackers will do everything they can to bypass PAM solutions.


This is increasingly common as more and more people work away from the office, or because the actual work is carried out by external contractors sitting in a different country.


In our experience, the administrators of critical assets were used to having unfettered, universal access and had, at least at first, difficulty adapting to a model that enforced extra PAM-related steps compared with simply "RDP to the asset with my personal admin account":

  1. Open a PAM safe within the PAM interface,

  2. Check out a designated account, with a comment on why it is needed,

  3. Remotely log on to the target system from within the PAM interface,

  4. Log off and close the remote session after the work is done,

  5. Check the privileged account back in, with a comment on the activities carried out,

  6. Close the PAM safe and log off the PAM interface.


This is in line with a recent 2020 Remote Work Study published by CyberArk:

  • 67% dodge corporate security policies to be more productive, including sending work documents to personal email addresses, sharing passwords, and installing rogue applications.

  • 69% use corporate devices for personal use.

  • 57% allow other members of their household to use their corporate devices for activities like schoolwork, gaming and shopping.

  • 82% reuse passwords, 12% more than in CyberArk’s previous report.

  • 54% have received remote work specific security training.


Attackers are obviously in the same boat and will do anything to avoid security measures. Increasingly, viruses and worms are also designed to attempt to bypass any security measures they encounter.


This is why PAM is critical. The ability to monitor and detect suspicious events in an environment is very important, but without a clear focus on what presents the greatest risk (unmanaged, unmonitored and unprotected privileged access) the organization remains vulnerable.


Implementing PAM as part of a comprehensive security and risk management strategy enables organizations to record and log all activities that relate to critical IT infrastructure and sensitive information, which also helps them simplify audit and compliance requirements.


This also means that when implementing PAM, an organization must set up rules (such as firewall rules and permitted network flows) and controls to ensure that no one can bypass it, and that if a privileged asset, system or account normally secured by PAM is accessed outside of PAM, a high-priority security alert is immediately raised for the Computer Security Incident Response Team to act upon.
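The alert described above can be expressed as a correlation rule over two sources: the logon events written by the target systems, and the checkout records from the PAM audit trail. The following is an added example written for this page (it is not code from the original post, nor CyberArk's own tooling). It models a logon as a few fields of a Windows Security Event ID 4624 record and treats a logon by a PAM-managed account as a bypass when it did not originate from a PAM session proxy, or when no checkout of that account was active at the time. The proxy addresses, account names, hostnames, checkout records and sample events are all constructed for illustration.

```python
"""Detect privileged logons that did not go through the PAM proxy.

Added example, not from the original post or from CyberArk. A logon by a
PAM-managed account is flagged when it does not come from a PAM session
proxy, or when no matching checkout was active in the PAM audit trail.
All addresses, account names and events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: addresses of the PAM session proxies (e.g. the jump hosts that
# brokered RDP sessions appear as the source IP on the target system)
PAM_PROXIES = {"10.0.5.10", "10.0.5.11"}

# Assumed: accounts vaulted in PAM that must only ever be used through it
MANAGED_ACCOUNTS = {"CORP\\adm-dbserver", "CORP\\adm-backup", "CORP\\svc-deploy"}

# 4624 logon types that mean someone is driving a session on the host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP)
INTERACTIVE_LOGON_TYPES = {2, 10}


@dataclass(frozen=True)
class LogonEvent:
    """Subset of the fields of a Windows Security Event ID 4624 record."""
    time: datetime
    account: str      # TargetDomainName\TargetUserName
    host: str         # computer that wrote the event
    source_ip: str    # IpAddress field
    logon_type: int   # LogonType field


@dataclass(frozen=True)
class Checkout:
    """One account checkout from the PAM audit trail (assumed shape)."""
    account: str
    user: str         # person who checked the account out of the safe
    start: datetime
    end: datetime     # check-in time (or now, if still checked out)


def active_checkout(checkouts, account, when):
    """Return the checkout covering `when` for `account`, or None."""
    for c in checkouts:
        if c.account == account and c.start <= when <= c.end:
            return c
    return None


def find_pam_bypass(events, checkouts):
    """Return a list of (event, reason) pairs for logons that bypassed PAM."""
    alerts = []
    for ev in events:
        if ev.account not in MANAGED_ACCOUNTS:
            continue                      # not a PAM-governed account
        if ev.logon_type not in INTERACTIVE_LOGON_TYPES:
            continue                      # network/service logons handled elsewhere
        if ev.source_ip not in PAM_PROXIES:
            alerts.append((ev, f"source {ev.source_ip} is not a PAM proxy"))
            continue
        if active_checkout(checkouts, ev.account, ev.time) is None:
            alerts.append((ev, "no active PAM checkout for this account"))
    return alerts


# Constructed sample data: one legitimate checkout and five logon events
T0 = datetime(2021, 7, 31, 9, 0)
SAMPLE_CHECKOUTS = [
    Checkout("CORP\\adm-dbserver", "jloiseau", T0, T0 + timedelta(hours=2)),
]
SAMPLE_EVENTS = [
    # 1. Legitimate: RDP from a PAM proxy, during an active checkout
    LogonEvent(T0 + timedelta(minutes=5), "CORP\\adm-dbserver", "DB01", "10.0.5.10", 10),
    # 2. Bypass: same account, RDP straight from an admin workstation
    LogonEvent(T0 + timedelta(minutes=30), "CORP\\adm-dbserver", "DB01", "10.0.20.44", 10),
    # 3. Bypass: via a proxy, but the account was never checked out
    LogonEvent(T0 + timedelta(minutes=40), "CORP\\adm-backup", "BKP01", "10.0.5.11", 10),
    # 4. Not flagged here: network logon (type 3) by a managed service account
    LogonEvent(T0 + timedelta(minutes=50), "CORP\\svc-deploy", "APP01", "10.0.30.7", 3),
    # 5. Ignored: ordinary user account, not managed by PAM
    LogonEvent(T0 + timedelta(minutes=55), "CORP\\alice", "WS07", "10.0.20.9", 2),
]

if __name__ == "__main__":
    for ev, reason in find_pam_bypass(SAMPLE_EVENTS, SAMPLE_CHECKOUTS):
        print(f"ALERT {ev.time:%H:%M} {ev.account} on {ev.host} "
              f"from {ev.source_ip}: {reason}")
```

Run as written, the rule raises two alerts: event 2 (a managed account used over RDP from a host that is not a PAM proxy) and event 3 (a session that did come through the proxy but for which the PAM audit trail shows no checkout, which is what a stolen proxy session or a misconfigured safe would look like). Two caveats for a real deployment: the events must be collected from the target systems (Event ID 4624 forwarded to the SIEM), not from the proxy, since the proxy's own logs are exactly what a bypass avoids; and the filter on logon types 2 and 10 deliberately ignores type 3 (network) logons to keep service-account noise down, which means remote administration over WinRM, PsExec or SMB with a managed account needs its own rule rather than being silently accepted.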



How do I detect a Privileged Account Management Bypass alert?



How do I respond to a Privileged Account Management Bypass alert?







©2021 by Cybersecurity Simplified. Proudly created with Wix.com
