Looking Back on Black Hat 2018: Four Key Learnings from This Year’s Event
Two weeks ago I attended the Black Hat USA 2018 conference: As one of the largest cybersecurity events in the world, it’s always interesting to hear the key themes and trends the industry is buzzing about. Here are my observations on four actionable takeaways from the 2018 conference.
The Philosophy of “Zero Trust”
Zero Trust was arguably the most-repeated term among attendees at Black Hat 2018 – and perhaps the most hotly debated. Key takeaway: Zero Trust is more of a philosophy than a specific approach. It’s not (yet) an industry standard, and each implementation is highly dependent on the organization type, risk preference, available resources and other factors.
Zero Trust is based on the idea that everything is a threat until proven otherwise – it’s a direct response to the ever-present possibility of malicious lateral movement in the network. Imagine a fortress, in which every building is surrounded by fences and every door is locked. Just because you make it through one door doesn’t mean you can access any others. The network is highly segmented into a variety of perimeters aimed at stopping an attacker from escalating privilege from one weak point. Implementing a successful Zero Trust strategy means determining where your sensitive data lies, mapping how information moves within the environment, gating assets and monitoring your traffic, and determining rules for how any aspect of your organizational environment can be accessed.
While “Zero Trust” is a great tagline, and offers a good direction for the future of best practices in an organization’s security posture, it still needs time to mature: there continues to be disagreement on what sum total of security postures add up to best practices for a true Zero Trust policy – not just a marketing tagline. How do organizations start to put these into practice? Identity and Access Threat Prevention can move an organization towards Zero Trust today. In addition, it also offers greater flexibility and understands shades of gray within the threat landscape, and can use adaptive policies to respond to threats and verify in real-time with multi-factor authentication.
Monitoring Cloud Credentials is Critical
Security monitoring for cloud environments is unfortunately still in an infant stage, and the industry has a long way to go in order to get to a fully encompassing monitoring solution.
Security capabilities for the three large cloud providers (Amazon, Microsoft and Google) are lacking. Numerous Black Hat sessions demonstrated the importance of detecting credential use from outside of the organization via third-party tools, as this can be an indication of malicious behavior. For instance, AWS currently does not provide this capability.
API usage is another significant challenge. In general, APIs pose security vulnerabilities for cloud environments given their customization abilities for a wide range of applications, and they tend to add attack vectors potentially unrecognized by the organization. (Consider: unsecured APIs often end up in lists of “most significant cloud vulnerabilities.”) There are a number of API calls that, if detected, suggest a high probability of malicious activity. For instance, some APIs may try to circumvent IT policies to gain unauthorized access to data within the cloud. If your organization uses a public cloud environment, it is critical to understand which APIs are allowed: these often have access to the core code base of your cloud provider.
To effectively monitor cloud credentials and manage access, organizations should take care to assign users specific access, ensuring that users are not over-privileged and ideally that no one person can compromise the entire system. Organizations should continue to monitor how applications are accessed, and have rules and enforcement for suspicious logins (such as banned locations), as well as continuously updating their policies and security posture. Finally, organizations should unify visibility: continuous monitoring for users, privileges, access patterns and accounts across all platforms, whether cloud, on-prem or hybrid is what is required.
Password Vaults Won’t Stop Lateral Movement
There are inherent security problems in using password vaults. We often think we’re safe – “if I don’t even have my password, how can the attacker have it?” Unfortunately, this isn’t the case: an attacker can simply take the password from the clipboard after you copy it from the vault’s web portal, and use the RDP client setting to launch a software after a remote session start. In addition, even though the password may not be exposed, if the source workstation uses RDP (not in restricted mode) the credentials will be exposed on the target. So if an attacker reached a server you use daily, they will constantly get your updated credential even if it is stored and changed by a password vault. (Note: some experts recommend password vaults for nearly all consumer users.)
On this point, a special note of recognition to Sean Metcalf for a great discussion on this topic in “Workstation to Domain Admin: Why Secure Administration isn’t Secure and How to Fix it.”
So what can we do? Employ a proper defense-in-depth methodology and make sure to always protect ourselves from lateral movement techniques, no matter how much we think our credentials are safe. Expect that attackers will always find a way and act accordingly. Identity and Access Threat Prevention is a key component of any strategy to address the inherent, constant risk that credentials are compromised: organizations should have a holistic view of who is accessing what, when, where and how.
Organizations Should Leverage MFA (if you aren’t already)
One of the top recommendations for any organization, and even consumers, is using multi-factor authentication. For hardening administrative access, MFA is one of the most important tools at our disposal. Using smart policies that both identify anomalous user activity and access high-risk assets in the organization to enforce MFA is paramount. This will hinder the lateral movements attempts of attacker and will reduce the attack surface of assets in the organization. MFA is arguably one of the most important tactics of a Zero Trust approach, as it offers a significant roadblock at various granular levels of the perimeter (or micro-peterimeters) and significantly deters lateral movement. Even if an attacker is able to get past multi-factor, it can delay their movement to increase likelihood of detection.
Simply put, multi-factor authentication is one of the most important steps you can take to secure your organizational assets and data. As it so happens, Preempt is vendor-neutral and can both complement and extend a typical MFA deployment from a wide range of vendors, including Duo, OKTA, SecureAuth and many others!
Posted by Roman Blachman on August 24, 2018 4:00 AM