
Dude Check Your Privilege! Privileged Account Management Solutions

BSides Cambridge · 2024 · 30:55 · Published 2024-01

Transcript (en)

So this is […] years' experience; the last six have been basically just security operations. I was in computer engineering, security operations and incident detection. I always tell people that defenders are the unsung heroes of the industry, because, well, a pentester can go home and, you know, talk about what assessment they're working on. When it comes to blue teamers you don't really always get to […], like criminals and, you know, attackers, to really work on. So […] and then

[…] my favorite color is pink. When I was a […] I just looked so weird. Anyway, like, I remember my parents taking me to a flea market once and I saw an old record and I was really […] for the first time. So before we start, a couple of things to take into consideration: this is going to be a Windows-based environment discussion. I'm not saying that this type of solution cannot be deployed in Linux; it is possible to do it. I've personally never seen it and I've never seen anybody do it, but, you know, like they say, just because you've never seen something doesn't mean it doesn't exist. […] management solution, and I'm going to be referring to secrets as anything that is a priv-

privileged credential: API credentials, tokens, anything that would give you privilege. I'm going to refer

to the […]. So I normally like to start my presentations with kind of like a short random story, and this is kind of going to be the case, and it's something we were talking about yesterday: in IT you kind of get crucified if you like something else or you like reading stuff outside of IT. This has nothing to do with […], I have a point, I'll get to it. So in 1975 the Argentine writer Jorge Luis Borges published a compilation of short stories with his main story titled The Book of Sand. So it's about a book collector who's chilling at home and gets a knock on his door from a traveling salesman. What made it so special was that it

[…] didn't have a beginning or an end, so he started to get so addicted to it, so passionate about it. The book itself was very complex: the page numbers […] and the sequence, and it was very complex because it was written in a language [he couldn't] understand. So he decided to get rid of it and said, I'm going to put it away, because this could cause a lot of distress. So the takeaways of the story are how the book needed to be treated with caution and how it needed to be safeguarded, which is exactly how we would treat a privileged account. Now we're going to get to what's

[…]. So a lot of people use privileged access management and privileged account management solutions as interchangeable terms, and they're not the same; they're completely different things. So a privileged access management solution is a security mechanism that enables organizations to manage and keep an eye on the behavior of privileged users. So a PAM is a subcomponent of privileged access management. So now, what is a privileged account management solution? This is a solution that focuses specifically on managing accounts with elevated access. So this application administrates and audits accounts and data accessed by privileged users. But what does this even mean? Well, there are certain accounts that need special permissions for us to perform certain tasks, for

example application deployment, or server configuration, server patching, network configuration, database management. So anything that could get us to potentially break something or compromise sensitive information, those are the kind of accounts we want to be a little bit extra [careful with]. So the roadmap, and as everybody knows, STP stands for skills […]. So first, skills: my old boss used to say that one good sysadmin is worth 100 professionals, and I have mixed feelings about that, because I feel like it's important to have a good understanding of IT security and how this type of application could potentially be misused, what would happen if they [got] compromised. As for tools, we would need backups, we would need

databases, authentication mechanisms. If we want to integrate it with our environment we would need directory services put in place, and we would also need network segmentation. And the question that I've had people ask me in the past: why do I need network segmentation for this type of application? Well, in the event that, you know, you got compromised, you want to make it a little bit trickier for the attacker to get there. I mean, this is basically what's holding all your important secrets, so if they're already in, you might as well make it a little bit more challenging. As for data, we would need our logs, we would need an incident response mechanism in place and an approval

workflow. And basically, and this is very important and it's something that a lot of the time gets ignored, we would need a list of our most critical applications and the accounts associated with them. I have a story to share later. Core components: so the core components of a PAM, that's going to be your web server, so that's our user interface, basically everything that we can poke around, click, just mess with, or the admin panel or folders or settings, anything that we can poke around with, that's going to be [the web server]. As for the distributed engine, that's going to be the service that does all the dirty work, and by dirty work I mean, for

example, password changes, password rotations, heartbeats, account expiration, anything that connects us to directory services, that's what [the distributed engine] is going to be doing. The database is going to be storing all the secret information. What kind of information would it store? Well, the name of the accounts, the person who added it, the date that it was added; we might even get to see the password, but obviously we're not going to see it in clear text, we're going to see a hashed version of it. And so, for those people who are really, really dedicated to it, there's going to be a talk regarding passwords later today, so you don't want to miss that. Another core component is Active

Directory, so that's for groups of users and synchronization, so that's going to be your directory services. More components: so we have sites. Each engine is normally assigned to a single site, so think of a site as a bucket of items. For example, let's say Victoria's Secret: well, Victoria's Secret has offices in London, they have offices in New York, they have something in Shanghai, just everywhere, so each one of these locations would have a different site, right? So if a site goes down they can still rely on other ones, so each one of them is going to be assigned work items. Site connector: this is going to be the service that holds the work items

for the different sites, and each one of them is going to have a distributed [engine]. On-prem versus cloud, and this is a discussion that we normally see everywhere regardless of what type of solution we're working with. I've had people ask me in the past, well, when it comes to a PAM what should I do, should I stay on-prem or should I go cloud? The answer is, it really depends. It depends on the law, depends on your budget, depends on your organization, depends on your company, depends on how you see the company five years from now. So everybody agrees on what a user, what you're responsible for, or an administrator is responsible for. [If] you [deploy] an application on-

prem, and let me tell y'all, updating a PAM on-prem, you learn to love energy drinks, you really do. So it's not just, okay, I'm going to go on the server and I'm going to run the patch and we're all happy, we all love each other. No, like, you basically have to create a backup of your database, you have to basically put your server in maintenance mode and make sure that all the secrets are synchronizing correctly, you also have to create a backup of your web server as well. So basically it's just taking care of each one of your core components and making sure that they're all orchestrating their work correctly. And if you like

new versions, going on cloud you don't get to do anything other than keeping your distributed [engine] alive. And like I mentioned before, the distributed engine is going to be the server that is going to be connecting your web application with your directory services, so unless you really, really trust your vendor and you really know what they're doing and you feel very comfortable with other people crossing into your environment, 99% of the time you're going to need to have a server acting as your distributed [engine]. Additional features: what kind of cool stuff can we do? And this is something that I've seen in the past and I've seen it on Twitter and I'm just like, no, I'm not going to

say anything, because we all know Twitter is the perfect place to have a different opinion. People saying, okay, PAMs are just like a glorified password vault, and I'm like, no, that's not how it works. I'm a strong believer that if you're paying for something you've got to get more bang for your buck, so make the most out of it. So other than storing passwords there is more stuff that we can do. So, discovery, and what kind of stuff can we discover? We can discover, for example, domain accounts, service accounts and the services they're associated with, just assets within our domain. For example, I was talking to a friend a couple of months

ago and he was telling me, well, I was given, hey, here's some budget, [help] yourself. And he was like, okay, fine, I'm going to work on that and I'm looking for an asset management solution, but in the meantime I'm just going to make use of the discovery feature that my PAM is giving me and what my EDR is telling me and get me some visibility. It's not ideal but it's better than having nothing. I mean, it's telling me my assets, it's telling me my operating systems, what's about to be, you know, end of life cycle. So I still get to see some visibility of what's in my [environment]. Now, heartbeat: so think of a heartbeat as a

mechanism or a device to communicate with our directory services, like, hey, I'm going to ping you, are you alive? Yes? Okay, that's good. So this is a way to verify that an account, a domain account, is still valid. Reporting: so there are three ways to do this, so what I'd like to call the ugly way, the free way and the also-free way. So the best way to do this is integrating this type of solution with your SIEM, and that gives you a little bit more options to customize: if the report you're trying to create doesn't have any particular fields, you can just go play a little bit, just kind of mess around, make it

however you want it to, right? That's if you integrated with your SIEM. Another thing is this type of solution normally offers pre-built reports that you can download and, you know, it's going to let you see whatever you need to see, like the last accounts created, who created those accounts, users that have been disabled, […] users. And then if you really like being nerdy and geeky or whatever, you could go into your database servers and just be able to query whatever data you need. That's another way to do this. Auditing: so these solutions are going to come with their own logs for you to look at and investigate, and, you know, like review

existing logs, that would pretty much, you know, detail the auditing process. Another option that we have, or another cool feature that we have, is the password generator. So instead of coming up with passwords like Summer123 or, okay, I'm going to come up with a complex password, you can just click a button and it's going to automatically generate a password for you, right? And if you're synchronizing your account with Active Directory or your directory services you don't really have to worry about going in there and changing it, you can just change it from your PAM, that's it. Policy creation: so think of a

policy as a set of rules that you can apply to multiple secrets in one single shot, right? And the most common policy creation that you're going to see is the one for rotation. My personal opinion, my personal experience: this is the most powerful feature that you're going to find in a PAM and it's also the most dangerous. You can really, really break something and you can really, really make a lot of people upset, and that happens. So, side story here: I used to work for a university last year and I was working on a project where I had to create a rotation policy for all the existing service accounts, right? So using the discovery feature I downloaded

the accounts that I saw, I scheduled a meeting with the department, just kind of had a conversation with them: this is what we have, this account is going to get rotated, are you guys okay with it? Sure, I'm cool with it. Fine. So I scheduled the rotation policy for all the secrets to get rotated Saturday at 2 a.m. Turns out that one of those secrets was a set of hardcoded credentials in a check-in system for a library, for students to go in, right? So, end of the story, I rotated that secret, it was hardcoded, I broke the check-in system for the students going into the library. So, oops. So anyway, we all learned from it,

and I was lucky that it was the library system that I broke; [otherwise] I would have been the most hated person. Well, another feature that we have is template creation. So whenever you're storing a secret you basically get to select and customize what fields you want to have whenever you're storing [it]. Here's an example: so I have the secret template name, the name pattern, description, if I want to put any additional notes, password history, which is going to let me see prior passwords; a lot of people don't [use it], and they can still use this feature, it's there. Validate password requirements: whenever you're storing a secret you need to indicate if your password

needs to be a certain length, that's another option too. And in here I'm just kind of showing, in a more generic way, how folders and secrets [work] with rules or permissions. So whenever you're granting access to somebody to your PAM you're not just going to give them all the access that they can [have], you want to keep it to the very bare minimum amount of permissions for them to perform what they need to do, no more and no less, right? So in here you get to be a little bit more granular: if you want this person to just have only read permissions you can have that, if you want them to change [secrets] or folders, or you

just don't want [them] to do anything other than, hey, these are the secrets of the […], you cannot see the […], you cannot see anything, just very basic. Best practices, general best practices: restrict personal privileged accounts to one user. I really don't see any actual logical reason for one user to have, hey, this is my admin account for me to update databases, this is my admin account for me to apply patches, this is my admin account for me to run […] on my own computer. No, you just want to keep one per user, and you do not need to be sharing them either. So you want to keep one account per […], like one individual, unless it's pretty

much like a third-party vendor, you're running out of licenses and you need to, you know, share an account; that would make sense. But we pretty much want to stick to non-repudiation, to the point where if somebody's breaking something or performing some activity they shouldn't be doing, you want to be able to track that activity back to who it originally originated from. Keep track of privileged accounts: learn from my mistake, guys, just don't start rotating passwords when you don't know what you're changing. So you want to keep a list of who has access to what. Limit the scope of privileged accounts: goes back to what I was mentioning, you want to give people the very bare minimum

amount of permissions for them to do what they need to do. Disable accounts that are not in use: I mean, if you're not using something there's no need for you to keep it. Enforce a strong password policy and require MFA: so this is something we're going to see everywhere, and one thing that we need to keep in mind is MFA and the password policy, that's not [the whole] deal. I mean, this is just like adding one more layer of protection, but there isn't such a thing as, hey, this is unhackable, they cannot get us. Like, no, I mean, you're just making it a little bit trickier for the attacker. The LAME approach, and I like to

call it the LAME approach: logs, audit, monitor, evaluate. I normally like telling people that this type of solution, well, security solutions in general but especially PAMs, are like skincare, for two reasons. Number one, just because something works for somebody or one of your friends doesn't necessarily mean that it's going to work for you, and two, as you get older this stuff, like, your needs change, you get a little bit more mature, you know, you need different stuff. That's the same thing that happens with your organization: you get more users, you [need] to provide more assets, you're [adding] more stuff, so something to keep in mind. So think of logs as the kind of information that we need to

have recorded from all of our applications. So in a PAM the type of logs that we want to be looking at is going to be, you know, their own application logs generated by the PAM itself, and Windows event logs. Why do we need Windows event logs? Because we also want to be able to analyze the health of the application itself; you know, if a distributed engine dies you want to be able to investigate what happened, right? If a password gets rotated you want to be able to see if it got changed, why it didn't get changed, what happened, who had access to it. So since everything is synchronizing with directory

services you want to keep your Windows audit [logs]. Audit: so there's really not much of a point in keeping logs if you're not looking at them, right? So that's just kind of [how] logging and auditing go together. For monitoring, there are two ways that you can do this: if you're integrating your PAM solution with your SIEM they're going to let you customize whatever alerts you want, plus the PAM's event subscriptions, which basically what they do is they tell you whenever an admin is logging in, whenever a secret gets [read], whenever you see something a little bit out of the ordinary, okay, like, who is so-and-so, why did they just try to rotate the secrets, or why are they

copying and pasting stuff. So that's another option that you have. Evaluate: so it goes back to what I was mentioning, okay, you have your logs, you audit and you monitor, but this is a whole rinse-and-repeat process, right? So you're not just going to keep with the logs that you have and just, hey, everybody's happy, I have this solution in place, I'm good to go. No, you want this to be a rinse and repeat, and evaluate this whole entire process at least, I don't know, it really depends on the organization, but once every six months, that's kind of [my recommendation]. Additional recommendations: so, [apply the] most recent security [patches] to all the involved systems. Again, that doesn't just go for

your web server, that's also for your distributed engine, that's also for your database. For example, let's just say there is a zero-day and, okay, it doesn't affect my web server but it affects the other service that I have, it affects my database, it affects, you know, something else. So that's why you want to keep every single system involved up to date and the whole security [patches]. Ensure the appropriate backups are in place. So a lot of people say, you know, I don't do backups, like I don't believe in creating a manual backup myself, that's fine; what you can do, which is not ideal but could also be done, you

create a snapshot of your system, right? So you kind of work with your system administration department and [roll back] to a prior version of the server in the event that something crashes and goes wrong; well, you have that option to [go back] to prior. Maintain good contact with your vendor. So this doesn't mean, okay, we're best friends and I'm going to go to these coffee [meetings] and he's going to send me, you know, […] on my birthday, you know, yeah. So you'll just have to have that relationship built where you have good communication and, you know, [when] something [is about] to happen you have a point of contact. Consider commercial EDR tools. Again, this is going to be a defense-in-

depth approach, right? Your EDR is going to save the day, right? This is a combined effort. Strict account management practices: so if somebody is requesting access to your PAM, just because you can ask for something doesn't necessarily mean that you're going to get it, right? You have to have a process in place. So have this person, for example, create a ticket, and, you know, okay, a ticket was created, now we have something recorded and, you know, we have a paper trail that this request was put in place. Okay, we assign it to all the involved parties, which is super important: why are they trying to access this, do we have approval, yes, no? And, you know, at

least you have something to go back to. Enable event notifications: so again, this is a combined effort between your PAM and your Windows logs. So if you see some suspicious activity or something a little bit out of the ordinary, it could be nothing, but at least you got notified, and then, you know, with your logs and the information that got logged in the past you can have really good visibility and start an investigation. Understand service level agreements: so by SLAs we need to say who is responsible for what, where do we draw the line. Okay, I'm a client, what is my vendor responsible for versus what

am I supposed to be doing, right? So it's just basically having a clear idea of what you're supposed to do or what your vendor is supposed to be responsible for. Ensure change management processes are in place. So change management, for example: how do we make changes in here, right? So you want to make sure that whenever a change gets made this gets communicated to the users, that changes can be rolled back, that these changes are tested; you never, ever, ever, under any circumstance, want to test in production, you know, right? That this gets previously approved by all the involved parties, and, again, it's important that this is something that can be rolled back.

It goes back to what I was saying: always keep a good backup of your servers. Uber hack: I'll never forget this because I was on PTO when this happened, and I had just, you know, taken a shower and was going to go take a nap, oh my gosh, I had people just blowing up my phone, like, did you see this? So I didn't work for the vendor that was involved, but I was doing a lot of work with them, so this is a really interesting approach. Attack: so the attacker, it's an individual. So what happened was a consultant, it's always a consultant, got a phishing text message,

right? They got a phishing text message from somebody pretending to be from IT, like, hey, your password is about to expire, click here if you want to reset it. So the consultant clicks on the link and it takes them to a fake portal, they enter their username and password, and that's how the attacker gained access: social engineering. With those obtained credentials the attacker logged into the corporate [network], so it's like, okay, yes, I have my password. The attacker found a network share, so he was just kind of looking around trying to find something interesting, what you can do with it. The network share contained a PowerShell script and the script contained credentials for a user in

Secret Server. Goes back to what I was saying before: always, always, always be very careful with hardcoded credentials. So in my case I broke the library system; these people […]. So the script contained credentials for a user in Secret Server. So this is the part that triggers me the most: people use the words account and user interchangeably. This was not an account, this was an actual user. So there were an actual user's credentials hardcoded in the script, not a service account. It could have been a service account and, you know, limit the [impact] of the attack. Do not do that. Things to consider, and by things to consider, everybody feels like, okay, you know,

like, if you had done this you would have never gotten [hacked], and, you know, let me push the solution for you and you're not going to get [hacked]. No, like, we really
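Added example, not part of the talk above and not code from the speaker or from any PAM vendor: the library outage and the Uber story both come down to a secret that was hardcoded somewhere the rotation policy could not see. The script below is one way to check for that before scheduling a rotation on Windows: it takes a list of accounts slated for rotation (the kind of list the discovery feature exports) and searches scripts and config files on a share for those account names sitting next to a password-like assignment, then blocks the rotation if it finds one. The share path, the account names, the sample files it writes to a temp folder and the `Find-HardcodedAccounts` function are all assumptions made for the example.

```powershell
# Added example (not from the talk). Pre-rotation check: find accounts that are
# about to be rotated hardcoded in scripts on a file share. Everything below
# (share path, account names, sample files) is constructed for the demo.

# Accounts slated for rotation, e.g. exported from the PAM's discovery feature.
$AccountsToRotate = @('svc-library-checkin', 'svc-backup', 'svc-patching')

# Build a constructed sample "share" in a temp folder so this runs offline.
$Share = Join-Path ([System.IO.Path]::GetTempPath()) 'pam-rotation-scan'
New-Item -ItemType Directory -Path $Share -Force | Out-Null
Set-Content -Path (Join-Path $Share 'checkin.ps1') -Value @'
# library check-in script (constructed sample, deliberately bad)
$user = "CORP\svc-library-checkin"
$pass = "Summer2023!"
$cred = New-Object System.Management.Automation.PSCredential($user, (ConvertTo-SecureString $pass -AsPlainText -Force))
'@
Set-Content -Path (Join-Path $Share 'deploy.ps1') -Value @'
# deployment script (constructed sample): fetches the credential at run time
$cred = Get-Credential
'@

function Find-HardcodedAccounts {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Accounts,
        [string[]]$Include = @('*.ps1','*.psm1','*.bat','*.cmd','*.vbs','*.config','*.xml','*.txt')
    )
    $files = Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue
    foreach ($account in $Accounts) {
        # Literal match on the account name; look at the next three lines as well,
        # because the password usually sits on the line after the username.
        $hits = $files | Select-String -Pattern $account -SimpleMatch -Context 0,3
        foreach ($hit in $hits) {
            $nearby = $hit.Line + ' ' + ($hit.Context.PostContext -join ' ')
            $hasSecret = $nearby -match '(?i)(password|pass|pwd|secret|token)\s*[=:]'
            [pscustomobject]@{
                Account  = $account
                File     = $hit.Path
                Line     = $hit.LineNumber
                Severity = if ($hasSecret) { 'HardcodedSecret' } else { 'Reference' }
            }
        }
    }
}

$findings = Find-HardcodedAccounts -Path $Share -Accounts $AccountsToRotate
$findings | Format-Table -AutoSize

# Gate the rotation: do not schedule it while any slated account has a hardcoded secret.
$blocking = @($findings | Where-Object Severity -eq 'HardcodedSecret')
if ($blocking.Count -gt 0) {
    Write-Warning "Rotation blocked: $($blocking.Count) hardcoded secret(s) found. Fix these first."
} else {
    Write-Host "No hardcoded secrets for slated accounts; safe to schedule the rotation policy."
}
```

On the constructed sample this reports `svc-library-checkin` in `checkin.ps1` as `HardcodedSecret` and finds nothing for the other two accounts, so the rotation is blocked. A plain name match without a nearby password assignment is reported as `Reference` rather than ignored, since a script that merely names the account is still worth a conversation with its owner before the Saturday 2 a.m. rotation. Point `-Path` at the real shares and replace the account list with the discovery export to use it for real; it only reads files, so it is safe to run with a low-privilege account.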