
Hi. Well, before I start I just want to say thank you all for taking the time to watch my presentation. This is a really exciting topic for me; it breaks my heart that I wasn't able to make it there on site and in person, but anyway. So this is "Do Check Your Privilege: privileged account management solutions and how they can either become your bestie or totally ruin your day."

So, how about me? Oh sorry, I don't think it was putting me on the next slide. Yay, awesome. I'm not quite sure how to... anyway. I'm going to do the boring intro for now. I'm an offensive security engineer with nine years of IT experience. My very first job was all security operations, and I honestly tell people that blue teamers are the unsung heroes of the whole entire industry, because while a pentester can finish their assessments and then go home and just relax, when it comes to computer crime it never stops; criminals don't really work 9 to 5. So that's just a very interesting approach to look at security operations and incident detection. And then the boring alphabet up to CCNA, yada yada. Out of the certifications that I have, the one that I consider my baby and the one that I pretty much learned from the most was SSB, because honestly I feel like it really gives you a good foundation of how IT in general integrates with security. My favorite color is pink. When I was a kid I was a weird-looking boy. Throwing in a random fact, I guess.

So before we actually start, a couple of things to keep in mind. This whole entire discussion is going to be based on a Windows environment. I'm not saying that this type of solution cannot be deployed in Linux; it can be done, but I personally have seen it a lot more happening in a Windows environment. It's like my dad says: just because you don't see something doesn't mean it doesn't exist. It's there, I just haven't seen it that often. PAM stands for privileged account management solutions, and I'm going to be referring to a secret as anything that you can use as privileged credentials, so that would be your API keys, passwords, SSH keys, tokens, certificates, anything that you can log into something with that could give you privileged access. That's going to be a secret.

The Book of Sand. So I normally like to start my presentations with a random short story, and that's what I'm going to do right now. I promise this has a point and I'm going to try to get there quickly. In 1975 Argentine writer Jorge Borges published a compilation of short stories with his main story titled "The Book of Sand." This is a story about a guy that is a book collector and he's just kind of chilling at home and gets a knock on his door from a traveling salesman offering him this book. He was told that it was called The Book of Sand because neither the book nor the sand in the desert had a beginning or an ending, so it was just a never-ending number of pages. They didn't follow any particular sequence, they were very complex, and they were written in a language that he couldn't understand. So he started getting so obsessed with it that he was just like, okay, I'm going to put the brakes on this, I'm just going to get rid of it, because it's very complex and it's really consuming me. So, takeaways of the story: the complexity of the book, the fact that it needed to be treated with caution, and that it needed to be safeguarded, because it was put in the National Library of Argentina, hidden, so people couldn't find it. Well, complexity, caution, and safeguarding: that's exactly how we would treat a privileged account.

And then, what's a PAM? This is just going to be a short intro. Privileged access management is a security mechanism that enables organizations to manage and keep an eye on the behavior of privileged users, including their access to crucial business systems and what they can do while they're logged in. A privileged account management solution is a sub-component of privileged access management. So this brings me to the next point: what is a privileged account management solution? This is a type of solution that focuses specifically on managing accounts with elevated access. This application administrates and audits accounts and data access by privileged users. So what does this even mean? These are the type of accounts that require a little bit of special permissions or special rights for us to perform a task. What kind of tasks? Well, for example application deployment, database management, patching, network configuration, system administration, cloud infrastructure setup. So anything that could potentially get us to either break something or compromise sensitive information, those are the type of accounts we want to be a little bit extra careful with.

The road to success starts with STDs, yay. So as everybody knows, STD stands for skill sets, tools and data. So what kind of skill sets would we need? My old boss used to say that one sysadmin is worth a hundred IT security professionals, and there might be some truth to the whole thing, but what I'm trying to say is we really want somebody who has a good understanding of IT security and how this type of application could potentially be weaponized or misused. And then what kind of tools would we need? Well, we would need backups, databases, right? We would also need web servers. As for data, what kind of data would we need in this case? Well, it's a very common occurrence, and it's extremely recommended, to log this, to integrate this type of application with your SIEM. We also need a workflow approval, and the reason why we need that is just because somebody turns in a request to access a PAM or to access certain secrets doesn't necessarily mean that they're going to get it, right? So we want to be able to track that request and send it to the pertaining or the correct stakeholders. And then another piece of additional data that we also need, and it's extremely important and it often gets ignored, is we need a list of all our critical applications and the sensitive accounts or the critical accounts that are involved with them. And I actually have a story to share pertaining to this, so I'll do that in a little bit.

Core components. These are going to be the core components of an account management solution. Web server, for example: that is the user interface, and everything that a user can be clicking on, like their folders, their admin panel, their settings, anything that you can poke around and click on, that's going to be on your web server. Distributed engine: this is the service that does all the dirty work, and by dirty work I mean connecting you to AD, for example, password rotation, password changes, heartbeats, account synchronization, synchronizing Active Directory groups with your PAM. Everything that actually requires some leg work, that is going to be done by your distributed engine. Database: your database is going to be storing secrets information. And what kind of information is it going to be storing? For example secret names, when it was created, the user that created it, and you might even get to see the password, but obviously you're not going to see a plain text version of it, you're going to be able to see a hashed version. So that's still pretty helpful. And Active Directory, right, for group and user synchronization.

Another couple of core components: we have sites. Each site, well, each engine is normally assigned to a single site. So what does this mean? Think of a site as a book of work items. For example, let's just say Victoria's Secret. Victoria's Secret is a company that has offices in New York, they have something in London, they have something in Paris, I believe. Well, each one of their locations would have a different site, right? So if something goes down they can still rely on a couple of other sites. Site connector is going to be the service that holds the work items for the different sites, and we're going to have one distributed engine, or at least it is recommended to have one engine, per site.

On-prem versus cloud. This is a type of discussion that we're going to see all the time regardless of which type of solution, but in my experience I've really had a very interesting experience, I guess, with on-prem solutions. I've had people reach out to me and ask me, what should I do, should I go on-prem or cloud? The answer is it really depends. It really depends on your budget, depends on your organization, depends on how you think everything is going to grow, depends on who's going to be deploying the solution and maintaining it, because these are two completely different things. So it really depends. So everything that you all see with a green check mark that says on-prem, well, here everything that is just there with a green check mark is going to be everything that the user or the organization is responsible for. That's in green: web server, distributed engine, database. Patching on-prem is really a nightmare, because it doesn't mean, hey, I'm going to run the patch and I'm happy and everything works out. No, you also have to update each one of the servers that are involved in the whole entire solution, you also have to update your web server, you have to put your web server, your main application, in maintenance mode, you have to create backups of your databases, you have to create backups of your distributed engine. So yeah, you really learn to love energy drinks. As for everything that is in cloud, well, the only thing that is 100% your responsibility, that's going to be your distributed engine, and as I said before, your distributed engine is going to be that host that is going to perform all the dirty work and synchronize with your directory services.

Additional features. What kind of cool stuff can we do? So this is the reason why I wanted to discuss this, and this is something that I saw on Twitter months ago. I remember somebody saying, hey, a PAM is nothing but a glorified password vault, and I'm like, it is not. I am really a firm believer that whenever you're paying for something you gotta get more back for your buck, right? So no, it is not a glorified password vault; there's a lot more stuff that we can do with it. So for example we have discovery, and what kind of stuff can we discover? Well, we can discover domain accounts, service accounts, the services that are associated with them, some other hosts. Why I'm saying this: I remember I was talking to a friend a couple of months ago and he was just like, well, I'm going to start building my SOC from scratch, like I switched jobs, they just gave me budget and they were just like, hey, go crazy. I'm in the process of finding a PAM, but in the meantime, I'm sorry, I'm in the process of finding an asset management system, but in the meantime what I'm going to do is I'm going to make use of the discovery feature that I have in my PAM and whatever my EDR is telling me, and that's going to give me a really good starting point to have visibility on what's on my network. So it's not ideal, you still need an asset management system, but it's really going to give you an excellent starting point.

Heartbeats. Think of a heartbeat as a mechanism to see if an account is still there and alive, right, if it's still synchronized with your directory services. It's like saying, hey, account, are you alive in there? Yes, I'm here. Okay, cool, awesome. And you can still configure your PAM to notify you every time an important account loses its heartbeat, so you can have it either send an email, or if you have it integrated with your SIEM it's going to create an alert. So it's really good stuff.

Reporting. There are three ways that you can do this. You can either integrate your PAM with your SIEM and you can customize your own fields and create your own alerts and download your own reports. It really requires a little bit more leg work, but in my opinion that's the best way to do it, so you can integrate it with your SIEM. But this type of application also has predefined reports that you can download. So what kind of information can you see from a predefined report? You can see the number of secrets, the new users that have logged in, secrets that were removed, secrets that don't have a heartbeat, password rotations, so just general information. And if you want to get a little bit more nerdy and more in-depth, what you can do, you can just go directly into the database servers that are connected to the application and you can just customize and create your own SQL query. So that's my least favorite way to do it, but it can also be done.

Auditing. This type of application has logs of its own, right? So they tell you whenever there's a system failure, whenever a service that is involved with this application is really not synchronizing or working correctly, whenever an account has been removed. It has logs on its own, right? So we have recorded this information, and whenever we're reviewing it, then that's when we're auditing.

Password generator. Another cool feature that we have in here is, whenever we're adding an account, we can just click on a button and it's going to autogenerate a password for us, right? We don't really get to say, okay, I'm just going to do solarwinds123 because that's everything I have been using for all my passwords. No. And you get to decide the length of the password, the complexity, if you want to be able to exclude any characters. So that's good.

Password changing. Since this type of application integrates with your directory services, you can just click on a button and it's going to automatically change the password without you having to go into Active Directory or any application that you change it from.

Policies creation. Out of all the features in here, policies creation is my very best favorite; it's my favorite feature, but at the same time the most dangerous one. It can make a lot of people angry. So think of policies in general as a set of rules that you can apply to multiple secrets in one shot, right? So the most typical type of policy creation is going to be one for password rotation, without you having to click on any individual account. So a story I wanted to share. Last year, well, a couple of years ago, I used to work for a university and I deployed one of these solutions where we were working on a project in order to rotate service accounts and store them securely, right? So using the discovery feature I found several service accounts that really did not have a password rotation, or the passwords had not been changed in a while. So anyway, I looked at all the accounts, I exported them, I had a conversation with the systems administrators and our DevOps department, and they were just like, okay, go ahead, please rotate these accounts. I created a policy that established rotation every Saturday at 2 a.m. Turns out that I ended up breaking a hardcoded account. I ended up breaking a library system for students to go check into a library, right? And the reason how this happened, the reason why I did it, was the set of credentials was hardcoded into one of its components, right? So I just rotated the account, credentials were hardcoded, so students were not able to check into the library for a couple of days. Oopsie. So, moral of the story, this is what I was mentioning earlier: really keep a good list of all your critical accounts, right, and all your critical applications. At least it was a library system and not a behavioral system, because I'm pretty sure I would have made a lot of people angry.

Templates creation. By templates creation I mean basically you get to decide what fields you want on your screen whenever you're storing a secret. So this is a template, for example: you see the secret name, the name pattern, description, if you want to add any additional notes like, hey, do not rotate this password, or this is just for me to see only. All history: the history feature is going to let you see prior passwords, secret name history. Validate password requirements on creation, so it doesn't really let you save the secret unless it meets the password requirements or complexity requirements. So pretty cool stuff. This is what a folder structure would look like. Yeah, these are pretty generic accounts, but this is pretty much what a web structure panel would look like.

Roles and permissions. Whenever we're granting access to somebody to a PAM so they're able to look at certain secrets, obviously we want them to perform what they need to do, no more and no less. So for example, these are the most generic type of permissions that you're going to see: appending data, change permissions, create directories, create files, delete secrets. Some people are only able to, for example, just look at secrets, look at them; they're not able to copy any passwords, they're not able to change them, they're just able to see the list of accounts and that's it. And again, this is really going to vary and this is really going to depend based on the person's role. Well, in an ideal world you want to give people the very least amount of permission, so you can customize it and get creative with it.

Best practices. These are general best practices for your PAM. Restrict personal privileged accounts to one per user. There really should be no reason whatsoever why two admins are sharing a domain account, right? We want to be able to track all activity to the original person who was performing it, right? So this is really going to defeat the point of non-repudiation. I'm thinking unless this is a third-party application that has nothing to do with your directory services and you're kind of struggling for licensing, then I guess that could be understandable, but you want to keep one domain account per admin. Do not allow admins to share accounts. This goes back to what I was mentioning, and it should be really one per user. Keep an up-to-date list of all your privileged accounts, so you have to have a good idea of what's on your network, right? You could potentially break something, or just think of this type of solution, or think of your assets, as: bigger amount of assets, bigger target; bigger target, bigger chances of you getting compromised. So limit the scope of privileged accounts. It's pretty much what I was mentioning before: you want to give people the very least amount of access, just for them to do what they need to do. Disable accounts that are not in use. If you're not using something there's really not a point to keep it there. So something that I've seen a lot of companies doing, and again this is really going to depend: okay, you have your accounts and somebody leaves the company, so you disable the account and you move it to a different OU, and after six months you review what's in that OU and whether those accounts still need to be used or not, or there's a reason to keep them. So again, this is just a general good practice. Enforce a strong password policy and require MFA. One thing to keep in mind: there isn't such a thing as, hey, this is unhackable, nobody's ever going to break in. So what we're doing, just establishing these two controls, is pretty much making it a little bit tougher for an attacker to break in, right? Chances are it's still going to happen, they're still going to break in, but you just want to make it a little bit trickier for them.

The LAME approach. I normally like telling people that PAM solutions, well, IT security solutions, but this goes specifically for PAM, are like skincare, for two reasons. Number one, just because something works for somebody doesn't necessarily mean that it's going to work for you. It's like, okay, my best friend has this skincare routine, I'm going to try it too; it may or may not work. So that's one of the reasons. And another reason is, as you get older, or your organization gets older, the stuff that you need changes, right? So this exactly happens with your organization too. So you want to start logging the activity involved with a PAM. What kind of logs would we need in this case? Well, we would need the application logs, yes, but it's also recommended to have Windows event logs, right? So whenever an account gets disabled, whenever a new user gets added, whenever somebody changes a password, those are Windows event logs, and it's also recommended to integrate this with other solutions that you already have in place. Audit: there's really no point in recording activity you're not going to be evaluating. It's like, okay, I got my logs and that's it, I'm done, bye. No, you really want to take a good look at them. Monitor: if you're integrating this with your SIEM you want to create alerts whenever there is suspicious activity happening, right? Okay, this person is logging in at 4 in the morning on a Sunday, or this doesn't really look right, why is this person trying to dump so many secrets in such a short period of time? So anything that looks a little bit off or weird, that's what you want to keep an eye on. And another step is evaluating, right? A very common misconception, and this is something that I've seen happening before, is: okay, I got my logs and I'm looking at them and I have alerts and that's it, I'm done, I'm good to go. No, this is a whole rinse and repeat process, right? And this doesn't only apply to PAMs but to most solutions in general. Again, you have your alerts and you have your logs, but that doesn't mean you're good to go, right? You want to keep an eye on it: is this alert still useful, do we have all the logs that we need, are there any gaps that we need to fill in? So best practice would be just having this exercise done every six months, so basically just as a sanity check.

Additional recommendations. Keep the most recent security updates on all involved systems, right? So just because there's a zero day and it doesn't affect your PAM directly, okay, it doesn't affect my web server, but it could still affect your distributed engine, it could still affect your database server. So make sure that every single core component is up to date. Ensure the appropriate backups are in place. A lot of people just go like, well, I don't like doing backups of my web server, and this whole entire thing is boring and it takes a lot of my time. Well, you have the option to create backups of your virtual machines, and if something really goes wrong you can just return to a prior version of it or a prior image of it. So you can just work directly with your system administrators, or there's still that option, but it's important to keep a good backup. Keep good contact with your vendor. A lot of people just go like, I don't even know who my point of contact is. So you want to know who that is, whoever is selling you this solution, so you can reach out to them if you have any questions. Consider commercial EDR tools. Something that I've said before: EDR is really not going to save the day; this is just one additional layer that is going to make it trickier for the attacker to break in, right? So think of the defense in depth approach. You have your EDR and you also have your firewalls and you also have your VPN and you also have your PAM and you also have security training for your users and you also have your web application firewall. So it's all these controls that you're putting in place, right? It's not just one solution, I mean it's not just one control. Document account management practices, right? So who has access to what. A good example would be, hey, somebody's requesting to have access to a database server, right? So this person placed a ticket and that ticket gets routed to the correct group for the application owner and it gets evaluated: okay, what do you need access for, how long do you need this access for, right? So you're just documenting anything that involves granting access so you can go back to that request. Enable event notifications. Again, this type of application has the ability to notify you whenever something is suspicious, and if you integrate it with your SIEM you can customize alerts on your own. Understand service level agreements. Basically, this is where do we draw the line when it comes to responsibility: what are you responsible for versus what is your vendor responsible for, so who does what. Ensure a change management process is in place. Okay, what do I mean by change management? Well, for example, never ever ever test in production, that is one thing. Make sure that changes can always be rolled back, make sure that changes get approved, make sure that end users get informed when there's going to be a change, make sure the changes can be reviewed. So all of those little steps, it's basically a sanity check when it comes to making a change.

Uber hack. I remember when this happened because I was actually on PTO and I had a lot of people messaging me that day, like, I don't even get that many messages on my birthday, and everybody was like, hey, did you see what happened? So there was a PAM involved in this case. Attack narrative, just a general view of what happened: an attacker targeted an individual, it was a consultant, because it's always a consultant. So then they gained access via social engineering; they just basically sent a text pretending to be from IT, like, hey, your password has expired, click on this link if you want to change it. So with this the consultant clicked on the link and they changed their password, and anyway, the hacker logged into the corporate VPN with the new credentials, and then the attacker found a network share that they were able to access. The network share contained a PowerShell script, and the script contained credentials for an admin user in Secret Server. A lot of people use the words account and user interchangeably; this wasn't just an account, this was an actual domain user, right? So things to consider. I'm not going to say, hey, they were never going to hack you if it wasn't because you took these steps. No, what I'm trying to say is, if they had taken different steps, the scope of the attack could have been limited, right? So for example, just because I create a new account in Active Directory, that doesn't need full PAM access. I still have to license that account and I still have to... right? So roles: what permissions do I have? So they had given that particular account more access than it actually needed. And another thing that was important, this is basically what popped into my head the moment that I read that: alerting, right? This type of application, and I know this type in particular they were using, which is Secret Server, what they do is whenever somebody's poking around or even looking at privileged accounts, you get a notification through your email, right? And I also know that Secret Server can be integrated with your SIEM, so you have that option of a second layer of protection. So I'm really not bashing on them, but again, what I'm trying to say is the attack could have had a different outcome for sure.

Final look. These are the final recommendations. Enumerate your assets. Like I said before, bigger amount of assets, bigger target; bigger target, bigger chances of you getting compromised. No, seriously, enumerate your assets. Think of my story and learn from my mistake: I broke an application because we didn't really have a list of critical accounts. So keep that in mind, because you really don't want to break something. Create a good rotation policy. You can customize your own policy and you get to choose which secrets you want to rotate, so just be very careful with that. Automatic rotation is really a good practice. Review access rights: who has access to what, and why do they have that access, should they be having that access, should we remove them? That's something that you want to keep in mind too. Think of the LAME approach: log, audit, monitor and evaluate, right? Just because we have logs and just because we have alerts doesn't mean we're good to go; this should be a rinse and repeat process, always. Don't exclusively rely on your PAM solution to save the day. Again, defense in depth: this is just one more layer of control when it comes to your solutions and your IT security department. Right, that's it. Thank you so much, Molina.
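The "monitor" step of the LAME approach, as an added example that is not part of the talk: a small Python alert pass over constructed PAM audit events that flags the two situations the speaker describes, a login at 4 in the morning on a Sunday and a burst of secret views in a short window. The pipe-separated line format, the account and secret names, the business-hours range and the burst thresholds are all assumptions for the demo, not Secret Server's actual log format or defaults.

```python
"""Alerting over PAM audit events: off-hours logins and secret-view bursts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format, not a real product's export):
# ISO-8601 local timestamp | user | action | object
# 2024-03-03 is a Sunday; 2024-03-04 is a Monday.
SAMPLE_LOG = """\
2024-03-03T03:58:10 | c.consultant | LOGIN       | webportal
2024-03-03T04:01:12 | c.consultant | SECRET_VIEW | prod-db-sa
2024-03-03T04:01:20 | c.consultant | SECRET_VIEW | prod-backup-sa
2024-03-03T04:01:31 | c.consultant | SECRET_VIEW | cloud-api-key
2024-03-03T04:01:44 | c.consultant | SECRET_VIEW | ad-svc-sync
2024-03-03T04:02:02 | c.consultant | SECRET_VIEW | vpn-admin
2024-03-03T04:02:15 | c.consultant | SECRET_VIEW | sso-signing-cert
2024-03-04T09:15:00 | j.admin      | LOGIN       | webportal
2024-03-04T09:20:33 | j.admin      | SECRET_VIEW | prod-db-sa
2024-03-04T10:05:12 | j.admin      | SECRET_VIEW | prod-backup-sa
"""

# Assumed policy values; tune these to the organization's real working pattern.
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59, weekdays only
BURST_WINDOW = timedelta(minutes=5)    # sliding window for secret views
BURST_THRESHOLD = 5                    # views inside the window that trigger an alert


def parse_events(text):
    """Parse the pipe-separated audit lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj = (part.strip() for part in line.split("|"))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj})
    return events


def off_hours_logins(events):
    """Return (user, timestamp) for every LOGIN outside weekday business hours."""
    alerts = []
    for e in events:
        if e["action"] != "LOGIN":
            continue
        weekend = e["ts"].weekday() >= 5           # Saturday=5, Sunday=6
        if weekend or e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((e["user"], e["ts"].isoformat()))
    return alerts


def secret_view_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return (user, count, distinct_secrets) for each user whose densest
    window of SECRET_VIEW events reaches the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "SECRET_VIEW":
            by_user[e["user"]].append(e)
    alerts = []
    for user, views in by_user.items():
        views.sort(key=lambda e: e["ts"])
        best_count, best_span = 0, (0, 0)
        start = 0
        for end in range(len(views)):
            # Slide the window start forward until it fits inside `window`.
            while views[end]["ts"] - views[start]["ts"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_span = end - start + 1, (start, end)
        if best_count >= threshold:
            lo, hi = best_span
            distinct = sorted({v["object"] for v in views[lo:hi + 1]})
            alerts.append((user, best_count, distinct))
    return alerts


def run_alerts(text):
    """Run both detections over raw audit text and return them keyed by rule."""
    events = parse_events(text)
    return {"off_hours_login": off_hours_logins(events),
            "secret_view_burst": secret_view_bursts(events)}


if __name__ == "__main__":
    for rule, hits in run_alerts(SAMPLE_LOG).items():
        for hit in hits:
            print(f"ALERT [{rule}]: {hit}")
```

The same two rules are what you would express as a correlation search once the PAM's audit log is forwarded to the SIEM, with the evaluate step revisiting the thresholds every few months.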