Have you ever gotten that phone call?
You know, THE phone call when you least expect it. Where one of your best clients has ransomware.
The business owner is freaked out and terrified of what will happen.
Why would you ever get a call like this?
Maybe someone clicked a link or went to a malicious website. I’m not going to focus on that type of incident today.
In many cases, one of their employees has access to a wide-open folder share inside their network. And that folder has everything. All of their salary information. All of their sales. Every contract. Every HR file. Basically, everything needed to run their business. Completely accessible to the attacker. At some point the boss finds out that these files were exposed to other employees, accessed by a contractor, or reached by some other user in their office, and they freak out. They realize this is a big deal and start asking who accessed the information.
How often does something like this happen? (… more often than you’d think!).
And maybe the first thing you’re thinking is how do we fix this? That’s not what they’re interested in when they call your phone in a panic. The VIP who stops everything to call you is interested in who accessed what AFTER this information was viewed.
And that’s one of the big challenges when it comes to permissions and managing those permissions. Ultimately, this is something you have to do before an event happens. But it isn’t something people focus on until that event has taken place. And in many cases, if you haven’t set up the right permissions up front, no one is really interested in fixing the problem because it doesn’t have a visible benefit right now. There are bigger fish to fry.
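A check for that wide-open share, run before the panicked call rather than after it. This is an added example, not from the original post; it assumes an elevated PowerShell session on the file server with the SmbShare module (Windows 8 / Server 2012 and later), and the list of "broad" principals is my assumption to extend for your domain.

```powershell
# Added example (not from the original post): list SMB shares on this machine whose
# share-level ACL grants broad groups Change or Full access, the "wide-open folder
# share" case described above. Run elevated on the file server being checked.

# Principals that effectively mean "everyone". Assumed list; extend for your domain
# (large domain groups like "CONTOSO\Domain Users" belong here too).
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

# Skip the special admin shares (C$, ADMIN$, IPC$); they are managed separately.
$findings = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Change', 'Full') -and
        ($broadPrincipals -contains $_.AccountName)
    } | ForEach-Object {
        [PSCustomObject]@{
            Share     = $share.Name
            Path      = $share.Path
            Principal = $_.AccountName
            Right     = $_.AccessRight
        }
    }
}

# Every row is a share where a broad group can modify or take full control of
# whatever sits underneath: salary data, contracts, HR files.
$findings | Sort-Object -Property Share | Format-Table -AutoSize
```

Share permissions combine with NTFS permissions (the effective access is the more restrictive of the two), so a share that passes this check can still be wide open if the folder's NTFS ACL grants Everyone modify; check `Get-Acl` on each share path as well.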
What least privilege comes down to is we give users just the minimum level of access that they need. The minimum permissions that they need to do their job on a daily basis.
Today I want to force you to think about the problem a little bit.
What we want to do is give them the minimum level of access they need to perform their normal daily job. And if they take on additional responsibilities, then we want to provide those capabilities just in time.
Or we want a separate account that they log in to in order to get to those.
Least privilege goes beyond just users. We are also talking about software.
For a service, a process, or any type of software, we give it the minimum level of access it needs to perform its function. We don't want a service on a workstation that, instead of running as a system account, is running as a domain admin account. We've given it too many privileges. Instead of just privileges on the local machine where it needs them, we've given it privileges across the entire Active Directory.
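One way to find that over-privileged service on a workstation. This is an added example, not from the original post; it assumes an elevated PowerShell session on the machine being checked, and the privileged-account names are placeholders for the real members of Domain Admins.

```powershell
# Added example (not from the original post): list services on this workstation that
# log on as something other than the built-in local identities, so a service running
# as a domain account (worst case, a domain admin) stands out.

# Built-in identities that are expected for services: LocalSystem, the
# NT AUTHORITY\... accounts and NT SERVICE\... virtual accounts.
# Anything else is worth a second look.
$builtInPattern = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'

# Accounts known to hold high privilege in the domain. Placeholder values;
# replace them with the real members of Domain Admins (e.g. from Get-ADGroupMember).
$privilegedAccounts = @('CONTOSO\Administrator', 'CONTOSO\svc_backup')

$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($_.StartName -notmatch $builtInPattern) } |
    ForEach-Object {
        [PSCustomObject]@{
            Service    = $_.Name
            LogonAs    = $_.StartName
            State      = $_.State
            StartMode  = $_.StartMode
            # True for the exact case the text warns about: a domain admin running a
            # workstation service. -contains is case-insensitive in PowerShell.
            Privileged = ($privilegedAccounts -contains $_.StartName)
        }
    }

# Privileged findings first: these are the services to re-home to a local or
# group-managed service account with rights on this machine only.
$findings | Sort-Object -Property Privileged -Descending | Format-Table -AutoSize
```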
What about devices? They should work the same way.
When we think about least privilege, we want devices to be given only enough access to perform the required task.
If you think about it, do we need phones to be on the same network? Should they be able to access servers?
Well, probably not.
That's what it all comes down to when we talk about least privilege for devices: making sure those devices only have enough access to perform their required tasks.
Why is this so important?
It Reduces the Attack Surface — The first reason is very simple: least privilege reduces the attack surface.
You don't have as many accounts, devices, software services, or processes running around with huge amounts of privilege inside the organization. If somebody gets one of those very low-end users to click a link, that user doesn't have access to a lot of things.
By the way, this is one of the things our tools depend on. They depend on somebody messing up privilege settings and giving a user much more responsibility than they need.
When we analyze environments, the reason we are able to capture so much is that users have too many permissions, too much responsibility. We abuse those excess permissions. We abuse the processes on the machine that have more responsibility, or more access, than they really need.
Reducing this attack surface is a critical piece, because this is how attackers get in. This is how they can get a foothold.
Least Privilege Implemented Properly — when you have least privilege implemented properly, you basically eliminate lateral movement.
And how does this work? If a user can only reach the one device they are supposed to use, they can't reach other devices. There are no accounts on that computer that can access a bunch of other machines, and there are no domain administrator accounts on that device.
All of a sudden, we have a much smaller footprint to protect, because lateral movement is much harder when those accounts aren't there.
There are no other opportunities to spread laterally.
It Creates Better Stability — let's go back to that device for a minute. We have an IoT device on the same network as a server. Suppose the IoT device starts having network card issues and begins creating a packet storm. I've seen this happen.
Maybe it's a smart TV that starts creating a packet storm because it's really not well designed.
When there's an issue with the firmware, it starts creating a lot of chatter on the network. If it's on the same wire as the server, all of a sudden we've got a problem where the server starts going down.
Or let's say we have a process running with domain admin rights rather than system-level rights, and all of a sudden it starts going haywire. It can stop other users' processes that a system account would not be able to touch.
There are a lot of reasons.
This is where least privilege really comes in handy. It makes it so that we don't have as many situations where we have full system outages.
The take home? Permission levels are important. If you’re not closely managing your client permission levels, you’ll eventually have a big mess to clean up. And if you’re not inspecting permission creep across your environments, you may soon be dealing with an emergency.