Osirium protects against Real World Attacks

How Osirium defends against real world attacks

The Verizon 2015 Data Breach Investigations Report gives an in-depth analysis of 2,122 confirmed data breaches and nearly 80,000 security incidents in 2014. From this data we can see the real-world attack vectors and how effective they are against organisations.

Here we take each of the threats in turn and show how Osirium counters it. Before we start, the report shows how the threat actors have been changing over the years: the bulk of threats (approx 80%) are external, there is a small (approx 1.5%) but growing threat from partners, and the rest are internal. These figures are based on the near 80,000 security incidents; the confirmed breaches show that internal attacks have a higher success rate.

The 2015 report differs considerably from the 2014 format: this year Verizon has chosen to show the methods used to gain access to the data. Most of the methods are used to exfiltrate privileged credentials; some instead use a Command and Control process to gain proxy access to privileged accounts.

The common factor is that they all make use of privileged accounts, which is hardly surprising: privilege is always needed to gain access to commercially sensitive data.

It is still the case that most credentials are simply stolen (approx 45%); the methods include shoulder surfing and exfiltrating password text files and spreadsheets. Phishing (just over 20%) is broken out as a separate item, and in this case means fooling the user into entering their privileged account details. Keylogging (approx 7%) has been in decline over the years, but this is matched by an increase in RAM scraping (just over 20%), a technique of reading data directly from operational memory that is associated both with harvesting credential hashes and with direct access to credit card details.

To expand a little on RAM scraping: whenever you map a drive or open a remote session to another machine, a hash of your credentials is held in memory so that the session can be authenticated again without asking you for the password. The hash is produced by a one-way algorithm, so there is no mathematical way to go from the hash back to the password. However, the hash is deterministic and unsalted: 'Password1' always maps to the same hash, on every system. The internet is now a rich source of precomputed hash-to-password mappings, so if you or your staff use one of the roughly 3 million commonly found passwords, a captured hash points straight to the password without any cracking effort at all. A password that has never appeared in a leak and is too long to brute-force defeats this lookup.
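The following Python script is an example added here to illustrate the lookup attack described above; it is not Osirium's code. It assumes two stand-ins: SHA-256 takes the place of the Windows NT hash (the real one is unsalted MD4 over the UTF-16LE password, so the attack works the same way), and a ten-entry constructed wordlist takes the place of the millions of leaked passwords held by public lookup sites. It also shows the two things that make the lookup fail: a per-account salt (which the NT hash does not have) and a long machine-generated password that has never appeared in any list.

```python
"""Dictionary lookup of captured, unsalted password hashes (added example)."""
import hashlib
import math
import secrets
import string
from typing import Dict, Optional

# Constructed stand-in for a leaked-password wordlist. Real lookup tables hold
# millions of entries; the mechanism is identical.
COMMON_PASSWORDS = [
    "123456", "password", "Password1", "qwerty", "letmein", "Welcome1",
    "P@ssw0rd", "admin", "Summer2014", "changeme",
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def unsalted_hash(password: str) -> str:
    """Deterministic, unsalted hash: equal passwords always give equal hashes.

    Assumption: SHA-256 stands in for the NT hash that Windows keeps in memory
    for single sign-on. The attack only needs the function to be deterministic
    and unsalted, which the NT hash is.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute hash -> password once. This is what the public 'hash mapping'
    sites hold, so inverting a captured hash becomes a dictionary lookup."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def recover_password(captured_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Invert a hash scraped from memory, if that password was ever seen before."""
    return table.get(captured_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Same algorithm with a per-account random salt: the precomputed table no
    longer applies, because 'Password1' now hashes differently on every account."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def machine_password(length: int = 24) -> str:
    """A long, uniformly random password of the kind a password vault rotates."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def search_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Size of the brute-force search space for a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # 1. A hash scraped from the memory of a user who chose a common password.
    scraped = unsalted_hash("Password1")
    print("scraped unsalted hash ->", recover_password(scraped, table))

    # 2. The same password protected by a per-account salt: the lookup fails.
    salted = salted_hash("Password1", secrets.token_bytes(16))
    print("salted hash           ->", recover_password(salted, table))

    # 3. A vault-generated password: absent from every wordlist and far too
    #    large a search space to brute-force.
    vaulted = machine_password()
    print("vaulted password      ->", recover_password(unsalted_hash(vaulted), table),
          f"({search_space_bits(len(vaulted)):.0f} bits of search space)")
```

The first lookup succeeds instantly, the salted and machine-generated cases return `None`. A 24-character password drawn from 94 symbols has a search space of about 157 bits, which is why a vault that generates and rotates such passwords removes both the dictionary and the brute-force route, regardless of how the hash is captured.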

This year, brute forcing is not specifically listed among the attacks on data, but it is on the rise against Point of Sale systems (6.8%), and indeed the report shows a shift towards breaking into organisations by hijacking POS devices and then using their credentials to compromise payment systems. The point here is that devices as well as humans can be privileged users.

Human Factors

The decline of brute forcing and the increase in stealing credentials could be a strong indicator that the password message is getting through. Given enough motivation and rules, humans come up with good passwords; however, they are not so good at remembering them. Our research on our own Privileged Task Automation module shows that by far the most popular task is 'Domain Password Reset'. This drives us humans to find places to store passwords, and the criminal community then switches its efforts to the next weakest link: where we store the passwords, or fooling us into revealing them.

Osirium Defences

Separate the users from the privileged device and application accounts they need

This is a very simple and effective approach. Users identify themselves to Osirium Privileged User Management, and Osirium presents them with the list of devices, applications, tasks and roles that have been assigned to them. On each choice, Osirium performs the single sign-on or initiates the task. The privileged passwords are never revealed to the user and never cross into the domain of the user's system.

  • Defeated: Stolen Credentials. The privileged credentials are not available at the desktop or on any mapped drive.
  • Defeated: Phishing. Attackers cannot phish credentials a user does not have or know.
  • Defeated: RAM Scraping. No hashes of the privileged credentials are held on the user's system, since Osirium is handling the remote sessions.
  • Defeated: Brute Forcing. Osirium creates and refreshes long, machine-complex passwords for all the accounts that it manages.
  • Defeated: Third Party Compromise. Osirium avoids the need for VPNs etc. by giving third parties and contractors access only to the systems they need, and only within the role assigned to them.

Dealing with the insider and partner threat

People need privileges to get work done, and quite often some of the most privileged tasks are outsourced (e.g. system management and anti-malware management). In many cases these outsourced tasks are outsourced again to niche specialists, or to wherever the IT labour is cheapest. The contract is then the only basis of trust you have with your outsource suppliers. Many Managed Service Providers realise this and use Osirium themselves to control access to both their own and their customers' systems.

Many of the outsourced tasks are repetitive, for example AV tool updates and help desk functions. Whilst the tasks themselves require considerable privilege, it is not always necessary to grant that privilege to the operators. Osirium's Privileged Task Automation module allows you to package and parameterise tasks, so the operator supplies only the parameters and Osirium runs the task with the privilege it requires.

At the end of the day there are always some users who will abuse the privileges granted to them (privilege abuse accounts for 55% of insider attacks according to the Verizon report). After Osirium has helped to deliver a least-privilege model there is still a chance that the remaining privileges will be abused. As a deterrent Osirium has Privileged Session Management, which records sessions along with keystrokes and therefore clearly establishes who did what, and where, on your systems.

This functionality is wrapped up as Third Party Access Protection.

  • Defeated: Privilege Elevation. With Task Automation, the operators are not granted the privileges in the first place.
  • Deterred: Command and Control Crimeware. This no longer has direct access to the applications, since Osirium starts them on behalf of the users. It cannot start or use background processes, since the secure tunnels that Osirium provides would not be available to them. The only option left is to take over the foreground process, which is directly under the eyes of the user.
  • Deterred: Malpractice. If privileged users know that all their actions are recorded, they are much less likely to transgress in the first place.
  • Defeated: Third Party Access to unauthorised systems. Osirium prescribes exactly which systems and which roles can be used; there is no opportunity to network scan.