Wherever There's Ransomware, There's Service Account Compromise. Are You Protected?

Until only a few years ago, only a handful of IAM experts understood what service accounts are. In the past few years, these stealthy non-human identity (NHI) accounts have become one of the most targeted and compromised attack surfaces. Assessments reveal that compromised service accounts play a crucial role in lateral movement in over 70% of ransomware attacks. However, there is an alarming gap between how exposed service accounts are to compromise, and the damage that compromise can cause, and the security controls currently available to limit this risk.

In this article, we discuss what makes service accounts such an attractive target, why they are outside the reach of typical security management, and how the new method of unified identity security may protect service accounts from compromise and misuse.

Active Directory service accounts 101: Non-human identities used for M2M

In an Active Directory (AD) context, service accounts are user accounts that are not associated with human beings but are used for machine-to-machine communication. They are created by administrators either to automate repetitive tasks or during the installation of on-prem software. For example, if you have an EDR in your environment, there is a service account responsible for fetching updates to the EDR agent on your endpoints and servers. Apart from being an NHI, a service account is no different from any other user account in AD.

Why do attackers target service accounts?

Ransomware criminals depend on compromised AD accounts, ideally privileged ones, for lateral movement. A ransomware attacker would carry out such lateral movement until gaining a foothold strong enough to encrypt many devices with a single click. Typically, they do so by accessing a Domain Controller or another server used for software distribution and abusing its network share to execute the ransomware payload on as many workstations as possible.

While any user account would serve this purpose, service accounts are ideally suited for it for the following reasons:

High access privileges

Most service accounts are created to access other machines. That unavoidably means they hold the credentials needed to log in and execute programs on those machines. This is precisely what threat actors want, since compromising these accounts gives them the ability to access the machines and execute their malicious payload.

Low visibility

Some service accounts, particularly those associated with an installed on-prem program, are known to the IT and IAM staff. However, many are created ad hoc by IT and identity professionals with little documentation. This makes the effort of keeping a monitored inventory of service accounts nearly impossible. This plays nicely into attackers' hands, since compromising and abusing an unmonitored account has a considerably better chance of going undetected by the victim.

Lack of security controls

The typical security controls used to prevent account compromise are MFA and PAM. MFA cannot be applied to service accounts, since they are not human and do not possess a phone, hardware token, or any other additional factor that could validate their identity beyond their username and password. PAM solutions also struggle with the security of service accounts. Password rotation, the key security control PAM systems rely on, cannot be applied to service accounts for fear of breaking their authentication and interrupting the critical processes they drive. This leaves service accounts essentially exposed.

Want to learn more about securing your service accounts? Explore our eBook, Overcoming the Security Blind Spots of Service Accounts, for deeper insight into the problems of safeguarding service accounts and guidance on how to tackle them.

Reality bytes: Every organization is a potential victim regardless of vertical and size

It has been said that ransomware is the great democratizer that does not discriminate between victims on any criteria. This is truer than ever when it comes to service accounts. In recent years, we have examined incidents in firms from 200 to 200K employees in banking, manufacturing, retail, telecom, and many other verticals. In 8 out of 10 cases, the attempted lateral movement involved the compromise of service accounts.

As usual, the attackers teach us best where our weakest links are.

Silverfort's Solution: Unified Identity Security Platform

The new security category of identity security presents a chance to turn the tables on the free rein adversaries have had so far over service accounts. Silverfort's identity security platform is founded on a patented technology that gives it continuous visibility, risk analysis, and active enforcement on every AD authentication, including, of course, those made by service accounts.

Let's examine how this is used to stop attackers from exploiting service accounts for malicious access.

Silverfort's service account protection: Automated discovery, profiling, and protection

Silverfort enables identity and security teams to keep their service accounts safe in the following manner:

Automated discovery

Silverfort observes and analyzes every AD authentication. This makes it possible for its AI engine to recognize the accounts that display the deterministic and predictable behavior that distinguishes service accounts. After a brief learning period, Silverfort provides its customers with a comprehensive inventory of their service accounts, including their privilege levels, sources and destinations, and other data that maps the activity of each.

Behavioral analysis

For every recognized service account, Silverfort creates a behavioral baseline that contains the sources and destinations it regularly uses. Silverfort's engine continually learns and refines this baseline to represent the account's activity as precisely as possible.

Virtual fences

Based on the behavioral baseline, Silverfort automatically constructs a policy for each service account that triggers a preventive action upon any departure of the account from its typical behavior. This action might be just an alert or a full access block. In this way, even if the service account's credentials are compromised, the attacker will not be able to use them to access any resource outside the ones specified in the baseline. All a Silverfort user needs to do is activate the policy, with no further effort.
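A minimal model of the discovery-baseline-fence sequence described in the three steps above, added here as an illustration and not Silverfort's code: it learns each service account's (source, destination) pairs from a learning period and then applies an alert-or-block policy to new logons. The log format, host names and the choice to alert on accounts that have no baseline are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed AD logon records (not real data): timestamp, account, source host, destination host.
LEARNING_LOG = """\
2024-05-01T03:00:01 account=svc-edr-update src=edr-mgmt01 dst=ws-001
2024-05-01T03:00:02 account=svc-edr-update src=edr-mgmt01 dst=ws-002
2024-05-01T03:00:03 account=svc-edr-update src=edr-mgmt01 dst=srv-file01
2024-05-01T22:00:00 account=svc-backup src=backup01 dst=srv-file01
2024-05-01T22:05:00 account=svc-backup src=backup01 dst=srv-sql01
2024-05-02T03:00:01 account=svc-edr-update src=edr-mgmt01 dst=ws-001
"""

LINE_RE = re.compile(r"^(\S+) account=(\S+) src=(\S+) dst=(\S+)$")

def parse_events(text):
    """Yield (account, src, dst) from the constructed log format; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4)

def build_baseline(events):
    """Behavioral baseline: the (source, destination) pairs each service account normally uses."""
    baseline = defaultdict(set)
    for account, src, dst in events:
        baseline[account].add((src, dst))
    return dict(baseline)

def evaluate(baseline, event, mode="block"):
    """Virtual-fence policy for one logon; mode is the deviation action, 'alert' or 'block'."""
    account, src, dst = event
    known = baseline.get(account)
    if known is None:
        return "alert"   # assumption: an account with no baseline is surfaced for review
    if (src, dst) in known:
        return "allow"   # inside the fence: the account's normal machine-to-machine activity
    return mode          # outside the fence: e.g. compromised credentials reused elsewhere

def apply_policy(baseline, text, mode="block"):
    """Run the per-account policy over new log text; returns [(account, src, dst, verdict)]."""
    return [(a, s, d, evaluate(baseline, (a, s, d), mode)) for a, s, d in parse_events(text)]

# Constructed follow-up activity: the second line is the kind of deviation lateral movement
# produces (the EDR update account authenticating from a workstation to a domain controller).
NEW_LOG = """\
2024-05-03T03:00:01 account=svc-edr-update src=edr-mgmt01 dst=ws-001
2024-05-03T11:42:17 account=svc-edr-update src=ws-017 dst=dc01
"""

if __name__ == "__main__":
    for row in apply_policy(build_baseline(parse_events(LEARNING_LOG)), NEW_LOG):
        print(row)
```

Switching the policy to mode="alert" keeps the same detection but only reports the deviation, which is the monitoring-first rollout the section describes before enabling a full block.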

Conclusion: This is the moment to act. Ensure your service accounts are secured

You had best get a hold of your service accounts before your attackers do. This is the real frontline of today's threat landscape. Do you have a way to see, manage, and protect your service accounts against compromise? If the answer is no, it is only a matter of time until you join the ransomware statistics.

Want to learn more about Silverfort's service account protection? Visit our website or reach out to one of our specialists for a demo.
