Mitigating Credential Theft - Using Hospital Protocols as an Approach Part 1

March 2, 2016 by Allen Broken, Principal Security Architect

Administrative credential theft, whether it is an actual systems administrator’s logon or the logon associated with an application or service with administrative credentials, is the most dangerous vulnerability on my customers' networks. This is for two reasons:

  1. The tools and techniques for stealing administrator credentials are well known, highly automated and generally available to threat actors.

  2. Very few corporate networks were designed to mitigate this threat.

This creates a cybersecurity environment where the attackers can easily compromise an entire corporate network by stealing Active Directory administrative credentials. The worst part about this - it can happen in a matter of hours or days while the attacker can remain undetected for months. My frustration with this situation, from an industry perspective, is how quickly people jump to a solution without really understanding the problem. I’ve seen customers become aware of the issue and then immediately jump to a conclusion like:

  • “I need multi-factor authentication to protect my admin accounts”
  • “I need advanced end point protection to keep the bad guys out”
  • “I need…”

The list goes on. However, solving the problem of administrator credential theft is not about implementing a single new control or practice. Effectively protecting your network from this type of attack requires a different approach to security.

Fundamentally, I believe that in a world of potentially compromised systems we have to think and act more like the medical community. When I go to a hospital, the first thing I notice about the people there is that they assume I’m sick. They have special clothing and equipment to protect themselves from anything I might be bringing with me, and they follow processes to ensure they don’t pass on whatever I have to others. When they come to see me they are wearing protective gear, which they also change between patients. Put in cybersecurity terms - they assume breach and act accordingly.

Beyond that, the hospital is really careful with the handling of powerful remedies. Medications are tightly controlled on the floor, with computerized systems for checking medications in and out for patients, and every transaction is audited to ensure that medication is only dispensed appropriately. Finally, the source of all the medication, the Pharmacy, has even more controls, with highly-trained individuals in charge of when and how the medicine is released to floor-level systems.

As I think about this model, I see its adoption as a potential end state for mitigating the administrative credential theft scenario. In my next blog post I will talk about how this could be implemented in a typical corporate network.