Years ago, the infamous Nigerian prince exemplified the phishing attack – a spray-and-pray approach targeting the masses in the hopes one person would take the bait.
Today’s attackers are much more sophisticated, having essentially adopted the tactics of targeted marketing. Two-thirds of organizations have seen an increase in spearphishing attacks aimed at specific end users, according to Proofpoint data.
Increasingly, the target user works in IT. Three-quarters of IT pros report being the target of a phishing attack, one Ivanti survey found last year. That compares to 35% of sales professionals and 27% of executives.
This comes as little surprise considering the role of today’s IT workers. “They grant access to the data, they configure the software or the device – and they have a lot more access than they should,” said Srinivas Mukkamala, Ivanti’s chief product officer. “If attackers get someone with admin privileges, they get the trophy.”
Admin accounts are valuable because they let attackers move laterally through an organization, behaving like a normal end user accessing servers, applications, or endpoints as part of their day-to-day work. The problem is exacerbated by poor privileged access management policies, Mukkamala said: a combination of more admin accounts than necessary and more access to mission-critical systems than the accounts need.
In some cases, an attacker will extract the data they seek and get out. But if they find additional vulnerabilities, they could stay a while. That’s been the case with attackers exploiting the Log4j vulnerability, who lie in wait, undetected, until an organization has its defenses down.
If attackers have a compromised admin account, then there are plenty of vulnerabilities to tap, Mukkamala said. These include:
- Software code libraries left unprotected on a server.
- Applications running on the public cloud that expose databases or containers due to poor cloud configuration settings.
- Real customer data used in a testing or development environment.
- Data that was collected but never used and sits on the public cloud.
- Applications or devices using API keys to automatically authenticate themselves and grant access to each other.
“It could be a human, a software application, or a device that has the data – but the common denominator, no matter the route you take, is still the human,” Mukkamala said. “The human’s the weakest link. That’s why attackers target the humans.”
The human element reflects another reason that IT professionals are such valuable targets for attackers, said Bob Wilson, a research advisor with Info-Tech Research Group.
“Even if an account doesn’t give you elevated access to systems, you still have an ID that’s going to be trusted by other individuals at the organization,” he said. This access could be a starting point for a social engineering attack against someone who does have access to what an attacker wants.
Remove vulnerabilities and attackers will move on
Since attackers seek access, one of the best first steps for organizations is to limit the access that IT professionals have.
When Wilson was The University of Southern Mississippi’s technology security officer, he and his CIO took a two-pronged approach to this. One was to give those in maintenance and support roles strict permissions for only the systems they needed. Another was to give IT staff a separate account, with extremely limited privileges, for tasks such as accessing email.
Wilson said organizations could go a step further and remove email as a channel for conducting business – using web portals for help desk tickets, financial software for submitting and paying invoices, and so on.
“You’re still going to have email, but if you start to expect to only see email from specific people for specific reasons, phishing becomes easier to spot,” he said. “If the comptroller has another way to ask you for money, then you’re not going to fall for an email attack.”
Thinking like attackers can also help organizations protect themselves, Mukkamala said.
A common example is insecure applications. If software is overdue for a security patch or is otherwise susceptible to code manipulation, whether it’s running a query or executing a file, then the IT accounts responsible for that software are attractive targets.
If these vulnerabilities are no longer there, then attackers will move on to someone else’s IT team.
“Most organizations are testing their applications periodically, but they’re making changes continuously,” Mukkamala said. “If you deploy multiple times a day, you need to test multiple times a day.”