
External Attacks Against Privileged Accounts - How Federal Agencies Can Build a Layered Defense


This presentation examines the types of attacks that try to exploit privileged credentials, particularly in a governmental environment, and explores defensive strategies to bring privileges, and the associated threats, under complete visibility and control.


  1. External Attacks Against Privileged Accounts: How Federal Agencies Can Build a Layered Defense in Preparation for a Layered Attack
  2. What’s Privilege got to do with it? The least-privilege approach has gained a lot of credibility recently thanks to one notorious name: Edward Snowden. In this highly publicized breach, classified information was accessed via privileges. In response, NSA announced it would reduce system administrator privileges by 90%. “Insider and privilege misuse” was identified once again by the 2016 Verizon Data Breach Investigations Report as one of the highest-ranking basic patterns of confirmed breach activity, topped only slightly by miscellaneous errors. (Chart labels: Miscellaneous Errors, Insider & Privilege Misuse, Physical Theft.)
  3. Understanding the Threat to Privileged Accounts. Not all insiders are created equal. What happens when an external threat starts to look like an insider? Internal threats may be malicious (designed to cause harm) or unintentional (the result of human error), exposing weaknesses in the agency’s defenses and policies. Regardless of intent, insiders can do significant damage quickly, as they are already inside perimeter-layer security. External threats are designed to exploit vulnerabilities in networks and endpoints; they often seek to gain a foothold where they can act as an insider. Once an attacker gains administrative access, it is easy to make configuration changes that enable the installation of malicious software, and to alter security controls for unfettered access to sensitive information.
  4. Malicious Threats are Surprisingly Predictable. We know what you are saying: how can that possibly be? But external attacks tend to follow the same general pattern. Attackers want to gain control over as many privileged accounts as they possibly can to work laterally across your agency network until they find what they are looking for. The pattern: (1) attack privileged accounts to gain entry into the information system; (2) access another endpoint, and repeat until reaching the desired system or data; (3) take action: steal data, attack the system.
  5. Exploiting Privileged Accounts. To the attacker, getting into your system is just problem solving: if one tactic doesn’t work, just try another, and another, and another. Try to log on with elevated privileges; trying a simple Run should do the trick. Survey local user privileges: which groups do they belong to? Bait and wait: place an infected file and wait for another user to open it, infecting a second endpoint. Crawl through the endpoint’s memory: are there any plaintext passwords, domain credentials and Kerberos tickets?
  6. A Layered Defense for a Layered Attack. Your response to the potential threat of an external attack should address all three attack layers. Be proactive today so you are ready to stop malicious actions tomorrow. The three layers: Gain Entry, Access Endpoints, Take Action.
  7. Defend Against Gained Entry. User Education: It’s tough to counteract a person’s natural curiosity. We just want to click that link! Keep phishing top of mind for users: what to look for and what to do if they receive something suspicious. Endpoint Protection: Ensure users are running only approved applications with the proper privileges to stop malware before it is installed. Vulnerability Management: 99% of exploited vulnerabilities occurred more than a year after the vulnerability was identified and published! Deploy a solution that automatically identifies and rectifies vulnerabilities across the network. Native tools are rarely sufficient.
  8. Defend Against Access. Least Privilege: Called out in nearly every Federal Cyber Strategy and Mandate, this is a real game changer in protecting your agency’s information systems. Don’t grant privileges to users. Grant privileges to applications and tasks without providing administrator credentials. This helps IT achieve control and close potential security gaps. Privileged Password Management: Ensure all passwords are randomized and rotated automatically on a scheduled basis, or upon check-in. This reduces the threat surface by reducing the window of time in which an exploited password can be used.
  9. Defend Against Malicious Action. Behavior Analytics: Implement automated solutions that set baselines for normal behavior, observe changes and identify anomalies that signal critical threats. This can isolate questionable behavior to detect a threat early. This capability is specifically addressed in NIST SP 800-53 guidance on control IR (Incident Response). Session Recording: The worst-case scenario becomes reality: an attacker gains entry. Now what? To be FISMA compliant, you must be able to remediate and report on the incident. Beyond compliance, you need to keep moving ahead to achieve your mission. Session recording allows you to track how those exploited credentials were used through replay of the session. Now you can form a complete remediation plan based on fact and report as required.
  10. Next Steps: (1) Prepare today so you are ready to stop breaches tomorrow. (2) Assess your systems: can you prevent entry, access and action? (3) Talk to a solutions provider about how to address gaps.
  11. Trust the solution relied upon by more than 200 federal departments, agencies and all five branches of the US Military. Learn more about BeyondTrust solutions for Privilege Access Management and Vulnerability Management in government. www.beyondtrust.com/government federalsales@beyondtrust.com 800-234-9072
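
The behavior-analytics idea from slide 9, applied to the "access another endpoint, repeat" pattern from slide 4, as an added example that is not part of the original presentation or any BeyondTrust product. The account names, host names, event format, 30-minute window and three-host threshold are all assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (ISO timestamp, privileged account, host).
BASELINE_EVENTS = [
    ("2024-03-01T09:00:00", "adm-jlee", "dc01"),
    ("2024-03-01T09:20:00", "adm-jlee", "files01"),
    ("2024-03-02T11:00:00", "svc-backup", "files01"),
    ("2024-03-03T11:00:00", "svc-backup", "db01"),
]
NEW_EVENTS = [
    ("2024-03-04T02:10:00", "svc-backup", "hr-ws07"),
    ("2024-03-04T02:18:00", "svc-backup", "fin-ws02"),
    ("2024-03-04T02:31:00", "svc-backup", "dc01"),
    ("2024-03-04T09:05:00", "adm-jlee", "dc01"),
    ("2024-03-04T11:00:00", "svc-backup", "db01"),
]

def build_baseline(events):
    """Map each privileged account to the hosts it normally logs on to."""
    baseline = defaultdict(set)
    for _, account, host in events:
        baseline[account].add(host)
    return baseline

def find_anomalies(baseline, events, window=timedelta(minutes=30), fanout=3):
    """Flag first-time hosts per account, and bursts of them inside `window`."""
    alerts = []
    first_seen = defaultdict(dict)  # account -> {new host: time first seen}
    for ts, account, host in sorted(events):
        if host in baseline.get(account, ()):
            continue  # consistent with this account's normal behavior
        seen = first_seen[account]
        if host in seen:
            continue  # already reported for this account
        when = datetime.fromisoformat(ts)
        seen[host] = when
        alerts.append(("new_host", account, host))
        # Several new hosts in a short window matches the
        # "access another endpoint, repeat" pattern.
        burst = sorted(h for h, t in seen.items() if when - t <= window)
        if len(burst) >= fanout:
            alerts.append(("lateral_spread", account, tuple(burst)))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```

A host that is normal for one privileged account (`dc01` for `adm-jlee`) still counts as new for another (`svc-backup`), which is why the baseline is kept per account rather than per network.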
