CSO Perspectives (Pro) 8.15.22
Ep 84 | 8.15.22

Privilege escalation.


Rick Howard: Hey, everybody. Rick here. During our break between season nine and season 10, the leaders of the International Spy Museum down in Washington, D.C., just south of the sanctum sanctorum, asked me to come over to give their staff a primer on cybersecurity. Dr. Andrew Hammond is the museum's historian and curator and host of his own podcast called "SpyCast" that's also part of the CyberWire's network of shows. His people are amazing. They know a little bit about everything regarding the history of the spy world and especially about cyber-espionage and cyber conflict. Dr. Hammond asked me to provide a deep dive into all things cyber to his staff, and I was only too happy to oblige. And by the way, if you haven't visited the Spy Museum, I highly recommend that you put it on your list of things to do the next time you visit the capital. The building is gorgeous. And I could literally spend a week in there and still not have seen everything. Their bookstore is to die for. And you all know that I'm all about the books.


Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: As usual with these kinds of discussions, though, you know, conversations with people who aren't day-to-day InfoSec professionals, the questions at the end tended to be about their own personal ComSec, or communication security. How should they secure their own personal computing environments at home and for their family members? I have a standard set of two recommendations that I give to crowds of this type that are easy to do and don't take much time. The first is to not store any files locally on your laptop. If you regularly spend any time in your personal life creating Office documents or videos or audio, make it your practice to always store them in the cloud somewhere. If your document of record is stored locally and your machine crashes or, God forbid, it gets stolen or lost, all of those files are gone permanently. So don't do that. Cloud storage is cheap. Your internet connection these days is relatively stable. Take advantage. 

Rick Howard: The second recommendation is a bit more technical but not much. Make sure that your normal day-to-day user account doesn't have administrator privileges. Many people forget about this little configuration, but the fact is that if your account gets hacked in the future and you have administrator privileges, the hacker now has administrator privileges on your local machine, too, and can change anything he or she wants. To fix this, just create another account, make sure it doesn't have administrator privileges, give it a different password than the admin account and use that for everyday activity. 

Rick Howard: Now, these two recommendations won't prevent potential compromise or catastrophic failure in the future, but what they will do is reduce the potential damage. And that's what I want most of all. And that second recommendation is what we're going to talk about today - privilege escalation and how to reduce the chances that some adversary will be able to do it. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good ol' US of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: So I tell all my family members about my two recommendations for personal ComSec to-do's. Do you know how many follow my advice? Let me see. Let me count it up. That would be none. That shows you how much power and influence I have in my family. Be that as it may, in the corporate world, protecting administrator privilege is an essential component to preventing material cyber impact to any commercial, academic or government organization. As adversaries move laterally within their victim's networks, they seek to elevate their privilege wherever possible. A case in point is the NSO Group's Pegasus software. It allows an operator to gain complete control over a targeted phone via a zero-click exploit, an exploit that requires no user interaction in order to trigger the malicious code. This is achieved by hackers sending unsolicited messages to the targeted device using only the phone number. They format the messages in such a way as to leverage software vulnerabilities within the messaging system on the phone. 

Rick Howard: According to the MITRE ATT&CK wiki, Pegasus uses mobile phone technique T1404, exploitation for privilege escalation. Another example is the Cozy Bear supply chain attacks that targeted the SolarWinds' Orion product line late in 2020. Cozy Bear hackers compromised the SolarWinds network first and then inserted a backdoor Trojan into the Orion software update package. Once Orion customers installed the package, the Cozy Bear team could then log in remotely. From this initial beachhead, they moved laterally within the victim's networks seeking administrator accounts. According to the Microsoft Security Response Center, the Cozy Bear hackers went after the SAML system, the Security Assertion Markup Language, the heavyweight XML variant that facilitates one computer to perform both authentication and authorization on behalf of other computers. Quote, "Once in the network, the intruder then uses the administrator permissions acquired through the on-premise compromise to gain access to the organization's global administrator account and/or trusted SAML token signing certificate. This enables the hacker to forge SAML tokens that impersonate any of the organization's existing users and accounts, including highly privileged accounts," end quote. Yikes. 


Tim Allen: Oh, no. 

Rick Howard: Thinking in terms of first principles in general and zero trust specifically as a strategy, there are several tactics to consider. We need an identity and access management program, or IAM, that consists of three parts - identity governance and administration, or IGA, privileged identity management, or PIM, and privileged access management, or PAM. And when I think about these competing acronyms, I'm reminded of one of my family's favorite movies, "The Wizard of Oz." 


Rick Howard: Even though my three children are all over 25 years old, it's still a regular in the rotation for our summer backyard neighborhood movie theater schedule. The scene that reminds me of IAM, though, is the one when Dorothy, The Tin Man and The Scarecrow are about to meet The Lion for the first time. They're in a dark part of the woods, and they are worried about wild animals that might eat them. They hold hands with each other and begin slowly walking the yellow brick road, chanting - lions and tigers and bears, oh, my; lions and tigers and bears, oh, my. And then The Lion jumps out and roars at them. 


Bert Lahr: (As The Cowardly Lion, imitating lion roaring) 

Rick Howard: When I read research and essays on IAM, I can't help myself from chanting - IGA and PIM and PAM, oh, my; IGA and PIM and PAM, oh, my. But then again, I'm a movie nerd. 


Rick Howard: According to Gartner, quote, "IAM is the discipline that enables the right individuals to access the right resources at the right times for the right reasons," end quote. The U.S. National Institute of Standards and Technology, NIST, has a similar definition, quote, "the processing technology required to ensure the right people and things have the right access and the right resources at the right time," end quote. It appears that nobody at Gartner and NIST had access to a thesaurus so they could use a different word other than right to define IAM. But, you know, who am I to judge? The bottom line is that you can't do zero trust without IAM. You can't limit access by a need-to-know parameter unless you have a system of systems that can describe all the legitimate people and devices and code, what those things are authorized to connect to and even modify, and then a way to enforce the policy. Identity governance and administration, IGA, is the internal group of IT security and business leaders who define the policy. Privileged identity management, or PIM, is the system that dynamically manages all the identities. Privileged access management, or PAM, is the system that enforces the rules created by the IGA against the identities in the PIM. 

Rick Howard: The Cozy Bear attacks on the SolarWinds Orion platform highlight a key point. Especially in the Infrastructure as Code era that we're all in now, there are certain legitimate DevOps mechanisms within the code that should require elevated permissions to run, like the creation of SAML tokens. In other words, you don't want Kevin, who updates the menu of the company cafeteria website every day, to have permission to create SAML tokens. That would go against the very nature of our zero-trust strategy. You don't want some random software module either that nobody is watching to have permission to elevate privilege and make changes to the system. Now, I'm not picking on SAML. There are probably hundreds of infrastructure transactions within your environment that should require some sort of elevated permission to execute. The point I'm making here is that as security practitioners, we should know what each of them are, assess whether or not the compromises of each would be material if it happened and, for those breaches that would be material, devise one or more zero trust controls that would limit access to the bare minimum of employees, contractors and software components to get the job done. I would also watch the process like a hawk for abnormal behavior because if I was an adversary, that's what I would go for. And lastly, for the more critical systems, you might even insert a human in the loop to slow things down and to make sure that nothing untoward is happening with the proposed change. 

Rick Howard: It's like that opening scene to my favorite hacker movie, "WarGames." Two Air Force officers played by long-time that-guy character actors John Spencer - probably most famous for the TV show "West Wing" - and Michael Madsen - remember, for "Kill Bill" and "Reservoir Dogs," among many others - just arrive at their underground nuclear missile station somewhere in the Midwest. As soon as they sit down, they get the order to launch their missiles. But the system is under two-person control, meaning that one person can't launch a nuclear strike on their own. Both officers have to turn their launch key at the same time. Now, that's a nice safety feature. We don't want some Air Force person who just got dumped by his significant other the night before to decide to take out the world and kill 20 million people, I'm just saying. One warning here, there is some strong language in this next clip. If you got little ones in the area, you might pause for a second. 


Unidentified Actor: (As character) Skybird, this is Dropkick with a red dash alpha message in two parts. Break. Break. Red dash alpha. 

John Spencer: (As Jerry) Stand by to copy message. 

Unidentified Actor: (As character) Red dash alpha. 

Michael Madsen: (As Steve) Standing by. 

Unidentified Actor: (As character) Romeo. Oscar. November. Charlie. Tango. Tango. Lima. 

John Spencer: (As Jerry) I have a valid message. Enter launch code. 

Michael Madsen: (As Steve) Entering launch code. 

John Spencer: (As Jerry) Launch order confirmed. 

Michael Madsen: (As Steve) Holy shit. All missiles enabled. 

Unidentified Actor: (As character) -30. 

John Spencer: (As Jerry) Get me wing command post on your direct line. 

Michael Madsen: (As Steve) That's not the correct procedure, Captain. 

John Spencer: (As Jerry) SAC - try SAC headquarters on the HF. 

Michael Madsen: (As Steve) That's not the correct procedure. 

John Spencer: (As Jerry) Screw the procedure. I want somebody on the goddamn phone before I kill 20 million people. 

Unidentified Actor: (As character) -20. 

Michael Madsen: (As Steve) I got nothing here. It might've been knocked out already. Sir, we have a launch order. 

Unidentified Actor: (As character) Three... 

Michael Madsen: (As Steve) Put your hand on the key, sir. 

Unidentified Actor: (As character) ...Two, one. Launch. 

Michael Madsen: (As Steve) Sir, we are at launch. Turn your key. 

John Spencer: (As Jerry) I'm sorry. I'm so sorry. 

Rick Howard: Two-person control is probably not something that all of your privileged actions require, but maybe a handful do. It's something to consider. According to BeyondTrust, an identity management vendor, here are some examples of typical action items that require elevated privilege - and this is not an exhaustive list by any means - things like local host administrative changes, like the example at the top of the show - you don't want Kevin making admin changes to the corporate laptop. Domain administrative changes, application service accounts, cloud and virtualization administrator consoles, DevOps environments and IoT device changes. In your own environment, you can probably think of many, many more. 

Rick Howard: One last thing to consider. The systems and data inside the IAM program are the keys to the city. In other words, the IAM system I have designed to reduce the probability of material impact by implementing a set of zero-trust rules has itself become a material system on its own and has to be protected in the same manner I protect all the other material systems in the business. How's that for some recursive security logic? The thing that I have built to protect my material assets has itself become material. 


Unidentified Person #1: Well, I'm up to the challenge, Jim. 

Rick Howard: I'm reminded of the BBC's version of the Sherlock Holmes TV show that ran from 2010 to 2017. During the "Reichenbach Fall" episode in season two, Sherlock's nemesis, Moriarty, claims to have a piece of electronic code that can unlock any protected system. He demonstrates the veracity of the claim by simultaneously opening the vault to the Bank of England, unlocking the cells at Pentonville Prison and securing the throne room where the crown jewels are kept with him inside, all via his mobile phone. If hackers take control of my IAM system, they essentially have the same power as Moriarty. They can bypass all the security controls and become my own nemesis. Here's a clip from the episode that demonstrates the impact with Benedict Cumberbatch playing Sherlock and the absolutely fantastic Andrew Scott playing Moriarty. He talks first. 


Andrew Scott: (As Jim Moriarty) Every fairy tale needs a good old fashioned villain. What's the final problem? I did tell you. But did you listen? How hard do you find it, having to say, I don't know? 

Benedict Cumberbatch: (As Sherlock Holmes) I don't know. 

Andrew Scott: (As Jim Moriarty) Oh, that's clever. That's very clever, awfully clever. Speaking of clever, have you told your little friends yet? 

Benedict Cumberbatch: (As Sherlock Holmes) Told them what? 

Andrew Scott: (As Jim Moriarty) Why I broke into all those places and never took anything? 

Benedict Cumberbatch: (As Sherlock Holmes) No. 

Andrew Scott: (As Jim Moriarty) But you understand. 

Benedict Cumberbatch: (As Sherlock Holmes) Obviously. 

Andrew Scott: (As Jim Moriarty) Off you go then. 

Benedict Cumberbatch: (As Sherlock Holmes) You want me to tell you what you already know? 

Andrew Scott: (As Jim Moriarty) No. I want you to prove that you know it. 

Benedict Cumberbatch: (As Sherlock Holmes) You didn't take anything because you don't need to. 

Andrew Scott: (As Jim Moriarty) Good. 

Benedict Cumberbatch: (As Sherlock Holmes) You'll never need to take anything ever again. 

Andrew Scott: (As Jim Moriarty) Very good. Because? 

Benedict Cumberbatch: (As Sherlock Holmes) Because nothing. Nothing in the Bank of England, the Tower of London or Pentonville Prison could possibly match the value of the key that could get you into all three. 

Andrew Scott: (As Jim Moriarty) I can open any door anywhere with a few tiny lines of computer code. No such thing as a private bank account now. They're all mine. No such thing as secrecy. I own secrecy. Nuclear codes - I could blow up NATO in alphabetical order. In a world of locked rooms, the man with the key is king. And, honey, you should see me in a crown. 

Rick Howard: That is chilling. And Andrew Scott is fabulous in that role. And what he's talking about is directly apropos for the IAM situation we're discussing here. We have to protect the IAM system with systems with the same strategies that we use to protect the entire organization, zero-trust, intrusion kill chain prevention and resilience because they are material to the business. If a hacker compromises your IAM system, he is the ruler in the kingdom of locked rooms. 

Rick Howard: And that's a wrap. As always, if you agree or disagree with anything I have said or you just want to talk about Sherlock Holmes, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's csop@thecyberwire - all one word - .com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. Next week, we're going to be talking about crisis planning. So you don't want to miss that. 


Unidentified Person #2: Same bat time, same bat channel. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.