During our break between season nine and season ten, the leaders of the International Spy Museum here in Washington D.C. asked me to come over and give their staff a primer on cybersecurity. Dr. Andrew Hammond is the museum’s historian and curator and he hosts his own podcast, called SpyCast, that’s also part of the CyberWire’s network of shows. His people are amazing. They know a little bit about everything regarding the history of the spy world, and especially about cyber espionage and cyber conflict. Dr. Hammond asked me to provide a deeper dive into all things cyber to his staff and I was only too happy to oblige.
And by the way, if you haven’t visited the Spy Museum, I highly recommend that you put it on your list of things to do the next time you visit the capital. The building is gorgeous and I could literally spend a week in there and still not have seen everything. Their bookstore is to die for.
As usual with these kinds of discussions though, you know, conversations with people who aren’t day-to-day InfoSec professionals, the questions at the end tended to be about their own personal COMSEC (Communications Security). How should they secure their own personal computing environments at home and for their family members? I have a standard set of two recommendations that I give to crowds of this type that are easy to do and don’t take much time.
The first is to not store any files locally on your laptop. If you regularly spend any time in your personal life creating office documents or videos or audio, make it your practice to always store them in the cloud somewhere. If your document-of-record is stored locally and your machine crashes or, god forbid, it gets stolen or lost, all of those files are gone permanently. So, don’t do that. Cloud storage is cheap. Your internet connection these days is relatively stable. Take advantage.
The second recommendation is a bit more technical, but not much. Make sure that your normal day-to-day user account doesn’t have administrator privileges. Many people forget about this little configuration, but the fact is that if your account gets hacked in the future and you have administrator privileges, the hacker now has administrator privileges on your local machine too and can change anything he or she wants. To fix this, just create another account, make sure it doesn’t have administrator privileges, give it a different password than the admin account, and use it for everyday activity. Switch to the admin account only when an install or a system change actually needs it; that way a compromise of your daily account doesn’t hand the attacker the keys to the machine.
These two recommendations won’t prevent potential compromise or catastrophic failure in the future, but what they will do is reduce the potential damage. And that’s what I want most of all.
Privilege escalation: A key intrusion kill chain step.
Aside from personal COMSEC, protecting administrator privilege is an essential component of preventing material cyber impact in any commercial, academic, or government organization too. As adversaries move laterally within their victims’ networks, they seek to elevate their privilege wherever possible. A case in point is the NSO Group’s Pegasus software. It allows an operator to gain complete control over a targeted phone via a zero-click exploit, an exploit that requires no user interaction in order to trigger the malicious code. The operators send unsolicited messages to the targeted device, needing only its phone number, and craft those messages to trigger software vulnerabilities in the phone’s messaging system. According to the MITRE ATT&CK for Mobile knowledge base, Pegasus uses technique T1404: Exploitation for Privilege Escalation.
Another example is the Cozy Bear supply chain attack that targeted the SolarWinds Orion product late in 2020. Cozy Bear hackers compromised the SolarWinds network first and inserted a backdoor trojan into an Orion software update package. Once Orion customers installed the package, the backdoor gave the Cozy Bear team remote access into those customers’ networks. From this initial beachhead, they moved laterally seeking administrator accounts. According to the Microsoft Security Response Center, the Cozy Bear hackers went after the SAML system (Security Assertion Markup Language), the XML-based standard that lets one system, the identity provider, vouch for a user’s authentication and authorization to other systems: “Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.”
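Microsoft’s description above is the forgery itself; what a defender wants is a way to notice it. Here is an added example, my own code rather than anything from the article or from Microsoft’s guidance. The key point it shows is that signature validation at the cloud side cannot catch a forged token, because the attacker signs with the organization’s genuine certificate. What the attacker cannot do is make the on-premises identity provider write an issuance record for a token it never issued, so the detection is a join between what the cloud accepted and what the IdP says it issued, plus a few sanity checks on certificate and lifetime. The record layouts, field names, and sample events are constructed simplifications, not real AD FS or cloud sign-in log formats.

```python
"""Correlate cloud-side federated sign-ins with IdP issuance records to spot
forged (Golden SAML) tokens. Added illustration; log layouts are constructed
simplifications and every field name is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IssuanceEvent:
    """One 'token issued' record from the on-premises IdP (constructed layout)."""
    assertion_id: str
    subject: str
    issued_at: datetime
    cert_thumbprint: str


@dataclass(frozen=True)
class CloudSignIn:
    """One federated sign-in the cloud tenant accepted (constructed layout)."""
    assertion_id: str
    subject: str
    seen_at: datetime
    cert_thumbprint: str
    lifetime: timedelta


def find_forged(issued, signins, expected_thumbprint,
                max_lifetime=timedelta(hours=1), max_skew=timedelta(minutes=10)):
    """Return [(assertion_id, subject, [reasons])] for every suspicious sign-in.

    A forged token passes signature checks, so none of these tests look at the
    signature. They look for the things a forger cannot easily fake: a matching
    issuance event at the IdP, the current signing certificate, and a normal
    token lifetime (forgers tend to mint long-lived tokens)."""
    by_id = {e.assertion_id: e for e in issued}
    findings = []
    for s in signins:
        reasons = []
        e = by_id.get(s.assertion_id)
        if e is None:
            reasons.append("no matching IdP issuance event")
        else:
            if e.subject != s.subject:
                reasons.append("subject differs from what the IdP issued")
            if s.seen_at < e.issued_at - max_skew:
                reasons.append("token used before the IdP issued it")
        if s.cert_thumbprint != expected_thumbprint:
            reasons.append("signed by an unexpected certificate")
        if s.lifetime > max_lifetime:
            reasons.append(f"lifetime {s.lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append((s.assertion_id, s.subject, reasons))
    return findings


# Constructed sample data: one legitimate sign-in and two forged ones.
T0 = datetime(2020, 12, 14, 9, 0, 0)
GOOD_CERT = "aa11"  # made-up thumbprint of the IdP's current signing certificate

ISSUED = [
    IssuanceEvent("_a1", "kevin@example.com", T0, GOOD_CERT),
]
SIGNINS = [
    # legitimate: the IdP issued it, expected cert, one-hour lifetime
    CloudSignIn("_a1", "kevin@example.com", T0 + timedelta(seconds=2),
                GOOD_CERT, timedelta(hours=1)),
    # forged with the stolen key: cloud accepts it, IdP never saw it, 24h lifetime
    CloudSignIn("_zz9", "globaladmin@example.com", T0 + timedelta(minutes=3),
                GOOD_CERT, timedelta(hours=24)),
    # forged with an attacker-added certificate the IdP does not use
    CloudSignIn("_zz10", "svc-backup@example.com", T0 + timedelta(minutes=4),
                "ff00", timedelta(hours=1)),
]


def demo():
    """Run the detector over the constructed sample and return its findings."""
    return find_forged(ISSUED, SIGNINS, GOOD_CERT)


if __name__ == "__main__":
    for assertion_id, subject, reasons in demo():
        print(f"{assertion_id} {subject}: {'; '.join(reasons)}")
```

The join only works if the IdP’s issuance logs are shipped somewhere the attacker cannot edit; an adversary who owns the AD FS server can also tamper with its local event log, so forward those events off-box before you need them.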
IAM: IGA and PIM and PAM, Oh my!
Thinking in terms of first principles in general and zero trust specifically as a strategy, there are several tactics to consider. We need an Identity and Access Management (IAM) program that consists of three parts:
- Identity Governance and Administration (IGA)
- Privileged Identity Management (PIM)
- Privileged Access Management (PAM)
When I think about these competing acronyms, I'm reminded of one of my family’s favorite movies: “The Wizard of Oz.” Even though my children are over 25 years old, it’s still a regular in the rotation for our summer, backyard neighborhood movie theater schedule. The scene that reminds me of IAM, though, is the one when Dorothy, the Tin Man, and the Scarecrow are about to meet the Lion for the first time. They are in a dark part of the woods and they are worried about wild animals that might eat them. They hold hands with each other and begin slowly walking the yellow brick road chanting, “Lions and tigers and bears, oh my! Lions and tigers and bears, oh my!” And then the Lion jumps out and roars at them.
When I read research and essays on IAM, I can’t help myself from chanting “IGA and PIM and PAM, Oh My! IGA and PIM and PAM, Oh My!” But then again, I'm a movie nerd.
According to Gartner, “IAM is the discipline that enables the right individuals to access the right resources at the right times for the right reasons.” The U.S. National Institute of Standards and Technology (NIST) has a similar definition: “[The process, and technology required] to ensure the right people and things have the right access to the right resources at the right time.”
It appears that nobody at Gartner or NIST had access to a thesaurus so that they could use a different word other than “right” to define IAM, but who am I to judge?
The bottom line is that you can’t do zero trust without IAM. You can’t limit access on a need-to-know basis unless you have a system of systems that can describe all the legitimate people, devices, and code, what those things are authorized to connect to and even modify, and then a way to enforce the policy. Identity Governance and Administration (IGA) is the internal group of IT, security, and business leaders who define the policy. Privileged Identity Management (PIM) is the system that dynamically manages all the identities. Privileged Access Management (PAM) is the system that enforces the rules created by the IGA against the identities in the PIM.
Privileged Access Management (PAM).
The Cozy Bear attacks on the SolarWinds Orion platform highlight a key point. Especially in the infrastructure-as-code era that we’re all in now, there are certain legitimate operations, in code and in the DevOps pipelines that run it, that should require elevated permissions to execute; signing SAML tokens is one. In other words, you don’t want Kevin, who updates the menu for the company cafeteria website every day, to have permission to create SAML tokens. That would go against the very nature of our zero trust strategy. You don’t want some random software module, that nobody is watching, to have permission to elevate privilege and make changes to the system either.
Now, I'm not picking on SAML. There are probably hundreds of infrastructure transactions within your environment that should require some sort of elevated permission to execute. The point I'm making here is that, as security practitioners, we should know what each of them is, assess whether or not the compromise of each would be material, and, for those whose compromise would be material, devise one or more zero-trust controls that limit access to the bare minimum of employees, contractors, and software components needed to get the job done. Beyond this, I would watch the process like a hawk for abnormal behavior. Lastly, for the most critical systems, you might even insert a human in the loop to slow things down and make sure that nothing untoward is happening with the proposed change.
It’s like the opening scene of my favorite hacker movie, War Games. Two Air Force officers, played by long-time “that guy” character actors John Spencer (probably most famous for the TV show The West Wing) and Michael Madsen (loved for Kill Bill and Reservoir Dogs, among many others), have just arrived at their underground nuclear missile station somewhere in the Midwest. They get the order to launch their missiles, but the system is under two-person control, meaning that one person can’t launch a nuclear strike on their own. Both officers have to turn their launch keys at the same time.
That’s a nice safety feature. We don’t want some Air Force person, who just got dumped by his significant other the night before, to decide to take it out on the world and kill 20 million people. I'm just saying. In terms of cybersecurity and first principles, this is not something that all of your privileged actions require, but maybe a handful do. It’s something to consider.
According to BeyondTrust, an identity management vendor, here are some examples of typical action items that require elevated privilege (not an exhaustive list):
- Local host administrative changes
- Domain administrative changes
- Application service accounts
- Cloud and virtualization administrator consoles
- DevOps environments
- IoT device changes.
You can probably discover many more.
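As an added example that covers both the two-person control idea above and the list of privileged actions from BeyondTrust, here is a small approval gate in front of privileged operations. It is my code, not the article’s and not any PAM product’s; the actions, roles, people, and request identifiers are all constructed. A policy table says which roles may run each action and how many independent approvals it needs (zero for Kevin’s cafeteria menu, two for anything that touches the SAML signing certificate). The gate refuses self-approval, the same person approving twice, approvers outside the permitted roles, stale approvals, and approvals that were given for a different request, and it writes every decision to an audit trail so that the “watch it like a hawk” part has something to watch.

```python
"""Two-person control for privileged actions. Added illustration; policy,
roles, people and scenarios are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# action -> (roles permitted to run or approve it, distinct approvals required)
POLICY = {
    "update-cafeteria-menu":    ({"web-editor"},     0),
    "rotate-saml-signing-cert": ({"identity-admin"}, 2),   # two-person control
    "grant-global-admin":       ({"identity-admin"}, 2),
    "change-domain-admin":      ({"domain-admin"},   1),
}

ROLES = {  # constructed role memberships
    "kevin": {"web-editor"},
    "alice": {"identity-admin"},
    "bob":   {"identity-admin"},
    "carol": {"identity-admin"},
    "dave":  {"domain-admin"},
}


@dataclass(frozen=True)
class Approval:
    approver: str
    request_id: str
    action: str
    given_at: datetime


class PrivilegeGate:
    def __init__(self, policy=POLICY, roles=ROLES, approval_ttl=timedelta(minutes=15)):
        self.policy, self.roles, self.approval_ttl = policy, roles, approval_ttl
        self.audit = []  # (time, requester, action, request_id, allowed, reason)

    def _decide(self, requester, action, request_id, approvals, now):
        if action not in self.policy:
            return False, "unknown action"
        permitted, needed = self.policy[action]
        if not (self.roles.get(requester, set()) & permitted):
            return False, f"{requester} is not in a role permitted to run {action}"
        valid = set()  # a set, so the same approver cannot count twice
        for a in approvals:
            if a.request_id != request_id or a.action != action:
                continue                                   # approval for something else
            if a.approver == requester:
                continue                                   # no self-approval
            if not (self.roles.get(a.approver, set()) & permitted):
                continue                                   # approver lacks the role
            if not (a.given_at <= now <= a.given_at + self.approval_ttl):
                continue                                   # stale or future-dated
            valid.add(a.approver)
        if len(valid) < needed:
            return False, f"{len(valid)} of {needed} required approvals"
        return True, "authorized"

    def authorize(self, requester, action, request_id, approvals=(), now=None):
        now = now or datetime.now()
        ok, reason = self._decide(requester, action, request_id, approvals, now)
        self.audit.append((now, requester, action, request_id, ok, reason))
        return ok, reason


T0 = datetime(2024, 1, 1, 12, 0)
ROTATE = "rotate-saml-signing-cert"


def demo():
    """Run constructed scenarios; return ({scenario: allowed}, audit trail)."""
    g = PrivilegeGate()
    later = T0 + timedelta(minutes=1)
    ap = lambda who, req, at=T0: Approval(who, req, ROTATE, at)
    cases = {
        "kevin edits menu":      g.authorize("kevin", "update-cafeteria-menu", "r1", now=T0),
        "kevin rotates cert":    g.authorize("kevin", ROTATE, "r2", now=T0),
        "alice with bob+carol":  g.authorize("alice", ROTATE, "r3", [ap("bob", "r3"), ap("carol", "r3")], now=later),
        "alice self-approves":   g.authorize("alice", ROTATE, "r4", [ap("alice", "r4"), ap("bob", "r4")], now=later),
        "bob approves twice":    g.authorize("alice", ROTATE, "r5", [ap("bob", "r5"), ap("bob", "r5")], now=later),
        "one approval stale":    g.authorize("alice", ROTATE, "r6", [ap("bob", "r6"), ap("carol", "r6", T0 - timedelta(hours=1))], now=later),
        "approval for other req": g.authorize("alice", ROTATE, "r7", [ap("bob", "r7"), ap("carol", "OTHER")], now=later),
    }
    return {k: ok for k, (ok, _) in cases.items()}, g.audit


if __name__ == "__main__":
    results, audit = demo()
    for name, allowed in results.items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

In a real deployment the approvals would come from an out-of-band channel (a ticket, a chat approval, a hardware token press) rather than the same session that made the request, and the audit list would go to a log store the requester cannot write to; the logic, though, is the same.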
IAM is a material system of systems.
Another thing to consider, the systems and data inside the IAM program are the keys to the city. In other words, the IAM system I have designed to reduce the probability of material impact by implementing a set of zero trust rules, has itself become a material system on its own, because of the information contained within, and has to be protected in the same manner I protect all the other material systems to the business. How’s that for some recursive security logic?
I'm reminded of the BBC’s version of the Sherlock Holmes TV show. During The Reichenbach Fall episode in season 2, Sherlock’s nemesis, Moriarty, claims to have a piece of computer code that can unlock any protected system. He demonstrates the veracity of the claim by simultaneously opening the vault at the Bank of England, unlocking all the cells at Pentonville Prison, and sealing himself inside the Tower of London room where the Crown Jewels are kept, all via his mobile phone.
If hackers take control of my IAM system, they’ve essentially become my nemesis, my Moriarty. They can bypass all the security controls. We have to protect the IAM system-of-systems with the same strategies that we use to protect the entire organization: zero trust, intrusion kill chain prevention, and resilience.
“Customer Guidance on Recent Nation-State Cyber Attacks,” Microsoft Security Response Center, Microsoft.com, 13 December 2020.
“Definition of Identity and Access Management (IAM),” Information Technology Glossary, Gartner, 2019.
“Identity & Access Management,” NIST, 30 June 2016.
“Lions and Tigers and Bears, Oh My! - ‘The Wizard of Oz’ (1939),” by Best Movies by Farr, YouTube, 27 October 2016.
“Moriarty Steals the Crown Jewels - The Reichenbach Fall,” Sherlock, YouTube, 3 June 2016.
“One Identity Named a Leader in 2022 Gartner Magic Quadrant for Privileged Access Management (PAM),” by Tori Banser, One Identity, 22 July 2022.
“PAM vs PIM,” by Madhuri Yerukala, Mindmajix, 22 April 2021.
“Pegasus for iOS,” MITRE ATT&CK, 2017.
“Pegasus (Noun),” by Rick Howard, The CyberWire, 12 April 2022.
“Turning the Titan Missile Key,” by Sara Mowery, YouTube, 23 May 2014.
“War Games - Opening Scene - ‘Turn Your KEY, SIR!’,” by Potentium, YouTube, 31 January 2017.
“What Is IAM? Identity and Access Management Explained,” by David Strom, CSO Online, 8 April 2021.
“What Is Privileged Access Management (PAM)?,” BeyondTrust, 2015.