The privileged user on a network is so-called because they can access sensitive and often highly confidential resources. If a cybercriminal can compromise the account of a privileged user, they have the keys to the corporate castle.
Research by FINN Partners and Centrify found that in 74% of data breaches, the attack began at the door of a privileged user. Analyst firm Forrester puts the rate even higher, at 80% of data breaches being associated with privileged credentials.
Whichever statistic is the more precise, the point stands: privileged access leads to data breaches. Security Awareness Training for privileged users is therefore vital.
Here are the best practices to ensure that this training is successful.
Privileged users bring a unique level of risk to an organisation. This risk level justifies focusing on this group and building a security awareness campaign that considers the role of the privileged user in a cyber attack.
Cybercriminals target privileged users because of their access rights. But privileged users need these access rights to carry out their work: this conundrum is a perfect scenario that enables spear-phishing and other social engineering scams.
A single mishap by a privileged user, and bang! The hacker is in the system. Once inside the corporate network, attackers can use various techniques and technologies to move across it (lateral movement), escalating their access rights along the way, to locate data and/or install malware such as ransomware.
Attacks against privileged user accounts often involve a large amount of surveillance. The gathered intelligence is used to create tailored, highly believable spear-phishing emails. Hybrid work has exacerbated the issue, according to a recent FBI notice. The notice details scams that involve multi-part cyber attacks against privileged users, with cybercriminals using reconnaissance, voice phishing by phone (vishing), and spoof web pages that are then used to steal second-factor authentication codes and circumvent security measures such as VPNs.
This complex mix of clever cybercriminal tactics means that technology alone cannot prevent a cyber attack against a privileged account user. Security awareness is a must-have to ensure that these users do not inadvertently hand over the corporate keys.
The following three best-practice baselines should be used when developing a Security Awareness Training package for privileged users:
Role-based Security Awareness Training is a framework to provide tailored training based on a role type in an organisation. Why is role-based training a good idea? Cybercriminals adjust their tactics to reflect an enterprise role or target certain corporate jobs for certain types of cyber attacks and scams.
For example, someone in accounts payable is an attractive proposition for a cybercriminal wanting to carry out a Business Email Compromise (BEC) scam that tricks an employee into transferring money to the fraudster’s bank account. Someone with privileged access in HR may be targeted to obtain employee information for tax scams.
Privileged users should be seen as a ‘superuser role’ and Security Awareness Training campaigns should be designed to reflect this. From here, you can then develop a tailored package of phishing and social engineering awareness that fits the types of attacks that focus on privileged access users.
Include Social Engineering in Your Security Awareness Training
Social engineering is used to build up the profile of an organisation and a targeted privileged user to make a cyber attack successful. The recent Lapsus$ group ransomware attacks against multiple companies used social engineering. A post from Microsoft that analyses the attacks explains the importance of social engineering:
“(the Lapsus$ group) focused their social engineering efforts to gather knowledge about their target’s business operations. Such information includes intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships. Examples of these social engineering tactics include spamming a target user with multifactor authentication (MFA) prompts and calling the organization’s help desk to reset a target’s credentials.”
Social engineering scams will take any form that the cybercriminal needs to gather this intelligence. This includes the use of social media, calls to a help desk, and general office calls that help form a relationship; even visits to an office could be used to build up the necessary information to carry out an attack. Social engineering attempts may take months of work to build up the profile of a privileged user, in readiness to carry out a successful attack.
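The MFA prompt spamming described in the quote above leaves a trace in authentication logs that a defender can alert on, and the users it flags are exactly the ones who most need the follow-up training this article argues for. The Python below is an added example, not code from the original article or from Microsoft's analysis: it parses constructed push-notification log lines (the field layout, usernames and addresses are all assumed) and flags any user who rejects or ignores several prompts within a short window, recording whether an approval followed inside that window, which is the outcome a prompt-bombing attacker is after.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). One record per
# MFA push prompt with the user's response; the field layout is assumed.
SAMPLE_LOG = """\
2024-03-01T09:00:02Z user=jdoe result=denied src=203.0.113.7
2024-03-01T09:00:19Z user=jdoe result=denied src=203.0.113.7
2024-03-01T09:00:41Z user=jdoe result=timeout src=203.0.113.7
2024-03-01T09:01:05Z user=jdoe result=denied src=203.0.113.7
2024-03-01T09:01:30Z user=jdoe result=approved src=203.0.113.7
2024-03-01T09:15:00Z user=asmith result=approved src=198.51.100.9
2024-03-01T11:20:00Z user=asmith result=denied src=198.51.100.9
2024-03-01T14:00:00Z user=asmith result=approved src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)\s+src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw log text into (timestamp, user, result, source) tuples,
    skipping any line that does not match the assumed layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events


def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Flag users who rejected or let time out `threshold` or more push
    prompts inside `window`, and record whether an approval followed within
    that same window (the user gave in). One alert per user is returned."""
    by_user = defaultdict(list)
    for ev in sorted(events):  # chronological order, then by user
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] <= start + window]
            rejected = [e for e in in_window if e[2] != "approved"]
            if len(rejected) < threshold:
                continue
            # Time at which the threshold was crossed; an approval after this
            # point is the dangerous outcome, not a normal login.
            crossed_at = rejected[threshold - 1][0]
            approved_after = any(
                e[2] == "approved" and e[0] > crossed_at for e in in_window
            )
            alerts.append({
                "user": user,
                "window_start": start,
                "rejected_prompts": len(rejected),
                "approved_after_fatigue": approved_after,
                "sources": sorted({e[3] for e in in_window}),
            })
            break  # first qualifying window is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, the user jdoe is flagged with four rejected or timed-out prompts and an approval afterwards, while asmith's single denial hours apart from other activity is not. An alert with `approved_after_fatigue` set should trigger both a session review and a targeted awareness conversation with that user; the threshold and window are tuning knobs that depend on how noisy legitimate retries are in a given environment.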
Ensure your privileged users understand the levels that a cybercriminal will go to, in order to make their spear-phishing emails and spoof websites believable.
Know what types of threats will focus on the superuser role. Typically, those with privileged access will be targeted for that access. However, this may also mean that they are part of a wider, more complex, attack chain.
Usually, spear-phishing or spear-vishing (voice-based phishing) is used to steal the login credentials of this group of users. The intelligence gathered by the cybercriminals during social engineering helps to create believable scenarios, emails, and spoof websites to trick the privileged user.
Provide tailored, role-based phishing simulation exercises to educate employees about the tricks used by scammers.
An organisation needs to give certain users privileged access; in fact, creating a hierarchy of access is an important part of identity and access management. But privilege is also a potential vulnerability in an organisation’s armour, a fact not lost on cybercriminals. By applying a baseline of best practices in Security Awareness Training for privileged users, you can harden this armour and keep privilege under control.