Who is cryP+o_@$%724, and why is that account logging into our domain controller?
I can guarantee you that someone is asking themselves that question right now, somewhere in the United States. It probably hasn’t been escalated yet, but the question is there as someone gets to an access log entry and takes the time to consider it.
The fact that someone, likely a security analyst, is asking the question makes this a problem. The analyst should already know which people and which accounts have access to critical tier 0 infrastructure, but that is not often the case in US organizations. Most organizations do not have a complete understanding of all the privileged accounts in their environment. The accounts that administrators, engineers, vendors, and partners use to manage the IT infrastructure have special significance and power well beyond simple access to applications. They often have the authority to make significant changes and to grant new and additional access rights to IT assets.
Privileged Access Management (PAM) consists of the cybersecurity processes and technologies for controlling the elevated or “privileged” access and permissions of users, accounts, processes, and systems across an IT environment. By limiting privileged access to the appropriate level on the correct IT assets, PAM helps organizations reduce their attack surface and prevent, or at least mitigate, the damage arising from external attacks as well as from insider compromise or negligence.
While privilege management encompasses many strategies, a central goal is the enforcement of least privilege, defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices, and processes to the absolute minimum necessary to perform assigned duties and tasks. Many analysts and technologists consider PAM one of the essential security solutions for reducing cyber risk and achieving a high security ROI.
Unknown and unmanaged accounts - An unknown privileged account is one that has been forgotten and is no longer tracked by anyone. Virtually all organizations have unknown accounts, anywhere from one to thousands. Accounts become unknown for many reasons, for example:
• An account is abandoned when an employee leaves the organization.
• An account is utilized less and less until it becomes obsolete and forgotten.
• Default accounts on new devices that nobody uses or tracks.
Every unknown account increases your vulnerability and presents an opportunity for unauthorized access. Here are a few things that could happen:
• An employee finds the account and uses it to make unauthorized changes.
• A former employee continues to access the account.
• A bad actor/hacker discovers the account and breaches your organization.
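The three situations above all come down to the same gap: privileged logons are happening without a matching entry in an inventory that says who owns the account and why it exists. The following is an added example, not code from the original article, showing the kind of reconciliation a defender can run: it compares constructed domain-controller logon records against a constructed privileged-account inventory to flag unknown accounts on tier 0 hosts, inventory accounts that have gone dormant, and built-in default accounts left enabled on a new device. The inventory, host names, account names, and log records are all made up for illustration.

```python
from datetime import datetime, timedelta

# Constructed privileged-account inventory (example data, not a real organization's):
# account -> (owner, purpose). A privileged logon by an account absent from this
# map is an "unknown" account in the sense the text describes.
PRIVILEGED_INVENTORY = {
    "DOMAIN\\adm.jsmith": ("J. Smith", "domain admin"),
    "DOMAIN\\svc.backup": ("Backup team", "backup service account"),
    "DOMAIN\\adm.vendor01": ("Vendor X", "vendor support"),
}

# Constructed tier 0 host names (domain controllers).
TIER0_HOSTS = {"DC01", "DC02"}

# Built-in account names that commonly ship enabled on new devices.
DEFAULT_ACCOUNT_NAMES = {"administrator", "admin", "guest", "root"}

# Constructed logon records, flattened to (timestamp, account, target host, logon type).
# A real Windows 4624 event carries many more fields; these are the ones the checks need.
SAMPLE_LOGONS = [
    ("2024-05-01 02:13:00", "DOMAIN\\adm.jsmith", "DC01", 10),
    ("2024-05-01 03:40:00", "DOMAIN\\cryP+o_@$%724", "DC01", 10),
    ("2024-05-01 08:05:00", "DOMAIN\\svc.backup", "FS01", 5),
    ("2024-05-02 11:20:00", "DOMAIN\\adm.jsmith", "DC02", 2),
    ("2024-05-02 23:58:00", "DOMAIN\\olddba", "DC02", 3),
]

# Constructed local account listing pulled from a newly deployed appliance.
SAMPLE_LOCAL_ACCOUNTS = [
    {"name": "Administrator", "enabled": True},
    {"name": "Guest", "enabled": False},
    {"name": "svc_monitor", "enabled": True},
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_logon(record):
    """Turn one flattened logon record into a dict with a real datetime."""
    ts, account, host, logon_type = record
    return {
        "time": datetime.strptime(ts, TS_FORMAT),
        "account": account,
        "host": host,
        "logon_type": logon_type,
    }


def find_unknown_tier0_logons(logons, inventory=PRIVILEGED_INVENTORY, tier0_hosts=TIER0_HOSTS):
    """Logons to tier 0 hosts by accounts that are not in the privileged inventory."""
    return [
        rec for rec in map(parse_logon, logons)
        if rec["host"] in tier0_hosts and rec["account"] not in inventory
    ]


def find_dormant_accounts(logons, now_ts, inventory=PRIVILEGED_INVENTORY, max_idle_days=90):
    """Inventory accounts not seen within max_idle_days (or never seen): candidates to disable.

    Returns (account, last_seen_datetime_or_None) in inventory order.
    """
    last_seen = {}
    for rec in map(parse_logon, logons):
        if rec["account"] in inventory:
            prev = last_seen.get(rec["account"])
            last_seen[rec["account"]] = rec["time"] if prev is None else max(prev, rec["time"])
    cutoff = datetime.strptime(now_ts, TS_FORMAT) - timedelta(days=max_idle_days)
    return [
        (account, last_seen.get(account))
        for account in inventory
        if last_seen.get(account) is None or last_seen[account] < cutoff
    ]


def find_enabled_default_accounts(local_accounts, defaults=DEFAULT_ACCOUNT_NAMES):
    """Built-in accounts still enabled on a device; these should be disabled or brought under management."""
    return [a["name"] for a in local_accounts if a["enabled"] and a["name"].lower() in defaults]


if __name__ == "__main__":
    for rec in find_unknown_tier0_logons(SAMPLE_LOGONS):
        print(f"UNKNOWN privileged logon: {rec['account']} -> {rec['host']} at {rec['time']}")
    for account, seen in find_dormant_accounts(SAMPLE_LOGONS, "2024-06-01 00:00:00"):
        print(f"DORMANT inventory account: {account} (last seen {seen})")
    for name in find_enabled_default_accounts(SAMPLE_LOCAL_ACCOUNTS):
        print(f"DEFAULT account enabled: {name}")
```

Run against the constructed data, the first check surfaces exactly the situation in the opening question (an account nobody can explain logging into a domain controller), the second surfaces a vendor account that has never been used and so is a candidate for the "forgotten" category, and the third surfaces the built-in Administrator account left enabled on a new device. In practice the inventory would come from the PAM system's vault and the logons from the SIEM, but the reconciliation logic is the same.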
Effective PAM solutions employ numerous features to control privileged access and prevent cyber-attacks. PAM can discover privileged accounts across your organization and import them into a secure, encrypted repository, a password vault. Once all privileged credentials are inside, the solution can manage sessions, passwords, and access automatically. Combine this with features like hiding passwords from specific users, auto-rotating valuable passwords, recording sessions, auditing, and multi-factor authentication, and you have a strong multipoint defense against external threats.
Insider Threats - PAM solutions contain multiple features to safeguard against internal threats. Audit trails and email alerts keep access administrators informed of what is happening in the IT environment. Session monitoring and recording increase the visibility of privileged account access and usage. Permissions and role-based access controls give users only the access they need to do their jobs. Last but not least, there should be a feature to sever a user's access the moment they leave the organization.
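Two of the controls just listed, role-based access and severing access when someone leaves, are easy to state and easy to get wrong because they depend on joining the PAM audit trail with data held elsewhere (HR). The following is an added example, not code from the original article or any PAM product, that shows the join: a constructed HR leaver feed, a constructed set of vaulted privileged accounts with owners and roles, a constructed map of which role each target system requires, and a constructed session audit trail. From these it produces the list of accounts that should already have been disabled and the alerts an access administrator would expect to be emailed. All names, dates, hosts, and roles are made up.

```python
from datetime import datetime

# Constructed HR feed: owner name -> termination date, or None if still employed.
LEAVERS = {
    "J. Smith": None,
    "Backup team": None,
    "Vendor X": "2024-04-30",
    "R. Diaz": "2024-03-15",
}

# Constructed privileged account records as a PAM vault might hold them.
ACCOUNTS = [
    {"account": "DOMAIN\\adm.jsmith", "owner": "J. Smith", "enabled": True, "roles": {"domain-admin"}},
    {"account": "DOMAIN\\adm.vendor01", "owner": "Vendor X", "enabled": True, "roles": {"vendor-support"}},
    {"account": "DOMAIN\\adm.rdiaz", "owner": "R. Diaz", "enabled": False, "roles": {"dba"}},
    {"account": "DOMAIN\\svc.backup", "owner": "Backup team", "enabled": True, "roles": {"backup-operator"}},
]

# Constructed mapping of target systems to the role required to open a session on them.
TARGET_ROLE = {"DC01": "domain-admin", "DC02": "domain-admin", "FS01": "backup-operator", "DB01": "dba"}

# Constructed session audit trail as recorded by the PAM gateway.
SESSIONS = [
    {"time": "2024-05-03 09:00:00", "account": "DOMAIN\\adm.jsmith", "target": "DC01"},
    {"time": "2024-05-03 14:02:00", "account": "DOMAIN\\adm.vendor01", "target": "DC01"},
    {"time": "2024-05-04 01:15:00", "account": "DOMAIN\\svc.backup", "target": "FS01"},
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _departed(owner, leavers, at):
    """True if the owner's termination date is on or before the given datetime."""
    left = leavers.get(owner)
    return left is not None and datetime.strptime(left, "%Y-%m-%d") <= at


def accounts_to_disable(accounts, leavers, now_ts):
    """Enabled privileged accounts whose owner has left: access that should have been severed."""
    now = datetime.strptime(now_ts, TS_FORMAT)
    return [a["account"] for a in accounts if a["enabled"] and _departed(a["owner"], leavers, now)]


def audit_alerts(sessions, accounts, leavers, target_role):
    """Alerts worth emailing an access administrator, as (reason, account, target) tuples:
    sessions by an account the vault does not know, sessions by an account whose owner
    had already left, and sessions to a target whose required role the account lacks."""
    by_name = {a["account"]: a for a in accounts}
    alerts = []
    for s in sessions:
        when = datetime.strptime(s["time"], TS_FORMAT)
        acct = by_name.get(s["account"])
        if acct is None:
            alerts.append(("unmanaged-account", s["account"], s["target"]))
            continue
        if _departed(acct["owner"], leavers, when):
            alerts.append(("departed-owner", s["account"], s["target"]))
        required = target_role.get(s["target"])
        if required is not None and required not in acct["roles"]:
            alerts.append(("role-mismatch", s["account"], s["target"]))
    return alerts


if __name__ == "__main__":
    for account in accounts_to_disable(ACCOUNTS, LEAVERS, "2024-05-03 00:00:00"):
        print(f"DISABLE NOW: {account} (owner has left)")
    for reason, account, target in audit_alerts(SESSIONS, ACCOUNTS, LEAVERS, TARGET_ROLE):
        print(f"ALERT [{reason}]: {account} opened a session to {target}")
```

With the constructed data, the vendor account is flagged twice for the same session: its owner's contract ended three days earlier, and a vendor-support role does not entitle it to a domain controller in the first place. Either finding alone is enough to justify an alert; the point of keeping both checks is that they fail independently, so a stale HR feed does not silently remove the only control.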
Privileged access management is a foundational part of any strong security program, and its benefits are something that all organizations, large and small, should consider.