Just a couple of years ago, only a few IAM professionals knew what service accounts were. In recent years, these silent accounts of non-human identities (NHIs) have become one of the most targeted and compromised attack surfaces. It is estimated that compromised service accounts play a key role in lateral movement in more than 70% of ransomware attacks. However, there is a troubling disparity between the exposure and potential impact of compromised service accounts on the one hand, and the security measures available to mitigate this risk on the other.
In this article, we explore what makes service accounts such a lucrative target, why they fall outside common security controls, and how a new unified identity security approach can prevent service accounts from being compromised and abused.
Active Directory Service Accounts 101: Non-Human Identities Used for Machine-to-Machine Communication
In an Active Directory (AD) environment, service accounts are user accounts that are not associated with people but are used for machine-to-machine communication. They are created by administrators either to automate repetitive tasks or during the installation of on-premises software. For example, if you run an EDR product in your environment, there is a service account responsible for delivering updates to the EDR agent on your endpoints and servers. Apart from being non-human identities, service accounts are no different from any other user account in AD.
Why do attackers target service accounts?
Ransomware actors rely on compromised AD accounts – preferably privileged ones – for lateral movement. The actor keeps making these lateral moves until it gains a foothold strong enough to encrypt many machines at once. This is typically achieved by accessing a domain controller or another server used for software distribution and abusing its shared network access to run the ransomware on as many machines as possible.
While any user account will do for this purpose, service accounts are the preferred choice for the following reasons:
High access privileges
Most service accounts are created to access other machines. This inevitably means they hold the access rights needed to log in and execute code on those machines. This is exactly what threat actors are looking for: compromising such an account gives them both access and the ability to run their malicious payloads.
Low visibility
Some service accounts, especially those associated with installed on-premises software, are known to IT and IAM staff. However, many are created ad hoc by IT and identity professionals without any documentation. This makes maintaining a controlled inventory of service accounts virtually impossible. This favors attackers, as the compromise and abuse of an uninventoried account is far more likely to go unnoticed by the victim.
Lack of security controls
The common security measures used to prevent account compromise are MFA and PAM. MFA cannot be applied to service accounts because they are not human: they have no phone, hardware token, or any other additional factor that could verify their identity beyond a username and password. PAM solutions also struggle to protect service accounts. Password rotation, the primary security control in PAM solutions, is rarely applied to service accounts for fear that a rotated password will break their authentication and disrupt the critical processes they run. This leaves service accounts virtually unprotected.
Want to learn more about protecting your service accounts? Explore our eBook, Overcoming Service Account Security Blind Spots, to learn more about the challenges of service account protection and get recommendations for addressing them.
Reality Bytes: Every company is a potential victim regardless of vertical or size
It was once said that ransomware is a great democratizer that does not discriminate between victims on any grounds. This is truer than ever when it comes to service accounts. In recent years, we have investigated incidents at companies ranging from 200 to 200,000 employees across finance, manufacturing, retail, telecommunications and many other sectors. In 8 out of 10 cases, the attackers' lateral movement involved the compromise of service accounts.
As always, attackers are the best teachers when it comes to showing us where our weakest links are.
Silverfort Solution: Unified Identity Security Platform
A new category of security – identity security – offers an opportunity to end the free rein that adversaries have enjoyed over service accounts until now. Silverfort's identity security platform is built on proprietary technology that provides continuous visibility, risk analysis and proactive enforcement for every AD authentication, including, of course, those performed by service accounts.
Let's see how this is used to prevent attackers from abusing service accounts for malicious access.
Silverfort Service Account Protection: Automated Detection, Profiling and Protection
Silverfort enables identity and security teams to keep their service accounts secure as follows:
Automated detection
Silverfort sees and analyzes every AD authentication. This allows its AI engine to readily identify accounts that exhibit the deterministic, predictable behavior characteristic of service accounts. After a short learning period, Silverfort provides its users with a complete inventory of their service accounts, including each account's privilege level, sources and destinations, and other data that reflects its behavior.
Behavioral analysis
For each identified service account, Silverfort defines a behavioral baseline that includes the sources and destinations it typically uses. The Silverfort engine continuously learns and enriches this baseline to capture the account's behavior as accurately as possible.
Virtual fencing
Based on the behavioral baseline, Silverfort automatically creates a policy for each service account that triggers a protective action whenever the account deviates from its established behavior. This action can be an alert or a complete block of access. Therefore, even if a service account's credentials are compromised, an attacker cannot use them to access any resource outside the baseline. All that is required of the Silverfort user is to enable the policy; no additional effort is needed.
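To make the detect-baseline-fence loop described above concrete, here is an added example (not Silverfort's code) that runs it over constructed logon events. The "deterministic behavior" heuristic, its thresholds, and the host and account names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of logon events as (account, source host, destination host).
# In practice these would come from domain controller logon/Kerberos events.
TRAINING = (
    [("svc_edr", "edr-mgmt01", f"ws{i:02d}") for i in range(1, 9)] * 3   # EDR agent updates
    + [("svc_backup", "bkp01", "fs01")] * 20                             # nightly backups
    + [("svc_backup", "bkp01", "db01")] * 20
    + [("alice", f"ws{i:02d}", d)                                        # a human user
       for i, d in enumerate(("fs01", "mail01", "sp01", "db01", "ws03", "vpn01"), 1)]
)


def build_baselines(events):
    """Map each account to the set of (source, destination) pairs it has used."""
    baseline = defaultdict(set)
    for account, src, dst in events:
        baseline[account].add((src, dst))
    return baseline


def classify_service_accounts(events, min_events=10, max_sources=2):
    """Heuristic (assumed): many logons from very few sources is the
    deterministic, repetitive pattern the article attributes to service accounts."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for account, src, _ in events:
        counts[account] += 1
        sources[account].add(src)
    return sorted(a for a in counts
                  if counts[a] >= min_events and len(sources[a]) <= max_sources)


def fence(event, baseline, service_accounts, action="block"):
    """Policy check for one new authentication. Human accounts are not fenced
    here; a service account outside its baseline gets the configured action."""
    account, src, dst = event
    if account not in service_accounts:
        return "allow"
    if (src, dst) in baseline.get(account, set()):
        return "allow"
    return action  # "alert" or "block", per the policy for this account


if __name__ == "__main__":
    svc = classify_service_accounts(TRAINING)
    base = build_baselines(TRAINING)
    print("service accounts:", svc)
    print(fence(("svc_edr", "edr-mgmt01", "ws05"), base, svc))  # in baseline
    print(fence(("svc_edr", "ws07", "dc01"), base, svc))        # outside baseline
```

The second `fence` call is the case the article is about: a service account's credentials used from a host and toward a destination the account never used during learning, which the policy blocks even though the password is valid.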
Conclusion: It's time to act. Make sure your service accounts are secure
You had better get a handle on your service accounts before attackers do. This is the front line of the modern threat. Do you have a way to see, monitor and protect your service accounts from compromise? If the answer is no, it is only a matter of time before you join the ransomware statistics.
Want to learn more about how Silverfort protects your service accounts? Visit our site or contact one of our experts for a demo.