Profiling “VIP Accounts” Part 1

Detecting malicious activity is rarely easy, but some attacker methods are more challenging to detect than others. One of the most vexing techniques to counter is credential theft. Attackers that gain control over a user account have access to the assets of that user. If the credentials are for an account with special privileges, like a system administrator, then the attacker may be able to gain access to system-wide resources and even be able to change logs to cover their tracks. Detecting compromise of privileged, or “VIP accounts” is more complex than detecting malware or other overt threats, as we discuss in this blog.

What is a VIP Account?

A VIP account is the most privileged account on a system or application. This account gives the ability to carry out all facets of system administration, including adding accounts, changing user passwords, examining log files, installing software, etc.

VIP accounts are necessary for elevated and privileged actions, as well as being used in very specific situations (e.g. adding a new user account, installing a driver or application). For best practices system administrators often follow the principle of least privilege, which dictates that most created accounts should run under the lowest possible privileges to prevent system wide changes or compromise.

On *nix type systems the VIP account is usually root, which is an account that has access to all files and can change and affect all applications. In Microsoft systems the highest account is usually built-into the system as administrator (This account is disabled in current versions of windows). Standard accounts can perform elevated functions via user account control (UAC) in windows environments.

The modern enterprise is often complex and hierarchical in terms of roles and units. As a result many different accounts with various levels of privilege are usually created in order to assign tasks per roles within the organization. This is known as Role Based Access Control which is a schema that determines the way access is granted, depending on organizational roles.

A good way of applying RBAC at large scale is through the use of LDAP. The LDAP protocol is a technology that allows the authentication and authorization of accounts based on directory information (e.g. organizational unit, location, email addresses, etc). In Microsoft environments Active Directory is the main directory service and can be accessed via LDAP protocol, DNS or kerberos.

The context of a VIP account is given by the levels of authentication coming from the schema, located at the directory service. Based on the defined privileged levels of, these accounts will perform related activities that can be profiled within a network environment.

For example it is very rare to see an administrator account performing certain activities related to standard user behavior like printing, internet browsing and file creation from specific applications that are not related to system administration such as backups, account creation, software installation, etc.

VIP accounts are constantly targeted as they provide a faster path to resources, data and control of a victim organization. As such these accounts which are usually administrators are subject to spear phishing campaigns, brute force or account takeovers by different means. Malicious actors must either target the account holders directly or use methods that provides the path of the compromised account to the higher privileges. One tool that can be used for that purpose is bloodhound.

Another scenario is when an employee or contractor that takes over a VIP account (sometimes referred to as insider theft). This scenario can be much harder to detect as only granular, timely monitoring and analysis of behavior, can provide an opportunity to profile access patterns and distinguish between authorized user access in these cases.

A recent trend in insider breaches and related attacks has involved privileged accounts departing from historical account behavior moving laterally across organizations, and focusing on harvesting particular data sets and credentials from selected systems. Monitoring for the compromised credentials of privileged accounts in specific internal user-centric data is a challenging because of the volume and real time nature of the changing user data. In the follow up to this post we describe a streaming machine learning-based approach to profiling user access patterns and changes in VIP account behavior.