Privileged access is the primary pathway attackers use to achieve high-impact compromises, and protecting both human and non-human privileged identities across on-premises and cloud environments is essential. Mandiant recommends a defense-in-depth PAM strategy—tiering, least privilege, PAWs, MFA, secrets management, detection (high-fidelity session telemetry and anomaly analytics), and practiced response including coordinated credential rotation—to reduce dwell time and blast radius. #Mandiant #GoogleSecOps
Keypoints
- Privileged accounts (human and non-human) are the most critical attack vector and must be inventoried, tiered, and governed with least-privilege principles.
- Stolen credentials and session tokens are rising initial access vectors; organizations should assume breach and enforce Zero Trust, MFA, and PAM with credential rotation and session recording.
- PAM maturity follows stages (Uninitiated → Ad-Hoc → Repeatable → Iterative Optimization) and requires dedicated tooling plus governance, automation, and entitlement discovery.
- Hardening privileged pathways (PAWs/jump hosts, RDP/WinRM/SMB protocol hygiene), endpoint controls (EPM, application allow-listing), and secrets management (vaults, HSMs, automated rotation) reduces credential utility.
- Detection must be privileged-specific: collect high-fidelity signals (PAM checkouts, session transcripts, IdP sign-ins, EDR, network flows), use behavioral analytics/ML, and prioritize high-impact anomalies for automated containment.
- Response requires coordinated enterprise password resets, bulk secret rotation, isolation of admin assets, and staged recovery planning for Tier-0 systems (vaults, IdPs, virtualization, backup infrastructure).
- Tiering and Segregation of Duties (SoD), plus advanced PAM features (JIT/JEA/ZSP, dual approval, session recording) are key to preventing and detecting insider misuse and limiting blast radius.
MITRE Techniques
- [T1078] Valid Accounts – Used as primary access vector through stolen credentials and session tokens: “…stolen credentials have surpassed email phishing… accounting for 16% of intrusions in 2024.”
- [T1110] Brute Force – Targeted brute-force and credential stuffing against high-tier accounts, with recommendations to tune detections: “…treat attempts against super admin/root, PAM/vault, secrets management, IdP break-glass, and cloud control planes as high-severity.”
- [T1526] Cloud Service Discovery (and related cloud abuse techniques) – Attackers target cloud control planes and cloud identities; article calls for vaulting cloud root/owners and pairing PAM with cloud-native PIM/JIT: “…pair your PAM with cloud-native PIM/JIT services… to grant time-bound elevation rather than standing admin rights.”
- [T1003] OS Credential Dumping – Defenses described to prevent memory/LSASS scraping and pass-the-hash/ticket reuse: “…disable WDigest… ensure even if malware lands… it is harder to scrape credentials from memory (LSASS).”
- [T1496] Resource Hijacking / Abuse of Trusted Service Infrastructure – Adversaries target management interfaces and trusted infrastructure for persistence and lateral movement: “…Attackers target these components for persistence and lateral movement, knowing that compromising them can give broad control over an environment.”
- [T1486] Data Encrypted for Impact (ransomware staging) – GPO modifications and tier compromise referenced as steps that enable ransomware: “GPO Modification … Ransomware Deployment, Lateral Movement, Persistence.”
- [T1531] Account Discovery / Permission and Group Discovery – Article emphasizes entitlement discovery and scheduled resource-permission crawls to surface shadow admins: “…run scheduled resource-permission crawls and reconcile deltas… feed these findings into tier mapping and PAM onboarding.”
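The tier-aware tuning quoted under T1110 (treat failed attempts against super admin, vault, break-glass and cloud control-plane accounts as high severity) as a small sliding-window detector over constructed logon telemetry. This is an added example, not code from the Mandiant post; the account names, Tier-0 set, thresholds and window are assumptions.

```python
"""Tier-aware brute-force alerting, as the post recommends: a minimal detector.
Added example, not code from the Mandiant post; accounts, tiers, thresholds,
window and sample events are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed Tier-0 set: vault admins, IdP break-glass, cloud control-plane roots.
TIER0_ACCOUNTS = {"vault-admin", "breakglass-idp", "aws-root"}
THRESHOLDS = {"tier0": 3, "standard": 20}   # failed logons per window that alert
WINDOW_SECONDS = 300

@dataclass(frozen=True)
class LogonEvent:
    ts: int          # epoch seconds
    account: str
    source_ip: str
    success: bool

def tier_of(account: str) -> str:
    return "tier0" if account in TIER0_ACCOUNTS else "standard"

def detect(events):
    """Return (account, tier, severity, failures_in_window) for each account whose
    failed logons within one sliding window reach its tier's threshold."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            failures[e.account].append(e.ts)
    alerts = []
    for account, stamps in failures.items():
        tier, start = tier_of(account), 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_SECONDS:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= THRESHOLDS[tier]:
                alerts.append((account, tier, "high" if tier == "tier0" else "medium", count))
                break   # one alert per account
    return alerts

# Constructed telemetry: 3 failures on a vault admin, 5 on a standard user, 1 on aws-root,
# then one successful vault-admin logon that the detector must ignore.
SAMPLE_EVENTS = [LogonEvent(1000 + 20 * i, "vault-admin", "203.0.113.7", False) for i in range(3)]
SAMPLE_EVENTS += [LogonEvent(1100 + 10 * i, "jdoe", "198.51.100.4", False) for i in range(5)]
SAMPLE_EVENTS += [LogonEvent(1200, "aws-root", "203.0.113.7", False),
                  LogonEvent(1300, "vault-admin", "10.0.0.5", True)]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))   # [('vault-admin', 'tier0', 'high', 3)]
```

The same five failures that are noise against a standard user fire a high-severity alert against a Tier-0 account, which is the point of feeding tier mapping into detection thresholds.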
Indicators of Compromise
- [Account/Role] Examples of high-risk targets and contexts – domain administrators, service accounts, cloud root/owner accounts.
- [Event IDs / Logs] Detection contexts – Windows Security Event ID 5136 for GPO modifications; PAM vault checkouts and session transcripts.
- [Services/Platforms] High-value infrastructure examples – CyberArk Vault, HashiCorp Vault, Azure Key Vault, AWS KMS/Secrets Manager, Microsoft Entra ID, vCenter/ESXi (monitor VM create/delete, role/permission changes).
- [Protocols/Paths] Admin access contexts – RDP/WinRM/SMB usage and hardened PAW/jump host pathways (monitor bastion logs and MFA outcomes).
- [Artifacts] Response and forensic contexts – NTDS.dit dumps, DCSync/DCShadow, Kerberoasting activity, and secrets pulled from code/repos/vaults (used as triggers for enterprise password reset).
Read more: https://cloud.google.com/blog/topics/threat-intelligence/privileged-account-monitoring/