Privileged Identity Theft: A familiar theme in the Deloitte data breach

Published on 04 October 2017

Like myself, security professionals reading about the Deloitte data breach in the Guardian must have felt a sense of dread as they came across the sentence

“The hacker compromised the firm’s global email server through an ‘administrator’s account’ that, in theory, gave them privileged, unrestricted ‘access to all areas’.”

Privileged identity theft, the compromise of privileged account credentials, is devastating. This is precisely what we saw in Deloitte’s breach, where the hacker compromised the firm’s global email server through a privileged administrator account that was protected by nothing more than a single password.


Undiscovered hack

In my recent blog “Five Process Changes to Mitigate Privileged Account Risk”, I reviewed some quick wins regarding privileged accounts, but these are just the beginning. If a company such as Deloitte, with one of the most skilled IT teams in the industry, can suffer a data breach, it serves as a warning to all companies: once hackers are able to obtain privileged credentials, perimeter defenses alone will never be enough to keep them out.

As reported by the Guardian, Deloitte discovered the hack in March, but the attackers could have breached its systems as long ago as October or November 2016. It’s not uncommon for hackers to go undiscovered for long periods like this. In targeted attacks, they usually gain a foothold by compromising an ordinary user account and then look for further accounts to compromise, with the aim of escalating privileges. Once they hold privileged accounts, they can roam IT systems undetected – even for months – under the guise of authorized users.


Deploy a defense-in-depth security strategy

While password management – including two-factor authentication – is a good first line of defense, implementing monitoring tools that track privileged users’ activity and notify security teams of a potential breach is a necessary part of a defense-in-depth security strategy. Advanced analytics that examine user behavior in real time to assess whether it is normal or unusual, even down to minute traits such as changes in typing speed or habitual spelling errors, provide an added layer of protection.

With these two fundamentals in place – 1) continuous monitoring of privileged activity; and 2) watching for behavioral anomalies – organizations can expose hackers at the very moment they gain privileged access to the network.
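As an added illustration of the behavioral monitoring described above (example code, not from the original post or from Balabit), the script below builds a per-account baseline of login hours, source addresses and typing cadence for one privileged identity and flags sessions that deviate from it; the account history, IP addresses and thresholds are constructed assumptions.

```python
"""Behavioral baseline for a privileged account: flag sessions that deviate
from the account's usual login hours, source addresses and typing cadence.
Added example, not code from the original post or from Balabit. The session
records, addresses and thresholds below are constructed for illustration."""
from statistics import mean, pstdev

# Constructed history of interactive admin sessions on the mail server:
# (hour of day, source IP, mean inter-keystroke interval in milliseconds)
BASELINE_SESSIONS = [
    (9, "10.1.5.20", 180.0), (10, "10.1.5.20", 175.0), (9, "10.1.5.21", 190.0),
    (14, "10.1.5.20", 182.0), (16, "10.1.5.21", 178.0), (11, "10.1.5.20", 185.0),
]


def build_baseline(sessions):
    """Summarise what 'normal' looks like for one privileged identity."""
    hours = {h for h, _, _ in sessions}
    sources = {src for _, src, _ in sessions}
    cadence = [c for _, _, c in sessions]
    return {"hours": hours, "sources": sources,
            "cadence_mean": mean(cadence), "cadence_sd": pstdev(cadence) or 1.0}


def score_session(baseline, session, z_threshold=3.0):
    """Return the list of anomaly reasons for a new session (empty = normal)."""
    hour, src, cadence = session
    reasons = []
    if hour not in baseline["hours"]:
        reasons.append(f"login at unusual hour {hour:02d}:00")
    if src not in baseline["sources"]:
        reasons.append(f"new source address {src}")
    # Typing cadence as a z-score against the account owner's own history
    z = abs(cadence - baseline["cadence_mean"]) / baseline["cadence_sd"]
    if z > z_threshold:
        reasons.append(f"typing cadence deviates from baseline (z={z:.1f})")
    return reasons


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SESSIONS)
    # Constructed: the same credential, but used at 03:00 from an unknown host
    # by someone who types much faster than the account's usual operator.
    for s in [(10, "10.1.5.20", 181.0), (3, "203.0.113.77", 95.0)]:
        print(s, score_session(baseline, s) or ["normal"])
```

A valid password alone produces no signal here; the alert comes from the session behaving unlike the account's owner, which is the point of monitoring privileged activity rather than only gating it.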

Our latest white paper, “Understanding Privileged Identity Theft”, details the typical attack methods criminals use to compromise credentials, why current methods don’t offer adequate protection, and what measures you can take to stop these threats. You can download it

by Csaba Krasznay

Csaba Krasznay is Balabit's Security Evangelist. He is responsible for the vision and strategy of Balabit's Privileged Access Management solutions. He was elected to the “Most Influential IT Security Expert of the Year 2011”.
