The ghosts of users past present perfect route into businesses, for hackers
17 November 2017
- by Matt Lock, Director of Sales Engineers, Varonis
High profile ransomware attacks are never far from the headlines these days, but what about the lesser known tactics of a malicious actor looking to steal company data? Hackers looking for the quietest, easiest route into an organisation are now focusing their attention on stale user accounts – these ‘ghost users’ present the perfect channel.
Stale accounts within an organisation are those which are no longer needed; accounts where users have left the company or changed job roles and so the permissions they require have changed. From our own analysis across 80 organisations, 26% of all accounts were those of ‘stale enabled users’. That’s to say, they hadn’t accessed data or logged on to the network for more than 90 days. For one organisation, around 90% of all user accounts were stale. A high proportion of these stale accounts are often a result of communication issues between the IT team and other departments within an organisation. Whilst IT can implement permission changes and account closure, they are heavily reliant on information from other areas of the company.
These ghost user accounts lie dormant, unnoticed from day to day, yet still provide access to systems and data. From a hacker’s perspective, it’s relatively easy to find the ghosts on the network, often through social engineering. It may take a bit of legwork but it’s very simple to build a picture of who may have recently left an organisation, especially if said organisation has a bad track record in managing their accounts. These stale accounts are a great way for hackers to probe without the company being alerted. Imagine what could happen if hackers found their way into the account of a senior level staff member – someone who has left the company or changed roles – with access to a wide range of sensitive information across the organisation. The hacker could use this account to gain access to valuable intellectual property, personally identifiable information and financial documentation, to name but a few.
Many of the stale accounts we see are also service accounts – these are the accounts used to access services such as web servers, databases and email transport. These often have far less governance around them than user accounts and typically have ‘privileged’ access to more sensitive data, as well as open access to all files on a network. This is what makes service accounts particularly vulnerable – if a hacker gains access to a service account, they can largely go unnoticed, roaming around the company network undetected for long periods of time.
Understanding behaviour and taking control of ghost user accounts
Understanding account behaviour is very important in identifying whether stale accounts are being used maliciously. If you understand what normal account behaviour looks like, you’re in a much better position to recognise when accounts of certain types and privileges are behaving in ways they typically don’t. For example, are users accessing data they don’t normally access? Why is a service account now accessing potentially sensitive data? Without a dedicated data owner or business leader regularly re-certifying user accounts to ensure only active users have access, understanding account behaviour could be the only thing standing between an organisation and a breach.
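As an added illustration of the baselining idea above (example code, not part of the article and not Varonis’s own tooling), the PowerShell below learns which shares each account normally touches during a baseline window and then flags later events that deviate from it: an account accessing a share it has never used, an account with no baseline activity at all (a dormant ‘ghost’ waking up), or a service account writing to a share classified as sensitive. The audit events and the list of sensitive shares are constructed for the example; in practice the same columns would come from file-server audit logs exported to CSV.

```powershell
<#
  Added example, not from the article or Varonis. Baselines each
  account's normal share access, then flags recent events that deviate.
  Assumes an audit export with columns Time, Account, Share, Action.
#>

# Constructed sample audit trail: October is the baseline window,
# November is the activity under review.
$events = @'
Time,Account,Share,Action
2017-10-01,jsmith,\\fs01\Sales,Read
2017-10-03,jsmith,\\fs01\Sales,Write
2017-10-05,jsmith,\\fs01\Marketing,Read
2017-10-02,svc-backup,\\fs01\Sales,Read
2017-10-02,svc-backup,\\fs01\Marketing,Read
2017-10-04,svc-backup,\\fs01\HR,Read
2017-10-06,abrown,\\fs01\Finance,Read
2017-11-02,jsmith,\\fs01\Sales,Read
2017-11-03,jsmith,\\fs01\Finance,Read
2017-11-03,svc-backup,\\fs01\Finance,Write
2017-11-04,pgone,\\fs01\Finance,Read
'@ | ConvertFrom-Csv

# Assumed data classification: shares holding regulated or sensitive data.
$sensitiveShares = @('\\fs01\HR', '\\fs01\Finance')

function Get-AccessBaseline {
    # Returns a hashtable: account -> set of shares seen before $BaselineEnd.
    param([object[]]$Events, [datetime]$BaselineEnd)
    $baseline = @{}
    foreach ($e in $Events | Where-Object { [datetime]$_.Time -lt $BaselineEnd }) {
        if (-not $baseline.ContainsKey($e.Account)) {
            $baseline[$e.Account] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$baseline[$e.Account].Add($e.Share)
    }
    return $baseline
}

function Find-AnomalousAccess {
    # Emits one object per event on or after $BaselineEnd that breaks a rule.
    param([object[]]$Events, [hashtable]$Baseline, [datetime]$BaselineEnd, [string[]]$Sensitive)
    foreach ($e in $Events | Where-Object { [datetime]$_.Time -ge $BaselineEnd }) {
        $reasons = @()
        if (-not $Baseline.ContainsKey($e.Account)) {
            # Nothing in the baseline window: a dormant or unknown account is now active.
            $reasons += 'no baseline activity (dormant account?)'
        } elseif (-not $Baseline[$e.Account].Contains($e.Share)) {
            $reasons += "share outside baseline (normally: $($Baseline[$e.Account] -join ', '))"
        }
        # Service accounts (assumed 'svc-' naming convention) are expected to
        # read, e.g. for backups; a write to sensitive data is worth a look.
        if ($e.Account -like 'svc-*' -and $e.Action -eq 'Write' -and $Sensitive -contains $e.Share) {
            $reasons += 'service account writing to sensitive share'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.Time
                Account = $e.Account
                Share   = $e.Share
                Action  = $e.Action
                Reasons = $reasons -join '; '
            }
        }
    }
}

$baselineEnd = [datetime]'2017-11-01'
$baseline    = Get-AccessBaseline -Events $events -BaselineEnd $baselineEnd
Find-AnomalousAccess -Events $events -Baseline $baseline -BaselineEnd $baselineEnd -Sensitive $sensitiveShares |
    Format-Table -AutoSize
```

With the sample data, jsmith’s Finance read, svc-backup’s Finance write and pgone’s first-ever access are reported, while jsmith’s routine Sales read is not. The baseline is deliberately simple (a set of shares per account); a production version would also baseline volume and time of day, and would refresh the baseline as job roles legitimately change.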
With the General Data Protection Regulation looming, organisations need to take control of their data now, or risk potentially damaging and costly consequences. Whilst it’s tempting to lay the responsibility for these stale accounts on the IT team, it’s up to each department and business leader to keep IT informed of personnel changes. It’s easy enough to run an Active Directory script to check which users haven’t logged on for a defined period of time, but what happens with that information if the IT team is already overstretched, without the time or resources to act on that intelligence?
To minimise this stale account risk, there are steps and processes an organisation can implement to ensure accounts are active, governed and monitored. First, define where all the data is; then you can examine user behaviour to understand the flow of that data within the organisation – for example, how it’s used and who should be accessing it. Defences can then be put in place by defining who has access and developing strategies to dispose of stale data and accounts. Data access should be granted using a ‘least privilege’ model where only those who ‘need to know’ have access to sensitive information. Identifying ghost users is time-consuming, especially as an organisation grows, and is often treated as an afterthought; the good news is that there are now ways to automate this management of access rights and permissions. With the automation of this process, IT teams can save time and improve efficiency.
The issue of ghost users and stale accounts is more than just IT housekeeping. If not properly controlled, these accounts represent an attractive and lucrative target, and are a significant risk to an organisation’s security. Establishing processes and procedures for monitoring typical behaviours, user access rights and inactive accounts is among the first, crucial steps to preventing hackers from infiltrating your network.
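The ‘Active Directory script’ mentioned above, and the disposal step in the process that follows it, look roughly like this in practice. This is an added example, not code from the article or from Varonis: it reports enabled users with no logon in the last 90 days (the threshold used in the article’s analysis), marks which of them look like service accounts or sit in the most privileged groups, and can disable them with the usual `-WhatIf` safety net. It assumes the RSAT ActiveDirectory module and rights to read (and, with `-Disable`, modify) accounts under the chosen search base.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not from the article or Varonis. Reports enabled user
  accounts with no logon for $Days days and optionally disables them.
  Run with -Disable -WhatIf first to preview what would change.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$Days = 90,                                        # threshold from the article's analysis
    [string]$SearchBase = (Get-ADDomain).DistinguishedName, # narrow to an OU in real use
    [string]$ReportPath = '.\stale-users.csv',
    [switch]$Disable
)

$cutoff = (Get-Date).AddDays(-$Days)

# Caveat: LastLogonDate is derived from lastLogonTimestamp, which replicates
# between domain controllers but is only refreshed when it is more than
# roughly 14 days old, so treat the result as accurate to about two weeks.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties LastLogonDate, whenCreated, PasswordLastSet, ServicePrincipalName, MemberOf |
    Where-Object {
        # Accounts that have never logged on have a null LastLogonDate. Only
        # treat them as stale if they were created before the cutoff, so new
        # joiners who have not started yet are not swept up.
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) -and
        $_.whenCreated -lt $cutoff
    } |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, PasswordLastSet,
        @{ n = 'LooksLikeServiceAccount'; e = { [bool]$_.ServicePrincipalName } },
        @{ n = 'PrivilegedGroups'; e = {
            ($_.MemberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise|Schema) Admins,' }) -join ';' } }

$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ('{0} stale enabled account(s) with no logon for {1}+ days written to {2}' -f @($stale).Count, $Days, $ReportPath)

if ($Disable) {
    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable stale account')) {
            # Disable rather than delete: the account can be re-enabled if the
            # business owner objects, and its SID stays resolvable in audit logs.
            Disable-ADAccount -Identity $u.SamAccountName
            Set-ADUser -Identity $u.SamAccountName -Description ('Disabled as stale on {0:yyyy-MM-dd}' -f (Get-Date))
        }
    }
}
```

Save it as, say, `Find-StaleUsers.ps1` and run `.\Find-StaleUsers.ps1 -Days 90 -Disable -WhatIf` to see what would be disabled without touching anything; drop `-WhatIf` once a data owner has reviewed the CSV. The built-in `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` gives a quicker first cut, but the script above adds the never-logged-on and service-account handling that a review with business owners usually needs.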