Privileged Identity Theft: A familiar theme in the Deloitte data breach

Published on 04 October 2017

Like myself, security professionals reading about the Deloitte data breach in the Guardian must have felt a sense of dread as they came across the sentence

“‘The hacker compromised the firm’s global email server through an “administrator’s ‘account’” that, in theory, gave them privileged, unrestricted ‘access to all areas.’”

Privileged identity theft, the compromise of privileged account credentials, is devastating. This is precisely what we saw with Deloitte’s breach, where the hacker compromised the firm’s global email server through a privileged administrator account which required only a single password.


Undiscovered hack

In my recent blog “Five Process Changes to Mitigate Privileged Account Risk”, I reviewed some quick wins regarding privileged accounts but these are just the beginning. If a company such as Deloitte, with one of the most skilled IT teams in the industry can suffer a data breach, it serves as a warning to all companies that if hackers are able to obtain privileged credentials, perimeters alone will never be enough to keep them out.

As reported by the Guardian, Deloitte discovered the hack in March, but cyber attackers could have breached its systems as long ago as October or November 2016. It’s not uncommon for hackers to go undiscovered for long periods of time like this. In targeted attacks, hackers usually gain a foothold first through compromising a user account and then look for other accounts to compromise with the aim of escalating privileges. By compromising privileged accounts, they can roam IT systems undetected – even for months – under the guise of authorized users.


Deploy an in depth security strategy

While password management – including two-factor authentication – is a good first line of defense, implementing monitoring tools that track privileged users’ activity and notify security teams in case of a potential breach is a necessary part of a defense in depth security strategy. Advanced analytics that examine user behavior in real time to assess if it is normal or unusual, even getting down to minute traits such as changes in typing speed or common spelling errors, provides an added layer of protection.

With these two fundamentals in place – 1) continuously being on the lookout; and 2) looking out for behavioral anomalies – organizations can ensure they’re able to expose hackers at the very moment they gain privileged access to the network.

Our latest white paper “Understanding Privileged Identity Theft”, details the typical attack methods criminals used to compromise credentials, why current methods don’t offer adequate protection, and what measures you can take to stop these threats. You can download it

by Csaba Krasznay

Csaba Krasznay is Balabit's Security Evangelist. He is responsible for the vision and strategy of Balabit's Privileged Access Management solutions. He was elected to the “Most Influential IT Security Expert of the Year 2011”.

share this article
Mitigate against privileged account risks
Get in touch

Recent Resources

The top IT Security trends to watch out for in 2018

With 2017 now done and dusted, it’s time to think ...

The key takeaways from 2017’s biggest breaches

Like many years before it, 2017 has seen a large ...

Why is IT Security winning battles, but losing the war…?

When a child goes near something hot, a parent will ...

“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”

– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser