With 80% of breaches linked to privileged access credentials, effectively managing and monitoring privileged accounts often means the difference between keeping your organization secure and a catastrophic cyber incident. All it takes is for the right hacker to gain access to the right credentials and it could cost your business upwards of millions of dollars, not to mention a tarnished reputation and lost customers.
With that, more than ever, prioritizing strict privileged access governance is critical to protecting your organization from cyberthreats lurking both inside and outside the organization. The reality is that traditional validation isn’t enough to keep a privileged account secure; once an IT administrator authenticates with a privileged account, there traditionally has been no further validation of the user or their activity.
In addition to standard authentication controls and policy enforcement, IT security teams need to understand how to effectively identify suspicious activity within the privileged access sessions themselves to mitigate threats. Let’s explore five essential indicators that can help businesses uncover a privileged user that may not be who they say they are.
Unusual Account Log-on Time
Log-on time is arguably the leading indicator of suspicious activity. Since privileged users typically work a standard workday, an administrator logging in on a Saturday at 3 a.m. should raise a red flag and lead to an IT alert.
Tracking time of log-on adds a level of confidence and an extra layer of validation to the access. For most organizations, this is the simplest strategy and should be the first line of defense.
New and Different Typing Style
Keystrokes are just like fingerprints: No two people have the same of either. Our brains work differently and memorize different patterns, making typing cadence unique to each of us.
To determine if an individual using a privileged account is the authorized user, IT administrators can use biometric analytics, which leverage advanced machine learning to learn an individual users’ keystroke behavior, such as typing speed and latency between successive keystrokes, over time. This information not only allows IT administrators to spot suspicious activity easily, but this continuous authentication method also requires minimal conscious effort from the end user, ensuring little to no disruption to their work.
Unusual Window Titles
When monitoring for a potential hacker, something as simple as the title of an application window could lead to their identification. The easiest way to do this is to put yourself in the mind of a cybercriminal. Specifically, think about activities that are clearly administrator-only, as these activities typically involve accessing sensitive systems and data which is a hacker’s ultimate goal.
With particular titles such as export being relevant to both an accredited user and a cybercriminal, it’s important to collect an inventory of all a user’s titles. This will help organizations create a baseline understanding of which titles are common. When abnormal titles occur, this baseline understanding can help security teams identify the activity quickly to stop an attack before it even occurs.
Being aware of a privileged access user’s standard geolocation can help IT security teams more quickly identify malicious activity. When measuring geolocation, it is important to keep two factors into consideration: familiarity and velocity.
To be confident you’ve found a threat, first look at the IP address to determine if it’s considered typical. If the IP address is out of the ordinary, administrators should then check the number of times the account has been logged in to as an immediate next step. In a world where more than 70% of the global workforce works remote at least once a week and work travel is increasingly common, a change in location or IP address alone isn’t enough to raise a serious red flag, but multiple logins over a short period is a tell-tale sign of hacker behavior.
Sudden Change in Session Length
Whether it’s managing Active Directory or a database administrator using SQL Server Studio, privileged accounts perform very specific and well-defined tasks. With this in mind, the duration an application is open and how long a specific credential is logged in could be a direct lead to a malicious threat. For example, if a privileged access user is only in charge of setting up new hire accounts and logs into the company finances for multiple 5-minute time spans, it could mean the account has been compromised.
To be confident that it’s not a privileged user conducting a new activity, organizations need to record the typical activity of each user. Sessions that go against a users’ standard activity then can be easily be spotted to indicate a threat and identify a cybercriminal within the network.
Privileged accounts are the underlying process for businesses of all sizes to control, monitor and audit its information, so the question is no longer whether privileged accounts are at risk, but how businesses can proactively and more accurately identify suspicious activity. By arming security teams with comprehensive visibility into privileged session activity, businesses can identify and stop a cybercriminal quickly, before the damage is done.