
What Are Ephemeral Accounts & How Do They Defend Against Attackers?


Privileged Account Management (PAM) software has been around for decades, resulting in many different approaches to securing privileged access to critical assets. Accounts with more access need stronger protection, which is what PAM solutions strive to provide.

Over the years, PAM software has evolved from simply vaulting passwords to using proxy servers to handle those vaulted passwords, blurring the distinction between Privileged Account Management and Privileged Access Management. Despite this important change, the issue remains that any network contains many standing accounts with admin or other elevated privileges (resulting in potential attacks such as Shadow Access).

Even in the past couple of years, traditional PAM solutions have continued to suffer from issues such as:

  • Large attack surfaces resulting from standing super user accounts, personal admin accounts, and standard user accounts with elevated (often unintentional) privileges.
  • Artifacts that privileged accounts leave behind in memory on the computers they log in to (e.g., Kerberos tickets), creating the opportunity for lateral movement attacks (such as Pass-the-Hash).

As we’ve previously discussed, we’ve analyzed thousands of networks and found that most have 3-5 admin accounts per physical admin user. When you think about that at scale, an environment with 25 admins could easily have between 75 and 125 standing admin accounts. Yikes! These admin accounts always exist, are vulnerable to attack, and are the keys to your kingdom (i.e., Active Directory and domain controllers).

So, what can we do to alleviate these problems with traditional PAM? The only way to solve the issue of standing privilege is to remove the privilege entirely when it’s not actively being used – and this is where Ephemeral Accounts come into play.

What Are Ephemeral Accounts?

Ephemeral Accounts typically have short, session-based lifecycles; when they are not actively being used, they are typically disabled or deleted. Stealthbits Privileged Activity Manager (SbPAM) uses Activity Tokens: ephemeral accounts that are dynamically created, delivered just in time, and granted just enough privilege to perform the necessary privileged tasks. The beauty of Activity Tokens is that when they’re not in use, they’re not left “standing” in the environment and vulnerable to attack – drastically reducing an environment’s attack surface.


Simply put, how can attackers achieve their goals (compromised domain admins, Active Directory, domain controllers, etc.) if the privilege to do so only exists while an admin is using it?

For day-to-day administrative tasks, SbPAM provides a secure mechanism to give admins access to the critical resources they need without the usual privileged account overhead or complex access policies.

  • When administrators need to perform tasks, SbPAM creates an Activity Token automatically.
  • SbPAM adds permissions to the Activity Token that are specific to the task.
  • The user is connected to a selected server to perform the task, and all activity is recorded for later playback.
  • Once the task is completed, the Activity Token is deleted. No privileged attack surface is left behind, including in-memory hashes such as Kerberos tickets.
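One way to check that this lifecycle actually holds in a directory is to audit how long each account keeps privileged group membership. The following is an added example, not SbPAM code or anything from the original post: it assumes the ephemeral accounts are Active Directory accounts whose changes appear as standard Windows Security events (4720, 4728, 4729, 4726), and the account names, privileged group, time limit and event records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: account created, member added to / removed
# from a security-enabled global group, account deleted.
CREATED, GROUP_ADD, GROUP_REMOVE, DELETED = 4720, 4728, 4729, 4726
PRIVILEGED_GROUPS = {"Domain Admins"}   # assumption: groups treated as privileged
MAX_LIFETIME = timedelta(hours=1)       # assumption: longest acceptable session

# Constructed sample events (time, event ID, account, group), not real logs.
SAMPLE_EVENTS = [
    ("2021-03-01T09:00:00", CREATED, "tok-alice-01", None),
    ("2021-03-01T09:00:05", GROUP_ADD, "tok-alice-01", "Domain Admins"),
    ("2021-03-01T09:40:00", DELETED, "tok-alice-01", None),
    ("2021-03-01T10:00:00", CREATED, "tok-bob-02", None),
    ("2021-03-01T10:00:04", GROUP_ADD, "tok-bob-02", "Domain Admins"),
    ("2021-03-01T13:30:00", DELETED, "tok-bob-02", None),
    ("2021-03-01T11:00:00", GROUP_ADD, "adm-carol", "Domain Admins"),
]

def audit_privilege_windows(events, as_of, max_lifetime=MAX_LIFETIME):
    """Return {account: finding} for privilege held longer than max_lifetime."""
    open_windows, findings = {}, {}   # (account, group) -> time privilege began

    def close(key, when):
        held = when - open_windows.pop(key)
        if held > max_lifetime:
            findings[key[0]] = f"held {key[1]} for {held}"

    for ts, event_id, account, group in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == GROUP_ADD and group in PRIVILEGED_GROUPS:
            open_windows.setdefault((account, group), when)
        elif event_id == GROUP_REMOVE and (account, group) in open_windows:
            close((account, group), when)
        elif event_id == DELETED:
            # Deleting the account ends every privilege window it had open.
            for key in [k for k in open_windows if k[0] == account]:
                close(key, when)
    # Membership still open at audit time is standing privilege.
    for (account, group), start in open_windows.items():
        if as_of - start > max_lifetime:
            findings[account] = f"still in {group} after {as_of - start}"
    return findings

if __name__ == "__main__":
    print(audit_privilege_windows(SAMPLE_EVENTS, datetime(2021, 3, 1, 18, 0)))
```

In the constructed data, the first token is deleted within the limit and is not reported, the second outlives it, and the last account is never removed from the group at all, which is the standing-privilege case.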

Ultimately this unique approach, utilizing Activity Tokens (Ephemeral Accounts), results in Zero Standing Privilege – complete removal of vulnerable privileged accounts that drastically reduces your attack surface.

As we’ve seen through the recent explosion of ransomware attacks and breaches, any organization can fall prey to an attack. While perimeter and endpoint defense is still critical, you also need to be prepared for scenarios where attackers successfully compromise a user in the network.

A hallmark of modern ransomware is lateral movement followed by privilege escalation resulting in broad-scale impact. Without the ability to move laterally in the first place, it becomes significantly harder for ransomware or its operators to achieve their goals – thanks to Activity Tokens and Zero Standing Privilege.

Stealthbits Privileged Activity Manager – SbPAM

Privileged Access Management tools have proven to be essential components of information security and compliance programs, yet privileged account compromise remains a nagging issue despite broad-scale adoption of password vaults.

Stealthbits’ approach to Privileged Access Management (PAM) fills the gaps and overcomes the challenges of traditional PAM solutions, providing comprehensive visibility into an organization’s privileged account footprint, surgical control over privileged account usage, and the ability to effectively reduce the threat surface and lateral movement attacks privileged accounts allow.


© 2021 Stealthbits Technologies, Inc.