Wherever There’s Ransomware, There’s Service Account Compromise. Are You Protected?

by Esmeralda McKenzie


Until just a couple of years ago, only a handful of IAM pros knew what service accounts are. In the last few years, these silent non-human identity (NHI) accounts have become one of the most targeted and compromised attack surfaces. Assessments report that compromised service accounts play a key role in lateral movement in over 70% of ransomware attacks. However, there’s an alarming disproportion between service accounts’ exposure to compromise and potential impact on one side, and the security measures available to mitigate this risk on the other.

In this article, we explore what makes service accounts such a lucrative target, why they are beyond the scope of most security controls, and how the new approach of unified identity security can protect service accounts from compromise and abuse.

Active Directory service accounts 101: Non-human identities used for M2M

In an Active Directory (AD) environment, service accounts are user accounts that are not associated with human beings but are used for machine-to-machine communication. They’re created by admins either to automate repetitive tasks or during the installation of on-prem software. For example, if you have an EDR in your environment, there’s a service account that is responsible for fetching updates to the EDR agent on your endpoints and servers. Apart from being an NHI, a service account is no different from any other user account in AD.

Why do attackers go after service accounts?

Ransomware actors rely on compromised AD accounts – preferably privileged ones – for lateral movement. A ransomware actor would continue such lateral movement until obtaining a foothold that’s strong enough to encrypt multiple machines in a single click. Typically, they would achieve that by accessing a Domain Controller or another server that’s used for software distribution and abusing its network share to execute the ransomware payload on as many machines as possible.

While any user account would suit this purpose, service accounts are the best fit for the following reasons:

High access privileges

Most service accounts are created to access other machines. That inevitably implies that they have the access privileges required to log in and execute code on these machines. This is exactly what threat actors are after, as compromising these accounts gives them the ability to access those machines and execute their malicious payload.

Low visibility

Some service accounts, especially those associated with installed on-prem software, are known to the IT and IAM staff. However, many are created ad hoc by IT and identity personnel with no documentation. This makes the task of maintaining a monitored inventory of service accounts close to impossible. This plays well into attackers’ hands, as compromising and abusing an unmonitored account has a far greater chance of going undetected by the victim.

Lack of security controls

The common security measures used to prevent account compromise are MFA and PAM. MFA can’t be applied to service accounts because they are not human and don’t own a phone, hardware token, or any other additional factor that can be used to verify their identity beyond their username and password. PAM solutions also struggle with the protection of service accounts. Password rotation, the main security control PAM solutions use, can’t be applied to service accounts for fear of failing their authentication and breaking the critical processes they manage. This leaves service accounts practically unprotected.

Want to learn more about protecting your service accounts? Explore our eBook, Overcoming the Security Blind Spots of Service Accounts, for further insights into the challenges of protecting service accounts and get guidance on how to combat these issues.

Reality bytes: Every company is a potential victim regardless of vertical and size

It was once said that ransomware is the great democratizer that doesn’t discriminate between victims based on any characteristic. This is truer than ever with regard to service accounts. In the past years, we’ve investigated incidents in companies from 200 to 200K employees in finance, manufacturing, retail, telecom, and many other verticals. In 8 out of 10 cases, the attempted lateral movement entailed the compromise of service accounts.

As always, the attackers teach us best where our weakest links are.

Silverfort’s Solution: Unified Identity Security Platform

The emerging security category of identity security makes it possible to turn the tables on the free rein adversaries have enjoyed so far over service accounts. Silverfort’s identity security platform is built on a proprietary technology that gives it continuous visibility, risk analysis, and active enforcement on any AD authentication, including, of course, those made by service accounts.

Let’s see how this is used to stop attackers from using service accounts for malicious access.

Silverfort’s service account protection: Automated discovery, profiling, and protection

Silverfort enables identity and security teams to keep their service accounts secure in the following manner:

Automated discovery

Silverfort sees and analyzes every AD authentication. This makes it easy for its AI engine to identify the accounts that feature the deterministic and predictable behavior that characterizes service accounts. After a short learning period, Silverfort provides its users with a full inventory of their service accounts, including their privilege levels, sources and destinations, and other data that maps the behavior of each.

Behavioral analysis

For every identified service account, Silverfort defines a behavioral baseline that includes the sources and destinations it normally uses. Silverfort’s engine continuously learns and enriches this baseline to capture the account’s behavior as accurately as possible.

Virtual fencing

Based on the behavioral baseline, Silverfort automatically creates a policy for each service account that triggers a protective action upon any deviation of the account from its standard behavior. This action can be a mere alert or a full access block. In that manner, even if the service account’s credentials are compromised, the adversary won’t be able to use them to access any resource beyond the ones included in the baseline. All a Silverfort user is required to do is enable the policy, with no additional effort.
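To make the discovery, baselining, and virtual fencing steps above concrete, here is an added illustration in Python (not Silverfort’s code, and not a description of its proprietary engine). It works on a constructed set of AD authentication events, treats accounts with few fixed sources and highly repetitive (source, destination) pairs as service accounts, learns a baseline for each, and then evaluates new authentications against that baseline. The thresholds, host names, and account names are assumptions.

```python
from collections import defaultdict

# Constructed AD authentication events (account, source host, destination host);
# a real deployment would take these from DC logon events or a Kerberos/NTLM feed.
LEARNING_EVENTS = [
    ("svc_edr", "edr-mgmt01", "ws-101"), ("svc_edr", "edr-mgmt01", "ws-102"),
    ("svc_edr", "edr-mgmt01", "srv-files"), ("svc_edr", "edr-mgmt01", "ws-101"),
    ("svc_edr", "edr-mgmt01", "ws-102"), ("svc_edr", "edr-mgmt01", "srv-files"),
    ("svc_backup", "backup01", "srv-files"), ("svc_backup", "backup01", "srv-sql"),
    ("svc_backup", "backup01", "srv-files"), ("svc_backup", "backup01", "srv-sql"),
    ("jdoe", "ws-101", "srv-files"), ("jdoe", "ws-207", "srv-mail"),
    ("jdoe", "vpn-gw", "srv-files"), ("jdoe", "ws-207", "srv-sql"),
    ("jdoe", "vpn-gw", "srv-mail"),
]


def discover_service_accounts(events, min_events=4, max_sources=2, max_unique_ratio=0.5):
    """Heuristic discovery (assumed thresholds): service accounts log on repeatedly from
    few fixed sources, so their distinct (source, destination) pairs are a small
    fraction of their total logons, unlike the varied behaviour of a human user."""
    per_account = defaultdict(list)
    for account, src, dst in events:
        per_account[account].append((src, dst))
    found = set()
    for account, pairs in per_account.items():
        sources = {src for src, _ in pairs}
        unique_ratio = len(set(pairs)) / len(pairs)
        if len(pairs) >= min_events and len(sources) <= max_sources and unique_ratio <= max_unique_ratio:
            found.add(account)
    return found


def build_baselines(events, accounts):
    """Behavioral baseline per service account: the (source, destination) pairs it normally uses."""
    baselines = {account: set() for account in accounts}
    for account, src, dst in events:
        if account in baselines:
            baselines[account].add((src, dst))
    return baselines


def fence(event, baselines, action="block"):
    """Virtual fencing: an authentication outside the learned baseline triggers the policy
    action ("alert" or "block"); accounts with no baseline are reported as unmanaged."""
    account, src, dst = event
    if account not in baselines:
        return "unmanaged"
    return "allow" if (src, dst) in baselines[account] else action


if __name__ == "__main__":
    base = build_baselines(LEARNING_EVENTS, discover_service_accounts(LEARNING_EVENTS))
    for ev in [("svc_edr", "edr-mgmt01", "ws-102"), ("svc_edr", "ws-207", "dc01")]:
        print(ev, "->", fence(ev, base))  # second event: credential reused off-baseline
```

The second event in the usage shows the case the article describes: a valid service account credential presented from a host and toward a destination it never used during learning is blocked even though the password is correct.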

Conclusion: This is the time to act. Ensure your service accounts are protected

You’d better get a hold of your service accounts before attackers do. This is the true forefront of today’s threat landscape. Do you have a way to see, monitor, and secure your service accounts from compromise? If the answer is no, it’s only a matter of time before you become another entry in the ransomware statistics.

Want to learn more about Silverfort’s service account protection? Visit our website or reach out to one of our experts for a demo.

This article is a contributed piece from one of our valued partners.
