Apr 15, 2024The Hacker NewsActive Directory / Attack Surface

To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to privileged identity management aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.

What is JIT and why is it important?

JIT privileged access provisioning involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so.

One of the key advantages of JIT provisioning is its ability to reduce the risk of privilege escalation and minimize the attack surface for credential-based attacks. By eliminating standing privileges, or privileges that an account possesses when not in active use, JIT provisioning restricts the window of opportunity for malicious actors to exploit these accounts. JIT provisioning disrupts attackers’ attempts at reconnaissance, as it only adds users to privileged groups when active access requests occur. This prevents attackers from identifying potential targets.

How to implement JIT provisioning with Safeguard

Safeguard, a privileged access management solution, offers robust support for JIT provisioning across multiple platforms, including Active Directory and Linux/Unix environments. With Safeguard, organizations can create regular user accounts within Active Directory, without special privileges. These accounts are then placed under Safeguard’s management, remaining in a disabled state until activated as part of an access request workflow.

When an access request is created, Safeguard automatically activates the user account, adds it to designated privileged groups, such as Domain Admins, and grants the necessary access rights to the account. Once the access request is completed, either through a configured timeout period or the user checking credentials back in, the user account is removed from privileged groups and disabled, minimizing exposure to any potential security threats.

How to enhance JIT provisioning with Active Roles

When coupled with Active Roles ARS, One Identity’s market-leading Active Directory management tool, organizations can elevate the security and customization of their JIT provisioning to even greater heights. Active Roles enables more sophisticated JIT provisioning use cases, allowing organizations to automate account activation, group membership management and Active Directory attribute synchronization.

For instance, a Safeguard access request workflow can trigger Active Roles to not only activate user accounts and assign privileges but also update virtual attributes within Active Directory and synchronize changes across the environment.

Conclusion

Just-in-Time provisioning of privileged access is a critical component of a comprehensive privileged access management strategy. By implementing JIT provisioning, organizations can reduce the risk of privilege misuse, enhance security, and ensure that users access privileged resources only when and for as long as necessary. Combining Safeguard with Active Roles allows organizations to implement robust JIT provisioning policies to strengthen security and mitigate risks.

Mar 19, 2024NewsroomGenerative AI / Incident Response

Large language models (LLMs) powering artificial intelligence (AI) tools today could be exploited to develop self-augmenting malware capable of bypassing YARA rules.

“Generative AI can be used to evade string-based YARA rules by augmenting the source code of small malware variants, effectively lowering detection rates,” Recorded Future said in a new report shared with The Hacker News.

The findings are part of a red teaming exercise designed to uncover malicious use cases for AI technologies, which are already being experimented with by threat actors to create malware code snippets, generate phishing emails, and conduct reconnaissance on potential targets.

The cybersecurity firm said it submitted to an LLM a known piece of malware called STEELHOOK that’s associated with the APT28 hacking group, alongside its YARA rules, asking it to modify the source code to sidestep detection such the original functionality remained intact and the generated source code was syntactically free of errors.

Armed with this feedback mechanism, the altered malware generated by the LLM made it possible to avoid detections for simple string-based YARA rules.

There are limitations to this approach, the most prominent being the amount of text a model can process as input at one time, which makes it difficult to operate on larger code bases.

Besides modifying malware to fly under the radar, such AI tools could be used to create deepfakes impersonating senior executives and leaders and conduct influence operations that mimic legitimate websites at scale.

Furthermore, generative AI is expected to expedite threat actors’ ability to carry out reconnaissance of critical infrastructure facilities and glean information that could be of strategic use in follow-on attacks.

“By leveraging multimodal models, public images and videos of ICS and manufacturing equipment, in addition to aerial imagery, can be parsed and enriched to find additional metadata such as geolocation, equipment manufacturers, models, and software versioning,” the company said.

Indeed, Microsoft and OpenAI warned last month that APT28 used LLMs to “understand satellite communication protocols, radar imaging technologies, and specific technical parameters,” indicating efforts to “acquire in-depth knowledge of satellite capabilities.”

It’s recommended that organizations scrutinize publicly accessible images and videos depicting sensitive equipment and scrub them, if necessary, to mitigate the risks posed by such threats.

The development comes as a group of academics have found that it’s possible to jailbreak LLM-powered tools and produce harmful content by passing inputs in the form of ASCII art (e.g., “how to build a bomb,” where the word BOMB is written using characters “*” and spaces).

The practical attack, dubbed ArtPrompt, weaponizes “the poor performance of LLMs in recognizing ASCII art to bypass safety measures and elicit undesired behaviors from LLMs.”