Over 20 years ago, the NSA conducted an exercise named Operation Eligible Receiver 97. The exercise was designed to test the response capabilities of critical Department of Defense Information systems in the case of a breach and the results were alarming. Utilizing publicly available hacking techniques, the NSA was able to compromise the DoD network and gained superuser access into many of their primary targets, administrative accounts.
After concluding a two-year review of the exercise, the importance of tracking privileged user accounts was expressed and can be seen in a number of the controls found within NIST 800-53. These controls serve as a guideline for organizations to follow when protecting against privileged account exploitation.
Operation Eligible Receiver 97 served as the birthplace of privileged user management knowledge for security teams. The consequences of improper management of administrative accounts were demonstrated and documented. Today, over 20 years after the exercise, many organizations continue to struggle with privileged user management.
Current Struggles With Privileged User Management
One of the most important functions of privileged user management is the ability to view the current rights assignments of user accounts within a network at any time. Without this visibility, security professionals cannot see valuable information such as when privilege changes were implemented or who has the ability to access sensitive information.
Additionally, many organizations do not properly lock down permissions on user accounts. When a large number of users receive administrative rights, or rights unnecessary for their business role, the attack surface area grows exponentially. Limiting elevated privileges can reduce unnecessary risk, but this can be challenging for security teams without the proper monitoring solution.
Another difficulty in operating without a monitoring solution is the inability to document changes. Whether there are individual privileges being changed or administrators being added or removed from a domain, the ability to document actions is valuable. Organizations need these changes to be documented not only to improve security posture but to comply with security regulations and frameworks.
Regulations and Standards
Security frameworks and publications such as NIST 800-53 placed emphasis on privileged user management after Operation Eligible Receiver 97 had concluded. NIST 800-53 is a publication of security and privacy controls for information systems and organizations which draws parallels between a majority of industry-specific frameworks (such as HIPAA, FFIEC, PCI DSS). The publication serves as a guideline for any organization looking to improve security posture and clearly outlines various best practices for privileged user management.
These best practices can be seen in the Access Control section of NIST 800-53 and include controls such as
- AC-2 Account Management – Define and document the types of system accounts allowed for use within the system in support of organizational missions and business functions.
- AC-3 Access Enforcement – Enforce approved authorizations for logical access to informational and system resources in accordance with applicable access control policies.
- AC-5 Separation of Duties – Separate assignment of organization-defined duties, document separation of duties, and define system access authorizations to support separation of duties.
- AC-6 Least privilege – Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. 
These functions along with the many other within the Access Control family of NIST 800-53 are a great guideline for organizations to follow. When these controls are partnered with the correct monitoring solution, security posture improves.
Monitoring Privileged User Management
Even with the help of guidelines such as NIST 800-53, security professionals will still benefit from the use of a monitoring solution that provides visibility and documents actions. For example, in most cases, the ability to manage auditing and security logs is only necessary for a select few user accounts. Enabling this privilege on accounts where it is not necessary for their organization-defined duties introduces the risk of an employee intentionally acting maliciously and deleting all records.
(The User Privileges Report lists all user privileges across all domains or just those domains specified in the Domain drop-down. Optionally, the report may be filtered by a specific user and/or computer using the appropriately named Username and Computer text fields. Further filtering by a number of user privileges may be utilized with Privilege(s) drop-down. More details on granted and denied privileges can be viewed by clicking the Privileges button.)
One example of a solution capable tracking privileges to prevent such risk is AristotleInsight®, which continuously monitors user privileges and documents all changes. AristotleInsight enables security professionals to view all privileges assigned to both users and computers and will alert on specified changes. The system provides security professionals with visibility into essential security metrics for privileged user management.
Privileged User Management With AristotleInsight
AristotleInsight was developed to meet the needs identified by Operation Eligible Receiver 97. The system continuously identifies risk, directs remediation, and documents results from security functions such as Privileged User Management, Configurations, Vulnerabilities, Asset Inventory, and Threat Analytics.
Utilizing the revolutionary UDAPE® technology, AristotleInsight collects reliable data from the process level across all devices on an organization’s network. A unique Bayesian Inference Engine sorts through the kernel level data highlighting actionable items to help security teams identify risk, direct the remediation process, and document results. This helps security teams save time and better manage cybersecurity posture.
AristotleInsight is the perfect solution for an organization attempting to build their security process. For organizations with a mature cybersecurity process in place, AristotleInsight is an effective hunt tool.
About the Author:
Josh Paape is an Online Marketing Specialist at Sergeant Laboratories, a leader in security and compliance solutions that allow businesses, governments, and healthcare institutions to comply with regulations and stay a step ahead of criminals. As a graduate of the University of Wisconsin – La Crosse, Josh has experience marketing products from a variety of industries. As a contributor to CDM, he hopes to spark new thought and discussion topics in the information security community.
Connect with Sergeant Laboratories: https://www.sgtlabs.com
Sergeant Laboratories Blog: https://www.aristotleinsight.com
 Security and Privacy Controls for Federal Information systems and Organizations, https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final