From the Field: Real-World Findings from Security Assessments
47.6% of infrastructures I've assessed don't have a central point for managing Active Directory.
That means no PAW. No separation of duties. No controlled management plane.
And yes, plaintext MFA admin credentials are often just one RDP session away from being harvested.
Too many places still manage AD from a regular user workstation: no jump host, no PAW, no isolation.
That massively expands your attack surface because highly privileged credentials are being used on untrusted devices.
Big no-no.
Let's say a good start could be some Jump Point/Jump Host/Administration Host, whatever you want to call it, but it still does not protect you from all threats…
Aim for a Privileged Access Workstation (PAW) model:
▪️ Isolate all privileged tasks from day-to-day user machines
▪️ You don't need a separate physical box for every admin tier; virtualization is fine, and you can even combine it with cloud (great talk on this topic from Jake and Eric at Blue Team Con!)
▪️ Host hardware running those VMs must be trusted. If the underlying device is compromised, virtualizing won't help.
And remember:
PAWs are only one piece. Implement them alongside a Tiering Model so privileges and management paths are strictly separated before you start moving accounts and services around.
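One way to make the PAW-plus-tiering rule measurable is to check successful logon events against it: a privileged session must start on a PAW of the account's tier, and an interactive or RDP logon must never land on a lower-tier host, where the credential would be cached on an untrusted device. The following is an added example written for this post, not the author's own tooling; the account names, host names, tier assignments and event lines are constructed assumptions, with field names mirroring those of Windows Security event 4624.

```python
"""Policy check for privileged logons against a PAW / tiering model.

Added example, not the post author's tooling. Event lines, account names,
host names and tier assignments below are constructed assumptions; the
field names mirror those of Windows Security event 4624 (successful logon).
"""
from dataclasses import dataclass

# Assumed tier assignment of accounts (2 = ordinary user, not privileged).
TIER_OF_ACCOUNT = {
    "da-jsmith": 0,       # Domain Admins member (Tier 0)
    "srvadm-jsmith": 1,   # member server admin (Tier 1)
    "jsmith": 2,          # day-to-day user account
}
# Assumed PAWs per tier: the only hosts a privileged session may start from.
PAW_HOSTS = {0: {"PAW-T0-01", "PAW-T0-02"}, 1: {"PAW-T1-01"}}
# Assumed assets each tier manages; anything unlisted counts as a Tier 2 user device.
MANAGED_SCOPE = {0: {"DC01", "DC02"}, 1: {"FS01", "SQL01"}}
# Logon types that leave reusable credential material on the target host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP). Network logons (3) do not.
EXPOSING_LOGON_TYPES = {2, 10}


@dataclass
class LogonEvent:
    account: str       # TargetUserName
    target_host: str   # Computer the logon occurred on
    source_host: str   # WorkstationName: where the session originated
    logon_type: int    # LogonType


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value' event line into a LogonEvent."""
    fields = dict(token.split("=", 1) for token in line.split())
    return LogonEvent(
        account=fields["TargetUserName"],
        target_host=fields["Computer"],
        source_host=fields["WorkstationName"],
        logon_type=int(fields["LogonType"]),
    )


def host_tier(host: str) -> int:
    """Tier a host belongs to under the assumed model (unknown hosts are Tier 2)."""
    for tier in (0, 1):
        if host in PAW_HOSTS[tier] or host in MANAGED_SCOPE[tier]:
            return tier
    return 2


def evaluate(ev: LogonEvent) -> list:
    """Return the policy findings for one event; an empty list means compliant."""
    findings = []
    tier = TIER_OF_ACCOUNT.get(ev.account, 2)
    if tier >= 2:
        return findings  # not a privileged account under this model
    # Rule 1: a privileged session must originate from a PAW of the same tier.
    if ev.source_host not in PAW_HOSTS[tier]:
        findings.append(
            f"{ev.account} (tier {tier}) session started on {ev.source_host}, not a tier-{tier} PAW"
        )
    # Rule 2: an interactive/RDP logon on a lower-tier host caches the account's
    # credentials where a lower-tier admin or malware on that host could harvest them.
    if ev.logon_type in EXPOSING_LOGON_TYPES and host_tier(ev.target_host) > tier:
        findings.append(
            f"{ev.account} (tier {tier}) logon type {ev.logon_type} on lower-tier host {ev.target_host}"
        )
    return findings


def scan(lines) -> list:
    """Evaluate every line; return (account, target_host, findings) for non-compliant logons."""
    results = []
    for line in lines:
        ev = parse_event(line)
        findings = evaluate(ev)
        if findings:
            results.append((ev.account, ev.target_host, findings))
    return results


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    # compliant: Tier 0 admin RDPs to a DC from a Tier 0 PAW
    "EventID=4624 TargetUserName=da-jsmith Computer=DC01 WorkstationName=PAW-T0-01 LogonType=10",
    # the 'one RDP session away' case: Tier 0 admin RDPs to a DC from a user workstation
    "EventID=4624 TargetUserName=da-jsmith Computer=DC01 WorkstationName=WS-JSMITH LogonType=10",
    # tier boundary crossed: Tier 0 credentials land on a Tier 1 server
    "EventID=4624 TargetUserName=da-jsmith Computer=FS01 WorkstationName=PAW-T0-01 LogonType=10",
    # Tier 1 admin logs on interactively to a user device
    "EventID=4624 TargetUserName=srvadm-jsmith Computer=WS-JSMITH WorkstationName=WS-JSMITH LogonType=2",
    # ordinary user, outside the model
    "EventID=4624 TargetUserName=jsmith Computer=FS01 WorkstationName=WS-JSMITH LogonType=3",
]

if __name__ == "__main__":
    for account, host, findings in scan(SAMPLE_LOG):
        for finding in findings:
            print(f"[{host}] {finding}")
```

Both rules depend on the tiering model being defined first (which accounts and hosts belong to which tier); without that mapping there is nothing to compare a logon against, which is the practical reason to settle the tiers before rolling out PAWs.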
