Using Entropy to Improve Cybersecurity Resilience.
Let's say you have a highly organised pot with marbles in two colours. Imagine that you want to extract a specific-coloured marble from this pot. Should be quite simple, shouldn’t it?
But what if the pot is disorganised and both colours are mixed randomly? How about now? It makes the task of extracting a specific colour more difficult.
So, Entropy is defined as the quantitative measure of disorder or randomness in a system.
In other words:
- If the Entropy of a system (the pot of marbles) is low, the system is ordered and organised.
- If the Entropy of a system is high, the system is disordered.
How does this relate to cybersecurity and GuardYoo?
As part of a GuardYoo Compromise Assessment, a local Account Inventory is performed to provide clarity around the number of active Service Accounts and End-User Accounts that have access to a network.
All Service Accounts should be set up for a specific reason and will operate in a standardised manner, (Low Entropy), while End-User Accounts are used by humans and so do not operate in a standardised manner (High Entropy).
GuardYoo uses Entropy to distinguish humans from "services".
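To make the idea concrete, here is an added example of the kind of measurement described above; it is illustrative code written for this post, not GuardYoo's own implementation, and the features (logon hour and source host), the Shannon entropy formula, the 1-bit threshold and the minimum event count are all assumptions chosen for the demonstration. The logon events are constructed sample data: two scheduled service accounts that always behave the same way, one human who logs on at varied hours from several machines, and one account with too few observations to judge.

```python
import math
from collections import Counter, defaultdict

# Constructed sample logon events: (account, hour of day, source host).
# Not real data; built to show the low/high entropy contrast the text describes.
SAMPLE_LOGONS = [
    # svc_backup: scheduled job, same hour, same host every night.
    *[("svc_backup", 2, "bkp01") for _ in range(8)],
    # svc_monitor: scheduled job, same hour, alternating between two probe hosts.
    *[("svc_monitor", 3, "mon01" if i % 2 == 0 else "mon02") for i in range(8)],
    # jdoe: a person, logging on at varied hours from a desktop, a laptop and VPN.
    ("jdoe", 8, "ws-jdoe"), ("jdoe", 9, "ws-jdoe"), ("jdoe", 11, "vpn"),
    ("jdoe", 13, "ws-jdoe"), ("jdoe", 14, "lap-jdoe"), ("jdoe", 17, "vpn"),
    ("jdoe", 19, "lap-jdoe"), ("jdoe", 21, "ws-jdoe"),
    # svc_legacy: only two observations, too few to say anything reliable.
    ("svc_legacy", 4, "old01"), ("svc_legacy", 4, "old01"),
]


def shannon_entropy(values):
    """Shannon entropy in bits, H = -sum(p_i * log2(p_i)), of the observed values."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def account_entropies(events):
    """Per-account entropy of the logon-hour and source-host distributions."""
    per_account = defaultdict(list)
    for account, hour, host in events:
        per_account[account].append((hour, host))
    return {
        account: {
            "events": len(obs),
            "hour_bits": shannon_entropy([h for h, _ in obs]),
            "host_bits": shannon_entropy([s for _, s in obs]),
        }
        for account, obs in per_account.items()
    }


def classify_accounts(events, threshold_bits=1.0, min_events=5):
    """Label each account 'service-like' (low entropy on both features),
    'human-like' (high entropy on either) or 'insufficient-data'.
    threshold_bits and min_events are illustrative choices, not GuardYoo's."""
    labels = {}
    for account, stats in account_entropies(events).items():
        if stats["events"] < min_events:
            labels[account] = "insufficient-data"
        elif stats["hour_bits"] <= threshold_bits and stats["host_bits"] <= threshold_bits:
            labels[account] = "service-like"
        else:
            labels[account] = "human-like"
    return labels


if __name__ == "__main__":
    for account, stats in account_entropies(SAMPLE_LOGONS).items():
        print(f"{account:12s} events={stats['events']:2d} "
              f"H(hour)={stats['hour_bits']:.2f} H(host)={stats['host_bits']:.2f}")
    print(classify_accounts(SAMPLE_LOGONS))
```

The minimum event count matters in practice: entropy computed over a handful of observations is always low, so a rarely used account would otherwise look "service-like" simply because there is not enough data, which is exactly the dormant, unsupervised account an inventory should flag for review rather than quietly accept.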
To highlight how this area is a clear and present threat, see the example of a white paper issued by CrowdStrike on the subject.
Service Accounts are particularly important because they are often installed under the central local system account and essentially have local administrator privileges. When compromised, these privileges could potentially grant hackers access to domain credentials and allow them to move laterally within a network. To make matters worse, Service Account passwords are rarely changed or rotated by IT Teams for fear of disruption to productivity. (The Service Account may have been in place for so long that the IT Team does not know what will happen if they make changes.)
If attackers gain access to a Service Account, they can indirectly access all the resources to which that Service Account has access. Any user given the role of a Service Account User can use those credentials to access all resources tied to the account and can potentially impersonate the Service Account to perform malicious tasks using its elevated roles and permissions. Essentially, an attacker can go completely unnoticed within a network with the ability to access or manipulate an Active Directory (AD) domain, thus having the figurative "keys to the kingdom".
Some key points from the CrowdStrike article are as follows:
- Gaining control of a service account opens a pathway to attaining sensitive data, allowing an attacker to freely roam and explore your network while remaining undetected for weeks, months, or even years. Cybercriminals target service accounts because they prefer the easiest technique for gaining persistent access and appearing to be part of your normal IT operations.
- The original person who set up the service account may leave and neglect to pass on vital information about its purpose.
- The original system tied to a service account may no longer be needed, but the account may live on with no control or supervision.
- Service accounts may have been set up for temporary purposes, such as software installation or system maintenance, but left in place long after their use.
I hope you find this of interest, and can perhaps share it with your network as a further example of how we at GuardYoo are not just a "product" that looks to block breaches from happening, but are focused on helping companies to fully understand how their network truly operates and where their real vulnerabilities lie.
By the way – the Entropy formula looks like this:
If you would like to get in contact to learn more, please reach out - info@GuardYoo.com or send us a message via the chat function.