The Blog
What are the Top Privileged Attack Vectors and Why

What are the Top Privileged Attack Vectors and Why


By Morey J. Haber CTO, CISO BeyondTrust

Each year, Verizon publishes their Data Breach Investigations Report (DBIR), and BeyondTrust publishes its Privileged Access Threat Report. Each report provides valuable data for information and security technology professionals around cybersecurity trends, perceptions, cyberattack methods, causes of breaches, and more. With both reports in front of us, we can make further deductions about cyberthreats, particularly the most dangerous ones—privileged threats, along with the best strategies to mitigate them. That is the focus of this blog.


Deducing the Top Privileged Threats from Available Data

In June 2019, BeyondTrust published this year’s Privileged Access Threat Report. To produce the report, we first surveyed over 1,000 IT decision-makers across a diverse set of industries throughout the U.S, EMEA, and APAC to gauge the perceived threats facing organizations and the risks of privileged attack vectors. The survey generated some noteworthy data around breaches and poor cybersecurity practices:


  • 64% of respondents thought it likely that they’ve suffered a breach due to employee access, and 58% indicated that they likely suffered a breach due to vendor access
  • 62% of respondents were worried about the unintentional mishandling of sensitive data by employees based on the following poor security practices:
    • Writing down passwords (60%)
    • Downloading data onto an external memory stick (60%)
    • Sending files to personal email accounts (60%)
    • Telling colleagues their passwords (58%)
    • Logging in over unsecured WiFi (57%)
    • Staying logged on (56%)
  • 71% of respondents agreed that there organization would be more secure if they restricted employee device access


But what are the attack vectors that drive these opinions—and fears?

According to the 2019 Verizon Data Breach Investigation Report (DBIR), use of stolen credentials is the second most common threat activity attackers leverage to breach an environment (Figure 12 of the DBIR – Top Threat Action Varieties), just below Phishing, and stolen credentials are the leading hacking method illustrated in Figure 13 of the DBIR (Top hacking action varieties in breaches). Additionally, Figure 35 in the DBIR reveals that Privilege Misuse is by far the leading security incident pattern (out of 9 patterns total that are responsible for 98.5% of security incidents).

Stolen credentials are most often used on mail servers leading to a variety of identity-based attack vectors. Unfortunately, the actual techniques used for obtaining and applying stolen credentials are not covered in the Verizon report. But that doesn’t mean the answers are beyond our grasp.

According to the BeyondTrust report’s findings, we can conclude that well more than half of employees and vendors have been the source of a breach, and also that poor cybersecurity hygiene for credentials and passwords are the prime cause for these breaches.


Combining the Verizon and BeyondTrust data points, we can deduce the following as the top privileged attack vector techniques used and why they are an unacceptable risk for any business:  

  • Password guessing
  • Dictionary attacks or Rainbow Tables
  • Brute force attacks
  • Pass the hash (PtH) or other memory-scraping techniques
  • Security question social engineering
  • Account hijacking based on predictable password resets
  • Privileged vulnerabilities and exploits
  • Misconfigurations
  • Malware like keystroke loggers
  • Social engineering (phishing, etc.)
  • MFA flaws using weak 2FA, like SMS
  • Default system or application credentials
  • Anonymous or enabled Guest access
  • Predictable password patterns
  • Shared or unmanaged, stale credentials
  • Temporary passwords
  • Reused passwords or credentials
  • Shadow or obsolete (former employee) credentials
  • Various hybrid credential attacks (i.e. spray attacks) based on variations of the above


Need further validation? Forrester Research estimates that privileged credentials are implicated in 80% of data breaches. The correlation of all three reports reaffirms these conclusions.


Preventing & Mitigating Privileged Attack Vectors

Now, the question becomes – what can organizations and users do to resolve these privileged attack vectors?

To begin, consider the following universal cybersecurity best practices regarding credential and password management:


While the implementation of these concepts may seem daunting and unachievable for many organizations, these goals are practical and well within your reach—but they do require your adoption of a formal Privileged Access Management (PAM) program. PAM, implemented via a true enterprise platform, will enable you to reduce risk, mitigate the attack vectors, and reliably adhere to cybersecurity best practices.

Here’s what a successful PAM journey within an organization encompasses:

  • Password Management for rotation and check in and check out of passwords.
  • Session Management for recording, indexing, filtering, and documenting all interactive sessions.
  • Endpoint Privilege Management to remove administrative or root privileges on any platform including Windows, MacOS, Unix, Linux, and even network devices like routers, switches, printers, and IoT devices.
  • Secure Remote Access to establish sessions based on personas (i.e. vendors or help desk staff), with least privilege credentials and the need to share credentials with approved operators.
  • Directory Bridging to consolidate logon accounts across non-Windows systems like Unix and Linux and have users, regardless of persona, authenticate using their Active Directory credentials in lieu of local accounts.
  • User Behavior Analytics and Reporting to provide complete attestation reporting, certifications, and alerting on inappropriate behavior based on privileged usage.
  • The complete integration of all the above capabilities within an organization’s established ecosystem for change management, ticketing, operational workflow, and security event information managers (SIEMs) in support of security best practices for just in time privileged access.


These practices ensure that credentials and passwords are robustly resistant to hacking attempts. In addition, should the credentials ever become compromised, the risk and damage from any exploit can be mitigated. Reducing the privileges of the credentials to those of a standard user makes it exceedingly difficult for a threat actor to use privileged attack vectors (stolen credentials) as a method of compromise.


Next Steps in Eradicating Privileged Threat Vectors from your Environment

The BeyondTrust Privileged Access Threat Report highlights the fears, knowledge, and security risks that information technology and security professionals deal with every day. Combining these findings with those of the Verizon DBIR and other benchmark studies provides us with further insights into the most common methods used by attackers to breach your defenses.


Stolen Credentials is the top method hackers target to freely navigate their way around an organization. Privilege Misuse is the most common pattern associated with security incidents. The privileged attack vectors responsible for stolen credentials / privilege misuse are well known, and the cybersecurity best practices to mitigate them can be consistently applied via an enterprise privileged access management solution.


The 2019 Privileged Access Threat Report does leave us with one nugget of optimism--90% of those with fully integrated PAM tools are confident in their ability to identify specific threats from employees and vendors with privileged access. How confident are you in your own organization’s PAM abilities?

Interested in more resources on continuing your PAM Journey? Check out:


Buyer’s Guide for Complete Privileged Access Management (PAM)


The Guide to Just-In-Time Privileged Access Management


Or, just contact BeyondTrust.


To learn more about future CIO events, click here.

Share this:
Request more information

You have missed out some details, please try again.

Your Name:
Job Title:
Company Name:
Please answer the above question to prove that you are human.

©2020 Global Business Intelligence | All Rights Reserved

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we'll assume that you are happy to receive all cookies. You can find out how we use cookies here.