SkyArk.. New AWS Stealth watch for shadow IT

A new open-source tool designed to identify Shadow Admin accounts in Microsoft Corp. Azure and Amazon Web Services Inc. cloud environments.

Called CyberArk SkyArk, the tool is designed to help organizations combat Shadow Admins by targeting and securing the most privileged entities in both Azure and AWS environments.

Shadow Admin accounts have sensitive privileges on a network and are typically overlooked because they are not members of a privileged Active Direct group. Instead, Shadow Admin accounts are typically granted their privileges through the direct assignment of permissions.

They’re highly desired by attackers because they provide administrative privileges necessary to advance an attack while having a lower profile than well-known admin group members.

“While organizations may be familiar with their list of straightforward admin accounts, Shadow Admins are much more difficult to discover due to the thousands of permissions that exist in standard cloud environments (i.e. AWS and Azure each have more than 5,000 different permissions),” CyberArk explained. “As a result, there are many cases where Shadow Admins might be created. Despite the appearance of limited permissions, a Shadow Admin with just a single permission has the ability to gain the equivalent power of a full admin.”

SkyArk offers two main scanning modules, AzureStealth and AWStealth, to scan Azure and AWS environments. The tool only requires read-only permissions because it simply queries cloud entities and their assigned permissions before performing an analysis and providing results.

The results can be used by both internal red and blue teams. For red teams, which are used to break into systems to test security, the results can be used to target discovered Shadow Admins through password matching, spear-phishing or a targeted attack on the endpoints of the employee discovered to have admin or shadow rights. For blue teams, which defend against attacks, the results can be used to eliminate unintended admins and remove unnecessary permissions from Shadow Admins.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s