Gateways to havoc: Overprivileged dormant service accounts

Service accounts are non-human identities used to automate machine-to-machine interactions. They support critical functions – such as running scripts, services, and applications like websites, APIs, and databases – and facilitate integrations, operating as a proxy to humans and supporting business processes.

In an ideal world, service accounts have one singular “job”, are granted least privileged access to resources, and are monitored and managed with identity security hygiene best practices in mind. In this utopia, threat actors and data breaches are non-existent.

But this is the real world. Service accounts are often overprivileged, forgotten about and lack proper password security protocols. Some of these once-productive service accounts become dormant over time, making them suitable targets for threat actors.

What makes service accounts dormant?

Dormant accounts are inactive service accounts. While there isn’t one universally accepted time frame for a service account to be considered dormant, generally, 90 days of inactivity is when the definition begins applying. If the service account hasn’t been used to perform operations or access systems after 90 days, or if they are associated with deprecated applications or services, they are considered dormant.

Other parameters of dormant service accounts include outdated permissions or roles assigned to the account that are no longer needed. Redundant service accounts whose function has been replaced by newer accounts are also considered dormant. Finally, the lack of a defined owner to track the purpose of service accounts, their chains of access, and manage and update passwords also make them dormant.

How dormant service accounts become invisible keys for attackers

These seemingly “dead” accounts plague organizations in every industry across the globe because they can easily be exploited. Dormant accounts go unnoticed, leaving organizations unaware of their access privileges, the systems they connect to, how to access them, and even of their purpose of existence.

Their elevated privileges, lax security measures, and invisibility, make dormant service accounts prime targets for infiltration. By compromising such an account, attackers can gain significant access to systems and sensitive data, often without raising immediate suspicion for extended periods of time. During that time, cyber criminals can elevate privileges, exfiltrate data, disrupt operations, and install malware and backdoors, causing total mayhem completely undetected until it’s too late.

The weaknesses that plague dormant accounts make them open doors into an organization’s system. If compromised, an overprivileged dormant account can give way to sensitive data such as customer PII, PHI, intellectual property, and financial records, leading to costly and damaging data breaches.

Even without being breached, dormant accounts are significant liabilities, potentially causing operational disruptions and regulatory compliance violations. Regulators have historically associated identity with users, leading to the development of numerous tools designed to secure human accounts. For example, MFA is a robust security method for user accounts. However, MFA cannot be applied to service accounts – as automated bots, they can’t prove their identity.

In highly regulated industries, overprivileged dormant accounts can lead to non-compliance resulting in legal repercussions, reputational damage and significant fines.

Shifting security perception to modern methods

Traditionally, security practitioners have assumed that the perimeter is the main entry point for threat actors, but the proliferation and growth of cyber threats and rapid advancements in technology have created a plethora of new attack vectors.

To address this, there are now over 3,500 vendors focused on addressing different aspects of cybersecurity. Security practitioners have the daunting task of cobbling together various tools and technologies to protect their organizations and staying up to date with the latest changes and advancements.

However, we live in a new reality that requires professionals to assume that attackers are already in the system. This shift in perspective enables enterprises to better prepare for potential attacks by addressing their internal weak points such as dormant service accounts.

While most enterprises currently rely on static identity vulnerability solutions to detect abnormal activities in both human and non-human (service) identities, these tools often fall short. They provide only a snapshot of current behavior and do not account for dormant accounts, lacking the capability to track changes over time.

The critical first step is to discover dormant accounts, along with their associated services and privileges. Implementing a modern identity security solution with behavioral monitoring and streaming capabilities allows enterprises to find both human and machine accounts and receive real-time updates on their activities, allowing for the continuous monitoring and detection of abnormal behavior.