Mar 17 · 4 min read
By: Brian Gladstein
Abnormal Is The New Normal in Cybersecurity
As an industry, we’re all scrambling a bit right now. Employees are working from home, plans are being re-assessed, and meanwhile every security professional knows that amidst this chaos the adversary will be looking to take advantage of the situation.
Here at Cmd we’ve been helping our customers get control over the things they can control right now. One of the most high-value projects we see companies implementing – low-hanging fruit, so to speak – is 2FA across their Linux cloud or datacenter. Normally a complex project, this deployment becomes easy, scalable, and high-impact with Cmd.
2FA In Your Cloud / DataCenter is a Quick Win
The environment we’re operating in right now creates an interesting challenge: when all your systems are designed to help identify so-called “abnormal behavior” – what happens when those normal behavior patterns completely change? It’s really hard to identify suspicious activity when all the activity looks different than it did only a couple weeks ago.
So we tighten control by doing things like putting protection in place around your core cloud and datacenter assets – where sensitive data, customer information, and mission-critical services live. While these environments are typically protected by a VPN or firewall (sometimes with 2FA), all too often the systems inside the environment are more akin to the wild west. That’s why issues like lateral movement and privilege escalation can be so hard to spot – many companies just don’t have controls in place to enforce security policy after an attacker gets inside.
That’s why one of the quickest wins you can actually execute right now is deploying 2FA in your cloud or datacenter. You’ll be protecting critical systems and elevating the security and accountability of your remote workforce in one single action.
Cmd + 2FA = Rapid Deployment, Real Protection
Cmd can help you deploy 2FA very quickly within your Linux-based cloud or datacenter. Typically, getting 2FA set up in these elastic environments is a complex project, involving large-scale syncing of identities between your corporate directory and maybe thousands of ephemeral systems. However, Cmd takes a different approach that’s far easier.
With Cmd, you don’t need to modify any accounts or permissions on your Linux systems. Instead, the user is prompted when they log in to enter their 2FA credentials (using whatever system credential they have) and from that point on the identity of the user is tied to the account they use to log in, and any actions they take are associated with it through the Cmd console. This data can also be exported into the auditing system or SIEM of your choice. As you’d expect, if the authentication process fails, the user is blocked from logging in.
Google Authenticator, Duo, Yubico… You Name It
Here’s an example of how this works with Google Authenticator – an easy (and free) way to set up 2FA. Note that all it takes to set Cmd up on the system is executing a 1-second script, which can easily be automated through Chef, Puppet, Salt, Ansible, or whatever deployment method you like.
In this video, watch as:
- The user logs into an SSH session as a user named ubuntu
- Before the login is successful, Cmd prompts to authenticate
- The user selects Google Authenticator and types their one-time password
- Once authenticated the user is able to access the system
- The Cmd console records their session log in real-time, correlating the user ubuntu to their real identity JohnKimble
Protect SSH Access with Cmd and Google Authenticator in Seconds
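To show what the Google Authenticator step above actually checks, here is an added example of an RFC 6238 TOTP verifier with the clock-drift window and replay rejection a login gate needs, plus the kind of audit record that ties the system account (ubuntu) to the real identity (JohnKimble). This is illustrative code written for this post, not Cmd’s implementation; the secret is the published RFC 6238 test vector and `gate_login` is a hypothetical function.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret ("12345678901234567890" in base32). A published
# test value, not a real key; a real deployment stores one secret per user.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def totp_code(secret_b32, step):
    """RFC 6238 TOTP: HOTP (RFC 4226) with the 30-second time step as the counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.4)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret_b32, submitted, now, last_used_step=None, skew=1):
    """Accept a code for the current step or one within +/- skew steps (clock drift),
    but never for a step at or before the last one that already authenticated this
    user, so a still-valid code cannot be replayed. Returns (accepted, matched_step)."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False, None
    current = int(now // STEP_SECONDS)
    for step in range(current - skew, current + skew + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(totp_code(secret_b32, step), submitted):
            return True, step
    return False, None


def gate_login(system_user, identity, secret_b32, submitted, now, last_used_step=None):
    """Hypothetical login gate: run the TOTP check and emit the kind of audit record
    (ready for a SIEM) that ties the shared system account to the real person."""
    ok, step = verify_totp(secret_b32, submitted, now, last_used_step)
    record = {"event": "ssh_login", "system_user": system_user, "identity": identity,
              "mfa": "totp", "result": "allow" if ok else "deny", "ts": int(now)}
    return ok, step, record
```

A caller persists the returned `matched_step` as `last_used_step` for that user, which is what turns a one-time password into something that is actually one-time.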
By the way, you can also set Cmd up to trigger a 2FA authentication on other events – most commonly privilege escalation through sudo. In this setup, users continue to log in as they always have and are prompted to authenticate (with Duo, in this example) only when they escalate.
In this video:
- The administrator sets up an action requiring 2FA in order to use sudo
- In the live session, the user attempts to issue a command using sudo
- Before the command executes they are prompted by Cmd to authenticate
- The user chooses Duo but their first attempt fails and Cmd blocks the command
- After a successful second attempt, the command executes as intended
Use Cmd with Duo to Protect Sudo Commands in Linux
There’s More To The Cmd Platform Than 2FA
There are a number of other ways Cmd makes this deployment easy and fast:
- Real-time session & user monitoring: Cmd lets you follow along with what users are doing once they log in, through a very easy-to-understand terminal viewer. It’s like looking over their shoulder – you can follow along with live sessions and even kick suspicious users off the terminal. We call it the big purple button.
- Works for any shell / login method: The authentication check works no matter how the user is logging in or asking for permissions. You don’t have to disrupt your users’ workflows – they can continue to operate the way they normally do.
- Also protects against service account exploits: Let’s say an attacker is able to exploit some out-of-date web service and pop a shell – even in that case Cmd’s 2FA protection will keep them from doing anything with those escalated privileges.
- Compatible with any major Linux distro: Cmd is lightweight, fast to install, and works across pretty much any distro of Linux you are running.
- Alerting, reporting, auditd replacement: There’s a lot more you can do with Cmd, including setting up alerts for anomalous activity such as MITRE ATT&CK triggers. Many customers use Cmd to replace their jerry-rigged auditd installations with something more robust and far easier to navigate.
Move Fast – Request a Demo
Want to see more? We’re happy to walk you through the product and discuss how we can help you through these difficult times and beyond. Sign up for a personalized demo with one of our security experts today.