Ceding control to attackers — without knowing it

IT security strategies are not complete unless they protect access to administrator credentials and improve domain controller security.

The majority of advanced cyber attacks against organisations tend to follow a regular pattern. Take Bangladesh Bank by way of example. Attackers gained entry through the network perimeter, compromised a privileged credential and then used that as a jumping-off point to escalate privileges until being able to complete their primary objective.

The endgame is achieving domain administrator privileges because of the unrestricted access and control they provide. This level of privilege allows attackers to manipulate the most sensitive assets in the network — domain controllers (and Active Directory) — while remaining hidden from view. This means access to the most sensitive data in the organisation, and the ability to execute a complete network takeover.

Preventing attackers from ever reaching these credentials is essential for every enterprise security strategy, not least because, if they get this far, the attacker can manipulate whatever security solutions have been purchased to protect the company.

Stopping these threats requires blocking attackers’ progress at two key phases of the attack lifecycle — during the initial credential theft and then as they move laterally through the network. This requires multiple proactive controls and real-time detection capabilities to quickly identify and stop in-progress attacks.

Mitigating credential theft risk

Every credential with elevated privileges presents an opportunity for attackers to establish a foothold in an IT network. So, a first step in reducing an attacker’s chance of success is to reduce the number of accounts with privileges. Obvious accounts to delete are ‘orphaned’ and unnecessary privileged accounts, which are common in organisations, sometimes the by-product of administrator turnover and careless management.

Organisations should also consider eliminating personal privileged accounts, typically created to enable privileged access while also improving security by providing visibility and accountability for individual account use. All shared account credentials can be securely stored in a digital vault with access tracked for each user.

Once only necessary privileged credentials and accounts remain, the next step is to centrally manage and secure the credentials. Privileged credentials in the hands of authorised users are exposed to potential theft due to careless management practices including storing on local computers, writing down passwords, sharing credentials and lack of full-lifecycle provisioning procedures. All credentials providing privileged access should be inventoried and securely stored centrally.

One effective way to prevent misuse of privileged passwords is to prevent the user from ever seeing or knowing the password. The use of a jump server initiates a session without the password ever existing on the user’s endpoint, rendering credential theft techniques such as keystroke logging and memory scrapers useless for attackers.

Reducing lateral movement

Lateral movement is a technique used by attackers to prowl a network and advance towards their ultimate goal. Compromised passwords, password hashes and Kerberos tickets can all be used in various types of lateral movement techniques.

It has been shown that, in many networks, most machines can serve as a starting point for an attack that can compromise more than 80% of the network using hijacked credentials. This means an attacker may only have to get lucky once to gain access to the majority of the network. Steps to reduce this problem include:

• Assigning unique passwords for local accounts. A common culprit in lateral movement is local administrator accounts. Once a single local administrator account is compromised, the attacker is likely to have access to every system and full reign of the environment.
• Invalidating password hashes. Regular rotation of credentials is strongly recommended for reducing the chance of credential theft; this is a critical aspect of inhibiting lateral movement.
• Establishing credential boundaries. Another method of restricting lateral movement is to establish and enforce credential boundaries, or disallow credentials used in one tier of devices to be used in a different tier. For example, any credential used to access the domain controller cannot also be used to access servers.

Detection in real time

When it comes to attacks, early detection and response is crucial in helping to lessen the impact. Analytics solutions can be used to identify unusual user behaviour and system activity indicative of an attack. Also, machine learning algorithms can examine typical patterns of individual privileged users, privileged accounts and system activities to determine a baseline of ‘normal behaviour’.

Kerberos attacks including Overpass-the-Hash and Golden Ticket attacks can be crippling to an organisation. Early detection of these devastating attacks is critical. With ongoing analytics on network traffic, organisations can detect Kerberos attacks in real time and equip security teams with the critical intelligence needed to quickly respond.

In addition to providing intelligence around each security incident, there must be the ability to promptly respond to detected threats. This means not only detecting suspected stolen privileged credentials, but also immediately rotating compromised credentials to stop an attacker from continuing to use a compromised credential.

Using a combination of proactive protection and threat detection, organisations have the ability to thwart attackers’ attempts to steal credentials and move laterally through the network.

With greater visibility and understanding about the risks of advanced threats, designing and implementing strategies to protect access to domain administrator credentials and improve domain controller security should be critical areas of focus for all organisations.