Cutting the Bad Guys off at the Pass

I spent part of my Father’s Day weekend as a quintessential dad: lying on the couch watching “300”, the fictional portrayal of the Battle of Thermopylae, where – in the movie – a force of 300 elite Spartan warriors held off a massive Persian army by forcing the Persians to pass through a narrow canyon road to effect their invasion of Greece. The pass at Thermopylae was the smart place to fight the Persians, since the bad guys – at least as portrayed in the movie – had no choice but to pass through it.

Hold that Thermopylae thought for a moment; we’ll come back to it. But first, to the InfoSec world, and the growing evidence that hackers prefer attack techniques based on stolen credentials. Take, for example, this from the 2012 Verizon Data Breach Investigations Report:

“Authentication-based attacks were the most popular hacking threat action. ‘The easiest and least detectable way to gain unauthorized access is to leverage someone’s (or something’s) authorized access. Why reinvent the wheel?’ So, it really comes as no surprise that authentication-based attacks factored into about four of every five breaches involving hacking in our 2012 dataset. Nor is it all that surprising that we see this year after year.”

And, since 95% of enterprises use Active Directory, just about all authentication-based attackers have one thing in common: they must interact with Active Directory to enable a successful attack.

Awkward segue/analogy alert: Now back to my Father’s Day weekend. Active Directory is like the Thermopylae for InfoSec professionals. More often than not, the bad guys have no choice but to pass through Active Directory to complete their invasion of the enterprise.

Let’s take, for example, a Pass-the-Hash attack. The bad guys gain access to an individual workstation – using a phishing email, for example – where local admin credentials are stored in memory because one of the IT guys recently installed a software upgrade. They run Mimikatz to extract all credentials in memory, but the compromised machine holds only the laptop user’s credentials and those of a local admin account, so they’re stuck…but not really.

Quick aside: in 2014, a Tech Ed Seminar was led by Mark Simos and Nicholas DiCola (https://tinyurl.com/ozbb5xp), two security architects in Microsoft’s services group. Essentially they engage in customer consulting efforts before and after breaches to design the most effective network architectures to combat attackers. During that presentation, they asked the security professionals in the audience how many use the same password for all workstation local admin accounts. The result was “about half.”

Now back to our attackers, “stuck” at the single workstation they’ve compromised. Remember that they hold local admin credentials for the compromised machine, so they can now try those credentials on other workstations. Consequently, if the company they’ve penetrated happens to be one of those that raised their hand when asked whether they use a common local admin password across the organization, the attackers now have local admin credentials for every workstation on the network. They log into them one by one and eventually find a laptop where a domain admin account was recently used to install software. Those domain admin credentials are stored in the workstation’s memory, so the attackers now hold domain admin credentials and effectively have access to everything.

But, as noted above, the attackers have to “try” those local admin credentials on multiple workstations to expand their attack from the single-machine beachhead that buys them very little. However, another, more accurate, way to phrase “trying” is that the attackers must attempt to authenticate via Active Directory. There’s no way for the bad guys to expand their attack without going through Active Directory…just like the Persians had no choice but to pass through Thermopylae to invade Greece.

How pervasive is this attack technique? In a word (or two), a lot. During the Microsoft seminar referenced previously, the presenters offered the following:

“Pretty much in every incident response we’ve seen, there’s been some use of credential theft. Almost every time. Maybe one or two cases where we didn’t actually see that…once they’re in, Pass-the-Hash. That’s the way they go.”

But how successful are PTH attacks? Again, according to the Microsoft security architects, very: the average time for Pass-the-Hash attackers to obtain Domain Admin credentials is…48 hours.

Bottom line: the key is Active Directory. Understanding authentication activity across the organization makes it very difficult for attackers to move laterally without detection. Still, gaining that “understanding” and insight into AD activity is non-trivial, and requires analyzing hundreds of events that may look completely normal when examined individually. A legitimate local admin account authenticating to a workstation happens all the time; knowing that a series of local admin logins deviates from normal patterns requires intelligence and context…none of which can be obtained from the analysis of native logs.
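The kind of context-aware analytic described above, as an added illustration that is not StealthINTERCEPT’s code or anything from the Microsoft seminar: it learns each account’s normal host footprint from earlier authentication events and alerts when, within a short window, the account authenticates to more distinct hosts outside that footprint than a threshold allows. The events, account names, window and threshold are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data): timestamp, account, target host.
# The first rows model a local admin account's normal footprint; the 2014-06-16 rows model
# the credential-reuse burst from the post, one account hopping across many workstations.
SAMPLE_EVENTS = [
    ("2014-06-10T08:00:00", "localadmin", "WS-001"),
    ("2014-06-11T08:05:00", "localadmin", "WS-001"),
    ("2014-06-12T17:30:00", "localadmin", "WS-002"),
    ("2014-06-13T08:00:00", "jsmith", "WS-017"),
    ("2014-06-16T02:10:00", "localadmin", "WS-003"),
    ("2014-06-16T02:12:00", "localadmin", "WS-004"),
    ("2014-06-16T02:13:00", "localadmin", "WS-005"),
    ("2014-06-16T02:15:00", "localadmin", "WS-006"),
    ("2014-06-16T02:20:00", "localadmin", "WS-001"),
]


def parse_events(rows):
    """Turn (iso timestamp, account, host) rows into chronologically sorted tuples."""
    return sorted((datetime.fromisoformat(ts), acct, host) for ts, acct, host in rows)


def detect_horizontal_movement(rows, window=timedelta(minutes=30), max_new_hosts=3):
    """Return alerts as (account, window_end, new_hosts).

    An alert fires when an account authenticates to more than max_new_hosts distinct
    hosts inside one window that it had never authenticated to before the window began.
    A single login to an unfamiliar host is normal; a cluster of them is the pattern.
    """
    by_account = defaultdict(list)
    for ts, acct, host in parse_events(rows):
        by_account[acct].append((ts, host))

    alerts = []
    for acct, evs in by_account.items():
        for i, (ts, _) in enumerate(evs):
            start = ts - window
            # Hosts this account used before the window: its learned "normal" footprint.
            known = {h for t, h in evs if t < start}
            # Distinct hosts touched inside the window that fall outside that footprint.
            new_hosts = {h for t, h in evs[: i + 1] if t >= start and h not in known}
            if len(new_hosts) > max_new_hosts:
                alerts.append((acct, ts, sorted(new_hosts)))
                break  # one alert per account is enough for the illustration
    return alerts


if __name__ == "__main__":
    for acct, when, hosts in detect_horizontal_movement(SAMPLE_EVENTS):
        print(f"ALERT {when.isoformat()} {acct} -> {len(hosts)} new hosts: {', '.join(hosts)}")
```

The baseline here is simply "hosts seen before the window"; a production analytic would also weigh time of day, logon type and peer-group behaviour, which is the context the paragraph above is pointing at.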

Bottom bottom line: we can help. Our StealthINTERCEPT product includes built-in, out-of-the-box analytics to detect and alert on horizontal account movement, and operates completely independently of native logs. We call it an “Active Directory Firewall.” You can call it your “300” for your network’s Thermopylae pass.

Author’s Note: Graphics used in this blog post were taken from the previously referenced 2014 Tech Ed webinar: https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213#fbid=?hashlink=fbid, an exceptionally informative seminar I encourage all readers to take the time to watch.
