In our sixth edition of the Insider Threat Podcast, we once again spoke with our resident white hat hacker, Jeff Warren. Jeff has just finished another installment in our ongoing blog series about insider attacks on Active Directory (AD). This time the focus was the Mimikatz toolkit and the many ways it is used to exploit weaknesses in AD. You can find out more in the main series of blog posts about Mimikatz attacks, as well as supplementary posts covering Skeleton Key, changing passwords, DCSync, and SSP-based attacks. Of course, Mimikatz has come up here before. It is an integral part of many attacks, malware families, and ransomware, so it is hard to avoid talking about it. As a security pro, having a deep understanding of what Mimikatz can do will make you a better defender.
Some of the Active Directory attacks we discussed can expose a lot more than just logins and unstructured data—they can expose, change, or circumvent basic password protections on AD accounts. That means anything that uses Active Directory for logging in could be at risk! When I was a hands-on engineer, I helped many folks integrate SAP systems into AD to provide single sign-on. The notion was that one very secure password was better than many weak ones. Today, you see federation and cloud gateways that also rely on Active Directory as the authentication for the whole set of organizational applications. Imagining the risk of something like Mimikatz being used to render all those passwords moot to allow an attacker broad access is nerve-racking to say the least.
On a positive note, Jeff and I agreed that you can avoid a lot of the damage with the simplest of mitigations. Keeping local admin rights under control, ensuring folks with privileged access follow basic precautions (e.g., the still underutilized RDP restricted admin mode), and making sure you’re patched to the latest levels are the basics you need to have in place. Of course, every organization should also be thinking about proactive monitoring, preventive measures (including making sure there isn’t configuration drift away from those precautions), and migrating away from applications and processes that force bad security practices (e.g., things that rely on out-of-date platforms or systems that need passwords in the clear for their configuration to work). If those more advanced things don’t sound that advanced to you, then you should give yourself a pat on the back. You are doing better than most.
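The basics above (local admin rights under control, RDP Restricted Admin mode in use, patches current, and no configuration drift away from those settings) are easy to state and easy to lose track of. As an added example that is not part of the original post or podcast, the PowerShell below checks a single Windows host for drift on exactly those three points. The allow-list of expected administrators and the patch-age threshold are placeholders you must replace with your own values; `Test-MimikatzMitigationDrift` is a name chosen for this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session (5.1 or later) on the host you want to check. Returns a list of
# drift findings; an empty list means the three basics are in place.
function Test-MimikatzMitigationDrift {
    param(
        # ASSUMED allow-list: replace with the accounts/groups you expect
        # to find in the local Administrators group on this host.
        [string[]] $ExpectedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins'),
        # ASSUMED threshold for "patched to the latest levels".
        [int] $MaxPatchAgeDays = 45
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. RDP Restricted Admin mode. It is enabled when the DWORD
    #    DisableRestrictedAdmin under the Lsa key is present and set to 0;
    #    a missing value means the mode is off.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ra = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    if ($null -eq $ra -or $ra -ne 0) {
        $findings.Add("Restricted Admin mode is not enabled (DisableRestrictedAdmin = '$ra')")
    }

    # 2. Local Administrators group versus the allow-list. Anything not on
    #    the list is a candidate for removal, or for an update to the list.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        foreach ($m in $members) {
            if ($ExpectedAdmins -notcontains $m.Name) {
                $findings.Add("Unexpected local admin: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]")
            }
        }
    } catch {
        $findings.Add("Could not enumerate local Administrators: $($_.Exception.Message)")
    }

    # 3. Patch level. Get-HotFix lists installed updates; the newest
    #    InstalledOn date gives a rough "how stale is this box" signal.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        $findings.Add('No hotfix install dates found; patch state unknown')
    } elseif ((New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days -gt $MaxPatchAgeDays) {
        $findings.Add("Newest hotfix $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()); older than $MaxPatchAgeDays days")
    }

    return $findings
}

# Usage: print each finding, or a clean result.
$drift = Test-MimikatzMitigationDrift
if ($drift.Count -eq 0) {
    'No drift detected on the three basic mitigations.'
} else {
    $drift | ForEach-Object { "DRIFT: $_" }
}
```

Two practical notes. The group check only sees direct members, so a nested domain group that is on the allow-list can still hide members you would not approve; pair this with a review of that group in AD. And Restricted Admin mode, while it keeps reusable credentials off the RDP target, also lets an attacker who already holds an account's NTLM hash open an RDP session to that host without the password, so it belongs alongside tight local admin control rather than in place of it.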
Click here to listen to the podcast.