A common view in the cyber security industry is that criminal and nation-state cyber attacks have advanced to the point where it’s almost impossible for most organizations to stop the threat. Attacks on enterprise networks occur on a near-continuous basis. And attackers can often accomplish a takeover in less than ten minutes.
- Automated hacker tools can test a vast array of vulnerabilities to exploit even a single mistake.
- Pass-the-Ticket attacks can bypass multi-factor authentication.
- Exploits such as stolen Kerberos tickets are immune to password changes.
However, despite such dire conditions, it is possible to counter these cyber attacks by implementing proper technical and behavioral controls. Here’s how:
Stage 1: Attacker Establishes a Foothold After an Initial Compromise
Start with the assumption that attackers have already compromised end-user machines on your network. This could have occurred through malicious email attachments, social engineering or other means. Regardless of how they got in, you can block attackers' lateral movement beyond the compromised systems, making it more difficult for them to gain a foothold in your network.
To minimize the value of an exploit on your network, it is essential to remove users from the local Administrators group on individual systems. Our mass management tools can find and remove unsecured local user accounts on thousands of machines at a time. Without local credentials it’s difficult for attackers to run Mimikatz, WCE, variants of Metasploit, and other tools that allow password, hash and ticket exfiltration. And, by denying an easy means to extract the credentials that allow lateral movement on your network, it could become necessary for attackers to use more expensive methods—such as a Zero Day exploit—to gain a foothold.
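The local Administrators cleanup described above, as an added example that is not the vendor's tool: a PowerShell audit that lists members of the local Administrators group on many hosts and flags anything outside an approved list. It assumes WinRM remoting is enabled, the caller has administrative rights on the targets, and that hosts.txt and the CONTOSO group names are placeholders for your own inventory and policy.

```powershell
# Added example, not the vendor's mass management tool.
# Assumes PowerShell remoting (WinRM) is enabled and the caller is an admin on each target.
$Computers = Get-Content -Path '.\hosts.txt'          # constructed input: one hostname per line
$Approved  = @(                                        # placeholder policy; CONTOSO is a stand-in domain
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

# Collect raw membership first so that hosts with only approved members still count as reached.
$Raw = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$Reached = $Raw.PSComputerName | Sort-Object -Unique

# Findings: members not on the approved list, excluding the built-in local Administrator
# (RID 500), which is expected to be present and is handled by password rotation, not removal.
$Findings = $Raw |
    Where-Object { $_.Name -notin $Approved } |
    Where-Object { -not ($_.PrincipalSource -eq 'Local' -and $_.Name -like '*\Administrator') } |
    Sort-Object PSComputerName, Name

$Findings | Format-Table PSComputerName, Name, ObjectClass, PrincipalSource -AutoSize

# Remediation is a separate, reviewed step, e.g. per finding:
#   Invoke-Command -ComputerName $f.PSComputerName { Remove-LocalGroupMember -Group 'Administrators' -Member $using:f.Name }

# Hosts that did not answer are a finding in their own right: unmanaged systems stay unremediated.
$Computers | Where-Object { $_ -notin $Reached } |
    ForEach-Object { Write-Warning "No response from $_ (offline, blocked WinRM, or not domain-joined)" }
```

Domain users added directly to the group and local accounts other than the built-in Administrator are the two cases this audit surfaces; each is exactly the kind of credential Mimikatz or WCE would harvest from a compromised workstation.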
While mass management tools can help you remediate unsafe configurations of services, tasks, and other processes, an equally important step is to discover and secure other privileged credentials on your network. These include not only administrator and root logins—but also SSH Keys, certificates and the rest.
Keep in mind that privileged credentials could be embedded in applications, configured for programmatic process and service access, and present in almost limitless places. And, if improperly secured, any one of these credentials could grant an attacker the access needed to take over your network. Privileged Identity Management solutions can discover each credential, replace it with a unique value, and randomize it on a regular basis or in response to anomalous behavior.
Download the white paper Using Automated Privileged Identity Management to Limit Intrusion Losses and Reduce Costs.
Stage 2: Attacker Escalates Privileges and Attains Lateral Movement
In this phase, the attacker seeks to extract more credentials to expand control of the network. As with the previous phase, common hacker tools—including Metasploit, Mimikatz, WCE, "pass the hash" and others—are used to obtain plain-text passwords, hashes, certificates or other secrets from compromised machines.
You can deploy the following safeguards to limit an attacker’s ability to extract credentials and move throughout your network:
- With Privileged Identity Management software you can enforce temporary escalation of privilege so that users are granted administrative access only to individual machines for a limited time.
- You can eliminate shared SSH Keys and other file-based secrets that could grant attackers access throughout your network. A privileged identity management solution can find these sensitive files, change SSH Keys where necessary, and move them to a secure repository where only audited access through a bastion host is permitted.
- You can mitigate one of the most difficult threats to control by securing the passwords used by Windows services, tasks and other automated processes. Privileged identity management software can provide a thorough discovery of interdependent accounts. It can also update interdependent processes and services, in the proper order—helping you secure these credentials without risking disruption to your critical business services.
- You can eliminate human knowledge of application logins—and the presence of easily exploited passwords, hashes or keys on compromised user machines. This can be done by enforcing proxied, delegated access to corporate applications through a bastion server.
- Lastly, you can remove human interaction from the process of rotating privileged account passwords through a combined use of time-based and event-based remediation. A privileged identity management solution that’s designed for scalability can support credential rotation as frequently as needed.
Stage 3: Attacker Exposes, Extracts and Conceals
In this phase, the attacker creates persistent access to the compromised network through use of backdoors, password loggers and other means. Common in this phase is the use of Mimikatz to steal Ticket Granting Tickets or Service Tickets from servers that are delegated to perform authorization.
The goal of these attacks is to steal the password hash of the krbtgt account on a domain controller, used by Kerberos to encrypt Ticket Granting Tickets. With this password hash, an attacker could create unlimited tickets with any level of access and almost unlimited lifetimes. This Golden Ticket exploit can’t be blocked through conventional password changes or multifactor authentication.
To combat this phase of the attack, it’s critical to establish a process to remove attackers’ access to compromised systems – including exploits that are difficult to remove through conventional means. Our privileged identity management software is particularly beneficial for this in the following ways:
- By providing a means to remove Golden Ticket, Silver Ticket and other exploits through an exclusive Security Double-Tap™ feature that changes passwords twice on compromised machines. This action forces immediate replication of changed credentials everywhere on the domain to block the use of compromised tickets.
- By establishing a process to configure automatic, chained reboots of managed systems after user escalation, and after changes to systems have been made using escalated credentials. This clears the system memory of hashes and passwords on potentially compromised machines to curtail further access.
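The double password change behind the Golden Ticket remediation above, as an added example that is not the vendor's Security Double-Tap feature: a PowerShell script that resets the krbtgt key twice, confirming after each reset that the new key has replicated to every writable domain controller before proceeding, since a DC still holding the old key would continue to accept tickets forged with it. It assumes it is run as a Domain Admin on a host with the ActiveDirectory module, and reads the domain and DC list from AD rather than hard-coding them.

```powershell
# Added example, not the vendor's Security Double-Tap. Requires the ActiveDirectory module
# and Domain Admin rights. The second reset is what invalidates tickets forged with the
# previously stolen krbtgt hash, because Kerberos honours the current and previous key.
Import-Module ActiveDirectory

function New-RandomPassword {
    # A random value so that no human ever knows the new krbtgt secret.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Get-PwdVersion([string]$Dn, [string]$Dc) {
    # Replication metadata version of unicodePwd as seen by one DC; it rises on each reset
    # and is identical on every DC only once the change has replicated.
    (Get-ADReplicationAttributeMetadata -Object $Dn -Server $Dc |
        Where-Object AttributeName -eq 'unicodePwd').Version
}

$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$dcs    = (Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }).HostName
$pdc    = (Get-ADDomain).PDCEmulator
Write-Host "krbtgt last set $($krbtgt.PasswordLastSet); resetting on $pdc"

foreach ($round in 1, 2) {
    $before = Get-PwdVersion $krbtgt.DistinguishedName $pdc
    Set-ADAccountPassword -Identity $krbtgt -Reset -NewPassword (New-RandomPassword) -Server $pdc

    # Poll until every writable DC reports a newer version, or give up after 10 minutes.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        $lagging = $dcs | Where-Object { (Get-PwdVersion $krbtgt.DistinguishedName $_) -le $before }
        if ($lagging) { Start-Sleep -Seconds 15 }
    } while ($lagging -and (Get-Date) -lt $deadline)

    if ($lagging) { throw "Round ${round}: key not replicated to $($lagging -join ', '); stopping" }
    Write-Host "Round ${round}: new krbtgt key replicated to all $($dcs.Count) writable DCs"
}
```

Two resets in quick succession also invalidate every legitimate TGT in the domain, so users and services re-authenticate; in routine rotation Microsoft's guidance is to wait at least the maximum ticket lifetime between resets, and the immediate double reset shown here is the incident-response variant.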
Contrary to what you may hear, it is possible to take common-sense steps to defend against the new generation of cyber attacks. With appropriate controls, you can limit attackers’ ability to extract and exploit credentials, reduce your cost of security and compliance, and devote more of your IT resources to profitable endeavors.
Want to learn more about how to curtail lateral movement when hackers gain a foothold inside your network?
Download our white paper Using Automated Privileged Identity Management to Limit Intrusion Losses and Reduce Costs.