Detecting Pass-The-Hash Vulnerabilities with CyberArk DNA v4


Free Trials Available for IT and Security Experts

Last year, CyberArk introduced CyberArk Discovery & Audit (DNA™), the industry’s first stand alone solution that rapidly locates all privileged, shared and generic accounts without having to install anything on target machines.  A detailed report includes the credential status for each account, enabling improved management and control over all accounts.

We’re excited to unveil the latest version of CyberArk DNA (v4) and to announce that the latest version is the first to be able to detect pass-the-hash vulnerabilities by identifying and mapping all exposed privileged password hashes on vulnerable machines on a network.  We’re so excited about this, we’re currently offering organizations free trial licenses for a limited time.

This is an important step forward in helping our customers secure the enterprise. Pass-the-Hash attacks are simple, yet incredibly effective attack techniques that have become a popular tactic of advanced attackers.

If you’re not familiar with this attack vector, password hashes can be used as an authenticator across a network. Pass-the-Hash attacks capture this account logon credential from one machine, and use it to authenticate access to other machines on the network. This gives attackers a foothold and allows them to harvest and steal access to privileged systems. Once the attacker gets privileged access, they can traverse the network at will, simulating normal privileged behavior until they reach intellectual property or customer data.

In testing, we found that a significant percentage of machines on an organization’s network are often vulnerable to pass-the-hash attacks. This is an incredible risk exposure and one reason why pass-the-hash is a frequently-used attack vector in major breaches.   Attackers gain an entry point and can immediately use credentials that give them broad and deep access to the entire network.

The first step in preventing pass-the-hash attacks is understanding the risk landscape of your company, which is why we developed this capability into CyberArk DNA v4.  Some other best practices to help prevent pass-the-hash attacks at your company include:

  • Securing administrative access to machines with password masking and aging credentials;
  • Frequently changing privileged account passwords (we recommend automating password changes and restricting them to one-time use to ensure tight security standards);
  • Implementing and enforcing least privileges for all administrators.

This release of CyberArk DNA v4, combined with our full portfolio of privileged account security solutions, provides our customers with the most complete solution for protecting against pass-the-hash attacks.

If this is a threat that your business is struggling to mitigate, start your free trial of DNA v4 today.  For additional information, you can read about how our customers are using CyberArk to implement a proactive defense strategy against pass-the-hash attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *

You must be logged in to post a comment.