Preventing Attacks Launched Deep within the Network
December 7, 2017 | Security and Risk | Corey O'Connor
Attacks that exploit Kerberos, the Windows authentication protocol, have been behind some of the biggest breaches in recent history. These attacks are troublesome for many reasons, including a complete loss of control over the domain controller. Threat actors have uncovered a number of weaknesses in the Kerberos protocol, and when their attacks succeed they are able to elevate unprivileged domain accounts to the level of the domain administrator account. The attacker's intent is to leverage Kerberos tickets so as to appear to be a legitimate, fully authorized user when authenticating to various systems within the network.
These attacks are extremely difficult to detect, and even more difficult to prevent. Other solutions on the market can detect Kerberos attacks but come with limited functionality, agent-based performance issues, and well-documented bypass techniques, calling into question the value and effectiveness of those solutions. CyberArk Privileged Threat Analytics is the only solution able to detect, alert on, prevent and remediate a variety of Kerberos-style attacks (Golden Ticket, Overpass-the-Hash, DCSync and PAC [MS14-068] attacks).
Attackers will get inside. It's what they do. Far too many organizations continue to focus solely on defending against perimeter attacks without considering the impact and devastation of an attack launched from deep within the network. Moreover, while vaulting credentials is certainly a best practice, privileged credentials are often not required for the attacker to succeed in this type of attack, so organizations will undoubtedly benefit from the analytics capabilities CyberArk can provide. This type of attack needs to be prioritized and top of mind for every security operations team.
In this demo, we walk through an example of how CyberArk Privileged Threat Analytics is able not only to detect an attack but also to stop it automatically, preventing further damage to a domain controller. The scenario presents a situation where an attacker gains access to a compromised machine and uses a post-exploitation tool to move laterally to a domain controller. The attacker then takes a hash stolen from a user logged in on the compromised machine, performs an Overpass-the-Hash attack, and gains access to the domain controller. Watch the video below to see how CyberArk detects this activity and breaks the attack chain before irreparable damage is done.