The recent case of Hongjin Tan underscores the continuing risk of data- and intellectual property theft by rogue employees. But organizations that hope to crack down on such incidents need to address the endemic problem of lax privilege management.
The recent sentencing of Hongjin Tan, a 35-year-old Chinese national, on charges that he illegally downloaded trade secrets from his employer, a U.S. petroleum company, after accepting a job with a competitor in China, underscores the need for more organizations to examine the controls they have in place over privileges on their networks.
Despite a steady drum beat of news stories documenting substantial security breaches and data leaks, too many corporate environments still lack the compartmentalization necessary to be resilient to such incidents.
Even today, credentialed network insiders are implicitly trusted. Users with malicious intent use those privileges as an initial foothold from which to attempt to access additional systems and resources, often resources that do not fit their role or comport with their expected behavior in that environment. These insiders may work much the way an external attacker would: establish a presence on the network, then use exploits and malware to escalate their privileges until they reach the targeted resource.
The case of Mr. Tan is part of a rising swell of insider-related incidents. It should send a signal to CISOs and network managers about the need to audit and gain better control over their privilege space. But where to start? For many enterprises, that examination should begin with Active Directory, the security of domain controllers and authentication protocols such as Kerberos.
Attackers: Already Inside, and Armed
Six years ago, Benjamin Delpy and Alva Duckwall’s Black Hat presentation describing Golden Ticket attacks changed the game with regard to attacks on authentication infrastructure. Coming three short years after Delpy’s introduction of Mimikatz, the ability to use that tool to create Kerberos “Golden Tickets” closed much of the knowledge gap that had until then held threat actors back. Attackers now had a tool that allowed them to generate forged Kerberos authentication tickets granting elevated domain privileges over any networked system.
Mimikatz and similar tools that followed enabled attackers to quickly audit networks in order to understand the quickest paths to full domain access. Previously challenging tasks like privilege escalation and lateral movement within compromised environments became far easier to carry out and far more difficult to detect. Malicious activity carried out with Golden Tickets is invisible to security monitoring and detection tools, because it appears to come from authenticated and legitimate network users or services.
Many Sources of Insecurity
As recent incidents like the Ryuk ransomware attack on fintech startup Finastra illustrate, many organizations are vulnerable to attacks that target critical identity infrastructure like Active Directory. At the same time, there is little in the way of help to detect many of the most common attacks, such as Kerberos Golden and Silver Tickets.
Defending against exploits of these underlying weaknesses rests on the ability to map and audit an Active Directory environment in order to understand the risks created by dependencies between core systems. Organizations also need to identify poor authentication configurations that open the door to account compromises, and the rogue behaviors that characterize compromised accounts. Unnecessary or out-of-band user account and group creation is one telltale indicator of a compromised identity. So too is the addition of unauthorized computers to a domain. Domain admin accounts with poorly configured passwords, or passwords that don’t expire, are a major and under-appreciated risk for organizations of all sizes.
Identifying these red flags should be the rule rather than the exception. That is why enterprises are increasingly turning to machine learning and automation technology to examine protocols such as Kerberos in order to verify that each authentication is valid and can be traced back to a legitimate user interaction with the issuing domain controller.
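One concrete form of the check described above, added here as an illustration and not QOMPLX’s code: a Golden Ticket is a forged TGT, so the domain controller sees service-ticket requests (event 4769) for an account that never obtained a TGT from it (event 4768). The example runs that correlation over a constructed handful of DC events; the 10-hour window and the assumption that every DC’s log is collected are stated in the comments.

```python
from datetime import datetime, timedelta

# Constructed sample of domain controller security events (not real log data).
# 4768 = TGT requested from the KDC (AS-REQ); 4769 = service ticket requested (TGS-REQ).
EVENTS = [
    {"time": "2020-06-01T08:00:05", "id": 4768, "account": "alice", "client": "10.0.0.11", "service": "krbtgt"},
    {"time": "2020-06-01T08:00:09", "id": 4769, "account": "alice", "client": "10.0.0.11", "service": "cifs/fs01"},
    {"time": "2020-06-01T09:15:00", "id": 4769, "account": "alice", "client": "10.0.0.11", "service": "ldap/dc01"},
    # No 4768 ever precedes this TGS-REQ: the TGT it carries was not issued by the KDC.
    {"time": "2020-06-01T11:42:17", "id": 4769, "account": "administrator", "client": "10.0.0.57", "service": "cifs/dc01"},
]

# Assumption: default domain policy, maximum TGT lifetime of 10 hours. Tune to your environment.
TGT_MAX_LIFETIME = timedelta(hours=10)


def parse_time(s):
    return datetime.fromisoformat(s)


def find_orphan_service_tickets(events, window=TGT_MAX_LIFETIME):
    """Return the 4769 events for which no 4768 for the same (account, client address)
    was logged within `window` beforehand.

    Assumes `events` is the merged log of every DC in the domain; a TGT issued by
    one DC is routinely presented to another, so a single DC's log alone produces
    false positives. TGTs issued before the collection window also need backfilling.
    """
    tgt_issued = {}  # (account, client) -> list of TGT issue times
    orphans = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        key = (ev["account"].lower(), ev["client"])
        t = parse_time(ev["time"])
        if ev["id"] == 4768:
            tgt_issued.setdefault(key, []).append(t)
        elif ev["id"] == 4769:
            # A legitimate TGS-REQ carries a TGT the KDC issued within its lifetime.
            recent = [x for x in tgt_issued.get(key, []) if t - window <= x <= t]
            if not recent:
                orphans.append(ev)
    return orphans


if __name__ == "__main__":
    for ev in find_orphan_service_tickets(EVENTS):
        print(f"{ev['time']} {ev['account']}@{ev['client']} -> {ev['service']}: "
              "service ticket without a KDC-issued TGT")
```

In production the same correlation is keyed on the fields Windows actually logs for these events (TargetUserName, IpAddress, ServiceName), and a hit is a lead for investigation rather than proof of forgery.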
Building Insider Threat Resilience
Studies and post-mortem analyses of cyber incidents have consistently shown that rapid detection of security incidents, which lessens an attacker’s dwell time in a compromised environment, matters more than metrics like the number of software vulnerabilities addressed or updates deployed.
Accenture’s recently published third annual State of Cyber Resilience report backs up this contention. The report examined where successful organizations are investing so that they can contain and remediate incidents quickly and ensure business continuity. Successful companies identify four keys to resilience:
- Detect and defend against targeted attacks
- Improve detection speed
- Improve time to remediation
- Reduce the impact of breaches
There are other commonalities in how leading organizations blunt the impact of insider threats and external attacks, especially in the type of security investments they make and how they measure success. Most successful organizations prioritize speed of response and invest heavily in detection. Deployed and used properly, tools driven by machine learning can automate detection and other critical security tasks, helping security teams detect a breach, mobilize a response, and recover quickly.
Technology such as QOMPLX’s helps do just that with attacks on identity infrastructure like Active Directory. QOMPLX’s technology can verify, in near real-time, that a given Kerberos authentication event was correctly generated and that it is linked to legitimate user interactions and the issuing domain controller. This type of deterministic verification makes it difficult for attackers to abuse authentication protocols and processes.
Conclusion
The growth of sophisticated attacks on enterprises, including attacks aimed at Active Directory and other identity infrastructure, is challenging the resilience of companies and forcing a closer look at the base assumptions of modern IT security. A focus on system inter-dependencies and on the lack of proper compartmentalization of users and privileges is long overdue.
For IT leaders who have mastered the security basics but are keen to go to the next level, AI and machine learning driven tools like QOMPLX’s can provide critical visibility into even the most stealthy insider activity, such as Kerberos Golden and Silver Ticket attacks. By improving detection and response, technologies like QOMPLX’s can shorten recovery times and lessen the damage of even sophisticated cyber attacks.
If you want to learn more, download QOMPLX’s latest white paper: “ManyKatz: How Active Directory Hacks Went Mainstream”