• Active Directory Attacks
  • May 11, 2020
  • By QOMPLX

Enterprise Security's Soft Underbelly: Authentication

In his latest article over at Raconteur.net, QOMPLX CEO Jason Crabtree takes on the enterprise's soft underbelly: threats to authentication systems including Active Directory and Kerberos. Organizations that hope to fend off such attacks need both awareness of the problem and new tools designed to spot identity infrastructure attacks and lateral movement.

The COVID-19 pandemic has atomized enterprises, sending employees to work from home by the tens of millions and making remote work the rule rather than the exception.

With privileges the new network perimeter, addressing authentication is a challenge that every business should make priority #1. After all, a company that can't be sure its users are who they say they are is going to have a hard time knowing if the right people are doing the right things on its computing network.

That's the warning issued by Jason Crabtree, QOMPLX's CEO and co-founder, in an interview with Raconteur about the growing menace of authentication attacks. The piece, "The Thorny Underbelly of Enterprise Authentication", is part of the Future of Authentication report, which ran in this week's The Sunday Times in London.

The consequences of not taking appropriate measures to detect and stop attacks against authentication infrastructure can be severe, Crabtree notes. Furthermore, "fixes" such as strong passwords and multi-factor authentication are of little use against these attacks.

At issue is the reliability of enterprise identity. “The thorny underbelly of authentication is that every single system in the enterprise, from a security perspective and from a business perspective, assumes you are who you say you are,” says Jason Crabtree, co-founder and chief executive of QOMPLX. “At this point, that’s a really dumb assumption because protocols like NTLM, Kerberos and SAML can all be manipulated to allow hackers to not be who they say they are.”

A series of recent attacks has highlighted this threat. For example, targeted and "human-directed" ransomware campaigns against healthcare firms and key suppliers in financial services and banking feature tactics including automated credential extraction using any of a host of purpose-built open-source tools (e.g. Mimikatz).

As Crabtree notes, organizations that hope to fend off such attacks need both awareness of the problem and new tools designed to spot identity infrastructure attacks and lateral movement.

“The only way to catch this is to diligently work to disable legacy protocols like NTLM and buy either Microsoft ATA/ATP or a more comprehensive and effective tool set from QOMPLX for monitoring and validating Kerberos. Only QOMPLX takes the details of every Kerberos interaction and keeps a stateful ledger to track that every presented credential is duly issued and presented in near real time, massively improving detection accuracy.”
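The "stateful ledger" idea in the quote above reduces to a simple principle: a service ticket should only ever be presented by an account that the KDC actually issued a TGT to, from the client that received it, and within that TGT's lifetime. The following script is an added illustration of that principle written for this page; it is not QOMPLX's product code and does not describe how their ledger is implemented. It assumes a merged, time-ordered stream of simplified Windows Security events 4768 (TGT issued) and 4769 (service ticket requested), represented here as constructed Python dicts with only the fields the check needs (account, client IP, result code, timestamp), and a 10-hour TGT lifetime, which is the common default domain policy.

```python
"""Toy stateful ledger cross-checking Kerberos service-ticket requests
against the TGTs the KDC actually issued (added example, not vendor code).

Event shape is a constructed simplification of Windows Security events
4768 (TGT issued) and 4769 (service ticket requested).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

TGT_LIFETIME = timedelta(hours=10)  # assumed: common default domain policy


@dataclass
class TgtRecord:
    issued_at: datetime              # most recent successful TGT issuance
    client_ips: set = field(default_factory=set)  # addresses the TGT went to


class KerberosLedger:
    """Remembers which accounts hold a KDC-issued TGT, and from where."""

    def __init__(self, tgt_lifetime: timedelta = TGT_LIFETIME):
        self.tgt_lifetime = tgt_lifetime
        self.records: dict = {}      # account (lower-case) -> TgtRecord

    def process(self, event: dict) -> Optional[str]:
        """Update state for 4768s; return an alert code (or None) for 4769s."""
        account = event["account"].lower()
        ts = datetime.fromisoformat(event["time"])
        ip = event["client_ip"]

        if event["event_id"] == 4768:
            if event["result"] != "0x0":
                return None          # failed pre-auth: nothing was issued
            rec = self.records.setdefault(account, TgtRecord(issued_at=ts))
            rec.issued_at = max(rec.issued_at, ts)
            rec.client_ips.add(ip)
            return None

        if event["event_id"] == 4769:
            rec = self.records.get(account)
            if rec is None:
                return "NO_TGT_ON_RECORD"      # KDC never issued this account a TGT
            if ts - rec.issued_at > self.tgt_lifetime:
                return "STALE_TGT"             # presented beyond the TGT lifetime
            if ip not in rec.client_ips:
                return "CLIENT_IP_MISMATCH"    # TGT was issued to a different host
            return None
        return None


def analyse(events: list) -> list:
    """Run the ledger over a batch of events; return (time, account, service, code)."""
    ledger = KerberosLedger()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        verdict = ledger.process(ev)
        if verdict:
            alerts.append((ev["time"], ev["account"], ev.get("service", "-"), verdict))
    return alerts


# Constructed sample stream (not real log data).
SAMPLE_EVENTS = [
    {"time": "2020-05-11T08:00:00", "event_id": 4768, "account": "alice",
     "client_ip": "10.0.0.5", "result": "0x0"},
    {"time": "2020-05-11T08:05:00", "event_id": 4769, "account": "alice",
     "client_ip": "10.0.0.5", "service": "cifs/fs01"},      # normal
    {"time": "2020-05-11T08:10:00", "event_id": 4769, "account": "bob",
     "client_ip": "10.0.0.9", "service": "ldap/dc01"},      # no TGT ever issued
    {"time": "2020-05-11T08:20:00", "event_id": 4769, "account": "alice",
     "client_ip": "10.0.0.77", "service": "cifs/fs01"},     # wrong client
    {"time": "2020-05-11T08:25:00", "event_id": 4768, "account": "carol",
     "client_ip": "10.0.0.12", "result": "0x18"},           # bad password
    {"time": "2020-05-11T08:26:00", "event_id": 4769, "account": "carol",
     "client_ip": "10.0.0.12", "service": "http/web01"},    # failed TGT, still used
    {"time": "2020-05-11T19:00:00", "event_id": 4769, "account": "alice",
     "client_ip": "10.0.0.5", "service": "cifs/fs01"},      # 11h after issuance
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(*alert)
```

The checks are deliberately coarse: a production ledger would have to join logs from every domain controller, honour the domain's actual ticket lifetime and renewal policy, and tolerate legitimate multi-host sessions, all of which are outside what this page describes. The point it does show is that the alert on `bob` and `carol` fires because no successful issuance was ever recorded, which is the condition that per-event signatures on 4769 alone cannot express.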

To read Jason's thoughts on how to manage threats to authentication and identity infrastructure, read the article over at Raconteur.net.
