Article reprint from
What do Marriott, Merck, FedEx, Sony, Maersk and the Office of Personnel Management (OPM) all have in common? Yes, all of these organizations suffered well-publicized, catastrophic cybersecurity breaches, but they also fell victim to the same core issue: abuse of privilege and authentication.
Active Directory abuse and Kerberos attacks are among the most common types of cybersecurity incidents, yet they remain sparsely covered in the media and largely ignored by major auditors, compliance frameworks and maturity models. The contrast between how well security practitioners understand these risks and how little attention these mainstream nontechnical communities pay them is striking. As speakers at technical information security conferences — such as Black Hat, WeAreTroopers and DerbyCon — have demonstrated, exploiting privileges/authentication is the defining feature of virtually every major data breach or ransomware attack.
But first, a little background. Kerberos is the most commonly used authentication protocol that's embedded into the operating systems that an overwhelming percentage of enterprises employ. Companies cannot practically avoid the use of Kerberos in enterprise authentication. Nearly all directory services use it as their foundational authentication mechanism. Trillions of Kerberos-based authentication exchanges happen behind the scenes in businesses around the world each day. No viable successor protocol has been developed, let alone accepted by the security community.
Unfortunately, Kerberos attacks have become commonplace. A Kerberos attack exploits authentication systems by reusing stolen user credentials or forging them outright. A common goal is leveraging weaknesses in Active Directory and this protocol to forge Kerberos tickets capable of granting an attacker domain administrator privileges. “Golden” tickets allow an unintended intruder or insider to become a top administrator across the company (a.k.a. achieving “domain admin”), and “silver” tickets allow control of a specific service (e.g., a customer database, file share or email server) or decryption of its data. Detecting these forgeries afterward, in post-attack forensic analyses, is often impossible.
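One detection heuristic that follows from this, as an added example that is not part of the article: a forged golden ticket is presented straight to the domain controller, so the controller records a service-ticket request (Windows Security event 4769) for an account that never obtained a ticket-granting ticket (event 4768) from that client address, or whose last TGT is older than the maximum TGT lifetime. The event IDs are real Windows event IDs; the record layout, field names and sample events below are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log fields
# (4768 = TGT requested, 4769 = service ticket requested). Not real log data.
SAMPLE_EVENTS = [
    {"ts": "2020-03-01T08:00:00", "id": 4768, "user": "alice", "ip": "10.0.0.5", "svc": "krbtgt"},
    {"ts": "2020-03-01T08:00:03", "id": 4769, "user": "alice", "ip": "10.0.0.5", "svc": "cifs/fs01"},
    {"ts": "2020-03-01T08:30:00", "id": 4769, "user": "alice", "ip": "10.0.0.5", "svc": "ldap/dc01"},
    # service ticket requested although no TGT was ever issued to this account from this host
    {"ts": "2020-03-01T09:10:00", "id": 4769, "user": "administrator", "ip": "10.0.0.77", "svc": "cifs/fs01"},
    {"ts": "2020-03-01T07:00:00", "id": 4768, "user": "bob", "ip": "10.0.0.9", "svc": "krbtgt"},
    # service ticket requested 18 hours after the only TGT, longer than the default 10-hour TGT lifetime
    {"ts": "2020-03-02T01:00:00", "id": 4769, "user": "bob", "ip": "10.0.0.9", "svc": "http/intranet"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def service_tickets_without_tgt(events, max_tgt_age=timedelta(hours=10)):
    """Return (user, ip, svc, ts) for every 4769 that is not backed by a 4768
    for the same account and client address within max_tgt_age.

    max_tgt_age defaults to the usual 10-hour maximum TGT lifetime; use the
    value configured in the domain's Kerberos policy when it differs."""
    last_tgt = {}  # (user, ip) -> time of the most recent TGT request seen
    flagged = []
    for ev in sorted(events, key=lambda e: _parse(e["ts"])):
        key = (ev["user"], ev["ip"])
        when = _parse(ev["ts"])
        if ev["id"] == 4768:
            last_tgt[key] = when
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or when - issued > max_tgt_age:
                flagged.append((ev["user"], ev["ip"], ev["svc"], ev["ts"]))
    return flagged


if __name__ == "__main__":
    for hit in service_tickets_without_tgt(SAMPLE_EVENTS):
        print("possible forged TGT:", hit)
```

In a domain with several controllers the 4768 and 4769 for one client can land on different machines, so the function must be fed the merged logs of all controllers. A silver ticket never touches the controller at all, so this check does not see it; the analogous check compares Kerberos logons recorded on the service host against the controllers' 4769 records.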
Kerberos attacks are increasingly common because they are increasingly easy to carry out. What was once limited to advanced nation-states and artisans is now accessible to anyone with a web browser and YouTube. Unsophisticated attackers can access well-known open-source tools to automate these attacks by using a few simple terminal commands or exploit kit tools.
Intruders were abusing credentials inside Marriott’s Starwood business unit, without the company’s knowledge, for four years. Sony had millions of dollars’ worth of IP erased, and stolen customer data was leaked publicly as a result of an attack against a Kerberos-based authentication system. These incidents cost both firms millions of dollars in business disruption and reputational damage. The consequences of not taking appropriate measures to detect and stop attacks against authentication infrastructure can be catastrophic.
Would you let someone gain physical access to your office with a fake ID, and then let them camp out for months or years? Of course not. Digital credentials are no different. Your intended model for managing privileged access doesn’t matter if authentication is compromised. You can’t control your network if anyone can pretend to be anybody or modify credentials with impunity. Authentication assurance must be a core element of every modern security program to avoid falling victim to these kinds of attacks.
CIOs and CTOs must educate executive leaders about the risks their most important assets face, along with how well-functioning cybersecurity and business controls reduce those risks. Authentication is a control that senior leaders understand in an abstract way, but they lack insight into how it may be vulnerable.
To protect data and reputations, the C-suite must appreciate that authentication systems are not impregnable and can be compromised easily despite enterprises spending millions on their broader security programs. Such compromises are catastrophic to businesses, so careful and deliberate consideration is necessary to ensure that key authentication controls are functioning with integrity as intended.
In 2020, it is irresponsible to not ensure the security of the most foundational control: authentication. You should evaluate your current cybersecurity capabilities and build a secure and productive network on top of trustworthy authentication. Not only will this help keep your company out of the breach headlines, but it will improve the business overall, demonstrating to customers and key stakeholders that the organization prioritizes customers and security. Otherwise, your firm is gambling with its future.