In his latest article over at Raconteur.net, QOMPLX CEO Jason Crabtree takes on the enterprise's soft underbelly: threats to authentication systems including Active Directory and Kerberos. Organizations that hope to fend off such attacks need both awareness of the problem and new tools designed to spot identity infrastructure attacks and lateral movement.
The COVID 19 virus has atomized enterprises: sending employees to work from home by the tens of millions and making remote work the rule rather than the exception.
With privileges the new network perimeter, addressing authentication is a challenge that every business should make priority #1. After all, a company that can't be sure its users are who they say they are is going to have a hard time knowing if the right people are doing the right things on its computing network.
That's the warning issued by Jason Crabtree, QOMPLX's CEO and co-founder in an interview with Raconteur about the growing menace of authentication attacks. The piece, "The Thorny Underbelly of Enterprise Authentication" is part of the Future of Authentication report, which ran in this week's The Sunday Times in London.
The consequences of not taking appropriate measures to detect and stop attacks against authentication infrastructure can be severe, Crabtree notes. Furthermore, "fixes" such as strong passwords and multi-factor authentication are of little use against these attacks.
"Every single system in the enterprise...assumes you are who you say you are. At this point, that’s a really dumb assumption.” -- Jason Crabtree, QOMPLX.
At issue is the reliability of enterprise identity. “The thorny underbelly of authentication is that every single system in the enterprise, from a security perspective and from a business perspective, assumes you are who you say you are,” says Jason Crabtree, co-founder and chief executive of QOMPLX. “At this point, that’s a really dumb assumption because protocols like NTLM, Kerberos and SAML can all be manipulated to allow hackers to not be who they say they are.
A series of recent attacks has highlighted this threat. For example, targeted and "human directed" ransomware campaigns against healthcare firms and key suppliers in financial services and banking feature tactics including automated credential extraction using any among a host of purpose-built open-source tools (e.g. Mimikatz).
As Crabtree notes, organizations that hope to fend off such attacks need both awareness of the problem, and new tools designed to spot identity infrastructure attacks and lateral movement.
“The only way to catch this is to diligently work to disable legacy protocols like NTLM and buy either Microsoft ATA/ATP or a more comprehensive and effective tool set from QOMPLX for monitoring and validating Kerberos. Only QOMPLX takes the details of every Kerberos interaction and keeps a stateful ledger to track that every presented credential is duly issued and presented in near real time, massively improving detection accuracy.”
To read Jason's thoughts on how to manage threats to authentication and identity infrastructure, read the article over at Raconteur.net.