The threat landscape continues to shift in the ever-evolving realm of cybersecurity, presenting new challenges and complexities for organizations worldwide. Identity-based attacks are among the most insidious of these threats, where threat actors leverage various means to access privileged accounts within an environment. Drawing from the insights provided by the CrowdStrike Global Threat Report 2024, let's delve into the anatomy of these attacks, their implications, and strategies for defense.
The Rise of Interactive Intrusions
Unlike traditional malware attacks, interactive intrusions involve adversaries actively engaging with systems, mimicking legitimate user behavior to evade detection. According to CrowdStrike, interactive intrusion campaigns had a significant uptick, with a 60% year-over-year increase observed in 2023 alone. This trend underscores the agility and adaptability of threat actors in circumventing traditional security measures.
From Initial Access to Domain Dominance
A key modus operandi employed by threat actors involves gaining initial access through various means, including utilizing initial access brokers. These brokers serve as conduits for purchasing credentials, providing threat actors with a foothold within an organization. Once inside, adversaries utilize techniques like kerberoasting to escalate privileges, moving laterally within the network at an alarming speed.
The concept of "breakout time" becomes paramount in this scenario, referring to the window of opportunity adversaries have to move from initial access to domain dominance. CrowdStrike's findings reveal a concerning decrease in breakout time, emphasizing the need for organizations to bolster their defenses and respond swiftly to intrusions. "This year, the average breakout time for interactive eCrime intrusion activity decreased from 84 minutes in 2022 to 62 minutes in 2023. The fastest observed breakout time was only 2 minutes and 7 seconds."
Akira and Initial Access Brokers
Among the notable threat actors, Akira stands out for using initial access brokers to procure credentials, facilitating rapid infiltration into target environments. By brute-forcing credentials obtained through these brokers, Akira and similar threat actors expedite the process of gaining privileged access, underscoring the effectiveness of this tactic in achieving their objectives.
Understanding Kerberos-Based Attacks
Central to identity-based attacks is exploiting authentication protocols like Kerberos, which form the backbone of many enterprise environments. Kerberos facilitates secure authentication between clients and servers through tickets and session key exchanges. However, adversaries have devised various methods to abuse Kerberos authentication, compromising the integrity of authentication mechanisms and gaining unauthorized access to systems and data.
[Figure: Kerberos Authentication (SpecterOps)]
Some common Kerberos-based attacks and abuses include:
Pass-the-Hash (PtH): Adversaries obtain hashed credentials and use them directly to authenticate as the user without knowing the plaintext password.
[Figure: Pass the Hash (PTH) Attack]
Pass-the-Key: Similar to PtH, adversaries obtain Kerberos session keys to impersonate users without passwords.
AS-REQ and Password Spraying: Adversaries perform password spraying attacks by attempting to authenticate to the KDC using a small set of common passwords against multiple accounts.
AS-REP Roasting: Adversaries request AS-REP messages for user accounts without pre-authentication enabled and crack them offline to reveal plaintext passwords.
Golden Ticket Attacks: Adversaries compromise the krbtgt account's password hash to forge TGTs with arbitrary privileges, granting unrestricted access to the entire domain. A golden ticket can be used to impersonate any user, to any service, on any machine in the domain, and to add insult to injury - the underlying credentials are never changed automatically. For that reason, the krbtgt NTLM/AES hash is probably the single most powerful secret you can obtain (and is why you see it used in dcsync examples so frequently).
[Figure: Golden Ticket Attack / DCSync]
Pass-the-Ticket and Silver Ticket Attacks: Adversaries reuse stolen, still-valid Kerberos tickets (pass-the-ticket), or forge a service ticket using a compromised service account's key (silver ticket), to authenticate to other services or systems within the environment.
Skeleton Key Attacks: Adversaries implant a backdoor into the Kerberos authentication process, allowing them to authenticate as any user using a predefined password or key.
[Figure: Identity-Based Attacks]
Defending Against Kerberos-Based Attacks
Monitoring Kerberos-Related Events: Implement robust logging and monitoring of Kerberos authentication events to detect anomalous activities indicative of potential attacks.
Abnormal Kerberos Clients Detection: Utilize anomaly detection techniques to identify abnormal Kerberos client behaviors, such as unusual authentication timings or multiple failed login attempts.
Implement Least Privilege: Limit user privileges and access rights to only what is necessary for their roles and responsibilities to mitigate the impact of successful attacks.
Enforce Strong Authentication Mechanisms: Implement multifactor authentication (MFA) wherever possible to augment traditional password-based authentication and mitigate the risk of credential theft or misuse.
Regular Security Assessments and Patch Management: Conduct regular security assessments, penetration testing, and vulnerability scans to identify and remediate weaknesses in Kerberos authentication mechanisms.
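The monitoring and anomaly-detection items above are concrete enough to show as code. The following script is an added example written for this post, not code from CrowdStrike or SpecterOps. It runs three simple detections over Windows Security event records: password spraying (Event ID 4771 pre-authentication failures from one source IP against many accounts), kerberoasting (Event ID 4769 service-ticket requests with RC4 encryption for many service accounts by one user), and AS-REP roasting (Event ID 4768 TGTs issued to accounts with pre-authentication disabled). The event records are constructed inline to mimic the real event fields, and the thresholds and time window are assumptions that a SOC would tune to its own baseline.

```python
"""
Detection logic for three Kerberos abuse patterns over Windows Security events.
Added example; the records below are constructed to mimic the fields of Event
IDs 4768 (TGT requested), 4769 (service ticket requested) and 4771 (pre-auth
failed). Thresholds and window are assumptions, not vendor recommendations.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"       # TicketEncryptionType RC4-HMAC: the ticket type offline crackers want
BAD_PASSWORD = "0x18"   # 4771 Status KDC_ERR_PREAUTH_FAILED: the supplied password was wrong
NO_PREAUTH = "0"        # 4768 PreAuthType 0: account does not require pre-authentication
SPRAY_THRESHOLD = 5     # distinct accounts failing from one source IP within WINDOW (assumed)
ROAST_THRESHOLD = 3     # distinct service accounts requested with RC4 by one user (assumed)
WINDOW = timedelta(minutes=10)

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Spray: one source tries six accounts in 30 seconds and every pre-auth fails
    *[{"EventID": 4771, "TimeCreated": f"2024-03-01T09:00:{5 * i:02d}", "TargetUserName": u,
       "IpAddress": "10.0.0.50", "Status": BAD_PASSWORD}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # Benign: a user mistypes her own password twice from her workstation
    {"EventID": 4771, "TimeCreated": "2024-03-01T09:01:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.7", "Status": BAD_PASSWORD},
    {"EventID": 4771, "TimeCreated": "2024-03-01T09:01:10", "TargetUserName": "alice",
     "IpAddress": "10.0.0.7", "Status": BAD_PASSWORD},
    # Kerberoasting: one user requests RC4 tickets for three service accounts in a minute
    *[{"EventID": 4769, "TimeCreated": f"2024-03-01T09:05:{10 * i:02d}", "TargetUserName": "jdoe",
       "IpAddress": "10.0.0.50", "ServiceName": s, "TicketEncryptionType": RC4_HMAC}
      for i, s in enumerate(["svc_sql", "svc_web", "svc_backup"])],
    # Benign: AES (0x12) tickets to a machine account and to a service account
    {"EventID": 4769, "TimeCreated": "2024-03-01T09:05:40", "TargetUserName": "alice",
     "IpAddress": "10.0.0.7", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TimeCreated": "2024-03-01T09:05:50", "TargetUserName": "alice",
     "IpAddress": "10.0.0.7", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    # AS-REP roasting: TGT issued to an account with pre-auth disabled, RC4 requested
    {"EventID": 4768, "TimeCreated": "2024-03-01T09:06:00", "TargetUserName": "legacyapp",
     "IpAddress": "10.0.0.50", "PreAuthType": NO_PREAUTH, "TicketEncryptionType": RC4_HMAC},
    # Benign: normal TGT with timestamp pre-auth (PreAuthType 2) and AES
    {"EventID": 4768, "TimeCreated": "2024-03-01T09:06:05", "TargetUserName": "alice",
     "IpAddress": "10.0.0.7", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _largest_distinct_in_window(events, field, window):
    """Largest set of distinct `field` values that occur within any span of length `window`."""
    events = sorted(events, key=_ts)
    best = set()
    for i, first in enumerate(events):
        seen = {e[field] for e in events[i:] if _ts(e) - _ts(first) <= window}
        if len(seen) > len(best):
            best = seen
    return best


def detect_password_spray(events, threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Source IPs whose failed pre-auths hit >= threshold distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4771 and e.get("Status") == BAD_PASSWORD:
            by_ip[e["IpAddress"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        users = _largest_distinct_in_window(evs, "TargetUserName", window)
        if len(users) >= threshold:
            hits[ip] = sorted(users)
    return hits


def detect_kerberoasting(events, threshold=ROAST_THRESHOLD, window=WINDOW):
    """Users requesting RC4 service tickets for >= threshold distinct non-machine service accounts."""
    by_user = defaultdict(list)
    for e in events:
        svc = e.get("ServiceName", "")
        # Machine accounts (trailing $) and krbtgt have random keys; RC4 there is not roastable
        if (e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            by_user[e["TargetUserName"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        services = _largest_distinct_in_window(evs, "ServiceName", window)
        if len(services) >= threshold:
            hits[user] = sorted(services)
    return hits


def detect_asrep_roasting(events):
    """TGTs issued without pre-authentication and with an RC4 key: crackable offline."""
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == NO_PREAUTH
                   and e.get("TicketEncryptionType") == RC4_HMAC})


def run(events=SAMPLE_EVENTS):
    return {"password_spray": detect_password_spray(events),
            "kerberoasting": detect_kerberoasting(events),
            "asrep_roasting": detect_asrep_roasting(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

On the constructed input this flags the spraying source (10.0.0.50 against six accounts), the user jdoe requesting RC4 tickets for three service accounts, and the RC4 TGT issued to the pre-auth-disabled account legacyapp, while alice's two typos and her AES tickets stay quiet. Two design points carry over to production: keying kerberoast detection on RC4 only works once AES is the domain default, so a drop to RC4 stands out, and the per-IP spray counter should be joined with successful 4768 events so that a spray that finally lands on a valid password is surfaced as a compromise rather than just noise.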
Defense Strategies
In light of these threats, organizations must adopt a proactive approach to defend against identity-based attacks. Implementing multifactor authentication (MFA) measures, regular credential rotations, and robust access controls can mitigate the risk of unauthorized access. Additionally, staying informed about emerging threats and leveraging threat intelligence platforms can enhance situational awareness and enable proactive threat hunting.
The prevalence of identity-based attacks underscores the imperative for organizations to fortify their defenses and remain vigilant in the face of evolving threats. By understanding the tactics employed by threat actors, implementing robust security measures, and fostering a culture of cybersecurity awareness, organizations can safeguard their assets and preserve business continuity in an increasingly hostile digital landscape.