25 October 2016

During the ‘Move Laterally’ phase of a cyber-attack the Pass-the-Hash (PtH) method is often used to jump from one system to another in Windows networks. The best way to deal with PtH attacks is to use only locally defined privileged accounts with individual passwords because the related hashes are not valid on other systems. For more details please see the NSA IAD guideline ‘Reducing the effectiveness of Pass-the-Hash‘.

Using individual passwords on thousands of Windows systems is a really big challenge. In addition, since network login with local users has to be deactivated, the effort for the administrators is significantly increased. With this, the NSA suggestions will, if at all, only be implemented in very few organization.

Today, I participated in a great presentation of BeyondTrust’s Enterprise Password Management solution. Although primarily designed for privileged account management, the solution provides all the capabilities for the efficient management of local privileged accounts, and even with one-time passwords and automated creation of rdp sessions to the target systems. With this, PtH attacks can be mitigated nearly without any extra effort for the administrators.

Have a good day.