25 October 2016
During the ‘Move Laterally’ phase of a cyber-attack the Pass-the-Hash (PtH) method is often used to jump from one system to another in Windows networks. The best way to deal with PtH attacks is to use only locally defined privileged accounts with individual passwords, because the related hashes are then not valid on other systems. For more details please see the NSA IAD guideline ‘Reducing the Effectiveness of Pass-the-Hash’.
Using individual passwords on thousands of Windows systems is a really big challenge. In addition, since network logon with local users has to be deactivated, the effort for the administrators is significantly increased. As a result, the NSA suggestions will, if at all, only be implemented in very few organizations.
Today, I participated in a great presentation of BeyondTrust’s Enterprise Password Management solution. Although primarily designed for privileged account management, the solution provides all the capabilities for the efficient management of local privileged accounts, even with one-time passwords and automated creation of RDP sessions to the target systems. With this, PtH attacks can be mitigated nearly without any extra effort for the administrators.
Have a good day.
18 August 2015
On Sunday morning at the breakfast table I always read the latest issue of Invincea’s The Cyber Intelligencer. In this week’s issue Michael Applebaum writes about just-in-time malware that is not recognized by any traditional or next-generation endpoint protection tools. I fully agree with Michael that an attacker has to hijack only one endpoint to compromise an entire company network.
But it’s not necessary to exploit unpatched vulnerabilities or zero days. Just use a built-in weakness of the Windows OS, e.g. UAC not being set to “Always notify me” by default, to get privileged access and start exploring the victim’s computer and network.
But the worst is yet to come: if the attacker is not too greedy and impatient, it is very hard to detect his activities because only standard Windows tools are used.
Prevent, detect and contain are the keys to successful protection against such threats. In the report Defensive Best Practices for Destructive Malware the NSA’s Information Assurance Directorate shows the direction. It’s worth noting that most of the technical measures described in this report are just built-in functions of operating systems. No rocket science! But the measures on the people and process level make the difference. For details see e.g. the bullet point “Protect and restrict administrative privileges”.
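The two posts above come down to a handful of host settings: the UAC prompt level that the Windows default leaves below “Always notify”, remote UAC token filtering for local accounts (the control that decides whether a local administrator’s hash is usable over the network at all), and the number of local accounts in Administrators that would need individual passwords. The following PowerShell script is an added example, not code from the posts, from the NSA guidelines or from BeyondTrust; it audits a single Windows host for these settings and reports deviations. The registry path and value names are the documented ones; the “expected” column is this example’s own hardened baseline (an assumption), and the absent-value defaults reflect the Windows defaults as the script’s author understands them, so verify them against your own build’s policy documentation.

```powershell
# Added example: audit the UAC and remote-UAC settings discussed above on one host.
# Run in an elevated PowerShell on the host being checked. Read-only; it changes nothing.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read a registry value, falling back to the Windows default when the value is absent.
function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

# Setting name, the baseline this example expects (assumption), the value Windows uses
# when the entry is missing, and why the setting matters for the posts' threat model.
$checks = @(
    @{ Name = 'EnableLUA';                     Expected = 1; Default = 1
       Why  = 'UAC must be enabled at all' },
    @{ Name = 'ConsentPromptBehaviorAdmin';    Expected = 2; Default = 5
       Why  = '2 = "Always notify"; 5 = the default that only prompts for non-Windows binaries' },
    @{ Name = 'PromptOnSecureDesktop';         Expected = 1; Default = 1
       Why  = 'prompt on the secure desktop so the dialog cannot be driven by other processes' },
    @{ Name = 'LocalAccountTokenFilterPolicy'; Expected = 0; Default = 0
       Why  = '0 = remote UAC filtering on (local admin hashes give a filtered token over the network); 1 turns it off' }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValueOrDefault -Path $policyKey -Name $c.Name -Default $c.Default
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        Why      = $c.Why
    }
}
$results | Format-Table -AutoSize

# Local accounts in Administrators other than the built-in RID-500 account: each one is a
# candidate for the individual-password treatment the NSA guideline recommends.
# Get-LocalGroupMember needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).
$localAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500' })
"Local (non-built-in) accounts in Administrators: $($localAdmins.Count)"
$localAdmins | Select-Object Name, SID | Format-Table -AutoSize
```

A `REVIEW` on `LocalAccountTokenFilterPolicy` is the finding to chase first: with the value set to 1, a captured local administrator hash yields a full, unfiltered token on every host that shares the password, which is exactly the lateral movement the first post describes. Because the script only reads the registry and group membership, it can be pushed to many hosts through your existing management tooling and the output collected centrally to size the individual-password project before deciding on a vault product.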
Enjoy reading and have a good day!