Tag Archives: Pass-the-Hash attack

Cross-Domain Innovation: Using a PAM solution for efficient mitigation of Pass-the-Hash attacks

25 October 2016

During the ‘Move Laterally’ phase of a cyber-attack, the Pass-the-Hash (PtH) method is often used to jump from one system to another in Windows networks. The best way to deal with PtH attacks is to use only locally defined privileged accounts with individual passwords, because the related hashes are not valid on other systems. For more details please see the NSA IAD guideline ‘Reducing the effectiveness of Pass-the-Hash’.

Using individual passwords on thousands of Windows systems is a really big challenge. In addition, since network login with local users has to be deactivated, the effort for the administrators increases significantly. As a result, the NSA suggestions will, if at all, only be implemented in very few organizations.

Today, I participated in a great presentation of BeyondTrust’s Enterprise Password Management solution. Although primarily designed for privileged account management, the solution provides all the capabilities for the efficient management of local privileged accounts, including one-time passwords and automated creation of RDP sessions to the target systems. With this, PtH attacks can be mitigated nearly without any extra effort for the administrators.

Have a good day.

IBM Webinar: Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching

22 October 2016

On Tuesday, I watched the IBM webinar ‘Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching’.

On slide 3 one could read the really interesting statement ‘NSA: no zero days were used in any high profile breaches over last 24 months’.

Slide 3 - Force the Bad Guys to Use Zero Day Exploits — and Why That’s a Good Thing

Curtis Dukes, deputy national manager of security systems within the NSA, said that the NSA has been involved in incident response or mitigation efforts for all ‘high profile incidents’ one has read about in the Washington Post or the New York Times.

In all these incidents the attackers used fairly simple techniques such as spear phishing, watering-hole attacks and USB-drive delivery to get onto the victims’ networks.

In the last 24 months, not one zero day has been used in these high profile intrusions.

That is a very interesting insight. Moreover, Curtis Dukes said that

The fundamental problem we faced in every one of those incidents was poor cyber hygiene.

The central idea of the webinar is to harden all systems by applying at least all existing patches for known vulnerabilities, and in a timely manner. For most organizations this is a great challenge: applying an endless stream of operating system and application patches to thousands of servers and endpoints is a never-ending nightmare. But it is essential to hinder an attacker who has already managed to get onto the network from moving laterally across it.

If an attacker cannot exploit existing vulnerabilities, he is forced to install hacking tools from his C&C server. This increases the likelihood of detection, because the attacker creates anomalies which can be detected, e.g. by a current anti-malware solution or a well-tuned SIEM system.

It is important to recognize that cyber hygiene must not be restricted to patching and password rules. Operating systems offer lots of powerful built-in tools, e.g. PowerShell, which can be used by an attacker to move laterally across the network. Such movements are much harder to detect, because they look very similar to standard user behavior. Pass-the-Hash attacks are another example where patching is of limited value only.

It is very important to understand what threats a security solution mitigates. But it is of crucial importance to know the gaps and to have some ideas on how to deal with them effectively.

Have a good weekend.

Reducing the Effectiveness of Pass-the-Hash – An NSA/CSS Report

15 January 2015

Reducing the Effectiveness of Pass-the-Hash [5], a report compiled by the Network Components and Application Division of the NSA/CSS, is highly recommended for all Windows network administrators and designers.

The design guidelines given in chapter 3 lay the foundations for the secure operation of Windows networks. Strictly implemented, they hamper the propagation of attacks through the network.

I have no doubt that the impact of the Sony attack would have been far smaller if these guidelines had been implemented.

Enjoy reading, and, have a good day.

Still looking for a good New Year’s Resolution?

8 January 2015

In the past weeks I read a lot about Pass-the-Hash (PtH) attacks, the Zeus botnet and other frightening attack vectors.

For example, PtH attacks require access to specially protected files and registry settings. Standard users have very limited or no access to these system objects. If an attacker hijacks your computer, he takes over all your privileges: in the best case administrative privileges for your computer only, but in the worst case administrative privileges for a whole network.

I think a good New Year’s resolution would be to do everyday work with standard user accounts, and to use accounts with administrative privileges only when required.

If you are managing a company network, please avoid logging in to member servers and workstations with a domain administrator account. Windows stores your password in the computer’s SAM (Security Accounts Manager). Thus it could be attacked by a malicious user …
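Both of the practices discussed on this page, denying network logon to local accounts (the October 2016 post) and keeping domain administrator accounts off member servers and workstations (this post), leave traces in the Windows Security log that a defender can check. The following Python script is an added example, not code from the original posts, the NSA report or BeyondTrust: it scans a handful of constructed event 4624 (successful logon) summaries and reports logons that violate either rule. The domain name CORP, the workstation naming prefix WS-, the privileged account names da-jane and da-bob, and the tab-separated record layout are all assumptions made for the example.

```python
"""Check Windows Security log 4624 (successful logon) records for two patterns
the Pass-the-Hash guidance advises against:

  * a local SAM account logging on over the network (logon type 3), which the
    guidance says should be denied by policy, and
  * a domain administrator logging on interactively (types 2 and 10) to a
    workstation, which leaves reusable credential material on that host.

Added example. The records below are constructed, and the domain, host prefix
and account names are assumptions, not values from the original posts.
"""
from dataclasses import dataclass

# Assumed environment conventions (not from the page).
DOMAIN = "CORP"
PRIVILEGED_ACCOUNTS = {"CORP\\da-jane", "CORP\\da-bob"}
WORKSTATION_PREFIX = "WS-"

# Logon type values as documented for event 4624.
INTERACTIVE, NETWORK, REMOTE_INTERACTIVE = 2, 3, 10


@dataclass(frozen=True)
class LogonEvent:
    computer: str    # host that recorded the event
    logon_type: int  # 4624 LogonType field
    account: str     # TargetUserName
    domain: str      # TargetDomainName (equals the computer name for local accounts)


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed, tab-separated summary line:
    EventID<TAB>Computer<TAB>LogonType<TAB>TargetUserName<TAB>TargetDomainName
    """
    event_id, computer, logon_type, account, domain = line.rstrip("\n").split("\t")
    if event_id != "4624":
        raise ValueError(f"not a 4624 record: {line!r}")
    return LogonEvent(computer, int(logon_type), account, domain)


def is_local_account(ev: LogonEvent) -> bool:
    # For a local SAM account Windows reports the machine name as the domain.
    return ev.domain.upper() == ev.computer.upper()


def findings_for(ev: LogonEvent) -> list:
    """Return the rule violations one event represents (empty list if none)."""
    out = []
    qualified = f"{ev.domain}\\{ev.account}"
    if ev.logon_type == NETWORK and is_local_account(ev):
        out.append(f"{ev.computer}: local account {qualified} used over the network "
                   f"(type 3); network logon for local accounts should be denied")
    if (ev.logon_type in (INTERACTIVE, REMOTE_INTERACTIVE)
            and qualified in PRIVILEGED_ACCOUNTS
            and ev.computer.upper().startswith(WORKSTATION_PREFIX)):
        out.append(f"{ev.computer}: privileged account {qualified} logged on "
                   f"interactively (type {ev.logon_type}) to a workstation")
    return out


def scan(lines) -> list:
    """Parse and evaluate every non-empty line, skipping computer accounts ('$')."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.account.endswith("$"):
            continue
        results.extend(findings_for(ev))
    return results


# Constructed sample records: a normal user logon, a local Administrator used over
# the network, a user reaching a file server, an RDP logon by a domain admin to a
# workstation, the same admin on a domain controller, and a machine account.
SAMPLE_LOG = """\
4624\tWS-0412\t2\tjdoe\tCORP
4624\tWS-0412\t3\tAdministrator\tWS-0412
4624\tSRV-FILE01\t3\tjdoe\tCORP
4624\tWS-0207\t10\tda-jane\tCORP
4624\tSRV-DC01\t2\tda-jane\tCORP
4624\tWS-0207\t3\tWS-0207$\tCORP
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample records the script reports exactly two findings: the local Administrator account used over the network against WS-0412, and da-jane's remote-interactive logon to WS-0207. The domain admin logon on the domain controller is not flagged, because that is where such an account belongs; in a real environment the record source would be a SIEM or exported event log rather than the inline sample.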

You will not gain 100% safety, but you will become a lot safer than if you don’t take basic security precautions.

That’s it for today. The only thing left for me to say is …

Happy New Year!