Disrupting an Attacker from Exploiting Domain Credentials

Security professionals often feel they don’t have enough time to keep up with modern threats. In fact, Crowdstrike researchers have found that top threat actors can go in and out of networks in a matter of minutes. Despite other similar security research reports listing all the ways threat actors can breach a network, they rarely offer a viable solution to combat these risks and often just resign us all to a “we can only do our best” mentality.

I disagree. While I feel that “doing our best” is sufficient for an elementary school project, it’s not the right mentality for an enterprise security team. We as security professionals should strive to be excellent. In order to get there, let’s review some common attack patterns and discuss the best ways to disrupt an attacker’s plan.

Sponsorships Available

The Anatomy of An Attacker

First, let’s understand how can an attacker move around an organization’s network from one machine to another. Many people think that attackers leverage zero-day exploits but that is not the case. Attackers may not want to or be able to do so.  

How do Attackers Use Zero Day Attacks?

In my experience, zero-day attacks are tough to find. Good zero-day vulnerabilities that can work on a variety of different versions of operating systems, can effectively execute code, steal privileged credentials, and gain access to critical systems and applications take considerable skill and time. They require a lot of work to implement and execute effectively.

Assuming that an attacker did leverage a zero-day exploit, what would that person do with it? Every single time the attacker uses the exploit, there is the risk of the zero-day being discovered and then patched. Knowing that exposure is eventually inevitable, the logical move would be to use the zero-day on select occasions that would garner the least amount of attention, such as an initial breach of the network or removing traces of their presence. An example of a stealthy usage would be the initial infiltration of a network during which they plant a backdoor. Once the backdoor is installed, the code for the zero-day exploit would then be erased. If the backdoor does not contain any traces of the exploit’s code, it would be impossible for the security team to discover that they have a zero day exploit on their hands. However, once the attacker starts moving around the network, the stakes are higher and it will be increasingly difficult to conceal the usage of a zero-day for long.

What Happens During the Reconnaissance Phase?

An attacker that is well organized and carefully considers how a network can be infiltrated will take the time to understand all the potential weaknesses that can be exploited. An experienced attacker will take the time to gather intelligence from a single machine before waging a campaign to exploit the entire network. During this time, the attacker will be patiently learning how to laterally move around the network to find access to critical systems and applications. Patience is key during the reconnaissance phase; the average attacker stays on the network for 256 days before being discovered.

Before discovery, attackers hope to quietly achieve access to critical machines and accounts, and one way is to monitor the logins to those they wish to control.  

When you login to a machine, you will be authenticated with your network’s domain controller (DC), and it will grant you a ticket that allows you access to services in the network (file servers, sharepoint, other machines). On Windows machines, these credentials are bound together with a token that is created every time an authentication process occurs. That token is, therefore, an abstraction of the credentials used to authenticate the user requesting a particular action (you can read more about these tokens here).

For an attacker, controlling a critical machine means controlling all of the privileges to perform certain actions on the network – changing access rights, accessing sensitive data, etc. If the attacker has system-level privileges, they can easily extract the authentication token every time there is an action performed by that machine. Once they have access to the token, they can themselves request the machine perform actions posing as a legitimate user. These new requests will seem to be originating from legitimate user credentials that have the correct administrative rights within their active directory, making it difficult for security teams to spot the malicious insider.

How Do Attackers Find Privileged Credentials?

Patient attackers know that it is likely that a privileged user will sign in sometime during the reconnaissance phase as they are often the power users in a network. The token from a privileged user can then be extracted during that login process and used to access anything within their permissions. Privileged user credentials are the most effective way to laterally move around the network. For example, if the privileged user happens to be a domain admin, the attacker now has access to all the machines in the domain and all the servers and endpoints in the domain as well!

How frequently is a privileged user to sign in to a machine? It varies from company to company. Depending on the deployment and the IT needs, the attacker may be lurking in the shadows for quite some time. In the interim, an attacker might take control of multiple machines in the network so that he or she can increase the odds of finding a login from a privileged user. However, they still want to be wary of not exposing too much footprint as the more they move around the network, the higher the chance of them being discovered. In most networks, it is difficult to understand who the privileged users are in that environment, let alone how frequently they will log into a particular machine.

Disrupting the Attacker

How can we address this sort of threat and stop a potential attacker from gaining access to critical systems and applications? The first line of defense is to beef up the perimeter: attempt to prevent the attacker from ever getting a foothold in the network. Different defense mechanisms are updating the OS, setting up firewalls and proxies, using endpoint protection software, and more. However, this battle might be futile if a careful attacker is using a zero-day exploit.

Another option would be to keep track of user activity across the entire network. Unusual activity such as an IT professional installing a new Sharepoint server from a machine that is currently being used by the finance department should trigger alerts. While this approach is good for stopping lateral movement, it can be quite complex to set up and keep dynamic. An administrator would need to narrow down the machines an attacker can use and then go through a painful amount of effort to understand user operations, associated machines, corporate policy, privileged users, and more.

The better approach would be to verify that an out-of-ordinary operation performed by a user is actually being performed by a human and not a machine. Verifying that an actual human initiated an operation makes it near impossible to automatically re-use credentials. Here’s why: Attackers will leverage machines to scan the network for privileged user credentials. When they have gotten access to a token from a privileged user, they will use the machine that they control to re-use the credentials on other critical machines or applications. When they find they can access more network resources, they will expand their foothold and complete their mission. By identifying whether an access attempt is coming from a human account versus a machine will help limit an attacker’s attempt to re-use legitimate user credentials.

Being able to distinguish between human interactive connections versus impersonators (automated, scripted, or programmatic) logins is a simple yet effective way to disrupt an attacker.

When dealing with attackers attempting to exploit network credentials, patching weaknesses can often be a poor strategy for mitigating risk. Trying to keep up and patch network weaknesses will not stop attackers, as they will just patiently wait to discover the next point of exploit.

We should disrupt attackers by truly understanding how they operate and using their attack techniques against them. One way is to distinguish between a human or a machine that is performing authentication requests. But that’s just the tip of the iceberg. We need to understand more of the anatomy of the attacker and put together deterministic policies that will protect us from breach.

Organizations need to adopt a conditional access approach that can respond to risky authentication based on patterns methods used by attackers.