With 95% of Fortune 1000 companies deploying Active Directory, the potential for this particular vulnerability to cause harm and theft is high.
Once the attacker leverages this Active Directory flaw, using the new password, the attacker can impersonate the victim to access various enterprises services and content, which require the explicit use of victim's credentials, such as Remote Desktop Protocol (RDP) Logon and Outlook Web Access (OWA).
Unfortunately, despite current security protocols, logged events miss the vital indication of an identity theft attack. The attacker can perform this activity unbeknownst to event logs, making log-based SIEMs and Big Data Security Analytics useless against these kinds of advanced attacks.
High-level anatomy of an attack
The attacker uses a publicly-available free penetration testing tool (such as WCE or Mimikatz) that steals an authentication component, named NTLM hash, from the employee’s device. The NTLM hash resides by default on all devices that connect to enterprise resources.
Since this authentication component is known to be a security hazard which leads to identity theft attacks, through the notorious Pass-the-Hash (PtH) attack, protections have been placed to prevent its misuse. For example, many enterprises try to limit the use Active Directory’s older – yet still enabled by default –authentication protocol (i.e. NTLM). In other scenarios, enterprises log and audit NTLM activity.
The attacker forces the client to authenticate to Active Directory using a weaker encryption protocol. At this stage, the attacker uses the Active Directory flaw where the encryption protocol relies on the NTLM hash.
This activity is not logged in system and 3rd party logs- even those that specifically log NTLM activity. As a result, no alerts, or forensic data, ever indicate that an attack takes place.
The attacker proves its so-called legitimate identity to Active Directory using the weaker authentication protocol. Consequently, the attacker is able to authenticate themselves to restricted services and change the password of the victim.
The attacker uses the changed password to fully steal the identity of the victim and access all of the victim’s enterprise resources.
"Millions of businesses are blindly trusting Active Directory as a foundation to their overall IT infrastructure. The unfortunate truth is that this trust is naively misplaced, leaving the vast majority of Fortune 500 enterprises and employees susceptible to a breach of personal and company data," said Tal Be'ery, VP Research at Aorato. "Until enterprises acknowledge the inherent risks associated with relying on Active Directory and build a strategy to mitigate risks, we will continue to see attackers walking off with valuable information undetected."
With no inherent solution to mitigate this flaw, Aorato recommends enterprises:
- Detect authentication protocol anomalies
- Identify the attack by correlating the abnormal use of encryption methods with the context in which the victim's identity is used
- Apply measures to reduce the attack surface. Note that these measures only reduce the attack surface and do not eliminate it altogether or solve the root cause.