A Kerberoasting attack is a way for attackers to obtain credentials for Active Directory accounts and then use those credentials to steal data. The term Kerberoasting is a play on words, because the attack exploits Kerberos, a network authentication protocol meant to ensure secure authentication requests between clients and services across an untrusted network like the internet.
During a Kerberoasting attack, a threat actor leverages stolen credentials to harvest encrypted messages and subsequently decrypt them offline. Making it harder for threat actors to gain access (i.e. escalating privileges) is one way to defend against Kerberoasting attacks, but it only takes compromising one user’s account for an attacker to gain access to credentials.
Kerberoasting attacks are prevalent because of the access granted to a user who is seen by the system as legitimate. Because of the lag time in discovering compromised or stolen credentials, the longer a threat actor masquerades as a legitimate user of the network, the more time that person or organization has to roam around and access or steal data at will.
Indeed, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States Government has said that Kerberoasting is one of the most time-efficient ways to elevate privileges and move laterally and unchecked throughout a network.
Kerberoasting attacks work by exploiting the Kerberos authentication protocol:
A Kerberoasting attack does not require an admin account or even elevated privileges. In fact, one of the things that makes this type of attack particularly attractive is that any domain user account can be used, because all accounts can request service tickets from the ticket granting server (TGS).
Once an attacker has access to a user’s account, they can typically log in to any workstation in that domain, including workstations running services that require a Kerberos-enabled service account.
Subsequent actions such as lateral movement and exfiltration can happen right “under the noses” of the entire security organization and business at large if an attacker is impersonating someone with elevated privileges; indeed, the elevated nature of the impersonation can expose the business to enormous liability, even if the attacker is caught in a relatively short time.
Unchecked lateral movement is frightening for any organization, which is why security tools that detect this subtly malicious and risky behavior sooner are becoming more consequential than ever.
Kerberoasting attacks can be executed in many different ways, so let’s zoom in on the inner workings of one execution:
According to CISA, Kerberoasting is a preferred attack method of Russian state-sponsored Advanced Persistent Threat (APT) actors, with the perpetrators having performed the Kerberoasting attack methodology discussed above.
Once an attacker gains access to the network under a properly authenticated profile, they can theoretically move laterally through the network with ease. In this way, detecting malicious activity can be no small task – particularly with false-positive alerts constantly popping up – if the data theft is carried out with skill.
This high level of false positives is the only reason the MITRE recommendation can pose a challenge. In order to overcome this and filter out all of the excess noise, extra steps should be taken. Rapid7’s InsightIDR can achieve this by:
There are many ways to prevent Kerberoasting attacks, but the main one on which to focus would be ensuring good password hygiene organization-wide. It’s critical to use credentials generated at random as well as to lock up as tight as possible those accounts with escalated privileges.
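As an added example (not code from the original post or from Rapid7), here is the kind of noise filtering a Kerberoasting detection needs: it reads a constructed sample of Windows Event ID 4769 (Kerberos service ticket requested) records, drops requests that cannot usefully be roasted, and flags an account that requests RC4-encrypted tickets for many distinct services within a short window. The log format, thresholds and account names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4769 sample, flattened to "timestamp|account|service|etype".
# Real events carry these as TargetUserName, ServiceName and TicketEncryptionType.
SAMPLE_4769 = """\
2024-05-01T09:00:01|alice@CORP|sql01$|0x12
2024-05-01T09:02:10|jdoe@CORP|svc_sql|0x17
2024-05-01T09:02:11|jdoe@CORP|svc_http|0x17
2024-05-01T09:02:12|jdoe@CORP|svc_backup|0x17
2024-05-01T09:02:13|jdoe@CORP|svc_mssql2|0x17
2024-05-01T09:02:14|jdoe@CORP|svc_sharepoint|0x17
2024-05-01T09:02:15|jdoe@CORP|krbtgt|0x17
2024-05-01T09:30:00|WS01$@CORP|fileserver$|0x12
2024-05-01T10:00:00|bob@CORP|svc_print|0x17
"""
RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC / RC4-HMAC-EXP: ticket is crackable offline

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, account, service, etype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "service": service, "etype": etype.lower()})
    return events

def is_noise(ev):
    """Drop what cannot usefully be roasted: machine accounts as requester or target
    (random 120-char passwords), the krbtgt service, and AES-encrypted tickets."""
    user = ev["account"].split("@")[0]
    return (user.endswith("$") or ev["service"].endswith("$")
            or ev["service"].lower() == "krbtgt" or ev["etype"] not in RC4_ETYPES)

def find_roasting_bursts(events, window=timedelta(minutes=5), min_services=5):
    """Map account -> sorted distinct services when an account requested RC4 tickets
    for at least min_services distinct services inside one sliding window."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_noise(ev):
            by_account[ev["account"]].append(ev)
    hits = {}
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            seen = {e["service"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(seen) >= min_services:
                hits[account] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for account, services in find_roasting_bursts(parse_events(SAMPLE_4769)).items():
        print(f"possible Kerberoasting by {account}: {services}")
```

The RC4 filter is a strong signal but not a guarantee: tooling can request AES tickets too, so the per-account burst count is the part worth keeping even if the encryption-type check is relaxed.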
Now, let’s turn our attention to proper response in the event an in-progress Kerberoasting attack is detected. Of course, it’s easy to imagine a worst-case scenario where the threat actor has impersonated a properly credentialed individual and has had access for far too long and potentially stolen far too much data.
Once a few deep breaths have been taken, the following steps can help launch a proper response:
MFA is a relatively simple way to avoid Kerberoasting attacks. Requiring multiple forms of authentication across multiple devices can help to fend off the bulk of attempted attacks. From an enterprise standpoint, the challenge will be pushing MFA software out to an entire employee base and hoping they adopt this critical practice of safeguarding the business.
Although implementing these fairly simple security checks may seem like common sense, there are still many businesses around the world that are lacking in proper password or credentialing hygiene practices like MFA.
It’s disappointing and frightening when threat actors are able to turn a security protocol like Kerberos into a tool for stealing data. It doesn’t mean the tooling should be cast aside; indeed, Kerberos is a key tool for keeping users safe in insecure environments.
As mentioned above, implementing a detection tool to thwart threat actors early is an effective countermeasure that can keep this important authentication protocol safe. For instance, InsightIDR from Rapid7 can continuously baseline user activity so that suspicious activity is detected easier and faster.
It can also leverage external threat intelligence critical to detections beyond the network perimeter. This reaches into the depths of the Dark Web, not just recent network endpoints. Regardless of the product or solution a security organization chooses to employ in service of thwarting Kerberoasting and APT actors, it’s important to consider that it’s easier than ever to infiltrate a network when masquerading as an employee.
How is this typically executed? Through stolen credentials, of course. That is why continuous analysis is so important: user and entity behavior analytics ties activity across the network to specific users. If a user behaves unusually, analysts can quickly spot it and investigate. It could also be a real employee who – knowingly or unknowingly – presents some kind of risk.