A Kerberoasting attack is a way for attackers to obtain credentials for Active 导演y accounts, 然后利用这些凭证窃取数据. 术语Kerberoasting是一个文字游戏,因为它利用了 Kerberos, a network authentication protocol meant to ensure secure authentication requests between clients 和 services across an untrusted network like the internet.
在Kerberoasting攻击中, a threat actor leverages stolen credentials to harvest encrypted messages 和 subsequently decrypt them offline. 使威胁行为者更难以获得访问权限.e. 不断升级的特权, 是一种抵御kerberos攻击的方法吗, but it only takes compromising one user’s account for an attacker to gain access to credentials.
Kerberoasting attacks are prevalent because of the access granted to a user who is seen by the system as legitimate. 由于发现受损或被盗凭据的滞后时间, 威胁行为者伪装成网络合法用户的时间就越长, 这个人或组织就有更多的时间四处闲逛,随心所欲地访问/窃取数据.
事实上, 网络安全基础设施和安全局(CISA) of the United 状态s Government has said that Kerberoasting is one of the most time-efficient ways to elevate privileges 和 move laterally 和 unchecked throughout a network.
Kerberos攻击通过利用Kerberos身份验证协议来实现:
kerberos攻击不需要管理员帐户,甚至不需要更高的特权. 事实上, one of the things that makes this type of attack particularly attractive is that any domain user account can be used because all accounts can request service tickets from the ticket granting server (TGS).
一旦攻击者访问了用户的帐户, 他们通常可以登录到该域中的任何工作站, 运行需要启用kerberos的服务帐户的服务的工作站.
Subsequent actions such as lateral movement 和 exfiltration can happen right “under the noses” of the entire security organization 和 business at large if an attacker is impersonating someone with elevated privileges; indeed, 仿冒的高级性质可能使企业承担极大的责任, 即使攻击者在相对较短的时间内被抓住.
不受限制的横向变动对任何组织来说都是可怕的, which is why security tools to detect this subtly malicious 和 risky behavior sooner are becoming more consequential than ever.
Kerberoasting攻击有许多不同的执行方式, 那么让我们来放大一下一个执行的内部工作原理:
根据CISA, Kerberoasting is a preferred attack method of Russian state-sponsored Advanced Persistent Threat (APT) actors, 攻击者已经执行了上面讨论的kerberos攻击方法.
一旦攻击者在经过适当认证的配置文件下获得对网络的访问权限, 从理论上讲,它们可以轻松地在网络中横向移动. 以这种方式, it can be no small task detecting malicious activity – particularly with false-positive alerts constantly popping up – if the data theft is perpetrated with skill.
这种高水平的误报是唯一的原因 主教法冠 推荐可能会带来挑战. In order to overcome this 和 filter out all of the excess noise, extra steps should be taken. Rapid7的insighttidr可以通过以下方式实现这一目标:
防止Kerberoasting攻击的方法有很多, but the main one on which to focus would be ensuring good password hygiene organization-wide. It’s critical to use credentials generated at r和om as well as to lock up as tight as possible those accounts with escalated privileges.
现在, let’s turn our attention to proper response in the event an in-progress Kerberoasting attack is detected. 当然, it’s easy to imagine a worst-case scenario where the threat actor has impersonated a properly credentialed individual 和 has had access for far too long 和 potentially stolen far too much data.
Once a few deep breaths have been taken, the following steps can help launch a proper response:
MFA是避免Kerberoasting攻击的一种相对简单的方法. Requiring multiple forms of authentication among multiple devices can help to fend off the bulk of attempted attacks. 从企业的角度来看, the challenge will be pushing MFA software out to an entire employee base 和 hoping they adopt this critical practice of safeguarding the business.
Even though it seems like common knowledge to implement these rather simple security checks, there are still many businesses around the world that are lacking in proper password or credentialing hygiene practices like MFA.
It's disappointing 和 frightening when threat actors are able to turn a security protocol like Kerberos into a tool for stealing data. It doesn’t mean the tooling should be cast aside; indeed, Kerberos是在不安全的环境中保证用户安全的关键工具.
如上所述, implementing a detection tool to thwart threat actors early is an effective countermeasure that can keep this important authentication protocol safe. 例如, InsightIDR from Rapid7 can continuously baseline user activity so that suspicious activity is detected easier 和 faster.
It can also leverage external threat intelligence critical to detections beyond the network perimeter. 这考虑了最近的网络端点的深度 黑暗的网络. Regardless of the product or solution a security organization chooses to employ in service of thwarting Kerberoasting 和 APT actors, it’s important to consider it’s easier than ever to infiltrate a network when masquerading as an employee.
这通常是如何执行的? 当然是通过偷来的证件. 这就是为什么持续分析是如此重要 用户和实体行为分析 通过网络将活动连接到特定用户. 如果用户的行为不寻常,分析师会很快发现并进行调查. It could also be a real employee who – knowingly or unknowingly – presents some kind of risk.