Page 74 - Cyber Defense eMagazine September 2022

The name says it all

            The golden ticket concept comes from Kerberos, the authentication protocol that Microsoft Active
            Directory relies on. Kerberos is built around a Key Distribution Center (KDC), hosted on every domain
            controller, which issues tickets that let users and services prove their identity to one another. Tickets
            and the authenticators that accompany them are protected with symmetric (shared-secret) cryptography,
            so an attacker who captures Kerberos traffic on the network cannot read or alter them in transit.

            When a user first authenticates, the KDC issues a ticket granting ticket (TGT) that carries a session
            key and a validity window (start and end times) bounding how long the ticket may be used. The client
            presents that TGT back to the KDC to obtain service tickets for other resources in the environment, so
            the TGT effectively serves as proof that the user has already been authenticated. Every TGT is encrypted
            and signed with the secret key of the KRBTGT account, which is derived from that account's password
            hash. A TGT forged with that key is the so-called golden ticket.

            An attacker who obtains the KRBTGT hash can therefore mint a TGT for any user, including accounts
            that do not even exist, with whatever group memberships and lifetime they choose, giving them unfettered
            access across the domain. To forge one they need only four pieces of information:

               •  The Fully Qualified Domain Name (FQDN) of the domain
               •  The Security Identifier (SID) of the domain
               •  The username of the account they plan to impersonate
               •  The KRBTGT password hash



            Depending on how an organization manages privileged access, attackers either collect all four or are
            stopped partway through the attack. If they succeed, they hold a golden ticket they can use to carry out
            data breaches, ransomware attacks, and more.

            What makes this attack so powerful and concerning is its persistence. The KDC validates a forged TGT
            with the KRBTGT key, not with the impersonated user's password, so attackers can keep abusing the
            identity and moving laterally across systems with Kerberos tickets even after the account has been
            flagged as compromised and its credentials have been reset. Only resetting the KRBTGT password
            invalidates the forged tickets, and it has to be reset twice, with replication allowed to complete in
            between, because the KDC still accepts tickets issued under the previous KRBTGT key.
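            Two checks follow directly from this: how stale the KRBTGT key is (an old key means any hash stolen
            in the past still mints valid tickets), and whether any ticket in the local cache has a lifetime longer
            than Kerberos policy allows, since forged TGTs are routinely given lifetimes far beyond the 10-hour
            default. The script below is an added example in PowerShell, not code from the article; it assumes the
            ActiveDirectory RSAT module, a domain-joined session, and English-language klist.exe output, and the
            180-day rotation threshold is an assumption, not a value the article states.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory RSAT module,
# a domain-joined session, and English klist.exe output.
Import-Module ActiveDirectory

function Get-KrbtgtKeyAge {
    param(
        # Assumption: treat a KRBTGT key older than this many days as overdue for rotation.
        [int]$MaxAgeDays = 180
    )
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [math]::Round($age.TotalDays)
        Overdue         = $age.TotalDays -gt $MaxAgeDays
    }
}

function Get-LongLivedTickets {
    param(
        # Default Kerberos policy value for "Maximum lifetime for user ticket" is 10 hours.
        [int]$MaxTicketAgeHours = 10,
        # Accept klist text as a parameter so output captured from another host can be analysed too.
        [string]$KlistText = ((klist.exe) -join "`n")
    )
    # Each cached ticket begins with a line such as "#0>"; split the output into those blocks
    # and drop the "Current LogonId" header, which carries no Server: line.
    $blocks = $KlistText -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' }
    foreach ($b in $blocks) {
        $server = [regex]::Match($b, 'Server:\s+(\S+)').Groups[1].Value
        $start  = [regex]::Match($b, 'Start Time:\s+(.+?)\s+\(local\)').Groups[1].Value
        $end    = [regex]::Match($b, 'End Time:\s+(.+?)\s+\(local\)').Groups[1].Value
        if (-not $start -or -not $end) { continue }
        $lifetime = [datetime]::Parse($end) - [datetime]::Parse($start)
        # A ticket valid for longer than policy permits was not issued by a policy-abiding KDC.
        if ($lifetime.TotalHours -gt $MaxTicketAgeHours) {
            [pscustomobject]@{
                Server        = $server
                StartTime     = $start
                EndTime       = $end
                LifetimeHours = [math]::Round($lifetime.TotalHours, 1)
            }
        }
    }
}

Get-KrbtgtKeyAge
Get-LongLivedTickets
```

            Run Get-KrbtgtKeyAge on a domain controller; Get-LongLivedTickets is meant for the workstation or
            server under investigation, and because it takes the klist text as a parameter it can also be pointed
            at output collected by an EDR script. A ticket for krbtgt/DOMAIN with a multi-year lifetime is the
            textbook sign of a golden ticket and should be treated as a confirmed KRBTGT compromise, not a
            single-account incident.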



            Strategies to defend against golden ticket attacks

            Golden ticket attacks are one of the most egregious examples of these trends. With a golden ticket in
            hand, hackers can appear as any user or be granted the permissions of any role in Active Directory,
            giving them free rein over your environment.

            While there is no way to completely prevent golden ticket attacks, there are precautions you can take
            to make the KRBTGT hash harder to obtain and to limit what an attacker can do with it. These include:



               1.  Reduce the number of privileged administrators. The fewer there are, the less privileged
                   account exposure you risk. You can also implement “Just Enough Admin” and “Just in Time”
                   access for administrators to further limit privilege for those accounts and contain any attacker
                   who gains access to them.
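            The starting point for this step is knowing who actually holds domain-admin-level privilege, nested
            group memberships included, and which of those accounts are dormant. The following is an added example
            in PowerShell, not code from the article; it assumes the ActiveDirectory RSAT module and a session with
            read access to the domain, and both the list of groups treated as Tier 0 and the 90-day staleness
            threshold are assumptions to tune to your own tiering model.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory RSAT module and a
# session with read access to the domain.
Import-Module ActiveDirectory

function Get-PrivilegedAccountInventory {
    param(
        # Assumption: the built-in groups treated here as Tier 0; extend with your own admin groups.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators'),
        # Assumption: a privileged account unused for this many days is a removal candidate.
        [int]$StaleDays = 90
    )
    $seen = @{}
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so members reached only through nesting are counted too.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $sid = $m.SID.Value
            if (-not $seen.ContainsKey($sid)) {
                $u = Get-ADUser -Identity $sid -Properties Enabled, LastLogonDate, PasswordLastSet
                $seen[$sid] = [pscustomobject]@{
                    SamAccountName  = $u.SamAccountName
                    Enabled         = $u.Enabled
                    LastLogonDate   = $u.LastLogonDate
                    PasswordLastSet = $u.PasswordLastSet
                    Stale           = ($null -eq $u.LastLogonDate) -or
                                      ($u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
                    Groups          = [System.Collections.Generic.List[string]]::new()
                }
            }
            # Record every privileged group the account reaches, directly or through nesting.
            $seen[$sid].Groups.Add($g)
        }
    }
    $seen.Values | Sort-Object SamAccountName
}

$inventory = Get-PrivilegedAccountInventory
"{0} distinct privileged accounts, {1} stale" -f $inventory.Count, @($inventory | Where-Object Stale).Count
$inventory | Format-Table SamAccountName, Enabled, LastLogonDate, Stale,
    @{ n = 'Groups'; e = { $_.Groups -join ', ' } }
```

            The first number is the figure this step asks you to drive down; stale and disabled-but-still-member
            accounts are the easiest removals, and any account appearing in several groups at once is a candidate
            for replacement with a scoped JEA role instead of standing group membership.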




            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.