Securing the Business Network from Successful Kerberoasting Attacks

Kerberoasting is one of the most effective attacks that cybercriminals use as a vector against Microsoft Active Directory (AD).

Threat actors leverage this vector to steal credentials for user and service accounts to infiltrate the IT infrastructure and extract data without a secure service desk. CISOs should consider setting stringent password practices and protocols to protect the organization from various threats. Cybercriminals leverage this attack approach to steal and crack service account password hashes and use them in lateral attacks.

Here are a few ways how the Keber-roasting attacks work and how to protect the IT infrastructure from a full-blown attack:

Service account extraction

As service accounts are not assigned to any resource, it is just utilized to execute applications and services; they are privileged user accounts. Many organizations rarely change their credentials to all service accounts. Moreover, the SecOps teams also rarely track these accounts.

Hence, attackers have been looking out for a compromised service account for a long time to infiltrate the business network. All the service incidents have a unique identifier known as a Service Principal Name (SPN), which has data about the account’s usability and its location.

Validated users can log in to an AD domain and raise a request for a ticket-granting service (TGS) ticket to accessing any service account by defining the SPN value. Cybercriminals can steal a service account’s password hash and execute brute force attacks to get a plaintext password with minimum risk of being identified or locked out of the account.

Also Read: How SOC Automation Solutions Can Address Complexity and Boost Performance

Securing active directories from service account extraction

CISO should consider determining all the existing service accounts and their usability. SecOps teams can create an inventory of such accounts and the data they store in them. Moreover, it is crucial to map which all users have access to the service accounts and what all services or applications they can access.

SecOps teams need to set a documentation process that states when the service accounts need to be reviewed, deactivated, or deleted. It is crucial to grant the least privilege access to the service accounts to execute their task and ensure the default service account passwords are changed.

Leveraging an automated password management solution will enable enterprises to ensure the credentials are changed periodically. Enterprises’ security posture needs to have tools that automatically identify and manages inactive service accounts. Additionally, integrates robust real-time auditing tools that track suspicious activities in the active directory.

Golden ticket attack approach

Malicious actors leverage the golden ticket attack to compromise an Active Directory Key Distribution Service Account (KRBTGT) and exploit it to create Kerberos Ticket Granting Ticket (TGT). They use this vector to access any resource on the AD domain without notifying the defenders.

All Kerberroastng attacks first gain access to a legitimate user account with privileges that have access to the Domain Controller (DC). Attackers infiltrate a privileged user account with malware to steal credentials through phishing attacks or exploit other vulnerabilities.

Also Read: Four Roadblocks to Employing Password Less Authentication

Securing IT infrastructure from Golden ticket attack

As the golden ticket attack can only be full-blown if the threat actor is successful in gaining access to a user account with privileges. CISOs should consider implementing an initial line of defense throughout the organization to secure themselves from various phishing threats and other infiltration attacks.

Training the entire workforce, stakeholders, and customers to detect suspicious phishing emails will help to minimize the risk. Golden ticket attacks depend on Mimikatz to dump credentials hash for the KRBTGT account.

CISOs should consider ensuring all the operating systems are updated, and the storage of plain text passwords in the active directory is disabled to secure the business network from successful Kerberoasting attacks.