Targeted attacks by determined adversaries (also known as Advanced Persistent Threats or APTs) have been a hot topic recently. Although targeted attacks continue to make up a small fraction of the attacks we see today, reports of attacks targeting organisations and governments have attracted a lot of attention. We know that one of the first things determined adversaries do if they are able to successfully compromise their target organisation's network is to try to compromise the organisation's directory services.
The reason is clear: a directory service contains the credentials that users, administrators and systems use to authenticate to the network and get access to the organisation's resources. If attackers are able to obtain administrative access to Active Directory, the organisation becomes completely compromised.
In a large number of the targeted attacks we have seen, attackers have attempted to use a "Pass-the-Hash" (PtH) technique to get access to credentials.
PtH is an attack in which an attacker captures account logon credentials on one computer and then uses those captured credentials to authenticate to other computers on the network. It is important to recognise that this is the second stage of an attack: first the attacker must penetrate and compromise a computer to obtain credentials stored on that computer. A PtH attack is very similar in concept to a password theft attack, but it relies on stealing and reusing password hash values rather than the actual plaintext password. The password hash value, which is a one-way mathematical representation of a password, can be used directly as an authenticator to access services as that user through Single Sign-On (SSO) authentication.
The whitepaper released today details practical and effective mitigations to help prevent PtH attacks. It rates their effectiveness and the effort required, and details whether each one blocks privilege escalation and/or lateral movement. Based on our analysis, there are three primary mitigation strategies we recommend to help defend against PtH attacks using currently available security mechanisms on our Windows operating system.
Mitigation #1 - Restrict and protect high privileged domain accounts - Restricts the ability of administrators to inadvertently expose privileged credentials to higher risk computers.
Mitigation #2 - Restrict and protect local accounts with administrative privileges - Restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.
Mitigation #3 - Restrict inbound traffic using the Windows Firewall - Restricts attackers from initiating lateral movement from a compromised workstation by blocking inbound connections on all workstations with the local Windows Firewall.
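To check whether the three mitigations are actually in force, logon records can be audited for the behaviour each one is meant to prevent. The sketch below is an added example, not taken from the whitepaper; the record layout is a simplified, assumed form of the fields in Windows Security event 4624, and all host names, account names and the inventory sets are constructed.

```python
from dataclasses import dataclass

NETWORK_LOGON = 3  # Windows logon type 3 = network logon

@dataclass(frozen=True)
class Logon:
    target: str      # computer that recorded the logon
    source: str      # computer the logon came from ("" for a console logon)
    domain: str      # account domain; equals the computer name for a local account
    account: str
    logon_type: int  # 2 = interactive, 3 = network, 10 = remote interactive

# Constructed inventory (assumption): workstation names and privileged domain accounts.
WORKSTATIONS = {"WS01", "WS02", "WS03"}
PRIVILEGED = {("CORP", "da-alice")}

def findings(ev: Logon) -> list[str]:
    """Return the mitigations (M1..M3) that this logon shows are not in force."""
    out = []
    on_ws = ev.target.upper() in WORKSTATIONS
    # M1: a privileged domain credential was exposed on a higher risk computer.
    if on_ws and (ev.domain.upper(), ev.account.lower()) in PRIVILEGED:
        out.append("M1")
    # M2: a local account (domain == computer name) was used over the network.
    if ev.logon_type == NETWORK_LOGON and ev.domain.upper() == ev.target.upper():
        out.append("M2")
    # M3: an inbound workstation-to-workstation connection got as far as a logon.
    if on_ws and ev.logon_type == NETWORK_LOGON and ev.source.upper() in WORKSTATIONS:
        out.append("M3")
    return out

# Constructed sample records.
SAMPLE = [
    Logon("WS01", "", "CORP", "bob", 2),                # ordinary user at the console
    Logon("WS02", "", "CORP", "da-alice", 10),          # domain admin on a workstation
    Logon("WS03", "WS01", "WS03", "Administrator", 3),  # local admin, workstation to workstation
    Logon("DC01", "ADMIN01", "CORP", "da-alice", 3),    # admin host to domain controller
    Logon("WS02", "FILE01", "CORP", "svc-backup", 3),   # server to workstation, domain account
]

def report(events):
    """List (target, account, findings) for every record with at least one finding."""
    return [(e.target, e.account, f) for e in events if (f := findings(e))]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```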
This paper is designed to provide IT Professionals with clear, concise and actionable guidance that can be implemented within their organisation today to help protect against PtH attacks. The PtH mitigations in this paper were developed by a number of security teams across Microsoft including Microsoft Server and Tools Business, Microsoft Consulting Services (MCS), Microsoft IT Information Security and Risk Management, Microsoft Office 365 Security, Microsoft Windows Security and Identity Team, Interactive Entertainment Business and Microsoft Trustworthy Computing.
Matt Thomlinson is general manager, Trustworthy Computing, Microsoft.