What is Kerberoasting?

A Kerberoasting attack is a method by which attackers obtain Active Directory account credentials and then leverage those credentials to steal data. The term Kerberoasting is a play on words, as it takes advantage of Kerberos, a network authentication protocol used to ensure that authentication requests between clients and services remain secure over untrusted networks such as the Internet.

In a Kerberoasting attack, a threat actor uses stolen credentials to obtain encrypted messages and then decrypts them offline. Making it more difficult for threat actors to gain access, i.e. to escalate privileges, is one way to fend off a Kerberoasting attack, but an attacker only needs to compromise a single user's account to gain the ability to access credentials.

Why Are Kerberoasting Attacks Prevalent?

Kerberoasting attacks are prevalent because they grant access to a user the system believes to be legitimate. Due to the lag time in discovering compromised or stolen credentials, the longer a threat actor can pose as a legitimate user of the network, the more time that person or group has to poke around and access or steal data as they please.

In fact, the United States government's Cybersecurity and Infrastructure Security Agency (CISA) states that Kerberoasting is one of the most time-efficient ways to escalate privileges and move laterally and unrestricted across a network.

How Are Kerberoasting Attacks Carried Out?

Kerberoasting attacks work by leveraging the Kerberos authentication protocol to: 

  • Scan Active Directory (AD) for users with a Service Principal Name (SPN), a unique identifier that ties a service instance to the account it runs under
  • Request service tickets from AD for accounts with SPNs
  • Extract the tickets and save them locally/offline
  • Decrypt those tickets offline with the goal of obtaining password information
  • Use the retrieved passwords and credentials to authenticate to other network services
  • Move laterally and, for a time, unchecked throughout the network to steal critical data

Kerberoasting attacks don't require an administrator account or even elevated privileges. In fact, a particularly attractive aspect of this type of attack is that any domain user account can be used, because every account can request service tickets from the Ticket Granting Service (TGS).

Once an attacker has access to a user’s account, they typically can log in to any workstation in that domain – specifically, workstations running services that require Kerberos-enabled service accounts.

Subsequent actions such as lateral movement and exfiltration can happen right "under the noses" of the entire security organization and the business at large if an attacker is impersonating someone with elevated privileges; indeed, the elevated nature of an impersonation could leave the business extremely liable, even if the attacker is caught in a relatively short amount of time.

Unchecked lateral movement can be terrifying for any organization, which is why security tools that detect this subtle, malicious and dangerous behavior faster have become more important than ever.

Kerberoasting Attack Example

There are many different executions of Kerberoasting attacks, so let's zoom in on the inner workings of one execution in particular:

  • The threat actor performs reconnaissance to find the accounts they want to access.
  • The threat actor then requests tickets from the TGS in order to exfiltrate password data.
  • Next, the threat actor can proceed at a calmer pace, because this part happens offline: decrypting the passwords.
  • Once the threat actor obtains the desired set of passwords/credentials, they can authenticate to nearly any system or resource on the network that the TGS can reach and initiate communication with.
  • Post-authentication, the threat actor can compromise data and move laterally through the network until they are detected, if they are detected at all.

According to CISA, Kerberoasting is a preferred attack method of Russian state-sponsored advanced persistent threat (APT) actors, with the perpetrators having performed the Kerberoasting attack methodology discussed above.

Detecting and Preventing Kerberoasting Attacks

Once an attacker has gained access to a network under a properly credentialed profile, they theoretically can move laterally around the network with ease. In this way, if the data theft is carried out skilfully, detecting the malicious activity (especially amid a constant stream of false-positive alerts) may be no small task.

This high level of false positives is where aligning solely to MITRE recommendations can present a challenge. Additional steps should be taken to overcome this and filter out the excess noise. Rapid7's InsightIDR can help achieve this by:

  • Using machine learning (ML) to build a baseline of user activity in order to identify atypical request patterns
  • Providing an additional layer of validation focused on highly anomalous and potentially malicious activity
  • Limiting alerting to the signals most likely to be malicious, with all relevant user context included, in order to investigate the event more quickly and effectively
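To make the request-pattern baselining described above concrete, and to tie it back to the ticket-request step of the attack flow, here is an added example that is not Rapid7's code or part of the original page. It runs simple detection logic over constructed records shaped like Windows Security Event ID 4769 ("A Kerberos service ticket was requested"): service tickets issued with the legacy RC4 encryption type (0x17) for non-machine SPN accounts are flagged, and any user whose count of distinct SPNs requested exceeds a multiple of their constructed baseline is flagged as a burst. The account names, SPNs and baseline numbers are all made up.

```python
from collections import defaultdict

# Value of the 4769 TicketEncryptionType field for RC4-HMAC; tickets issued
# with this type are the ones most easily cracked offline.
RC4_HMAC = "0x17"

# Constructed sample records shaped like Windows Security Event ID 4769.
# Field names follow the event schema; the values are made up for this example.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice@CORP.LOCAL",   "ServiceName": "sql-svc",    "TicketEncryptionType": "0x12"},
    {"TargetUserName": "alice@CORP.LOCAL",   "ServiceName": "http-svc",   "TicketEncryptionType": "0x12"},
    {"TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "sql-svc",    "TicketEncryptionType": "0x17"},
    {"TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "http-svc",   "TicketEncryptionType": "0x17"},
    {"TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "backup-svc", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "mssql2-svc", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "WS01$",      "TicketEncryptionType": "0x17"},
    {"TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x17"},
]

# Constructed per-user baseline: how many distinct SPNs each user normally
# requests tickets for in a day (what an ML baseline would learn over time).
BASELINE_DISTINCT_SPNS = {"alice@CORP.LOCAL": 2, "mallory@CORP.LOCAL": 1}


def is_roastable_target(service_name):
    """Only user accounts carrying an SPN are Kerberoasting targets: skip
    computer accounts (name ends in '$') and the krbtgt TGT service."""
    return not (service_name.endswith("$") or service_name.lower() == "krbtgt")


def detect_kerberoasting(events, baseline, multiplier=3):
    """Return findings: one 'rc4_ticket' per RC4 ticket for a roastable SPN, plus
    one 'spn_burst' per user whose distinct-SPN count is at least `multiplier`
    times their baseline (users absent from the baseline default to 1)."""
    findings = []
    spns_by_user = defaultdict(set)
    for ev in events:
        user, spn, etype = ev["TargetUserName"], ev["ServiceName"], ev["TicketEncryptionType"]
        if not is_roastable_target(spn):
            continue
        spns_by_user[user].add(spn)
        if etype == RC4_HMAC:
            findings.append({"type": "rc4_ticket", "user": user, "spn": spn})
    for user, spns in spns_by_user.items():
        if len(spns) >= multiplier * baseline.get(user, 1):
            findings.append({"type": "spn_burst", "user": user, "count": len(spns)})
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_EVENTS, BASELINE_DISTINCT_SPNS):
        print(finding)
```

On the sample data alice's AES tickets produce nothing, while mallory generates four RC4 findings and one burst finding; the machine-account and krbtgt requests are ignored so they do not inflate either signal.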

Preventing Kerberoasting attacks can be achieved in many ways, but the most important is ensuring good password hygiene across the entire organization. The key is to use randomly generated credentials and to lock down accounts with elevated privileges as tightly as possible.

How to Respond to a Kerberoasting Attack

Now, let's turn our attention to the proper response when a Kerberoasting attack in progress is detected. Of course, it's easy to imagine the worst-case scenario: a threat actor impersonating a properly credentialed individual, holding access for a long time and possibly having stolen far too much data.

After a few deep breaths, the following steps can help you respond appropriately:

  • Consider partnering with a detection and response vendor to gain advanced expertise for faster attack remediation.
  • Change all account credentials and enable multi-factor authentication (MFA), as well as establishing least privilege access (LPA).
  • Replace user accounts with Group Managed Service Accounts.
  • Define the overall security policy setting for Network Security and ensure it is as risk-free as possible.

MFA is one relatively easy way to avoid a Kerberoasting attack. Requiring multiple forms of authentication across multiple devices can help fend off a large number of attack attempts. From the enterprise perspective, the challenge will be rolling MFA software out to the entire employee base and hoping they adopt this critical practice for protecting the business.

Even though it seems like common knowledge to implement these rather simple security checks, many businesses around the world still lack proper password hygiene or authentication hygiene measures like MFA.

Kerberoasting Attacks: Summary

It is disappointing and frightening when a threat actor is able to turn a security protocol like Kerberos into a tool for stealing data. It doesn't mean the tooling should be cast aside; indeed, Kerberos is a critical tool for keeping users safe and secure in a non-secure environment.

As mentioned above, implementing detection tooling to stop threat actors as early as possible is an effective countermeasure that can keep this critical authentication protocol secure. For example, Rapid7's InsightIDR continuously baselines user activity so that suspicious activity can be detected more easily and more quickly.

It can also leverage external threat intelligence, which is essential for detection beyond the network perimeter. This takes into account everything from the nearest network endpoint to the depths of the dark web. Whichever product or solution a security organization chooses to stop Kerberoasting and APT actors, it is important to consider that entering a network disguised as an employee is easier than ever.

How is this usually carried out? Through stolen credentials, of course. That's why it's so important to continuously analyze user and entity behavior analytics (UEBA) to connect activity across a network to specific users. If a user behaves in a way that's unusual, analysts see it fast and investigate. It could also be a genuine employee, intentionally or unintentionally, introducing some kind of risk.

Read More About Kerberoasting

Rapid7 Takes Next Step in AI Innovation with New AI-Powered Threat Detections

Learn more about how to identify an attack with Rapid7's solution