Going for Gold – Why Hackers Are Looking For Active Directory Golden Tickets


By Matt Lock, Director of Sales Engineers, Varonis

Any business that has more than a handful of employees is likely to have a reasonable amount of physical property that needs locking up – safes, individual offices, equipment, garages and, not least, of all the outside doors and windows to the premises. In order to make sure that everyone in the organization can access what they need to, particularly in the event of a keyholder being on holiday or off ill, a copy of all the keys is likely to be held in a central place. This will ideally be a lockbox, to which only a couple of trusted employees have a key.

To burglars, these lockbox keys offer unfettered access to an organization’s entire estate. If they can get hold of one key, no matter how hard this might be, they are able to get hold of every key.

In the digital world, the equivalent of the lockbox key is the credentials of the data administrator on an organization’s Active Directory, known as a ‘Golden Ticket’. This provides threat actors with permission to access anything and everything on an organization’s network – files, logins, system settings and so on. As in the real world, gaining such a level of access is rare, but potentially catastrophic for an organization.

However, even if they gain lower-level access to Active Directory, threat actors can start working their way through a system and escalating their privileges until they hit the motherlode. In fact, Active Directory is critical to every step of the cyber kill chain from reconnaissance, to denial of service, to exfiltration.

Knowing your weaknesses

Active Directory employs Kerberos as its primary authentication security mechanism. Kerberos uses tickets, also known as Ticket Granting Tickets (TGTs), to authenticate users. While Kerberos offers incredibly powerful protection through strong cryptography and third-party ticket authorization, there are still a number of vulnerabilities threat actors can exploit to access Active Directory.

Aside from the Golden Ticket attack mentioned above, popular Active Directory attack methods are Pass the Hash, Pass the Ticket and the Silver Ticket. Many of Active Directory’s vulnerabilities are down to the almost archaic NTLM encryption, which is very weak by today’s standards. For instance, in Pass the Hash, threat actors can use brute force to uncover the password of an NTLM hash to authenticate to Active Directory. In fact, to perpetrate a Golden Ticket attack, cybercriminals need the NTLM hash of the hidden KRBTGT account that encrypts the authentication tokens to the domain controllers.

Aside from the technical weak points, threat actors will try to exploit the human element to break into an organization’s systems. When looking to extract login credentials from staff, cybercriminals will use deceptive emails that either contain malicious links and attachments or purport to be from someone official demanding a username and password.

Proactive security

There are a number of steps an organization can take to prevent cybercriminals from accessing their Active Directory and stealing the keys to the kingdom. The first is to know everything there is to know about your own Active Directory. What are the naming conventions? Security policies? Who are the users? And so on. Knowledge is power, and having this information to hand means that you are better placed to protect Active Directory.

This knowledge must be kept up to date with the use of regular monitoring so that any unusual logins or changes can be spotted and acted upon. To monitor everything on Active Directory in a thorough and timely way would be almost impossible to manage manually. Fortunately, automation can serve as a watchdog and alert the security team to any suspicious behavior or activity.

Also worth considering is placing those valuable domain controllers on servers that are not directly connected to the internet. This makes life harder for attackers, as their lateral movement and potential to escalate privileges will be curtailed.

On the subject of privilege, organizations should implement a policy of ‘least privilege’. This states that staff only have access to those files and folders necessary to do their jobs. ‘Least privilege’ restricts the ability of cybercriminals to move through a network as each account is limited in what it can access.

A multi-layered approach

Even with the best cybersecurity tech in the world, threat actors will still try to break into a system by preying on human weakness. To mitigate this, staff need to be trained to become cybersecurity aware, including how to create strong passwords and to recognize the traits of a phishing attack.

As a further layer of defense, system administrators should have an account for day-to-day use and one specifically for performing system changes. Such admin accounts should be restricted to assigned systems to limit the potential of cybercriminals accessing an entire network by breaking into just one account.
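The automated watchdog described under "Proactive security" and the restriction of admin accounts to assigned systems described just above can both be checked from the domain controller's own audit trail. The following is an added example, not Varonis code: it runs over constructed, simplified records in the shape of Windows Security events 4768 (TGT issued) and 4769 (service ticket requested) and flags an account presenting service tickets although the KDC never issued it a TGT (what a forged Golden Ticket looks like from the domain controller's side), plus an admin account reaching systems outside a hypothetical assigned-scope policy.

```python
"""Toy Active Directory watchdog (added example, not from the article).

The event shape and the ADMIN_SCOPE policy are assumptions; a real
version would read the Security log and window the TGT check by time
and ticket lifetime rather than over the whole batch.
"""

# Constructed sample records: (event_id, account, client_ip, service).
# 4768 = Kerberos TGT issued by the KDC, 4769 = service ticket requested.
SAMPLE_EVENTS = [
    (4768, "alice", "10.0.0.12", "krbtgt"),
    (4769, "alice", "10.0.0.12", "cifs/fileserver01"),
    (4769, "mallory", "10.0.0.77", "cifs/fileserver01"),  # no 4768 for mallory
    (4768, "adm-bob", "10.0.0.40", "krbtgt"),
    (4769, "adm-bob", "10.0.0.40", "cifs/fileserver01"),  # outside adm-bob's scope
    (4769, "adm-bob", "10.0.0.40", "host/dc01"),
]

# Hypothetical policy: the only systems each admin account is assigned to.
ADMIN_SCOPE = {"adm-bob": {"host/dc01"}}


def find_unissued_tickets(events):
    """Accounts using service tickets although the DC logged no TGT for them.

    A genuine logon always starts with the KDC issuing a TGT (4768); a
    ticket forged with the KRBTGT hash skips that step, so the 4769s
    appear with no matching 4768 in the DC's own records.
    """
    tgt_issued = {acct for eid, acct, _, _ in events if eid == 4768}
    return sorted({acct for eid, acct, _, _ in events
                   if eid == 4769 and acct not in tgt_issued})


def find_out_of_scope_admin_use(events, scope=ADMIN_SCOPE):
    """Admin accounts requesting tickets for systems outside their assigned set."""
    hits = []
    for eid, acct, _, service in events:
        if eid == 4769 and acct in scope and service not in scope[acct]:
            hits.append((acct, service))
    return hits


if __name__ == "__main__":
    print("no TGT issued:", find_unissued_tickets(SAMPLE_EVENTS))
    print("admin out of scope:", find_out_of_scope_admin_use(SAMPLE_EVENTS))
```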

By proactively implementing this multi-layered approach to cybersecurity, businesses can ensure cybercriminals don’t strike gold in their efforts to access Active Directory.

About the Author

Matt Lock, Director of Sales Engineers, Varonis. Matt has more than 17 years’ experience in the field of Network Security, which includes extensive contracts with many global businesses, including BP and JPMorgan. Specialising in risk assessment, risk management, policy compliance, security reviews and managing network behaviour anomaly systems, Matthew now leads Varonis’ sales engineering team in the UK, Ireland and Middle East, ensuring the team is helping customers and partners from a range of sectors in data governance projects, and organizing, securing and managing their unstructured data. Matt can be reached at @Varonis and at our company website https://www.varonis.com/