The Powerful ‘Golden Ticket’ Attacks are Surging in Popularity – What You Need to Know
By David Levine, Director of Solution Architects, Remediant
Golden ticket attacks aren’t anything new to the cybersecurity industry, but the latest surge in successful attacks from the Chinese-speaking APT group, TA428, and other cyber espionage gangs, have served as a hard reminder for all on just how powerful these attacks can be. The incidents have also highlighted what aspects of an organization’s cyber health and readiness need to be prioritized.
It’s never a convenient time to experience a breach, but reducing the time it takes to detect the breach and the privilege sprawls an organization has can make a huge difference in how effective one is. As recorded in Verizon’s 2022 Data Breach Investigation Report (DBIR), the use of stolen credentials was one of the top ways attackers succeeded, and key among the culprits is privilege misuse, of which 80% is caused by privilege abuse, which is what lies core to the sophisticated golden ticket attack techniques.
The name says it all
The golden ticket concept arises from the Kerberos authorization technology used by Microsoft. Kerberos runs on a Key Distribution Center (KDC) that uses tickets to authenticate all parties, verifying their identity through nodes. The authentication process uses conventional shared secret cryptography that prevents attackers from reading or altering packets moving laterally across the network.
Every time the KDC authenticates a user, it issues a ticket granting ticket (TGT) with a unique session key and timestamp for how long the session is valid. Once authenticated, the TGT serves as proof that the user is legitimate, allowing them to access other resources within the environment. Each TGT is encrypted with a KRBTGT password hash, which is the so-called golden ticket.
If an attacker gains access to that hash, they can create a TGT and impersonate any user for any amount of time, giving them unfettered access across the domain. From there, they only need four pieces of information:
- The Fully Qualified Domain Name (FQDN) of the domain
- The Security Identifier (SID) of the domain
- The username of the account they plan to impersonate
- The KRBTGT password hash
And, depending on how an organization manages privileged access, attackers can either be successful – or be stopped in the middle of the attack. If they are successful in obtaining each one, attackers have a golden ticket to carry out data breaches, ransomware attacks, and more.
What makes this attack so powerful and concerning is how attackers can continue abusing an identity and moving laterally across systems with Kerberos tickets, even after the account has been flagged as compromised and its credentials have been reset.
Strategies to defend against golden ticket attacks
Golden ticket attacks are one of the most egregious examples of these trends. With a golden ticket in hand, hackers can appear as any user or be granted the permissions of any role in Active Directory, giving them free rein over your environment.
While there is no way to completely prevent golden ticket attacks, there are precautions you can take to close off this entry point from attackers. This includes:
- Reduce the number of privileged administrators. The fewer there are, the less privileged account exposure you risk. You can also implement “Just Enough Admin” and “Just in Time” access for administrators to further limit privilege for those accounts and contain any attacker who gains access to them.
- Control endpoint privileges. No regular user should ever have standing administrative rights on their device. At the same time, administrators shouldn’t be allowed to log on to end-user devices. That way, even if an attacker gains access to an endpoint, they won’t have the privileged credentials they need to expand the scope of their attack.
- Minimize standing privilege. Built on the principle of least privilege, Zero Standing Privilege (ZSP) is a new approach coined by Gartner that aims to eliminate all standing privilege and deliver only the minimum privilege required for the minimum amount of time. Adopting a Zero Trust Privileged Access model that includes ZSP and JITA can mitigate the risks of golden ticket attacks.
With geopolitical tensions at its height, critical infrastructure and supply chain organizations in particular need to be vigilant in containing the risk of stolen credentials and privilege abuse. In fact, the 2022 IBM Cost of a Data Breach Report found that almost 80% of critical infrastructure organizations studied don’t adopt zero trust strategies, even as “concerns over critical infrastructure targeting appear to be increasing globally over the past year.” Of the breaches against critical infrastructure organizations, 28% were ransomware and destructive attacks aimed at disrupting global supply chains. From standing privilege granted to internal users to access given to partners and other third parties, you can open yourself up to not only compromised credentials, but lateral attacks once attackers gain access to your environment.
Looking ahead, organizations need to take the proper steps to eliminate standing privilege and cut off attackers’ ability to move about their environment, as it may be our best move for tamping down increasingly bold attacks.
About the Author
David Levine CISSP, has over 20 years of experience in technology and cybersecurity and has published articles and blogs in these fields. David has held information security leadership roles at public traded companies, SMB’s, and startups.
David is currently the Director of Solution Architects at Remediant, in this role he leads Remediant’s Sales Engineering team and works closely with both the sales and engineering teams. He is responsible for the adoption and implementation efforts that secure and protect lateral movement and privileged access which is of utmost importance to both corporations and its customers. David has held many networking and ethical hacking certifications (sadly due to time constraints, some have expired).