Preempt Blog

Preempt is happy to release version 3.1, available today! Included in the release are a brand new security assessment dashboard, exciting features offering more visibility and better password and network security, new technology partners and product integrations, and a free lightweight tool. Let’s delve into what you can expect with this release.

Logs. At best: They’re a vital part of your information security strategy to “find the bad." At worst: They’re a nightmare to manage — especially when they take up so much storage space! Of course, we all have numerous regulations to thank for the privilege of storing our logs for what seems like eternity. Perhaps you’re bound to regulations or frameworks such as PCI (one year minimum), HIPAA (open to interpretation, but many suggest 6 YEARS to be safe), NIST, COBIT, and so many others.

Whatever your reasons are, logs have become increasingly problematic as more and more data sources require a higher volume of storage.

Organizations often have incomplete views of who is accessing what, when, where and how across multiple applications and systems. Understanding a user and their behavior is critical to understanding corporate security risk. In an interview in Security Weekly's Business Security Weekly July 22 podcast, Preempt CEO Ajit Sancheti explains why organizations need to secure identity with conditional access, which allows security teams to take the appropriate remediation steps based on the level of risk.

You’re a good administrator, and you don’t take shortcuts. You adhere to information security best practices whenever possible, and you take that responsibility seriously.

With that said, a hidden setting in a Windows 10 implementation scenario might result in a precarious setup – one in which every computer in your network can be accessed with the same password. In other words, a hacker would only need to steal a single credential in order to obtain the keys to your entire kingdom. Due to an upcoming change in the Windows platform, there’s a good chance that this could happen to you – here’s how to avoid it.

On July 2019 Patch Tuesday, Microsoft released a patch for CVE-2019-1126, an important vulnerability discovered by Preempt Research Labs. The vulnerability discovered leads to security issues that create a wide scale denial-of-service against exposed organizations, and potentially, identity compromise.

While Microsoft only released one patch, we believe there are two vulnerabilities that allow attackers to remotely launch brute-force attacks on AD FS servers from the outside of the network. Attackers can bypass the Extranet Lockout Protection security feature and also bypass the Microsoft AD lockout policy(!) in certain scenarios. The implications vary between account compromise (due to weak passwords) or a massive denial-of-service to all domain accounts. All AD FS versions are vulnerable.

Read the press release

In the hustle and bustle of our modern world, we can all get easily lost in the noise. One kind of noise is most frustrating for security teams: the noise of security incidents. With more and more data feeds into your security analytics products, it seems like we are creating more problems for ourselves with the all of the alerts and not enough manpower. 

Enterprises struggle to understand what is truly going on in their organization: what their users are doing and how to stop risky activity. Add in the complexity of a hybrid cloud environment, multiple legacy systems, unmanaged endpoints, and unsanctioned applications, and it's no wonder organizations struggle to get the insight needed to make real-time decisions and stop risky and potentially malicious activity. 

Preempt has always prioritized the need for contextual insight about threats and risk, using that information to enforce conditional MFA to every access attempt so that organizations can get a better grasp on security. In doing so, Preempt has partnered with Ping to give security teams the ability to extend conditional MFA to any network resource as well as any Ping-federated application on-premises or in the cloud.

As our research team continues to find vulnerabilities in Microsoft that bypass all major NTLM protection mechanisms, we start to wonder about the successor protocol that replaced NTLM in Windows versions above Windows 2000.

Enter Kerberos. Every child who grew up playing Dungeons and Dragons learned about the mythical creature of Kerberos (also known as Cerberus in Ancient Greek mythology)  - a three headed dog who guards the gates of Hell and prevents dead souls from returning to the world of the living.  

While that memory is nostalgic, most security professionals know Kerberos as a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.

As announced in our recent security advisory, Preempt researchers discovered how to bypass the Enhanced Protection for Authentication (EPA) mechanism to successfully launch NTLM relay attacks on any server that supports WIA (Windows Integrated Authentication) over TLS.

As announced in our recent security advisory, Preempt researchers discovered how to bypass the MIC (Message Integrity Code) protection on NTLM authentication and modify any field in the NTLM message flow, including the signing requirement. This bypass allows attackers to relay authentication attempts which have negotiated signing to another server while entirely removing the signing requirement. All servers which do not enforce signing are vulnerable.