Preventing lateral movement and unauthorized domain access due to the misuse of network credentials - especially due to reconnaissance tools looking for weak spots - is a challenge plaguing many enterprises. In fact, it’s a decades-old security problem. A major issue for enterprises has been how to detect and contain the use of reconnaissance tools like BloodHound, authentication protocols such as NTLM, DCE/RPC, Kerberos and Lightweight Directory Access Protocol (LDAP), as well as other IT tools like PsExec and Powershell that are being misused or exploited by attackers.
Misuse or exploitation of these tools can be hard to differentiate due to malicious actions often resembling usual network activity - often exacerbated by SOCs being overwhelmed by false alerts and other drains on their productivity. In this blog, we’ll discuss how these tools are being used, how to understand the phases of an attack and how enterprises can now detect and contain these threats.
Let’s look at the cyber kill chain
You can see the Anatomy of an APT (Advanced Persistent Threat) Attack below. In the reconnaissance phase, attackers are looking for weak spots to move laterally or escalate their privileges within the network. (Note: initial recon can also include social media searches, social engineering, and basic online research.) When the attacker gets an entry point to the network, it is critical for an enterprise to take action as soon as this activity is detected. It’s similarly important to disrupt the attacker at the earliest point possible of the cyber kill chain to avoid damages, from exfiltration of data to financial and brand reputation loss.
To disrupt the cyber kill chain, we need to be able to detect the use of reconnaissance tools like Bloodhound. In a nutshell, Bloodhound is a tool to analyze and understand Active Directory Trust Relationships, which can in turn be used to escalate privileges and widen the scope of the breach. If you detect someone running Bloodhound, it’s almost certainly an indication of someone doing malicious things on your network (or pentesting): the tool is commonly used at the recon phase of a breach, finding exposed or less secure privileged accounts. Having visibility into vulnerable parts of the network and the ability to detect Bloodhound can make it a lot less efficient.
Lateral Movement, Privilege Escalation and Exploitation
Once attackers compromise an endpoint, they don’t immediately need an administrative or privileged account to do considerable damage. Instead, in the lateral movement and privilege escalation phase, attackers are able to move within the environment to determine and exploit where weak points exist. Given that Active Directory is usually the container for all accounts within the system and that, by default, all users have read permissions to all accounts in the directory , attackers can use read operations to explore the system and ascertain where the users with greater permissions are based. They can then use tools for privilege escalation purposes like PsExec and PowerShell to further exploit accounts with greater credentials than their entry point.
One common strategy to exploit accounts is Pass The Hash: Once an attacker takes control over a system, they will harvest all the credentials from that system. In many situations, user accounts are over-privileged and spread throughout the network, allowing an attacker that infected a single machine to move laterally and infect many other systems. Another technique is exploiting authentication protocol vulnerabilities. NTLM, for instance, is a common target for attack methods such as NTLM relay and password cracking (see our previous writing on the topic). And while Kerberos is the default protocol since Windows 2000, NTLM is still widely used and many enterprises are unable to completely jump ship from NTLM . Even the newer Kerberos protocol is vulnerable to techniques such as Kerberoasting, a way to crack passwords by issuing special Kerberos service tickets. An attacker with network access can brute-force passwords for accounts with weak passwords either directly or using the weak points in Kerberos and NTLM described above.
PsExec and PowerShell are common tools for both lateral movement and exploitation. While PsExec is very commonly used by IT teams, it also allows malicious actors to execute programs remotely as part of the critical phases of an attack. Similar to PsExec, PowerShell is a legitimate IT tool – including task automation that can make IT teams highly efficient – but in the hands of an attacker it can wreak significant damage to a network environment. Monitoring how these tools are used, authenticated and deployed across an IT environment is critical to maintaining its security.
Preempt’s Role in Disrupting the Cyber Kill Chain
At Preempt, we have a lot of “day one” anecdotes about our platform discovering and addressing potentially-fatal vulnerabilities or determining sources of breaches within hours. For one financial institution, the first day that Preempt was installed, it alerted the enterprise about one domain admin credential that was actually installed in 40% of endpoints in the network. Any attacker, even a novice, could have compromised the entire system in one day (we fixed that). In many cases, these instances can be avoided by designing a security posture that factors into account each phase of a potential attack.
Preempt covers the entire spectrum, from prevention to detection to response. As an example, to tackle Bloodhound, our platform alerts stealthy admins before they are detected by attackers. We also detect anomalous LDAP activity to alert on Bloodhound. On the response front, we allow you to implement policies that stop the lateral movement of an attacker.
Our prevention, detection and response capabilities apply to Kerberoasting attacks as well: we provide alerts to users and admins with SPNs as they could be Kerberoasted, and we detect anomalous LDAP activity to alert on impacket and other tools.
By having the ability to detect and contain malicious use of tools and protocols (see our recent announcement here), Preempt covers the full spectrum of the cyber kill chain and protects enterprises from lateral movement and exploitation of the most common and devastating attack paths. The Preempt Platform makes the use of Bloodhound and other tools a lot less efficient - even before they’re deployed - by addressing the very vulnerabilities these reconnaissance tools are looking for. For example: once you’ve installed Preempt, you automatically receive insights into vulnerable areas within your network, from weak and exposed passwords to stealthy admins and unpatched or legacy operating systems. Preempt also provides insights and alerts around SPNs, impacket and other Kerberoasting software. Additionally, Preempt can block password cracking altogether with policies, while detecting Bloodhound and other recon software.
Preempt is now the only company handling decryption of the protocol in real-time for threat detection and real-time prevention. Our Identity and Access Threat Prevention platform empowers organizations to preempt security incidents and threats in real-time, gain unified visibility of accounts across all platforms and increase the efficiency of their security operations.(For more: see our case study on how we helped a Fortune 500 enterprise respond to a malicious attacker.)Learn more by signing up for our on-demand webinar: Taking the Hacker’s Toys Away – Analyzing the Top Attacker Tools and How You Can Stop Them.