10 Things You Need to Know About Kerberos

Posted by Eran Cohen on Jun 24, 2019 9:36:00 AM

As our research team continues to find vulnerabilities in Microsoft's NTLM that bypass all of its major protection mechanisms, we started to wonder about the successor protocol that replaced NTLM as the default authentication protocol in Windows 2000 and later.

Enter Kerberos. Every child who grew up playing Dungeons and Dragons learned about the mythical creature Kerberos (the Greek name; Cerberus in Latin), a three-headed dog who guards the gates of the underworld and prevents the dead from returning to the world of the living.

While that memory is nostalgic, most security professionals know Kerberos as the network authentication protocol that provides strong authentication for client/server applications using secret-key cryptography and a trusted third party, the Key Distribution Center (KDC).


Topics: Security Skills, NTLM, kerberos, Microsoft

How to Easily Bypass EPA to Compromise any Web Server that Supports Windows Integrated Authentication

Posted by Yaron Zinar on Jun 11, 2019 9:52:37 AM

As announced in our recent security advisory, Preempt researchers discovered how to bypass Extended Protection for Authentication (EPA), the channel-binding mechanism that is supposed to tie an NTLM exchange to the TLS session it travels over, and successfully launch NTLM relay attacks against any server that supports WIA (Windows Integrated Authentication) over TLS.


Topics: NTLM, Security Advisory, Microsoft

Drop the MIC - CVE-2019-1040

Posted by Marina Simakov on Jun 11, 2019 9:52:17 AM

As announced in our recent security advisory, Preempt researchers discovered how to bypass the MIC (Message Integrity Code) protection on NTLM authentication and modify any field in the NTLM message flow, including the signing requirement. This lets an attacker take an authentication attempt that negotiated signing and relay it to another server with the signing requirement removed entirely. Any server that does not itself enforce signing can be targeted.


Topics: NTLM, Security Advisory, Microsoft
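The two posts above turn on a handful of bytes in the NTLM AUTHENTICATE_MESSAGE: the negotiated signing flag, the 16-byte MIC, the "MIC present" bit that the client sets inside its HMAC-protected NTLMv2 response, and the channel-binding AV pair that EPA relies on. The following parser, added here as an example and not code from the Preempt posts, pulls those out of a message and flags the inconsistency a relay target must look for. The sample message is constructed with dummy hash values (it is not a real capture); the field layout follows MS-NLMP sections 2.2.1.3, 2.2.2.1 and 2.2.2.8.

```python
"""Inspect an NTLM AUTHENTICATE_MESSAGE (MS-NLMP type 3) for the integrity
fields discussed in the EPA and Drop-the-MIC advisories.  Added example;
the sample message below is constructed, with dummy hash values."""
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
MSV_AV_EOL, MSV_AV_FLAGS, MSV_AV_CHANNEL_BINDINGS = 0, 6, 10
MSV_AV_FLAG_MIC_PRESENT = 0x2        # MsvAvFlags bit: "this message carries a MIC"
FIELD_OFFSETS = range(12, 60, 8)     # six (Len, MaxLen, BufferOffset) descriptors
FULL_HEADER_LEN = 88                 # 64-byte header + 8-byte Version + 16-byte MIC


def _field(msg, off):
    """Return the payload bytes referenced by the field descriptor at msg[off]."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def parse_av_pairs(nt_response):
    """Walk the AV_PAIR list in an NTLMv2_RESPONSE: 16-byte NTProofStr, then a
    28-byte NTLMv2_CLIENT_CHALLENGE header, then (AvId, AvLen, Value) triples."""
    pairs, off = {}, 16 + 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", nt_response, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = nt_response[off:off + av_len]
        off += av_len


def inspect_authenticate(msg):
    """Summarise the integrity-relevant state of one AUTHENTICATE_MESSAGE."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # The MIC occupies bytes 72..88, so it can only exist if every non-empty
    # payload starts at or after offset 88.
    descriptors = [struct.unpack_from("<HHI", msg, o) for o in FIELD_OFFSETS]
    payload_start = min(off for ln, _, off in descriptors if ln)
    av = parse_av_pairs(_field(msg, 20))
    av_flags = struct.unpack_from("<I", av[MSV_AV_FLAGS])[0] if MSV_AV_FLAGS in av else 0
    return {
        "user": _field(msg, 36).decode("utf-16-le"),
        "signing_negotiated": bool(flags & NTLMSSP_NEGOTIATE_SIGN),
        "mic_field_present": payload_start >= FULL_HEADER_LEN,
        "av_mic_flag": bool(av_flags & MSV_AV_FLAG_MIC_PRESENT),
        "channel_binding_present": MSV_AV_CHANNEL_BINDINGS in av,
    }


def looks_tampered(info):
    """The AV flag is covered by the client's NTProofStr HMAC; if it says a MIC
    was sent but none is in the message, something on the path removed it.
    A relay target must make this check for the MIC to be worth anything."""
    return info["av_mic_flag"] and not info["mic_field_present"]


def build_sample_authenticate(drop_mic=False):
    """Constructed message (dummy NTProofStr, session key and MIC).  With
    drop_mic=True it emulates an on-path attacker stripping the Version and
    MIC fields and rewriting the payload offsets; the HMAC-protected AV_PAIRs
    cannot be rewritten the same way, which is what the check above exploits."""
    av_pairs = (struct.pack("<HHI", MSV_AV_FLAGS, 4, MSV_AV_FLAG_MIC_PRESENT)
                + struct.pack("<HH", MSV_AV_CHANNEL_BINDINGS, 16) + bytes(16)  # dummy CB hash
                + struct.pack("<HH", MSV_AV_EOL, 0))
    nt_response = (bytes(16)                    # NTProofStr (dummy)
                   + b"\x01\x01" + bytes(6)     # RespType, HiRespType, Reserved1/2
                   + bytes(8) + b"\xAA" * 8     # TimeStamp, ChallengeFromClient
                   + bytes(4) + av_pairs)       # Reserved3, AV_PAIRs
    payloads = [bytes(24), nt_response, "CORP".encode("utf-16-le"),
                "alice".encode("utf-16-le"), "WS01".encode("utf-16-le"), b""]
    header_len = 64 if drop_mic else FULL_HEADER_LEN
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_SIGN
    if not drop_mic:
        flags |= NTLMSSP_NEGOTIATE_VERSION
    descriptors, body, off = b"", b"", header_len
    for p in payloads:
        descriptors += struct.pack("<HHI", len(p), len(p), off)
        body += p
        off += len(p)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags)
    if not drop_mic:
        msg += bytes(8) + b"\xCC" * 16          # Version (zeroed), MIC (dummy)
    return msg + body


if __name__ == "__main__":
    for tampered in (False, True):
        info = inspect_authenticate(build_sample_authenticate(drop_mic=tampered))
        print(info, "TAMPERED" if looks_tampered(info) else "consistent")
```

Run it and the intact message reports a MIC, the AV flag and a channel-binding value, while the stripped one keeps the AV flag (the attacker cannot touch it without the user's hash) but has no MIC to verify, which is exactly the mismatch a server should refuse.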

Your Session Key is My Session Key: How to Retrieve the Session Key for Any Authentication

Posted by Marina Simakov on Jun 11, 2019 9:51:51 AM

As announced in our recent security advisory, Preempt researchers discovered a critical vulnerability which allows attackers to retrieve the session key for any NTLM authentication and establish a signed session against any server. Any domain environment which does not entirely block NTLM traffic is vulnerable.


Topics: NTLM, Security Advisory, Microsoft

Security Advisory: Critical Vulnerabilities in NTLM Allow Remote Code Execution and Cloud Resources Compromise

Posted by Yaron Zinar on Jun 11, 2019 9:51:20 AM

In the June 2019 Patch Tuesday release, Microsoft patched CVE-2019-1040 and CVE-2019-1019, two vulnerabilities discovered by Preempt researchers. Together they cover three logical flaws in NTLM (Microsoft's proprietary challenge-response authentication protocol) that allowed Preempt researchers to bypass all major NTLM protection mechanisms.


Topics: NTLM, Security Advisory, Microsoft

Disrupting an Attacker from Exploiting Domain Credentials

Posted by Avi Kama on May 28, 2019 8:28:00 AM

Security professionals often feel they don't have enough time to keep up with modern threats. In fact, CrowdStrike researchers have found that the fastest threat actors can break out from an initial foothold and begin moving laterally in a matter of minutes. Similar security research reports list all the ways threat actors can breach a network, but they rarely offer a viable solution to combat these risks and often just resign us all to a "we can only do our best" mentality.

I disagree. "Doing our best" may be sufficient for an elementary school project, but it is not the right mentality for an enterprise security team. We as security professionals should strive to be excellent. In order to get there, let's review some common attack patterns and discuss the best ways to disrupt an attacker's plan.


Topics: User Behavior, APT, Credential Compromise

Taming Network Chaos By Understanding User Behavior

Posted by Eran Cohen on May 20, 2019 3:31:17 PM

Enterprises are badly burned by security tools that don’t work. When they finally see a solution that does what it purports to do, the shock is palpable.


Topics: User and Entity Behavior Analytics, ueba, Incident Response, Threat Detection, Insider Threat, Identity, Adaptive Threat Prevention, Security Efficiency

Brute Force Attacks: Denying the Attacker, Not the User

Posted by Heather Howland on May 13, 2019 9:39:49 AM

According to haveibeenpwned.com, close to 8 billion account records have been exposed in known breaches. The site also provides a tool to check whether a password of yours appears in those breach dumps, which circulate on dark-net forums. Once a password is exposed this way, attackers can feed it straight into brute force and credential stuffing attacks.


Topics: Privileged Users, password brute force, Credential Compromise, ueba, Incident Response, Threat Detection, Conditional Access
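The password check mentioned in the brute force post above works without ever sending the password to the site: the client sends only the first five hex characters of SHA-1(password) to the Pwned Passwords range endpoint, receives every known hash suffix in that range with its breach count, and matches locally. The code below, added here as an example and not Preempt's or Have I Been Pwned's own code, implements that k-anonymity exchange end to end. The "range response" is constructed from a tiny fake breach corpus instead of being fetched, so it runs offline; the real request is a GET to https://api.pwnedpasswords.com/range/<prefix>.

```python
"""k-anonymity password exposure check in the style of HIBP's Pwned Passwords.
Added example; the breach corpus and range response are constructed."""
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """(prefix, suffix): the 5-char prefix is all that leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fake_range_response(prefix, corpus):
    """Emulate the server side of GET /range/{prefix}: one 'SUFFIX:COUNT'
    line per corpus entry whose hash begins with the prefix.  Constructed
    data standing in for a real API reply."""
    lines = []
    for leaked_password, count in corpus.items():
        leaked_prefix, leaked_suffix = split_hash(leaked_password)
        if leaked_prefix == prefix:
            lines.append(f"{leaked_suffix}:{count}")
    return "\r\n".join(lines)


def breach_count(password, range_text):
    """Match our own suffix against the range response locally; 0 means the
    password was not in the set.  Tolerates blank lines and lower-case hex."""
    _, suffix = split_hash(password)
    for line in range_text.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def check_password(password, corpus):
    """Full client flow against the constructed corpus: send prefix, receive
    range, match locally.  Returns how many times the password was seen."""
    prefix, _ = split_hash(password)
    return breach_count(password, fake_range_response(prefix, corpus))


# Constructed stand-in for the breach corpus (password -> times seen).
SAMPLE_CORPUS = {"password": 3730471, "Summer2019!": 12, "letmein": 249350}

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, SAMPLE_CORPUS))
```

The point of the split is that the server learns only a 5-character prefix shared by hundreds of hashes, so it cannot tell which password was checked, while the client still gets an exact answer. In a real deployment, send the prefix with a short timeout and treat a network failure as "unknown" rather than "safe".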

What State-Sponsored Attacks Can Teach Us About Conditional Access

Posted by Nir Yosha on May 3, 2019 11:52:00 AM

People often think that state-sponsored groups like Lazarus (North Korea), Fancy Bear (Russia) or menuPass (China) only target government organizations in Western nations such as the U.S. This is simply not the case. In fact, attacks on large financial and retail institutions are increasingly state-sponsored, aiming at disruption as much as theft. They largely originate from U.S.-sanctioned states such as Iran, Russia and North Korea, whose hacking groups have come to realize that attacking private organizations can achieve the same goals as attacking public institutions.


Topics: Privileged Accounts, Credential Compromise, NTLM, Hacking, Ransomware, Lateral Movement, Attack Tools, Conditional Access

A Simplified Approach to Network Segmentation

Posted by Phil Meneses on Apr 25, 2019 10:59:31 AM

Network segmentation has long been one of the most valuable tools for protecting an enterprise's assets. Flat, unsegmented network architectures let nosy insiders easily reach sensitive information and let attackers move laterally, escalate privileges and spread malware. Segmentation breaks the network into smaller logical segments, each with its own layer of controls and tailored policies.


Topics: Conditional Access, Security Efficiency