Q&A with Marina Simakov, security researcher at Preempt
TPG: What can organizations do to best protect their organizations now that the bulk of employees are working remotely?
MS: Many organizations may have covered the fundamentals of user authentication and security by defining privileged accounts, enforcing restricted access to crown jewel assets, and reducing the attack surface with basic vulnerability detection tools or perimeter controls. However, they have to accept the fact that users are the last line of defense, and simply trusting them with cyber hygiene training and rigid access policies isn’t enough, especially today, when users are logging in from home and from any location outside the company’s corporate network.
Remote access for everyone has changed everything – leaving the infrastructure more vulnerable to cyberattacks. In organizations where remote access strategies and capabilities are not well defined, or even in organizations that have deployed remote access to a subset of the employees, asking them to go 100% remote within a short span of time is testing their identity and security strategies. CISOs are thinking about business continuity and reducing the attack surface, and most organizations have come to terms with the current situation, acknowledging that the move towards remote work is going to be the new normal.
If organizations want to have tighter control over who accesses what, from what device, and from which location, they must consider a Conditional Access solution that continuously adapts to the changing risks and the organization’s IT landscape.
TPG: How can organizations better protect their Active Directory environment against attacks?
MS: The first and most important thing organizations can do is strengthen their security posture, making sure that their attack surface is as limited as possible. This includes a variety of requirements – starting from frequent security updates to ensure that known vulnerabilities cannot be exploited, to making sure a secure configuration is in place on all sensitive assets and that a “least amount of privileges” principle is implemented. Let’s not forget: attackers love easy passwords, so a solution which detects/prevents users from setting a weak/leaked password is a must. After ensuring all users have a strong enough password, it is vital to limit the exposure of privileged users’ credentials to reduce the risk of these being compromised in case attackers manage to infiltrate the network (for example by limiting interactive logins by privileged accounts on domain workstations).
After taking care of the security posture, organizations need to make sure they are constantly monitoring their environment to detect potential attacks and anomalies, and in the best case – respond in real-time to any suspicious event. For example, by applying a conditional access policy on anomalous login attempts organizations can both block and detect a malicious actor in the network, while having an analyst examine the data after the fact may be too little too late.
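The two controls this answer names (keeping privileged accounts off domain workstations and acting on anomalous logins) as an added detection example. This is not code from the interview or from Preempt: it runs two rules over constructed records shaped like the fields of Security event 4624 (account, logon type, host, source address). The account names, host names, IP addresses, privileged-account list, allowed admin hosts and the per-user source-IP baseline are all invented for the example; on a real domain controller the `$Sample` array would be replaced by `Get-WinEvent` output.

```powershell
# Added example (not from the interview or Preempt): flag risky logons from
# constructed Security event 4624 records. In production, replace $Sample with
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
# mapped onto the same five fields. Every name and address below is invented.

# Logon types that leave reusable credentials on the host: Interactive,
# RemoteInteractive and CachedInteractive.
$InteractiveLogonTypes = @(2, 10, 11)

# Assumption: the privileged accounts and the only hosts they may use interactively.
$PrivilegedAccounts = @('CORP\da-alice', 'CORP\da-bob')
$AllowedAdminHosts  = @('DC01', 'DC02', 'PAW01')

# Assumption: per-account baseline of source addresses learned from past logons.
$Baseline = @{
    'CORP\alice'    = @('10.0.10.15')
    'CORP\da-alice' = @('10.0.0.5')
    'CORP\bob'      = @('10.0.10.22')
}

# Constructed sample records (not real log data).
$Sample = @(
    [pscustomobject]@{ Time = '2020-05-04 08:01'; Account = 'CORP\alice';    LogonType = 2;  Host = 'WS017'; SourceIp = '10.0.10.15' }
    [pscustomobject]@{ Time = '2020-05-04 08:05'; Account = 'CORP\da-alice'; LogonType = 10; Host = 'DC01';  SourceIp = '10.0.0.5' }
    [pscustomobject]@{ Time = '2020-05-04 09:12'; Account = 'CORP\da-alice'; LogonType = 2;  Host = 'WS017'; SourceIp = '10.0.10.15' }
    [pscustomobject]@{ Time = '2020-05-04 09:40'; Account = 'CORP\bob';      LogonType = 3;  Host = 'FS01';  SourceIp = '10.0.10.22' }
    [pscustomobject]@{ Time = '2020-05-04 23:55'; Account = 'CORP\bob';      LogonType = 10; Host = 'WS031'; SourceIp = '203.0.113.9' }
)

function Find-RiskyLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]]  $Privileged   = $PrivilegedAccounts,
        [string[]]  $AllowedHosts = $AllowedAdminHosts,
        [hashtable] $KnownSources = $Baseline
    )
    foreach ($e in $Events) {
        $reasons = @()

        # Rule 1: a privileged account logging on interactively outside the admin tier
        # exposes its credentials to whatever is already running on that workstation.
        if (($Privileged -contains $e.Account) -and
            ($InteractiveLogonTypes -contains $e.LogonType) -and
            ($AllowedHosts -notcontains $e.Host)) {
            $reasons += 'privileged interactive logon on non-admin host'
        }

        # Rule 2: a source address never seen for this account (new device or location).
        $known = $KnownSources[$e.Account]
        if (($null -eq $known) -or ($known -notcontains $e.SourceIp)) {
            $reasons += 'logon from unknown source'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = $e.Time
                Account  = $e.Account
                Host     = $e.Host
                SourceIp = $e.SourceIp
                Reason   = ($reasons -join '; ')
            }
        }
    }
}

# On the sample above this reports the 09:12 da-alice logon (both rules) and the
# 23:55 bob logon (unknown source); the other three records pass.
Find-RiskyLogons -Events $Sample | Format-Table -AutoSize
```

Each flagged row is the point at which a conditional access policy would step in (block the session, or demand a second factor) rather than leaving the record for an analyst to find later. The baseline here is a static table; a real deployment would build it from historical 4624 events per account and refresh it on a schedule.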
TPG: What’s the craziest attack you’ve discovered?
MS: I think the attack we were most excited about was the ability to bypass the session signing mechanism when executing an NTLM relay attack. Session signing is the strongest mitigation against such attacks, since it ensures an attacker with credential relaying capabilities cannot perform any further actions following the authentication stage. The protocols which support session signing include SMB and LDAP, where LDAP signing is only relevant to domain controllers and SMB signing is relevant to all the machines in the domain network. Being able to bypass this meant that an attacker could relay an NTLM authentication to any desired server in the network (including domain controllers), while retrieving the required session key to establish a signed session and execute any desired attack using the relayed user’s privileges. You can read the technical details on this vulnerability in this blog post.
TPG: What are the latest LDAP/S security changes that organizations need to take action on?
MS: Microsoft planned to change the default group policy configuration to enforce LDAP signing and LDAPS channel binding (for supporting clients) on domain controllers. This change was originally planned for January 2020, then delayed to March 2020, and then it was delayed again to the second half of 2020. Postponing the change made sense and allowed organizations to prepare their environment to handle the new security settings without breaking the functionality of any applications. However, now it is unclear when this change will take effect. Microsoft replaced the planned configuration change in March with a new group policy to configure LDAPS channel binding on supported devices, and additional event logs to help organizations discover devices which do not use LDAP signing and LDAPS channel binding.
Hopefully, by analyzing these event logs, IT admins can slowly detect and update all applications which do not support these security mechanisms, until reaching a point when the group policy can be updated to enforce the strictest security configuration, requiring LDAP signing and LDAPS channel binding on all domain controllers. If possible, it is recommended to enforce the LDAP channel binding requirement on all clients. However, this may be too strict at this stage since many applications do not yet support this security feature. In that case, setting the group policy to enforce LDAPS channel binding on any supporting client would suffice. Until these changes take effect, the environment would be left open to NTLM relay attacks to LDAP/S on domain controllers, which in some cases can mean an entire domain compromise in a single step. Hence, it is recommended to review the new LDAP/S audit events and harden the security configuration ASAP.
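The review the answer recommends (read the LDAP audit events, find the clients that still bind unsigned, then tighten the policy) as an added example. This is not code from the interview or from Preempt; it is a script to run in an elevated session on a domain controller. The registry values it reads are the ones the "Domain controller: LDAP server signing requirements" and "Domain controller: LDAP server channel binding token requirements" policies write, and event ID 2889 in the Directory Service log is Microsoft's per-bind "client did not request signing" event. The order of the event's properties (client address first, identity second) is an assumption to verify against one event's Message text on your own DC, and the seven-day window is a choice made here.

```powershell
# Added example, not code from the interview or from Preempt: audit one domain
# controller's LDAP signing / channel binding posture and list the clients that
# still bind without signing. Run in an elevated PowerShell session on each DC.
# Property order used when parsing event 2889 is an assumption; confirm it
# against one event's Message text before relying on the output.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    # LDAPServerIntegrity:       1 = signing not required (default), 2 = require signing
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
    $p = Get-ItemProperty -Path $NtdsParams
    $integrity = if ($null -ne $p.LDAPServerIntegrity)       { [int]$p.LDAPServerIntegrity }       else { 1 }
    $cbt       = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        LdapSigningRequired       = ($integrity -eq 2)
        ChannelBindingEnforcement = @('Never', 'WhenSupported', 'Always')[$cbt]
    }
}

function Enable-LdapInterfaceEventLogging {
    # Event 2889 (one per unsigned bind) is only written once this diagnostics
    # level is raised to 2; the 2886/2887 summaries appear at the default level.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2
}

function Get-UnsignedLdapClients {
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889   # SASL bind without signing, or simple bind in clear text
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed layout: Properties[0] = client address as IP:port,
            # Properties[1] = identity the client bound as.
            [pscustomobject]@{
                Client   = ($_.Properties[0].Value -replace ':\d+$', '')   # strip the port, IPv4 or IPv6
                Identity = $_.Properties[1].Value
            }
        } |
        Group-Object Client, Identity |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Binds    = $_.Count
                Client   = $_.Group[0].Client
                Identity = $_.Group[0].Identity
            }
        }
}

# Usage: check the current posture, then see which clients (and which service
# accounts) would break if "require signing" were switched on today.
Get-LdapHardeningState | Format-List
Get-UnsignedLdapClients -Days 7 | Format-Table -AutoSize
```

Run `Enable-LdapInterfaceEventLogging` first and let the DC collect events for a full business cycle before reading the list; anything that only binds monthly will otherwise be missed. Each row is an application owner to contact, and an empty list over a representative period is the signal that `LDAPServerIntegrity` can be set to 2 through the group policy. If the DC carries the March 2020 update, the same query with `Id = 3039` after `LdapEnforceChannelBinding` is set to 1 lists the clients that fail channel binding validation.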
TPG: Tell us about Preempt and your latest focus.
MS: Preempt secures the identity layer for hybrid enterprises. The ability to evaluate every access request and detect legitimate activities vs. malicious ones is foundational in having a good security posture, not limited to remote access situations. By setting up policies and enforcing intelligent Conditional Access, Preempt helps organizations to respond to threats in real-time based on identity, behavior, and risk.
Preempt provides a unified and comprehensive view of all accounts – regular, privileged, and service accounts, and insights about each of them. It is easier for IAM teams to change individual or group policies and ensure that remote users have the appropriate level of access to sensitive information. They can also automatically respond to potentially risky behavior from admins and privileged accounts to validate their identity – by triggering Conditional Access based on risk – before letting them access critical business information and crown jewels.
Organizations can also use Preempt to reduce their attack surface and improve the security posture of their Active Directory environment by detecting and addressing various weak spots and potential configuration issues, such as users with a weak password, users with stealthy privileges, domain controllers which do not enforce SMB & LDAP signing or LDAPS channel binding, and many more.
In addition, Preempt helps organizations detect sophisticated attacks, such as Pass-The-Hash, Golden Ticket, NTLM Relay, along with behavioral anomalies which are a common occurrence once a user account is compromised.
Our latest focus is to introduce more features that benefit hybrid environments. Specifically, we are focusing on cloud directories such as Azure AD and Okta, to allow organizations to gain better visibility into the permissions and behavior of hybrid identities, and achieve a better security posture, both on-premises and in the cloud.
TPG: Where is authentication headed?
MS: Authentication, as we know it today, is certainly headed towards becoming much more seamless and easier for the end users. Authentication is heading towards becoming frictionless, with the aim of improving the user experience – which means user acceptance will increase (for example, they will accept MFA solutions without pushback), support tickets will decrease, and the overall cyber hygiene and security posture will only benefit when authentication becomes “frictionless.” Becoming frictionless is even more relevant when authentication moves to the cloud, as most organizations will be hybrid, with the users having to access applications/resources both in the cloud and on-premises. As remote work becomes the mainstay for organizations, users will authenticate using their own devices (BYOD) that are unmanaged by the company, requiring strong enough authentication methods. With sophisticated AI/ML and advanced technologies, Preempt strengthens the authentication process while significantly controlling the level of friction experienced by the end-user, with customizable policies, taking it close to being frictionless.
TPG: Tell us about your background and what made you interested in security.
MS: I actually did not come from a long background in security but made it into the field pretty much by accident. I was doing my M.Sc. in Computer Science, which was very theoretical, in the subject of graph theory, while working at Microsoft. At the time, the operations of the group I was part of had been moved to Redmond, Washington, and since I wasn’t interested in relocating at the time, I tried to look for a more research-oriented position while staying at Microsoft. I remember spotting an open security research position, and after hearing more about it and doing a quick interview, it was very clear to both sides that it’s a great fit.
TPG: What are some of the most recent vulnerabilities you’ve uncovered?
MS: The most recent vulnerabilities our team has found are related to Microsoft’s proprietary authentication protocol – NTLM, used in Active Directory environments. Although it is known as the less secure option (compared to Kerberos), there are various reasons that prevent organizations from being able to disable NTLM entirely. Its security flaws also make it a popular target for attackers, with one of the oldest and most popular attack techniques – NTLM relay, which in the worst case, by a simple click on a link can lead to an entire domain compromise. For these reasons, Microsoft developed various security mechanisms over the years to better secure this authentication protocol, including – Session Signing, the MIC (Message Integrity Code) and EPA (Enhanced Protection for Authentication). One of our achievements in the past year has been the ability to bypass all of these mitigations, granting us the ability to attack any target, even with the strictest security configuration. Many people who met us referred to us as “the guys who broke NTLM”, which is a bit funny, I prefer to think of us as “the guys who found what was broken all along” :). If you are interested in the technical details of these vulnerabilities, you can read more here.
TPG: In 2020, what are the logical next steps in cybersecurity from an identity perspective?
MS: The Verizon DBIR 2020 report states that “As time goes on, it appears that attackers become increasingly efficient and lean more towards attacks such as phishing and credential theft.” While malware usage during cyber-attacks decreases, the use of credentials keeps gaining popularity as the favored method for attackers to infiltrate an organization or to move laterally inside it. It is time to realize that securing any asset, especially a critical one, by requiring a password authentication is simply not enough. A strong enough multi-factor authentication method is required. While MFA involving mobile devices has gained increased popularity, it is important to be aware of the risks introduced by this method, such as SIM cloning and social engineering on mobile carriers to gain access to all data sent to the device.
Organizations should consider more reliable methods of multi-factor authentication, such as hardware tokens, preferably ones which support the U2F protocol and can provide anti-phishing protection. A more advanced approach might involve more sophisticated two-factor authentication such as biometric methods, or eradicating the use of passwords altogether by going passwordless. Applying these protections, along with a Zero-Trust model, can ensure maximum protection for any resource access, which should be one of the key goals for any organization.