Protect from Pass the Hash Attacks
How to protect your network against Pass-The-Hash Attacks with Thycotic Secret Server
WHAT’s the challenge
The only true way to prevent Pass the Hash attacks is to stop authenticating with reusable password-derived secrets altogether. Since that is not an option for most IT teams, the next best solution is to change privileged account passwords after every use, which invalidates any hash an attacker has captured. Doing that manually is an impossible task for IT teams.
WHY it’s important
45% of hackers say privileged accounts are their most coveted target. While brute-forcing a privileged account password takes time, pulling a password hash out of a compromised machine's memory is simple, and replaying that hash gives attackers the same access as the privileged account itself.
HOW we solve it
With comprehensive Privileged Account Management that automatically changes privileged passwords after each use. And, IT admins and security teams will always have access to the credentials they need through a centralized vault.
Video: Pass the Hash – 15 minute crash course from Thycotic
Why do people fear Pass the Hash so much?
Pass the Hash is a very popular attack that takes just minutes to escalate. Once an attacker has local administrator rights on a machine where a domain admin has logged on, they can read that account's password hash out of memory in seconds. With the hash in hand, the attacker can move laterally across the network, authenticating as the admin to whatever that credential unlocks.
Why Pass the Hash Attacks are so successful
An attacker doesn't need to trick your IT team into giving out their privileged credentials. They simply need to convince an employee to disclose credentials through a phishing attack, or infect a low-level employee's computer with malware. Once inside the network, all an attacker needs to do is wait until that employee has a problem with their computer, calls IT, and someone from IT logs on to that computer with their administrative credentials to fix the problem.
When your IT admin enters privileged account credentials on the malfunctioning box, whether at the console or over an interactive remote session such as Remote Desktop, Windows keeps the NTLM hash of that password in the memory of the LSASS process so that it can perform single sign-on on the admin's behalf. An attacker with local administrator rights on that machine can read the hash out of memory and then authenticate as the admin anywhere on the network, without ever needing to know the original password. Network logons (for example a plain SMB or WinRM connection) do not leave the hash on the remote host, which is one reason to avoid interactive logons with privileged accounts on untrusted machines. This kind of attack is one of the most common and fastest attacks known to the cyber security community.
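The scenario above, a privileged account logging on interactively to an ordinary workstation, is visible in the Windows Security log as logon event 4624 with a logon type that caches credentials (2 interactive, 10 RemoteInteractive/RDP, 11 CachedInteractive), whereas a network logon (type 3) does not leave the hash behind. The PowerShell below is an added example, not code from this page or from Secret Server: it parses event 4624 in XML form and flags interactive logons by accounts on a privileged list. The three event records, the account names and the host names are constructed samples; the commented line at the end shows how to feed real events from Get-WinEvent into the same function.

```powershell
# Added example: flag interactive logons by privileged accounts, i.e. the moment an
# admin's NTLM hash ends up in LSASS memory on a workstation. Not from the Thycotic page.

# Assumption: the accounts treated as privileged (e.g. the members of Domain Admins).
$PrivilegedAccounts = @('CORP\jsmith-da', 'CORP\Administrator')

# Logon types that leave reusable credentials in LSASS. Type 3 (network) is not listed
# because a plain SMB/WinRM logon does not cache the hash on the target.
$CredentialCachingLogonTypes = @('2', '10', '11')

function Get-LogonFields {
    param([string]$EventXml)
    $x = [xml]$EventXml
    $fields = @{}
    foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Account   = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        LogonType = $fields['LogonType']
        Computer  = $x.Event.System.Computer
        Source    = $fields['IpAddress']
    }
}

function Find-PrivilegedInteractiveLogons {
    param([string[]]$Events)
    $Events | ForEach-Object { Get-LogonFields $_ } |
        Where-Object { $PrivilegedAccounts -contains $_.Account -and
                       $CredentialCachingLogonTypes -contains $_.LogonType }
}

# Constructed sample events (same shape as (Get-WinEvent ...).ToXml() output, trimmed).
$e1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><Computer>WS042.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">jsmith-da</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.5.17</Data></EventData></Event>
'@
$e2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><Computer>FS01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">jsmith-da</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.5.17</Data></EventData></Event>
'@
$e3 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><Computer>WS042.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData></Event>
'@

# Only $e1 is reported: a Domain Admin RDP session on a workstation. $e2 is a network
# logon to a file server (no cached hash) and $e3 is the user's unprivileged account.
Find-PrivilegedInteractiveLogons -Events @($e1, $e2, $e3) | Format-Table -AutoSize

# On a real host, collect the events like this instead of the constructed samples:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() } |
#     Find-PrivilegedInteractiveLogons
```

The privileged list is deliberately a plain array so the script runs offline; in production build it from Get-ADGroupMember 'Domain Admins' (and the other Tier 0 groups) so it stays current.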
Many of my Fortune 500 customers fear Pass the Hash more than all other types of attack.
– Roger Grimes, Principal Security Architect, Microsoft
Simple and easy for attackers to capture a password hash
Capturing a password hash is simple and there are many Pass the Hash tools, such as Windows Credential Editor (WCE). In the video 'Pass the Hash: 15-minute Crash Course', we demonstrate how attackers can capture a password hash in less than a minute. Capturing the hash does require local administrator (or SYSTEM) access on the machine, because the hashes live in the memory of the LSASS process, but that access is often easy to obtain by taking advantage of poor defense-in-depth practices (not separating privileged accounts from non-privileged ones) or through a local privilege escalation exploit that elevates a standard user to local administrator.
Best practices to mitigate Pass the Hash attacks
Password hashes can only be stolen once an attacker has code running on a machine inside your network. Attackers can get there in many ways, often through simple phishing scams, which makes protecting privileged accounts the most important way to protect sensitive data. Protecting privileged access to the network is substantially more important than focusing only on perimeter security and end-user cyber security training. In the video 'Pass the Hash: 15-minute Crash Course', you'll learn how to apply the following best practices against Pass the Hash attacks by securing the privileged accounts used by the IT department:
- Create separate Domain Admin accounts, so that each IT admin has a standard account without privileged network access for day-to-day work such as checking email, and uses the Domain Admin account only when privilege is truly needed.
- Make password policies on Domain Admin accounts stricter than those on other accounts.
- Increase the length and complexity requirements for Domain Admin passwords so that they are long, random and never reused; a password that is stored in a vault does not need to be memorable.
- Change Domain Admin passwords more frequently than end-user passwords (ideally after each time they are used).
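The four practices above can be applied directly with the ActiveDirectory PowerShell module. The script below is an added example, not code from this page or from Secret Server: it creates a separate admin account, puts a stricter fine-grained password policy on the Domain Admins group, and checks which policy actually lands on the account and that the standard account holds no privileged group membership. The user names (jsmith, jsmith-da), the OU path and the policy name are assumptions; adding the admin account to Protected Users needs a domain functional level of Windows Server 2012 R2 or later.

```powershell
# Added example (not from the Thycotic page): separate admin accounts plus a stricter
# password policy for Domain Admins, via the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory

# 1. Separate privileged account. The existing standard account 'jsmith' keeps mail and
#    web work; 'jsmith-da' is used only when domain-level privilege is needed. (Assumed names.)
$adminPassword = Read-Host -AsSecureString 'Initial password for jsmith-da'
New-ADUser -Name 'jsmith-da' -SamAccountName 'jsmith-da' `
    -Path 'OU=Tier0,OU=Admin,DC=corp,DC=example' `
    -AccountPassword $adminPassword -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jsmith-da'

# Protected Users (Server 2012 R2+): domain controllers refuse NTLM and RC4/DES Kerberos
# for members and the client does not cache their credentials, so a stolen NTLM hash of this
# account cannot be replayed. Keep one break-glass admin account outside the group.
Add-ADGroupMember -Identity 'Protected Users' -Members 'jsmith-da'

# 2-4. Stricter policy that applies only to Domain Admins: long, complex, short maximum age.
#      A fine-grained password policy with precedence 10 overrides the default domain policy.
#      One day is the shortest MaxPasswordAge AD accepts; per-use rotation is done by the vault.
New-ADFineGrainedPasswordPolicy -Name 'PSO-DomainAdmins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 24 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 1) -MinPasswordAge ([TimeSpan]::Zero) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-DomainAdmins' -Subjects 'Domain Admins'

# Check 1: the resultant policy on the admin account must be the PSO, not the domain default.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith-da' |
    Select-Object Name, MinPasswordLength, MaxPasswordAge, ComplexityEnabled

# Check 2: the day-to-day account must not sit in any privileged group.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$leaks = Get-ADPrincipalGroupMembership -Identity 'jsmith' |
    Where-Object { $_.Name -in $privilegedGroups }
if ($leaks) { Write-Warning ("Standard account jsmith is privileged via: " + ($leaks.Name -join ', ')) }
```

Check 1 matters because a PSO is applied to the account through group membership with the lowest precedence number winning; if another PSO with a lower number targets a group the admin is also in, the stricter settings silently lose.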
Once privileged accounts are secured, the next step is to remove standing privileged access from endpoints entirely by implementing endpoint application control. Pass the Hash cannot succeed if no privileged credential is ever used on a workstation, and application control lets you enforce least privilege by elevating only the specific applications that need it, eliminating the need for privileged passwords on end-user Windows workstations.
Why doesn’t Microsoft just fix Pass the Hash?
Microsoft has issued updates to protect against Pass the Hash attacks. Specifically, Windows Server 2012 R2 and Windows 8.1 came with much better protections (running LSASS as a protected process, the Protected Users group, and Restricted Admin mode for Remote Desktop), but Pass the Hash is a never-ending problem because computers need to store something that represents being authenticated in order to enable single sign-on. If an attacker can capture that authentication token (or password hash), they have achieved that level of network access. The only real way around this is to get rid of single sign-on entirely. Even as companies like Microsoft add protections to make authentication more secure, attackers will also improve their methods, so following best practices to protect privileged accounts will always be important.
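The host-side protections from the Windows 8.1 / Server 2012 R2 generation referred to above are registry-controlled and can be switched on and verified with PowerShell. The block below is an added example, not from this page or from Secret Server; it assumes an elevated session on the host being hardened and no Group Policy setting that overrides these values, and it covers the target-host side only (account-level controls such as Protected Users are handled in Active Directory).

```powershell
# Added example (not from the Thycotic page): enable and verify LSASS credential protections
# on a Windows 8.1 / Server 2012 R2 or later host. Run elevated; RunAsPPL needs a reboot.
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

# LSA Protection: LSASS runs as a protected process, so unsigned user-mode tools cannot
# open its memory to read cached hashes.
Set-ItemProperty -Path $lsa -Name RunAsPPL -Value 1 -Type DWord

# Restricted Admin mode for RDP (DisableRestrictedAdmin = 0 enables it): a client that
# connects with "mstsc /restrictedAdmin" performs a network logon, so the admin's password
# and hash are never sent to, or cached on, the remote host.
Set-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord

# WDigest: stop LSASS from keeping a reversible copy of logon passwords (the KB2871997
# setting; off by default on 8.1 / 2012 R2, but worth pinning explicitly).
if (-not (Test-Path $wdigest)) { New-Item -Path $wdigest -Force | Out-Null }
Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Value 0 -Type DWord

function Test-CredentialHardening {
    # Returns one object with a boolean per protection, for use in a compliance check.
    $l = Get-ItemProperty -Path $lsa     -ErrorAction SilentlyContinue
    $w = Get-ItemProperty -Path $wdigest -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LsaProtection       = ($l.RunAsPPL -eq 1)
        RestrictedAdminRdp  = ($l.DisableRestrictedAdmin -eq 0)
        WDigestPlaintextOff = ($w.UseLogonCredential -eq 0)
    }
}
Test-CredentialHardening
```

Two caveats a practitioner should keep in mind: LSA Protection only takes effect after a reboot, and Restricted Admin mode cuts both ways, since it also lets an attacker who already holds an account's hash open an RDP session with it, so it belongs alongside the account separation and rotation practices above rather than in place of them.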
UNIX and Linux systems suffer from the same problem
Many UNIX and Linux deployments use Kerberos and SSH to provide a single sign-on environment. These environments still suffer from the same problem: Kerberos tickets can be stolen and replayed in Pass the Ticket attacks, and an adversary who obtains an SSH private key (or hijacks a forwarded agent socket) can easily connect across the network to every machine that trusts that key.
How Thycotic Privileged Access Management helps mitigate Pass the Hash
Thycotic's Secret Server Privileged Account Management (PAM) software helps you manage passwords, keeps them securely encrypted, audits who uses them, and automatically changes the passwords after a credential is used. With Secret Server automating your privileged password management, you can be confident passwords are changed after use, so that password hashes are no longer valid even if they were captured by an attacker.
Automating privileged account management works for Windows accounts by controlling the lifecycle of a domain admin password and ensuring that the window for abuse is dramatically reduced. Privileged account management with Secret Server also helps in Linux/UNIX environments because SSH private keys can be vaulted within the tool, and the privileged account manager can then proxy the connection to target servers. This means private keys do not have to reside on the vulnerable workstation, making for a stronger security posture and enforcing tighter controls.
Thycotic’s Application Control Solution gives you a policy-driven solution to manage and secure software privileges and control application rights, allowing you to remove privileged access from all workstations without impacting their productivity or your help desk. And you get real time threat analysis with automated notifications to reduce the risk posed by zero-day attacks and other malware.
- Enforce least privilege access, thus reducing the potential for pass the hash attacks on workstations.
- Analyze applications to determine which require admin privileges, and grant privileges when needed to trusted applications.
- Get flexible whitelisting that allows only trusted applications to run, and only in a specific context.
- Take advantage of greylisting with real-time application threat analysis.