Pass-the-Hash. Solution Brief



Similar documents
Securing Remote Vendor Access with Privileged Account Security

CyberArk Privileged Threat Analytics. Solution Brief

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Next Generation Jump Servers for Industrial Control Systems

Privileged Session Management Suite: Solution Overview

Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3

The CyberArk Privileged Account Security Solution. A complete solution to protect, monitor, detect, alert and respond to privileged accounts

Secret Server Qualys Integration Guide

The CyberArk Privileged Account Security Solution. A complete solution to protect, monitor, detect and respond to privileged accounts

The 10 Pains of UNIX Security. Learn How Privileged Account Security Solutions are the Right Painkiller

Learn From the Experts: CyberArk Privileged Account Security. Łukasz Kajdan, Sales Manager Baltic Region Veracomp SA

How To Manage A Privileged Account Management

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

Valery Milman CYBERARK PRIVILEGED ACCOUNT SECURITY

IBM Security Privileged Identity Manager helps prevent insider threats

Managing Local Administrator Passwords with LAPS 10/14/2015 PENN STATE SECURITY CONFERENCE

Penetration Testing. I.T. Security Specialists. Penetration Testing 1

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques. Mitigating the risk of lateral movement and privilege escalation

The Cloud App Visibility Blindspot

Penetration Test Report

Active Directory was compromised, now what?

privileged identities management best practices

AD Management Survey: Reveals Security as Key Challenge

Franchise Data Compromise Trends and Cardholder. December, 2010

Technical Testing. Network Testing DATA SHEET

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

As threat actors target various types of networks, companies with improperly configured network infrastructures risk the following repercussions:

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

How Do Threat Actors Move Deeper Into Your Network?

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Securing Corporate on Personal Mobile Devices

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Does your Citrix or Terminal Server environment have an Achilles heel?

Information Security Services

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Penetration Testing Report Client: Business Solutions June 15 th 2015

Complementing Vaulting Technologies in the Data Center

SANS Top 20 Critical Controls for Effective Cyber Defense

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Thick Client Application Security

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

Incident Response Plan for PCI-DSS Compliance

Stay ahead of insiderthreats with predictive,intelligent security

With Great Power comes Great Responsibility: Managing Privileged Users

Pass-the-Hash II: Admin s Revenge. Skip Duckwall & Chris Campbell

Information Technology Security Review April 16, 2012

SANS Institute First Five Quick Wins

Information Security for Modern Enterprises

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Management (CSM) Capability

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes

INTRODUCTION TO PENETRATION TESTING

Secure Your Cloud and Outsourced Business with Privileged Identity Management

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Teradata and Protegrity High-Value Protection for High-Value Data

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

New PCI Standards Enhance Security of Cardholder Data

Mitigating Risks and Monitoring Activity for Database Security

Assuring Application Security: Deploying Code that Keeps Data Safe

CyberSource Payment Security. with PCI DSS Tokenization Guidelines

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

SecurityMetrics Vision whitepaper

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Privilege Gone Wild: The State of Privileged Account Management in 2015

Additional Security Considerations and Controls for Virtual Private Networks

PCI Solution for Retail: Addressing Compliance and Security Best Practices

ITAR Compliance Best Practices Guide

PowerBroker for Windows Desktop and Server Use Cases February 2014

Tenable for CyberArk

Security Architecture Whitepaper

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Where every interaction matters.

Penetration Testing Services. Demonstrate Real-World Risk

Why You Need to Detect More Than PtH. Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

Best Practices for Managing Bank Transaction Risk Using a Continuous Data Analytics Approach

N-Dimension Solutions Cyber Security for Utilities

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

PCI Compliance. Top 10 Questions & Answers

Privilege Gone Wild: The State of Privileged Account Management in 2015

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Solving the Security Puzzle

Transcription:

Solution Brief

What is Pass-the-Hash? The tools and techniques that hackers use to infiltrate an organization are constantly evolving. Credential theft is a consistent concern as compromised credentials make it easier to gain access to an organization s most critical assets without being noticed. Pass-the-Hash, an attack leveraging stolen credentials, is often used in advanced threats and represents a significant risk to organizations. This technique involves an attacker stealing account credentials from one computer, and using them to authenticate to other access points in a network. Instead of requiring plaintext passwords, Pass-the-Hash attacks allow the attacker to authenticate with password hashes. A password hash is the value that is created when a password is stored. The original password goes through a one-way mathematical function to create the password hash and protect the plaintext credentials. Because a Pass-the-Hash attack leverages passwords in the protected hash form, it allows an attacker to impersonate an authenticated user without ever knowing the password in plaintext. Attackers can also reuse (pass) the stolen, hashed credentials to other systems and services to gain broader and deeper access. For example, if an attacker gains access to a machine that a domain administrator has logged into, the attacker can steal the domain account credentials and have access to all the resources, rights, and privileges of that account throughout the domain. This way, attackers can inch their way to the heart of the organization one step at a time. Therefore, any machine with stored hashes could constitute the first step in the pathway for a Pass-the-Hash attack to reach an organization s most critical and sensitive data. Stored hashes create vulnerabilities on multiple machines throughout a network. The diagram below shows how a Pass-the-Hash attack can initiate on one machine and easily gain access to the domain controller. From Machine 1, User 1 has access to Machine 2, Machine 3, Machine 4, and Machine 5. Therefore, an attacker on Machine 1 can pass User 1 s hashed credentials and authenticate to any of these connected machines. The attacker will look for other hashes that will enable them to jump from machine to machine and eventually authenticate to Machine 9, which is the only computer in the diagram that has access to the domain controller. Using a systematic attack, once an attacker has access to one privileged password hash, the entire network can be at risk. Machine 5 Machine 1 user3 user3 userx Machine 4 usery Machine 3 user7 user7 Machine 2 Machine 8 user6 user8 Machine 6 user4 Machine 7 Machine 9 domain_admin Domain Controller Cyber-Ark Software Ltd. cyberark.com 2

Pass-the-Hash represents a significant threat to organizations because it enables access to the heart of the organization. These attacks are able to bypass perimeter security and enable attackers to navigate a network without being noticed, making them difficult to detect. Determining Pass-the-Hash Vulnerabilities The first step in mitigating the threat of Pass-the-Hash attacks is to identify accounts and machines that are vulnerable to these attacks. To gain an accurate picture, CyberArk s Discovery & Audit (CyberArk DNA ) is a standalone, easy to use tool that uses patent-pending technology to scan the entire network and identify machines that are currently and potentially vulnerable to Pass-the-Hash attacks. The tool answers the following questions: Which machines are vulnerable to Pass-the-Hash? How can an attack be carried out in an organization? Which accounts can initiate a Pass-the-Hash attack and put the organization at risk? Which machines are most at risk and should be mitigated first? What is causing machines to be vulnerable and how can risk be reduced? In addition to Pass-the-Hash vulnerabilities, CyberArk DNA also exposes the magnitude of the privileged account security risk, often the root-cause of audit failures and advanced targeted attacks. It is an innovative discovery and audit tool that automatically scans an organization s network for the following: Privileged account focused data Potential credential theft vulnerabilities Once the scan is complete, auditors and security managers receive a detailed report into the status of privileged accounts, highlighting the relevant compliance and vulnerability information of each privileged account. The DNA Report The DNA report provides comprehensive and detailed machine and account information and the organization s vulnerability status to Pass-the-Hash attacks. For Pass-the-Hash, the report includes a simple Executive Summary Dashboard that provides a comprehensive view of current credential theft vulnerabilities. (Example Pass-the-Hash Vulnerability Report) Cyber-Ark Software Ltd. cyberark.com 3

Mitigating Pass-the-Hash Attacks Pass-the-Hash attacks exploit an inherent weakness in Microsoft Windows that password hashes are not salted, and therefore remain static until the password is manually changed. Microsoft has recognized this weakness and issued a report that emphasizes the dangers of Pass-the-Hash and elaborates on Why can t Microsoft release an update to address this issue? 1 In the report, Microsoft s primary recommendations for mitigating Pass-the-Hash attacks are to restrict and protect high privileged domain accounts and restrict and protect local accounts with administrative privileges. In direct alignment with these recommendations, CyberArk delivers a comprehensive suite of privileged account security solutions to protect against Pass-the-Hash attacks. Best practices for mitigating the risk of Pass-the-Hash include: Control and manage the keys to the kingdom. CyberArk Enterprise Password Vault can reduce risk by creating unique passwords for every privilege user and service account, limiting access to authorized users. This reduces the chance of unauthorized users or attackers gaining access to privileged account hashes and user passwords. Change passwords frequently. Privileged passwords should be rotated as frequently as possible to shorten the window of opportunity in which hashes can be exploited. For example, by using the CyberArk Enterprise Password Vault, passwords automatically change on a regular schedule, based on the enterprise policy. The CyberArk privileged account security solution can also use one-time passwords for mission-critical privileged accounts. Implement and enforce a least-privilege security strategy. CyberArk On-Demand Privileges Manager enforces the reduction of administrative rights from the end user by enabling on-demand rights elevation. This makes it difficult for an attacker to steal a hash because it prevents users from having excessive admin rights on their local systems. Isolate privileged sessions. CyberArk Privileged Session Manager acts as a proxy between the administrator and target machines, which protects privileged account credentials and assures that they will never be leaked to potential vulnerable endpoints. Privileged Session Manager prevents privileged credentials from being exposed on endpoints, thus reducing the risk of them being used in a credential theft attack. Pass-the-Hash is a cyber attack technique that is becoming more common and thus a growing concern for organizations. Understanding and identifying the threat is the first step toward mitigating the risk of Pass-the-Hash attacks. CyberArk s range of solutions can help identify machines that are vulnerable to Pass-the-Hash attacks and can proactively secure against such threats before attacks can escalate and do irreparable damage. 1 Mitigating Pass-the-Hash (PtH) and Other Credential Theft Techniques, http://www.microsoft.com/en-us/download/details.aspx?id=36036 Cyber-Ark Software Ltd. cyberark.com 4

All rights reserved. This document contains information and ideas, which are proprietary to Cyber-Ark Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of Cyber-Ark Software Ltd. 2000-2014 by Cyber-Ark Software Ltd. All rights reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information