Golden ticket attacks first gained attention in 2014, when the vulnerability was discovered and publicized in the Kerberos system. Although Kerberos deployments were the ones known to be vulnerable, the same type of exploit could appear on other platforms as well.
It’s important to take measures to protect your business from these types of attacks; if someone were to hijack the credentials of your data system, they could have full control over your network, cause damage, or steal information.
Below are a few things to know about golden ticket attacks and how to protect your company from them:
What Is a Golden Ticket Attack?
A Golden Ticket attack is an attack in which an unauthorized user is able to forge their ticket and its hash signature, performing actions just as an administrator or any other user might. Because this user has forged their authentication and identification credentials, a golden ticket attack is particularly insidious — until damage occurs to the system, it’s possible that no one will notice that the forged credentials are being used. Once inside the system, a malicious attacker can choose to cause damage or steal information. If they steal information silently, the company could have its data exposed without knowing it.
What Is the Real Danger of a Golden Ticket Attack?
A golden ticket attack is particularly dangerous because it means the individual has access to the actual permissions within your system; in other words, they are able to give authentication and permissions to any user. Once your authentication system has been breached, you can consider the entirety of your system breached. If a hacker takes control of local admin privileges, they can move laterally across the network and seize access to your digital assets or elevate privileges. Even when credentials have been changed, it is possible for invaders to maintain persistence with the tickets, funneling information out little by little over time.
How Can You Protect Yourself?
The Kerberos system has long been patched to protect against golden ticket attacks, but in theory, golden ticket vulnerabilities could occur on a variety of platforms. A golden ticket attack is best avoided through behavioral analysis of traffic throughout your network. Heuristic analysis has to be performed to determine whether unusual amounts of data are being transferred or an unusual volume of data is being accessed. This is the only reliable method of protection because it doesn’t depend on a known vulnerability. There could presently be golden ticket exploits against any number of systems; the Kerberos golden ticket exploit was only fixed because it was widely discovered and publicized.
Using only the best authentication and identification systems is the first step in avoiding golden ticket exploits — but it isn’t the only one. Real-time user behavior analytics and threat detection systems, such as those offered by Stealthbits, can alert administrators to changes in permissions and to unusual activity throughout the network. Without this vital second step, it’s easy for malicious intruders to gain complete access to your system.
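As an added illustration of the behavioral baseline described above (example code written for this page, not code from the original article or from Stealthbits), the script below builds a per-user baseline of daily data volume from constructed access records, flags days that deviate sharply from that baseline, and reports any change to group membership outright. The record format and the sample values are assumptions made up for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (day, user, action, bytes). Not real telemetry.
RECORDS = [
    (1, "alice", "read", 12_000), (2, "alice", "read", 11_500), (3, "alice", "read", 13_200),
    (4, "alice", "read", 12_800), (5, "alice", "read", 11_900), (6, "alice", "read", 12_400),
    (7, "alice", "read", 940_000),                    # sudden large pull: suspicious
    (1, "bob", "read", 50_000), (2, "bob", "read", 48_000), (3, "bob", "read", 52_000),
    (4, "bob", "read", 47_500), (5, "bob", "read", 51_000), (6, "bob", "read", 49_000),
    (7, "bob", "read", 53_000),                       # within bob's normal range
    (7, "alice", "group_add:Domain Admins", 0),       # permission change: always reported
]


def daily_volume(records):
    """Sum bytes per user per day, counting only data-access actions."""
    vol = defaultdict(lambda: defaultdict(int))
    for day, user, action, nbytes in records:
        if action in ("read", "write"):
            vol[user][day] += nbytes
    return vol


def detect(records, baseline_days=6, k=5.0):
    """Return a list of (day, user, kind, detail) alerts."""
    alerts = []
    # 1. Permission changes are reported regardless of volume.
    for day, user, action, _ in records:
        if action.startswith("group_add:"):
            alerts.append((day, user, "permission_change", action.split(":", 1)[1]))
    # 2. Volume anomalies: each day is compared against a robust baseline
    #    (median + k * MAD) built from that user's earlier days only.
    for user, per_day in daily_volume(records).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < baseline_days:
                continue  # not enough history to judge this user yet
            med = median(history)
            mad = median(abs(x - med) for x in history) or 1.0
            if per_day[day] > med + k * mad:
                alerts.append((day, user, "volume_anomaly", per_day[day]))
    return alerts


if __name__ == "__main__":
    for alert in detect(RECORDS):
        print(alert)
```

Using the median and MAD rather than mean and standard deviation keeps a single outlier day from inflating the baseline, so the same account cannot hide a large transfer by first generating noise.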