
You smell that? Kerberoasting’s on the rise

An identity-focused tactic is increasingly on cybercriminals’ menu.

Francis Scialabba


The real way to get that water bottle into the airport isn’t hiding it in your kid’s backpack. It’s pretending to be the TSA agent.

That’s how Adam Meyers, senior VP of counter adversary operations at the cybersecurity company CrowdStrike, thinks of an authentication takeover known as “Kerberoasting,” which leaves the Dasani out of the boarding line, so to speak, and focuses instead on getting that TSA uniform right.

And the Kerber-attack is on the rise, according to recent cybersecurity industry reports, likely for one reason: impersonation doesn’t require any malware in the carry-on.

“What we’re seeing the threat actors are doing is they’re really looking to steal identities,” Meyers told IT Brew.

Kerb-er-what?

  • Named after Hades’s three-headed guard dog Cerberus, the “K” protocol authenticates service-account requests in the underworld of a corporate network.
  • Kerberos, incorporated into Windows Server, connects with Active Directory, Microsoft’s service for managing permissions to network resources.
  • With the protocol, a client requests access to a service, such as the IT-supporting database manager SQL Server, and receives an encrypted ticket potentially allowing entry.

Ya burnt. Kerberoasting torches that ticket: The attacker steals the ticket and goes offline to crack the service-account password hash encrypting it. Once completed, the roaster can take over the targeted service account—say, an SQL Server.

Why encrypt a ticket with its own password hash and not something completely random that has nothing to do with passwords? The short answer: to prove it’s a valid ticket.

An attacker could use command-line tools to execute a process remotely on that SQL Server, “but you will be providing the valid credentials for an administrator of that server,” Sean Deuby, principal technologist of North America at the Active Directory protection company Semperis, said.


What to do: Deuby recommends strengthening service-account credentials. “You can create a really, really long, hard password and set that password for the service account. And if it inevitably gets attacked, and the threat actor carries that thing offline…it takes forever to crack,” Deuby told IT Brew.

Roasting on the rise. A CrowdStrike report studying intrusion activity between July 2022 and June 2023 revealed a 538% year-over-year increase in Kerberoasting attacks. IBM’s incident response engagements showed a 100% YoY climb in Kerberoasting from 2022 to 2023, according to its X-Force team’s recent report. “This indicates a technique shift in how attackers are acquiring identities to carry out their operations,” the X-Force Threat Intelligence Index read.

Meyers sees a similar increase in identity-focused attacks that use social engineering and other tools that steal credentials. Such tactics avoid malicious code that antimalware and EDR tools are adept at finding.

With Kerberoasting, an attacker decrypts the credentials offline—outside of the airport, metaphorically speaking.

“That gives you the ability to do some of that privilege escalation without bringing a foreign object into the enterprise,” Meyers said. The CrowdStrike pro recommends practices like “impossible-travel” detection that allow admins to verify anomalous logins.

“IT pros need to make sure that they have a control in place that lets them verify and validate and enforce that policy at the identity—not just at the endpoint, not at the computer or the server, but at the actual identities,” Meyers told IT Brew.
