A newly published survey reveals that some 68 percent of IT security stakeholders don't know if they've experienced a Pass the Hash (PtH) attack. That isn't necessarily a cause for too much concern.
To understand why, you first have to know what a PtH attack is, and what it isn't. The One Identity '2019 State of Identity and Access Management' report describes the typical attack methodology as where "an attacker obtains privileged credentials by compromising an end user’s machine and simulates an IT problem so that a privileged account holder will log into an administrative system." These login credentials, stored as a hash, are extracted by the threat actor in order to use for access to further resources across the organisation. What PtH isn't, is anything new. In fact, the technique has been exploited for more than twenty years now by those who would compromise your networks.
One Identity surveyed more than a thousand IT security professionals from mid-size to large enterprises, and the results regarding PtH attacks were somewhat surprising, to say the least. The headline statistics were that 68 percent of IT security stakeholders didn't know whether they had experienced a PtH attack, while four percent didn't know what the attack methodology was at all. Drill a bit deeper, however, and you'll find that 40 percent said that a PtH incident would have a direct financial impact on the organisation, and 87 percent were already taking steps to protect against PtH attacks.
Protection strategies included privileged password management (55 percent), strengthened AD/Azure administrator access controls (50 percent) and the implementation of advanced privileged access management (PAM) practices including session auditing and analytics (32 percent). However, some will see cause for concern in the finding that, of those that had taken no steps to prevent PtH attacks, some 85 percent have absolutely no plans to do so. After all, if you acknowledge the damage that an attack methodology can cause yet do nothing to mitigate that risk then surely that's a bad thing? It ain't necessarily so, says Roger Grimes, data-driven defence evangelist at KnowBe4.
While admitting that it's rare that any organisational compromise these days doesn't involve a PtH attack at some stage, as capturing password hashes and replaying them is standard fare for threat actors, Grimes isn't overly concerned about the report findings. "There is no doubt that every organisation should be aware of PtH attacks," Grimes says, adding that "PtH attacks are post-exploitation techniques." So the attacker has already successfully compromised a machine or even the network, gaining a foothold in that environment. "They already have the keys of the kingdom," Grimes continues, "it takes local administrator or domain administrator to get the hashes in the first place, and with that level of access, the attacker can do anything."
Even if all PtH attacks were blocked completely by the enterprise, the attacker would still have that administrative access and so the threat would not simply vanish into the ether. "The real underlying threat isn’t PtH, it’s how the attacker was able to do PtH in the first place," Grimes warns, "usually it was some sort of everyday social engineering attack or unpatched software. And if you don’t mitigate those two top root cause exploit reasons, you’ve really accomplished nothing."
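Grimes's point that the hash replay is a post-exploitation symptom still leaves defenders wanting to see it when it happens. The script below is an added example, not code from the article, One Identity or KnowBe4: it runs two simple Pass-the-Hash heuristics over constructed Windows Security event 4624 records that have been flattened to one key=value line each. The field names (TargetUserName, LogonType, AuthenticationPackageName, LmPackageName, IpAddress) are the real 4624 event fields, but the flattened line format, the account names, the hosts and the IP addresses are all made up for the example. The first heuristic flags NTLM network or NewCredentials logons by a privileged account from anywhere other than an assumed admin jump host; the second flags one account from one source authenticating to several hosts, which is how a replayed hash typically fans out.

```python
import re
from collections import defaultdict

# Constructed sample: event 4624 fields flattened to one key=value line per event.
# The field names match the 4624 event XML; every value is made up for this example.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=da-admin LogonType=3 AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.0.0.5 Computer=FS01
EventID=4624 TargetUserName=da-admin LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 IpAddress=10.0.3.77 Computer=FS01
EventID=4624 TargetUserName=da-admin LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 IpAddress=10.0.3.77 Computer=FS02
EventID=4624 TargetUserName=da-admin LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 IpAddress=10.0.3.77 Computer=DC01
EventID=4624 TargetUserName=jdoe LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 IpAddress=10.0.3.77 Computer=FS01
EventID=4624 TargetUserName=da-admin LogonType=2 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 IpAddress=- Computer=WS42
EventID=4634 TargetUserName=da-admin LogonType=3 AuthenticationPackageName=- LmPackageName=- IpAddress=10.0.3.77 Computer=FS01
"""

# Assumptions for this example: which accounts are privileged and where admin sessions
# are expected to originate. A real deployment would pull these from AD group membership
# and a PAM/jump-host inventory.
PRIVILEGED_ACCOUNTS = {"da-admin", "svc-backup"}
ADMIN_JUMP_HOSTS = {"10.0.0.5"}
REMOTE_LOGON_TYPES = {3, 9}   # 3 = Network, 9 = NewCredentials: how a replayed hash appears
FAN_OUT_THRESHOLD = 3         # distinct target hosts per (account, source) before alerting

# key=value pairs; values may contain spaces ("NTLM V2"), so stop at the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Return the fields of one flattened event line as a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def ntlm_remote_logon(ev):
    """True for a successful logon (4624) that used NTLM over a network-style logon type."""
    return (ev.get("EventID") == "4624"
            and ev.get("AuthenticationPackageName", "").upper() == "NTLM"
            and int(ev.get("LogonType", "0")) in REMOTE_LOGON_TYPES)


def find_pth_indicators(log_text):
    """Return a list of (kind, account, source_ip, detail) tuples for suspicious activity."""
    alerts = []
    targets = defaultdict(set)   # (account, source_ip) -> hosts reached with NTLM
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if not ntlm_remote_logon(ev):
            continue   # Kerberos, interactive, logoff events etc. are not of interest here
        account = ev["TargetUserName"].lower()
        src, host = ev["IpAddress"], ev["Computer"]
        targets[(account, src)].add(host)
        # Heuristic 1: privileged account using NTLM from somewhere admins should not be.
        if account in PRIVILEGED_ACCOUNTS and src not in ADMIN_JUMP_HOSTS:
            alerts.append(("ntlm_privileged_logon", account, src, host))
    # Heuristic 2: one account from one source spreading across many hosts.
    for (account, src), hosts in targets.items():
        if len(hosts) >= FAN_OUT_THRESHOLD:
            alerts.append(("lateral_fan_out", account, src, ",".join(sorted(hosts))))
    return alerts


if __name__ == "__main__":
    for alert in find_pth_indicators(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the Kerberos logon from the jump host, the ordinary user's NTLM logon, the interactive (type 2) logon and the logoff event all pass silently, while the three NTLM logons by da-admin from 10.0.3.77 each raise an alert and together trip the fan-out rule. Both rules need a baseline: environments with legacy NTLM-only services will need the jump-host and account lists tuned before the output is useful.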
"Without a holistic and strategic approach to protect privileged accounts and identify privileged access abuse, organisations could very well leave their entire network exposed to cyber-criminals leveraging the PtH technique, with detrimental repercussions to the business," Darrell Long, vice president of product management at One Identity, said.
However, Grimes advises that PtH attacks really shouldn't be your biggest worry; instead you need to be concerned as to how they "got admin" in the first place. "PtH attacks are a symptom of a bigger underlying problem," Grimes says, "a problem that if you don't fix will gain you very little. Worrying primarily about PtH attacks is like worrying about your brakes after your car has been stolen."