Until Now, Forged Kerberos Sessions Could Only be Detected Retroactively
Boston and Tel Aviv, July 8, 2021 – Silverfort, the unified identity protection company, today released a new protection capability that enables organizations to proactively prevent lateral movement attacks that utilize the Pass the Ticket (PTT) technique. This Kerberos-based exploit could previously only be detected after an attack was carried out.
PTT is a post-exploitation method in which attackers compromise or create a valid Kerberos ticket and use it to authenticate to other endpoints and servers in the victim’s environment. It is especially difficult to detect and prevent because Active Directory cannot discern between legitimate and malicious Kerberos authentication tickets.
“Pass the Ticket attacks allow hackers to move laterally and undetected within the network because they appear to be performing ‘authorized’ access requests,” said Yaron Kassner, CTO of Silverfort. “Since we have visibility into the full context of each user session, Silverfort is able to distinguish between legitimate and suspicious Kerberos authentication activity.”
Currently, security teams are unable to prevent PTT attacks as they occur and must instead rely on detecting anomalous authentication activity and retracing its origin. Silverfort has developed native integrations with identity directories, including Active Directory, that enable it to monitor, analyze the risk of, and enforce real-time security controls on all access requests.
In the case of PTT attacks, Silverfort’s AI-based risk engine will detect that the provided Kerberos ticket is malicious and not part of a legitimate authentication request. Based on the configured policy, Silverfort will instruct Active Directory to either block access or require multi-factor authentication to terminate the attack.
Silverfort is the provider of the first Unified Identity Protection Platform that consolidates IAM security controls across corporate networks and cloud environments to block identity-based attacks. Using innovative agentless and proxyless technology, Silverfort seamlessly integrates with all IAM solutions, unifies their risk analysis and security controls, and extends their coverage to assets that could not be protected until today, such as homegrown and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more.
Marc Gendron PR for Silverfort