In the realm of cybersecurity, the concept of Kerberos stands as a bastion of network authentication protocols. Developed by MIT, Kerberos is designed to provide strong authentication for client-server applications by using secret-key cryptography. At its core, Kerberos is a ticket-based authentication system. When a user logs in, the Kerberos server validates their credentials and issues a ticket-granting ticket (TGT). This TGT then becomes the user's key to accessing various services within the network without repeatedly entering credentials.
Kerberos is not just a theoretical construct; it's deeply embedded in various popular systems and software. For instance, it's a central feature in Microsoft Windows Active Directory environments, providing the backbone for secure user authentication. Besides Windows, it's also implemented in various Unix and Linux distributions, and even Apple's macOS integrates it. This widespread usage makes Kerberos a critical element in the security infrastructure of countless organizations worldwide.
Venturing into the more sinister aspects of cybersecurity, we come across the concept of 'Kerberoasting.' This technique represents a form of assault on networks secured by Kerberos. Essentially, Kerberoasting leverages the inherent features of Kerberos, enabling attackers to obtain service tickets. Because each service ticket is encrypted with a key derived from the service account's password, the stolen tickets can then be cracked in an offline environment, exposing the passwords of service accounts. The gravity of these attacks lies in their usual targets: service accounts with high-level access rights, paving the way for deeper network infiltration.
A notable characteristic of Kerberoasting is that the cracking step is executed offline. This provides attackers with a virtually endless window for attempt after attempt at cracking the ticket, all while the cracking itself generates no activity on the network for detection mechanisms to observe.
CrowdStrike's 2023 Incident Response report sheds light on a disturbing trend: a 583% increase in Kerberoasting attacks year over year. This surge is not just a number; it's a glaring red flag for organizations relying on Kerberos for their security needs.
Several factors contribute to this uptick. First, the broad adoption of Kerberos in enterprise environments makes it a lucrative target for attackers. While enterprise security teams recognize that identity is the new battleground of the cyberwar, they are still reliant upon older protocols like Kerberos. Second, the complexity of Kerberos implementations can lead to misconfigurations, creating vulnerabilities that savvy attackers are quick to exploit. Additionally, the tools and techniques for carrying out Kerberoasting attacks have become more accessible and sophisticated, lowering the barrier to entry into the world of cybercrime.
The increase in Kerberoasting attacks underlines a critical need for organizations to reassess their security posture. It's not just about having Kerberos in place; it's about ensuring it's configured and monitored correctly. This includes regular audits, applying the principle of least privilege to service accounts, and keeping an eye out for unusual activity that could indicate a Kerberoasting attempt.
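The "unusual activity" worth watching for is a burst of service-ticket requests from one account for many different services. The following detection heuristic is an added example, not part of the original article: it runs over constructed Windows Security event 4769 records (the event a domain controller logs for each service-ticket request) and flags accounts that request RC4-encrypted tickets, the cheapest kind to crack offline, for several distinct service principal names within a short window. All account names, service names, timestamps and thresholds are made up for the example.

```python
"""Kerberoasting heuristic over Windows Security event 4769 records.

Event 4769 ("A Kerberos service ticket was requested") carries the requesting
account, the target service name (SPN) and the ticket encryption type.
A Kerberoasting run shows up as one account requesting tickets for many
distinct SPNs in a short burst, often with RC4-HMAC (type 0x17).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records: (timestamp, account, service name, encryption type).
SAMPLE_4769 = [
    ("2024-01-15T09:00:01", "jdoe",    "krbtgt",        "0x12"),
    ("2024-01-15T09:00:02", "jdoe",    "HOST/FS01",     "0x12"),
    ("2024-01-15T09:05:00", "svc_bak", "MSSQLSvc/DB01", "0x17"),
    ("2024-01-15T09:05:01", "svc_bak", "MSSQLSvc/DB02", "0x17"),
    ("2024-01-15T09:05:01", "svc_bak", "HTTP/WEB01",    "0x17"),
    ("2024-01-15T09:05:02", "svc_bak", "HTTP/WEB02",    "0x17"),
    ("2024-01-15T09:05:02", "svc_bak", "CIFS/FS02",     "0x17"),
    ("2024-01-15T09:05:03", "svc_bak", "ldap/DC01",     "0x17"),
    ("2024-01-15T11:30:00", "asmith",  "MSSQLSvc/DB01", "0x17"),
]

RC4_HMAC = "0x17"
IGNORED_SERVICES = {"krbtgt"}  # TGT-related requests, not service tickets of interest


def find_kerberoasting_suspects(records, window_minutes=5, min_distinct_spns=3):
    """Return {account: sorted SPNs} for every account that requested RC4
    tickets for at least min_distinct_spns distinct SPNs inside any sliding
    window of window_minutes.  Thresholds are illustrative, tune per estate."""
    per_account = defaultdict(list)
    for ts, account, spn, etype in records:
        if etype == RC4_HMAC and spn not in IGNORED_SERVICES:
            per_account[account].append((datetime.fromisoformat(ts), spn))

    suspects, window = {}, timedelta(minutes=window_minutes)
    for account, events in per_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            spns = {spn for t, spn in events[i:] if t - start <= window}
            if len(spns) >= min_distinct_spns:
                suspects[account] = sorted(spns)
                break
    return suspects


if __name__ == "__main__":
    for account, spns in find_kerberoasting_suspects(SAMPLE_4769).items():
        print(f"ALERT {account}: {len(spns)} RC4 service tickets in 5 min: {', '.join(spns)}")
```

Single RC4 requests like asmith's are normal for legacy services, so the distinct-SPN count, not the encryption type alone, is what separates noise from a Kerberoasting burst.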
The goal is not to completely eliminate Kerberos-based vulnerabilities (admirable, but not feasible), but instead to make your enterprise so expensive to attack that adversaries choose to move on to simpler and cheaper targets of opportunity. This approach won't prevent nation-state adversaries from achieving their goals; very little will. However, we know that nation-state-level attacks are quite rare and that the vast majority of adversaries are driven by profit, as they are part of the giant online world of cybercrime. Making your enterprise too expensive to profit from is a sound approach to defense.
Below are some proven, effective methods to raise the cost of Kerberos-based attacks.
The data from CrowdStrike's 2023 report is a clarion call to action. Kerberoasting is not a new threat, but its escalating prevalence highlights the evolving landscape of cybersecurity threats. Vigilance, continuous learning, and proactive security measures are essential in keeping organizations one step ahead of these evolving threats.
Let's not just be reactive; let's be ready.