Watching the Watchdog: Protecting Kerberos Authentication with Network Monitoring

Presented at Black Hat Europe 2015, Unknown date/time (Unknown duration)

Being the default authentication protocol for Windows-based networks, the Kerberos protocol is a prime target for attackers, especially for APTs attackers, seeking to steal the user's identity and steal secrets from the enterprise's data center. In late 2014 and early 2015, we saw a lot of research on the attacker side, yielding the Golden Ticket, Forged PAC (MS14-068) and the Skeleton Key attacks. Now it is the time to present the defensive side research. We will expose a novel method of detecting and defeating ALL of these attacks (and others) based solely on network monitoring. We continue to show a novel variant of the Golden Ticket attack, the "Diamond PAC" attack, that is able to evade a naïve network monitoring detection and provide a detection solution for it. The talk includes the release of the "Kerberos Leash" tool - a free tool we developed that implements some of the detection techniques for the benefit of the security community.

Presenters:

• Michael Cherny - Microsoft
  Michael Cherny has over 19 years of experience in the software industry. He has 15 plus years of leading positions in building cyber security products. He currently is a Senior Security Researcher at Aorato which was acquired by Microsoft. Before that, he led a Data Security Research team in Imperva's ADC for three and half years.
• Tal Be'ery - Microsoft
  Tal Be'ery is a Senior Security Research Manager at Microsoft, formerly the VP of Research at Aorato (acquired by Microsoft), protecting organizations through entity behavior. Previously, Tal managed various security project teams in several companies. Tal holds a B.Sc and an M.Sc degree in Electrical Engineering and Computer Science and is a Certified Information Systems Security Professional (CISSP). Tal is the lead author of the TIME attack against HTTPS, has been a speaker at security industry events including RSA, Black Hat, and AusCERT and was included by Facebook in their whitehat security researchers list. Mr. Be'ery is a columnist for the securityweek.com magazine.

Links:

• https://www.blackhat.com/eu-15/briefings.html#watching-the-watchdog-protecting-kerberos-authentication-with-network-monitoring
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2015/Videos/Watching The Watchdog - Protecting Kerberos Authentication With Network Monitoring.mp4
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2015/Videos/Watching The Watchdog - Protecting Kerberos Authentication With Network Monitoring.srt (subtitles)
• https://www.youtube.com/watch?v=7qbSFYVQJ7A
• https://www.blackhat.com/docs/eu-15/materials/eu-15-Beery-Watching-The-Watchdog-Protecting-Kerberos-Authentication-With-Network-Monitoring.pdf
• https://www.blackhat.com/docs/eu-15/materials/eu-15-Beery-Watching-The-Watchdog-Protecting-Kerberos-Authentication-With-Network-Monitoring-wp.pdf

Similar Presentations:

• DEF CON 23 (2015) / Red vs. Blue: Modern Active Directory Attacks & Defense
• Black Hat USA 2022 / Elevating Kerberos to the Next Level
• Black Hat USA 2015 / Red vs. Blue: Modern Active Directory Attacks, Detection, and Protection