Watching the Watchdog: Protecting Kerberos Authentication with Network Monitoring

Presented at Black Hat Europe 2015, Unknown date/time (Unknown duration)

Being the default authentication protocol for Windows-based networks, the Kerberos protocol is a prime target for attackers, especially for APTs attackers, seeking to steal the user's identity and steal secrets from the enterprise's data center. In late 2014 and early 2015, we saw a lot of research on the attacker side, yielding the Golden Ticket, Forged PAC (MS14-068) and the Skeleton Key attacks. Now it is the time to present the defensive side research. We will expose a novel method of detecting and defeating ALL of these attacks (and others) based solely on network monitoring. We continue to show a novel variant of the Golden Ticket attack, the "Diamond PAC" attack, that is able to evade a naïve network monitoring detection and provide a detection solution for it. The talk includes the release of the "Kerberos Leash" tool - a free tool we developed that implements some of the detection techniques for the benefit of the security community.


  • Michael Cherny - Microsoft
    Michael Cherny has over 19 years of experience in the software industry. He has 15 plus years of leading positions in building cyber security products. He currently is a Senior Security Researcher at Aorato which was acquired by Microsoft. Before that, he led a Data Security Research team in Imperva's ADC for three and half years.
  • Tal Be'ery - Microsoft
    Tal Be'ery is a Senior Security Research Manager at Microsoft, formerly the VP of Research at Aorato (acquired by Microsoft), protecting organizations through entity behavior. Previously, Tal managed various security project teams in several companies. Tal holds a B.Sc and an M.Sc degree in Electrical Engineering and Computer Science and is a Certified Information Systems Security Professional (CISSP). Tal is the lead author of the TIME attack against HTTPS, has been a speaker at security industry events including RSA, Black Hat, and AusCERT and was included by Facebook in their whitehat security researchers list. Mr. Be'ery is a columnist for the magazine.


Similar Presentations: