This week, Dell SecureWorks Counter Threat Unit (CTU) discovered ‘Skeleton Key’ – malware which is able to bypass Microsoft Active Directory single-factor authentication, i.e. AD authentication based on just a username and password, and allow an attacker to authenticate as any existing user within Active Directory by specifying a password of their choice!
The Counter Threat Unit claimed to have initially discovered Skeleton Key on a client’s network, where it gave attackers full access to the target organization’s webmail and VPN. Once an attacker has VPN access, they can blend in with the day-to-day ‘noise’ of legitimate network activity, move laterally, further escalate their privileges, and carry out their mission.
According to CTU researchers, ‘Skeleton Key is deployed as an in-memory patch on victims’ AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal’. Since Skeleton Key doesn’t use a persistence mechanism, it must be re-deployed (by an attacker) each time a compromised domain controller is restarted – which, in reality (and in large organizations), shouldn’t be very often. Arguably this gives an attacker enough time to obtain or create further credentials, and then simply VPN back in to the victim’s network without detection and without any further need for malware.
Security when using Active Directory for authentication
This newly discovered threat continues to highlight the need for organizations to seriously consider implementing methods of strong authentication – ideally two-factor, with an adaptive authentication capability, both at the edge (the VPN), and for access to mission-critical applications and data.
With two-factor authentication in place (at the edge, for applications, or both), any would-be attacker would be prompted for a second factor during the authentication process. This second factor would need to be provided in addition to the user’s password for the attacker to successfully authenticate and gain access as that user. Since that second factor is based on something the user possesses (a device, an account, or a token), this offers a good level of protection against this type of attack, where the password itself is compromised or bypassed in some way.
There are plenty of flexible two-factor methods on the market today for organizations to choose from according to the needs of their user base. These methods range from sending an SMS or email-based one-time password (OTP) to the phone number or email address on record for that user, to using an OTP application on the user’s smartphone, or even a dedicated hardware token that displays the OTP.
Risk engine with IP reputation service
Additionally, with adaptive authentication used in conjunction with two-factor, organizations can automatically perform risk analysis of certain characteristics pre-authentication, i.e. before the user’s credentials are authenticated and the second factor verified.
These adaptive capabilities range from comparing the authenticating IP address against IP reputation data, to detect whether it is associated with a known bad actor, through to analyzing the user’s current physical location against the location of the previous logon (geo-velocity) and looking for improbable travel events, such as moving thousands of miles in just an hour or two.
This adaptive approach not only offers organizations protection, but also detection: the risk signals it produces can be combined with threat intelligence to help attribute an attack.
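The two adaptive checks described above, as an added illustration that is not part of the original post or any vendor product: a small risk-scoring routine that runs over constructed logon events, flagging source IPs on a (constructed) reputation list and geo-velocity that exceeds a plausible travel speed. The event format, the reputation list, the 900 km/h threshold, and all addresses and coordinates are assumptions for the example.

```python
import math
from datetime import datetime

# Constructed sample logon events (not real data): user, UTC time, source IP, lat/lon of the IP.
EVENTS = [
    ("alice", "2015-01-13T08:00:00", "198.51.100.10", 51.5074, -0.1278),  # London
    ("alice", "2015-01-13T09:30:00", "203.0.113.7", 40.7128, -74.0060),   # New York, 90 min later
    ("bob",   "2015-01-13T08:00:00", "198.51.100.11", 48.8566, 2.3522),   # Paris
    ("bob",   "2015-01-13T20:00:00", "198.51.100.12", 52.5200, 13.4050),  # Berlin, 12 h later
]

# Constructed IP reputation list (addresses from the RFC 5737 documentation ranges, not real IoCs).
BAD_IPS = {"203.0.113.7"}

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner speed, anything faster is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def score_events(events, bad_ips=BAD_IPS, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return {(user, time): [reasons]} for every logon the risk engine would flag."""
    flagged = {}
    last_seen = {}  # user -> (datetime, lat, lon) of that user's previous logon
    for user, ts, ip, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        reasons = []
        if ip in bad_ips:
            reasons.append("ip-reputation")
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # Guard against a zero interval (same-second logons) before dividing.
            if hours > 0 and km / hours > max_kmh:
                reasons.append(f"geo-velocity {km / hours:.0f} km/h")
        last_seen[user] = (when, lat, lon)
        if reasons:
            flagged[(user, ts)] = reasons
    return flagged
```

A real deployment would feed these flags into the authentication policy (step-up to the second factor, or deny) rather than just reporting them.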
In summary, organizations shouldn’t rely on a single factor to protect their critical network, applications, or data. Skeleton Key is a good example of how attackers are able to circumvent a reliable, trusted authentication system – in this case Active Directory. Organizations should look to deploy strong authentication in conjunction with their existing investments in Active Directory and VPN to ensure that they have both a protection and a detection mechanism against these types of attacks.