What sounds like a great new recipe for a Hollywood blockbuster, a mix between an iconic children’s book and a suspenseful thriller, is actually one of the most invasive and dangerous attacks threatening our computing systems. The Mimikatz golden ticket has the potential to unlock vast and extensive networks of sensitive information, a feat which is invaluable to attackers and treacherous for consumers, businesses, and even national security.
Exactly how coveted and pervasive is this technology? When Mimikatz was first created, Russian spies attempted to covertly extract the source code from its creator’s computer. When that didn’t work, they took it by force.[1] Years later, Mimikatz has become a mainstay for all manner of security breaches. And just like Willy Wonka’s Golden Ticket, the Mimikatz golden ticket (created using the Mimikatz program) gives hackers full and complete access to information that is normally highly protected and confidential. How exactly do golden tickets compromise your data, and how can you protect yourself?
How do golden tickets work?
Mimikatz was created a decade ago by Benjamin Delpy, a programmer who had detected a flaw in Microsoft’s authentication credential storage system. In an attempt to alert Microsoft to the urgency of his discovery, Delpy created Mimikatz to infiltrate Microsoft’s single sign-on feature and extract encrypted passwords and their decryption keys. Once obtained, these passwords could be used to access accounts and communicate with other computers on the network. This, in turn, let an intrusion spread throughout entire networks, leaving multiple computers compromised.
Mimikatz has since evolved, and hackers continue to use it to devise new attacks. Though a golden ticket attack adopts a different approach, the result is severely compromised networks and massive data breaches. And what's most disturbing is that these attacks can easily go undetected for years.
Back to Willy Wonka: golden tickets provide full and uninterrupted access to all system data. Unlike Mimikatz's early implementations, which extracted individual passwords and used them to gain system access, the golden ticket makes it possible to create fake authentication credentials in the form of Kerberos authentication tickets. Where does Mimikatz come in? In layman's terms, it lets the hackers "dump” (basically, steal) the access credentials for the Active Directory (which manages all authentication and authorization protocols), either in password form or as an (encrypted) hash. Once inside the Active Directory, attackers can create countless Kerberos authentication tickets (that look and act like the real thing) and use these to access any and all information they want. And since those tickets are signed with the domain's own key, they pass every check as genuine, and no one is the wiser.
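The point above, that a ticket minted with the stolen domain key is indistinguishable from a real one by signature alone, as an added toy model (not real Kerberos, and not code from the original post): tickets are signed claims under a single domain key, the key name, directory contents and 10-hour lifetime policy are constructed assumptions, and the example also shows which defender-side checks still work when the key itself is compromised.

```python
import hmac, hashlib, json

# Toy model (assumption: not real Kerberos). A "ticket" is a JSON payload plus an
# HMAC under the domain's ticket-granting key, standing in for the AD secret that
# the post describes being dumped.
MAX_TICKET_LIFETIME = 10 * 3600                   # constructed domain policy: 10 hours
KNOWN_USERS = {"alice", "bob", "Administrator"}   # constructed directory

def issue_ticket(key: bytes, user: str, lifetime: int, now: int) -> bytes:
    """What the ticket-granting service does: sign claims about a user with the domain key."""
    claims = json.dumps({"user": user, "start": now, "end": now + lifetime},
                        sort_keys=True).encode()
    tag = hmac.new(key, claims, hashlib.sha256).hexdigest()
    return claims + b"|" + tag.encode()

def mac_valid(key: bytes, ticket: bytes) -> bool:
    """The only check in the post's description: is the ticket signed with the domain key?"""
    claims, _, tag = ticket.rpartition(b"|")
    expected = hmac.new(key, claims, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag.decode())

def policy_findings(ticket: bytes) -> list:
    """Defender-side checks that do not depend on the key: lifetime and subject sanity."""
    claims = json.loads(ticket.rpartition(b"|")[0])
    findings = []
    if claims["end"] - claims["start"] > MAX_TICKET_LIFETIME:
        findings.append("lifetime exceeds domain policy")
    if claims["user"] not in KNOWN_USERS:
        findings.append("subject not in directory")
    return findings

def demo() -> dict:
    domain_key = b"constructed-domain-secret"   # constructed; never a real value
    now = 1_700_000_000
    genuine = issue_ticket(domain_key, "alice", 8 * 3600, now)
    # Whoever holds the domain key can run issue_ticket exactly like the service,
    # for any name and any lifetime: that is the "golden ticket" of the post.
    forged = issue_ticket(domain_key, "Administrator", 10 * 365 * 86400, now)
    return {
        "genuine_mac_ok": mac_valid(domain_key, genuine),
        "forged_mac_ok": mac_valid(domain_key, forged),   # same key, same verdict
        "genuine_findings": policy_findings(genuine),
        "forged_findings": policy_findings(forged),
    }

if __name__ == "__main__":
    print(demo())
```

The signature check accepts both tickets, which is why the post says no one is the wiser; only policy checks that look at the ticket's contents (here, an implausible lifetime) give a defender something to alert on.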
How can you protect your network from golden ticket attacks?
Since step one of creating a golden ticket requires access to the Active Directory, protecting this access is an ideal and recommended start. Implementing a least-privilege access model is key. The fewer the number of users with access to sensitive administrative accounts, the fewer the number of potential security breach points. This can be easily accomplished with an identity and access management (IAM) system, which lets you set and review the access privileges of everyone within your network. By limiting access to only the information that employees need to do their jobs, you reduce the risk of a golden ticket attack actually being successful. Remember, an attacker can’t forge an endless stream of (Kerberos) authentication tickets without first reaching the administrative account that manages ticket creation.
The next best practice is to implement MFA wherever possible. A multi-factor authentication process ensures multiple barriers to unauthorized data access. The absolute necessity of MFA has never been more evident than now, during a global pandemic that has witnessed a massive workplace transformation. As more and more people were forced to work remotely, companies rushed to provide remote access via the Microsoft Remote Desktop Protocol (RDP). However, some failed to perform the necessary security due diligence checks, exposing their RDP ports to the Internet and making them easy attack targets.
Microsoft itself recommends relying on at least two-factor authentication (2FA) and considering a cloud-based solution, which doesn’t require extra devices. And thanks to innovations in mobile devices that allow for the encrypted storage of biometric indicators, it is easier than ever to use MFA and 2FA solutions that require fingerprints or facial authentication to gain access to networks and software. Ensuring that RDP can only be accessed via a virtual private network (VPN), which is protected with a 2FA or MFA solution, is an essential level of security.
Covid will most likely have a lasting impact on the way we work. As more and more of our professional and daily activities are conducted remotely, investing in robust security measures to protect computer networks and data will be critical going forward. Take these steps now and stay one step ahead of cybercriminals.
[1] Andy Greenberg, He Perfected a Password-Hacking Tool—Then the Russians Came Calling, Wired, 11 Sept. 2017