
Security experts have been talking about Kerberoasting for over a decade, and the attack continues to evade typical defenses. Why? Existing detection relies on brittle heuristics and static rules that were never tuned to pick out attack patterns in highly variable Kerberos traffic. They tend to generate false positives or miss "degraded" attacks entirely.
Is there a better, more accurate way for modern organizations to detect subtle anomalies in irregular Kerberos traffic? The BeyondTrust Research team set out to answer this question by combining security research insight with advanced statistics. This article looks at the motivation behind our research and the process of developing and testing a new statistical framework to improve the accuracy of Kerberos anomaly detection and reduce false positives.
Introducing the Kerberoasting Attack
The Kerberoasting attack abuses the Kerberos network authentication protocol in a Windows Active Directory environment. The Kerberos authentication process works as follows:
1. AS-REQ: The user logs in and requests a ticket-granting ticket (TGT).
2. AS-REP: The authentication server validates the user's credentials and issues a TGT.
3. TGS-REQ: When the user wants access to a service, they use the previously received TGT to request a service ticket from the ticket-granting service (TGS). This action is logged as Windows Event ID 4769 [1] on the domain controller.
4. TGS-REP: The TGS validates the request and issues a service ticket. The ticket is encrypted with the password hash of the service account associated with the requested service.
5. KRB-AP-REQ: The user presents the service ticket to the application server to authenticate to the service. The server performs the checks needed to verify the user's validity and grants access to the requested service.
Because Kerberos service tickets are encrypted with a hash of the service account's password, attackers target this step of the process. An attacker first uses the Lightweight Directory Access Protocol (LDAP) to query Active Directory for accounts that have a service principal name (SPN) associated with them, then requests ticket-granting service (TGS) tickets for those accounts. This requires no special privileges. Once the service tickets have been obtained, the attacker can crack the hash offline to recover the service account's credentials. Access to a service account lets an attacker move laterally, escalate privileges, and exfiltrate data.
The drawbacks of typical heuristic methods
Many organizations rely on heuristic-based detection to flag irregular Kerberos behavior. One common method is volume-based detection, which flags spikes in TGS request activity from a single account. If an attacker requests a TGS ticket for every service principal name they can find through LDAP, this method may identify the spike as suspicious. Another method, encryption-type analysis, detects attempts to downgrade the requested TGS ticket's encryption from the default AES to a weaker type such as RC4 or DES, in the hope of making the hash easier to crack.
Both of these static, rule-based methods, although they work in some cases, are notorious for producing false positives. They also fail to account for user behavior and for the irregularities specific to each organization's domain configuration.
A statistical model for detecting Kerberoasting attacks
With these limitations in mind, the BeyondTrust Research team set out to improve anomaly detection and reduce false positives. Statistical modeling proved to be the best approach: it yields a model that estimates probability distributions from contextual data patterns, and the ability to predict normal user behavior is the key to flagging abnormalities.
Our team laid out four constraints for a future statistical model, based on existing Kerberoasting research [2, 3]:
Explainability: outputs can be interpreted in terms of observed, normalized measurements that are easy to explain and to track over time.
Uncertainty: estimates reflect sample size and reliability, rather than the output being a simple binary indicator.
Scalability: the cloud compute and data storage needed to update the model parameters on each run stays bounded.
Non-stationarity: the model adapts to trends and other shifts in the data and incorporates them into how an anomaly is defined.
The BeyondTrust Research team built a model that meets the constraints above: it groups similar ticket request patterns into separate clusters and uses histogram bins to track the frequency of specific activity levels over time. The goal is to learn what "normal" looks like for each cluster. Grouping similar data patterns reduces false positives, because events that look suspicious on their own are normalized when compared with similar patterns.
Kerberoasting Statistical Model: Results
The team then tested the model over a 50-day evaluation period, roughly 1,200 hours of data. The results were as follows:
Processing time was consistently under 30 seconds per run, including histogram updates, clustering, score calculation, percentile ranking, and result storage.
Six anomalies with prominent temporal patterns were identified, including uncorrelated spikes in narrow time windows, increased variance, and significant temporary shifts. Two were penetration tests, one was a Kerberoasting attack simulated by the team, and three were tied to major changes in the Active Directory infrastructure that caused inadvertent spikes in Kerberos service ticket requests.
The model handled the extreme variance of heavy-tailed accounts well: after a spike had been observed only twice in a row, the dynamic sliding-window updates and real-time percentile rankings had already adapted, and the anomaly score decreased appropriately. This level of adaptability is significantly faster than standard anomaly detection methods.
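To make the mechanism concrete, here is a small Python sketch of the approach described in the model and results sections, added here as an illustration; it is not code from the article or from BeyondTrust. It keeps a per-account sliding-window histogram of hourly ticket-request counts, clusters accounts with similar volume, scores each hour by its percentile rank against the pooled cluster histogram, and applies a minimum-sample rule so that thin evidence reflects uncertainty rather than raising an alert. The window length, bin width, cluster rule, thresholds and the 48-hour sample data are all assumptions.

```python
import math
from collections import defaultdict, deque

# Assumptions for this sketch, not values from the article: a 24-hour sliding
# window, histogram bins five requests wide, and clusters formed by the order
# of magnitude of an account's typical hourly volume.
WINDOW_HOURS = 24
BIN_WIDTH = 5


def bin_of(count):
    """Histogram bin for an hourly request count (0-4 -> 0, 5-9 -> 1, ...)."""
    return max(count, 0) // BIN_WIDTH


class AccountModel:
    """Sliding-window histogram of hourly TGS-request counts for one account."""

    def __init__(self, window=WINDOW_HOURS):
        self.window = window
        self.history = deque()        # raw hourly counts still inside the window
        self.hist = defaultdict(int)  # bin -> number of window hours in that bin

    def update(self, count):
        self.history.append(count)
        self.hist[bin_of(count)] += 1
        if len(self.history) > self.window:        # slide: forget the oldest hour
            self.hist[bin_of(self.history.popleft())] -= 1

    def mean(self):
        return sum(self.history) / len(self.history) if self.history else 0.0


def cluster_key(model):
    """Accounts with the same order of magnitude of typical hourly volume share a cluster."""
    return int(math.log10(model.mean() + 1))


def score(models, account, count, use_cluster=True, min_samples=WINDOW_HOURS):
    """Percentile rank of this hour's count: the fraction of windowed hours whose
    histogram bin lies strictly below this count's bin. With use_cluster the
    histograms of every account in the same cluster are pooled; otherwise only
    the account's own histogram is used. Returns 0.0 until min_samples hours
    have been observed, so thin evidence never raises an alert."""
    me = models[account]
    members = ([m for m in models.values() if cluster_key(m) == cluster_key(me)]
               if use_cluster else [me])
    pooled = defaultdict(int)
    for m in members:
        for b, n in m.hist.items():
            pooled[b] += n
    total = sum(pooled.values())
    if total < min_samples:
        return 0.0
    b = bin_of(count)
    return sum(n for k, n in pooled.items() if k < b) / total


def run_hourly(series, window=WINDOW_HOURS, use_cluster=True):
    """series: account -> list of hourly counts (equal length). Each hour every
    account is scored against the model state from before that hour; the
    models then slide forward by one hour."""
    models = {a: AccountModel(window) for a in series}
    hours = len(next(iter(series.values())))
    scores = {a: [] for a in series}
    for h in range(hours):
        for a in series:
            scores[a].append(score(models, a, series[a][h], use_cluster, window))
        for a in series:
            models[a].update(series[a][h])
    return scores


def alerts(scores, threshold=0.99):
    """(account, hour) pairs whose percentile score reached the threshold."""
    return [(a, h) for a, s in scores.items() for h, v in enumerate(s) if v >= threshold]


# Constructed 48-hour sample (not real telemetry).
HOURS = 48
SAMPLE = {
    # an ordinary user: 2-4 tickets per hour, then three hours in a row of 50
    "user_alice": [[2, 3, 4, 3][h % 4] for h in range(HOURS)],
    # two service accounts that legitimately request many tickets every hour
    "svc_scanner_a": [[40, 50, 60][h % 3] for h in range(HOURS)],
    "svc_scanner_b": [45] * HOURS,
}
for h in (30, 31, 32):
    SAMPLE["user_alice"][h] = 50
SAMPLE["svc_scanner_b"][30] = 58  # high for this account, ordinary for its cluster

if __name__ == "__main__":
    pooled = run_hourly(SAMPLE)
    alone = run_hourly(SAMPLE, use_cluster=False)
    print("alerts (clustered):", alerts(pooled))
    print("alerts (per-account):", alerts(alone))
    print("alice spike scores, hours 30-32:",
          [round(pooled["user_alice"][h], 3) for h in (30, 31, 32)])
    print("scanner_b hour 30: clustered", round(pooled["svc_scanner_b"][30], 3),
          "vs alone", round(alone["svc_scanner_b"][30], 3))
```

Running it shows the two properties from the text. The user's first 50-ticket hour scores 1.0, but because that hour immediately enters the sliding window, the same spike one and two hours later scores 23/24 and 22/24: the score decreases on its own as the repeated pattern becomes part of "normal". The service account's 58-ticket hour would score 1.0 against its own history alone but about 0.83 against its cluster, which is how grouping similar patterns removes an alert that would otherwise be a false positive. The first 24 hours score 0.0 for every account because the minimum-sample rule treats them as insufficient evidence.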
After conducting this study, the BeyondTrust Research team can report early success from combining security expertise with advanced statistical techniques. Because pure anomaly detection methods have inherent limitations, this success required collaboration between security and data science experts: statisticians can build adaptive models that account for a wide range of behaviors, while security researchers provide the context needed to identify the salient features of flagged events.
Conclusion
Overall, this study shows that there are clear pathways to iterate on and evolve detection and response capabilities, even for 10-year-old attack patterns like Kerberoasting. Besides considering new detection capabilities like those described in this study, teams should evaluate proactive identity security measures that reduce the risk of Kerberoasting before an attack occurs.
Several solutions with Identity Threat Detection and Response (ITDR) capabilities, such as BeyondTrust Identity Security Insights, can help proactively identify accounts exposed to Kerberoasting through inappropriate use of service principals and weak cryptography.
Proactive measures combined with smarter, more context-aware detection models are essential as security teams keep striving to cut through the noise and stay ahead of growing complexity and scale.
About the author:
Christopher Calbani, Associate Security Researcher, BeyondTrust
Christopher Calbani is a security researcher on the BeyondTrust Research team, blending vulnerability research and detection engineering to help customers stay ahead of new threats. A recent graduate of the Rochester Institute of Technology with a BS in Cybersecurity, Christopher previously worked as a Systems Engineering intern supporting Fidelity Investments' large infrastructure and practiced advanced DevSecOps at Stavvy.
Cole Sodja, Principal Data Scientist, BeyondTrust
Cole Sodja has over 20 years of applied statistics experience at leading technology companies, including Amazon and Microsoft, and is a Principal Data Scientist at BeyondTrust. He specializes in time series analysis and brings deep expertise to complex business challenges in forecasting, change-point detection, and behavioral monitoring.
References
[1] Event ID 4769: Kerberos Service Ticket Requested (Microsoft Learn)
[2] Kerberos Authentication on Windows: TGT Exchange (Semantic Scholar PDF)
[3] A practical guide to analyzing detection of lateral movement in a Kerberos-based Windows environment (Scitepress 2020 conference paper)