In 2010, SANS reported that knowledge of the Pass the Hash attack first described some thirteen years earlier was still poor. By 2019, knowledge of the threat vector that has now been in the public domain for more than two decades has improved, but is still not complete.
Password management firm One Identity surveyed (PDF) more than 1,000 qualified individuals with a direct responsibility for security and a knowledge of IAM and privileged access in firms with more than 500 employees. Fifty-three percent of the firms had more than 5,000 employees from a wide range of different industry sectors, while 40% of them are in the U.S. or Canada. The purpose of the survey was to determine current understanding of, and mitigations used for, Pass the Hash attacks. Thirteen percent of the respondents said they had no plans to do anything at all.
A Pass the Hash attack involves stealing the password hash rather than the plaintext password. A typical attack might target a local or remote user's desktop with malware that would serve two purposes. The first would introduce a problem, such as slowing performance or breaking a commonly used app; the second would have the ability to scrape memory. The first purpose is to persuade the victim that he has a problem that could be fixed by the help desk staff.
With a call logged, the help team is persuaded to log into the user's computer to fix the problem. This would typically involve using an administrator account. When the administrator logs in, the admin account hash is logged on the computer -- and the second function of the malware to scrape this from memory comes into play. The result is that the attacker now has privileged access to the network.
Since there is no technological defense against legitimate access, Pass the Hash must be prevented rather than detected. The One Identity survey sought to understand how companies are preventing the attacks, and "to explore the impact of Pass the Hash attacks."
Only 26% of respondents believe they have not experienced such an attack; 15% don't know if they have had an attack; and 4% don't know what it is. The larger the company, the greater the likelihood of an attack. In companies with more than 5,000 employees, 8% know they have been attacked with a further 18% thinking it probable. With companies between 2,500 and 5,000 employees, the figures are 5% and 14%; and for those with less than 2,500, it is 2% and 10%.
Among those respondents that had experienced an attack, 70% reported a result in increased operational costs, 68% reported staff costs in addressing the issue, and 40% reported a direct financial impact through lost revenue and fines. "The results of our 2019 survey indicate that despite the fact that Pass the Hash attacks are having significant financial and operational impact on organizations, there is vast room for improvement in the steps organizations are taking to address them," said Darrell Long, VP of product management at One Identity.
The key to mitigating Pass the Hash attacks is the issuance of single-use passwords for privileged accounts. In our described scenario, it won't stop the attackers getting hold of the administrative hash, but the password will have been used and the hash will not work again.
"Another solution," One Identity evangelist Todd Peterson told SecurityWeek, "would be to use advanced Active Directory practices to use a delegated set of permissions without using administrator credentials." Microsoft's recommended solution is to use Red Forest, the common name for its Enhanced Security Administrative Environment (ESAE) offering. This, explained Peterson, "requires an entirely separate Active Directory forest in order to move the desktop that requires work into this forest, where it can remain protected, and then move it back when the fix is complete. It's a pretty expensive, complex and cumbersome way to do it," he added, "but it does solve the problem."
Fifty-five percent of the respondents say they have tackled Pass the Hash by implementing privileged password management (a password vault). Fifty percent say they have implemented advanced Active Directory controls, and 26% say they have implemented Red Forest. Worryingly, perhaps, 13% say they have no plans to combat Pass the Hash. The concern here is that if a firm does nothing to prevent Pass the Hash, there may be no way of knowing whether they are already victims of the attack.
"The key takeaway from this survey," says Peterson, "is that of all the options, barely more than half of the respondents are doing any one of them, while probably none of them are adequate on their own. The best approach," he continued, "would be to combine the Active Directory management and a password vault. Or if you choose to go the Red Forest route, augment it with the others. Eighty-seven percent of the respondents are doing something," he added, "but the financial impact reported shows they are not doing enough."