Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->
09:30 AM
Connect Directly

The Long Road to Rebuilding Trust After 'Golden SAML'-Like Attacks

Eradicating 'privileged intruders' from the network in the aftermath of an attack poses major challenges, experts say.

Recent breaches, such as those related to the SolarWinds supply chain attack, have focused attention on the considerable challenges that organizations face re-establishing trust in a network where an adversary may have maintained privileged access on it for some time.

In several of the breaches, attackers stole the victim organization's Active Directory Federation Services (ADFS) token-signing certificate and used it to forge SAML tokens for arbitrary users. The tactic — which some refer to as Golden SAML — allowed the attackers to authenticate to the breached organization's Microsoft 365 environment — and to other federated services — as any user without needing a password or going through a multifactor authentication process.

Related Content:

SolarWinds Campaign Focuses Attention on 'Golden SAML' Attack Vector

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 10 Security Awareness Training Mistakes to Avoid

The attack vector let threat actors maintain persistent, privileged access on breached networks, allowing them to move laterally and carry out other malicious activities without being spotted.

Such attacks pose a big problem both from a detection and a mitigation standpoint.

"Attackers that are able to take over privileged identities can make highly impactful changes to application settings, master data, and other configurations," says Kevin Dunne, president at Pathlock.   

Golden SAML further complicates the problem by giving intruders a way to have evergreen, privileged access on a network that cannot be easily terminated through a password reset or forced multifactor authentication, he says.

Determining the actions an attacker might have taken on the network using their privileged access can be extremely hard to do, especially if they are good at wiping their tracks. In fact, once an attacker gets into the network with a privileged foothold, their options for doing damage are basically limitless, says Shaked Reiner, security researcher at CyberArk, the vendor that first sounded the alarm on Golden SAML back in 2017.

An attacker, for instance, could create backdoors on the network or generate tokens that allow persistent access to a breached network without being on it. The attacker also could add a user to the domain admin group or other highly privileged group, or quietly add specific privileges — like resetting the password of a domain administrator — to a regular user account, Reiner says.

"We can't really know for sure what the attackers did," Reiner says. "There is sometimes a possibility they did something that we don't even know to look for."  

Re-establishing trust in the aftermath of a Golden SAML attack or similar attacks can be potentially disruptive. If an organization suspects that a Golden SAML attack has been used against them, the most important step is to rotate the token signing and token encryption certificates in ADFS twice in rapid succession, says Doug Bienstock, manager at FireEye Mandiant's consulting group.

This action should be done in tandem with traditional eradication measures for blocking any known malware and resetting passwords across the enterprise, he says. Organizations that don't rotate — or change — the keys twice in rapid succession run the risk of a copy of the previous potentially compromised certificates being used to forge SAML tokens.

Potential Disruption
CyberArk's Reiner says key rotation could cause disruption if security teams are not prudent about how it is implemented.

"Rotating means revoking the old key and creating a new one," he says. "That means you have removed the trust between your own network and other cloud services." 

In normal situations, when an organization wants to rotate existing keys, there's a grace period during which the old key will continue to work while the new one is rolled out. With key rotation in the wake of a Golden SAML attack, organizations won't have that luxury, Reiner says.

The same issue is present when it comes to other mitigation measures designed to evict a privileged intruder from the network. In many cases, for instance, organizations can get a measure of security by restoring all potentially affected machines to a golden image, resetting all passwords for all accounts, and re-creating all private keys or secrets, says Oliver Tavakoli, CTO at Vectra. However, in situations where an attacker might have had privileged access, organizations cannot afford to make these changes on a rolling basis, he says.

"A smart attacker can switch to the already cleansed region before you get to the space they inhabit [on the network]," he says. "So the practical reality of having to do the cleanup simultaneously across all vectors is what makes this very difficult and disruptive."

Complete, guaranteed eradication is very difficult and sometimes might require every piece of hardware to be scrapped and replaced with new gear, Tavakoli says.

Mandiant's Bienstock says organizations can rebuild trust with minimal disruption by maintaining an up-to-date inventory of cloud applications they are federating with ADFS. They also need a practiced playbook for resetting ADFS certificates. The playbook should include refreshing the connection between the ADFS and cloud applications so the latter will trust the new ADFS certificates, he says.

"Organizations that are well-versed in this procedure should be able to perform it relatively quickly and keep downtime minimized," he says.

Mandiant recommends that organizations also take proactive steps to harden their on-premises ADFS environment to make it harder for attackers to pull off Golden SAML-style attacks. The steps it recommends include configuring a dedicated on-premises ADFS service account with restricted access rights, reviewing ADFS logging and auditing settings, and tightly restricting access to ADFS servers.

"On-premises ADFS servers should be considered Tier 0 assets," the security vendor says. "Mandiant recommends restricting access to the ADFS servers to an even smaller subset of unique accounts than the typical 'Domain Administrators' group."

Tim Wade, technical director at Vectra, says that when it comes to the broader issue of keeping an eye on privileged accounts, organizations should audit both the privileges that have been granted to specific accounts and to how those privileges are actually being used. Organizations should identify the set of critical roles and entitlements to be audited and deploy technologies for monitoring use of those privileges. Such monitoring can help organizations detect and respond in real time to the leading indicators that privilege is being abused, he says.

"Understanding privilege and its associated risks and periodic audits are necessary but insufficient due to the combined complexity and velocity of today's enterprise," Wade says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file