Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

5/12/2021
09:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The Long Road to Rebuilding Trust After 'Golden SAML'-Like Attacks

Eradicating 'privileged intruders' from the network in the aftermath of an attack poses major challenges, experts say.

Recent breaches, such as those related to the SolarWinds supply chain attack, have focused attention on the considerable challenges that organizations face re-establishing trust in a network where an adversary may have maintained privileged access on it for some time.

In several of the breaches, attackers stole the victim organization's Active Directory Federation Services (ADFS) token-signing certificate and used it to forge SAML tokens for arbitrary users. The tactic — which some refer to as Golden SAML — allowed the attackers to authenticate to the breached organization's Microsoft 365 environment — and to other federated services — as any user without needing a password or going through a multifactor authentication process.

Related Content:

SolarWinds Campaign Focuses Attention on 'Golden SAML' Attack Vector

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 10 Security Awareness Training Mistakes to Avoid

The attack vector let threat actors maintain persistent, privileged access on breached networks, allowing them to move laterally and carry out other malicious activities without being spotted.

Such attacks pose a big problem both from a detection and a mitigation standpoint.

"Attackers that are able to take over privileged identities can make highly impactful changes to application settings, master data, and other configurations," says Kevin Dunne, president at Pathlock.   

Golden SAML further complicates the problem by giving intruders a way to have evergreen, privileged access on a network that cannot be easily terminated through a password reset or forced multifactor authentication, he says.

Determining the actions an attacker might have taken on the network using their privileged access can be extremely hard to do, especially if they are good at wiping their tracks. In fact, once an attacker gets into the network with a privileged foothold, their options for doing damage are basically limitless, says Shaked Reiner, security researcher at CyberArk, the vendor that first sounded the alarm on Golden SAML back in 2017.

An attacker, for instance, could create backdoors on the network or generate tokens that allow persistent access to a breached network without being on it. The attacker also could add a user to the domain admin group or other highly privileged group, or quietly add specific privileges — like resetting the password of a domain administrator — to a regular user account, Reiner says.

"We can't really know for sure what the attackers did," Reiner says. "There is sometimes a possibility they did something that we don't even know to look for."  

Re-establishing trust in the aftermath of a Golden SAML attack or similar attacks can be potentially disruptive. If an organization suspects that a Golden SAML attack has been used against them, the most important step is to rotate the token signing and token encryption certificates in ADFS twice in rapid succession, says Doug Bienstock, manager at FireEye Mandiant's consulting group.

This action should be done in tandem with traditional eradication measures for blocking any known malware and resetting passwords across the enterprise, he says. Organizations that don't rotate — or change — the keys twice in rapid succession run the risk of a copy of the previous potentially compromised certificates being used to forge SAML tokens.

Potential Disruption
CyberArk's Reiner says key rotation could cause disruption if security teams are not prudent about how it is implemented.

"Rotating means revoking the old key and creating a new one," he says. "That means you have removed the trust between your own network and other cloud services." 

In normal situations, when an organization wants to rotate existing keys, there's a grace period during which the old key will continue to work while the new one is rolled out. With key rotation in the wake of a Golden SAML attack, organizations won't have that luxury, Reiner says.

The same issue is present when it comes to other mitigation measures designed to evict a privileged intruder from the network. In many cases, for instance, organizations can get a measure of security by restoring all potentially affected machines to a golden image, resetting all passwords for all accounts, and re-creating all private keys or secrets, says Oliver Tavakoli, CTO at Vectra. However, in situations where an attacker might have had privileged access, organizations cannot afford to make these changes on a rolling basis, he says.

"A smart attacker can switch to the already cleansed region before you get to the space they inhabit [on the network]," he says. "So the practical reality of having to do the cleanup simultaneously across all vectors is what makes this very difficult and disruptive."

Complete, guaranteed eradication is very difficult and sometimes might require every piece of hardware to be scrapped and replaced with new gear, Tavakoli says.

Mandiant's Bienstock says organizations can rebuild trust with minimal disruption by maintaining an up-to-date inventory of cloud applications they are federating with ADFS. They also need a practiced playbook for resetting ADFS certificates. The playbook should include refreshing the connection between the ADFS and cloud applications so the latter will trust the new ADFS certificates, he says.

"Organizations that are well-versed in this procedure should be able to perform it relatively quickly and keep downtime minimized," he says.

Mandiant recommends that organizations also take proactive steps to harden their on-premises ADFS environment to make it harder for attackers to pull off Golden SAML-style attacks. The steps it recommends include configuring a dedicated on-premises ADFS service account with restricted access rights, reviewing ADFS logging and auditing settings, and tightly restricting access to ADFS servers.

"On-premises ADFS servers should be considered Tier 0 assets," the security vendor says. "Mandiant recommends restricting access to the ADFS servers to an even smaller subset of unique accounts than the typical 'Domain Administrators' group."

Tim Wade, technical director at Vectra, says that when it comes to the broader issue of keeping an eye on privileged accounts, organizations should audit both the privileges that have been granted to specific accounts and to how those privileges are actually being used. Organizations should identify the set of critical roles and entitlements to be audited and deploy technologies for monitoring use of those privileges. Such monitoring can help organizations detect and respond in real time to the leading indicators that privilege is being abused, he says.

"Understanding privilege and its associated risks and periodic audits are necessary but insufficient due to the combined complexity and velocity of today's enterprise," Wade says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31618
PUBLISHED: 2021-06-15
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why...
CVE-2021-20027
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE-2021-32684
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
CVE-2021-34693
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-27887
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...