Dark Reading
The Long Road to Rebuilding Trust After 'Golden SAML'-Like Attacks

Eradicating 'privileged intruders' from the network in the aftermath of an attack poses major challenges, experts say.

Recent breaches, such as those related to the SolarWinds supply chain attack, have focused attention on the considerable challenges organizations face in re-establishing trust in a network on which an adversary may have maintained privileged access for some time.

In several of the breaches, attackers stole the victim organization's Active Directory Federation Services (ADFS) token-signing certificate and used it to forge SAML tokens for arbitrary users. The tactic — which some refer to as Golden SAML — allowed the attackers to authenticate to the breached organization's Microsoft 365 environment — and to other federated services — as any user without needing a password or going through a multifactor authentication process.

The attack vector let threat actors maintain persistent, privileged access on breached networks, allowing them to move laterally and carry out other malicious activities without being spotted.

Such attacks pose a big problem both from a detection and a mitigation standpoint.

"Attackers that are able to take over privileged identities can make highly impactful changes to application settings, master data, and other configurations," says Kevin Dunne, president at Pathlock.   

Golden SAML further complicates the problem by giving intruders a way to have evergreen, privileged access on a network that cannot be easily terminated through a password reset or forced multifactor authentication, he says.

Determining the actions an attacker might have taken on the network using their privileged access can be extremely hard to do, especially if they are good at wiping their tracks. In fact, once an attacker gets into the network with a privileged foothold, their options for doing damage are basically limitless, says Shaked Reiner, security researcher at CyberArk, the vendor that first sounded the alarm on Golden SAML back in 2017.

An attacker, for instance, could create backdoors on the network or generate tokens that allow persistent access to a breached network without being on it. The attacker also could add a user to the domain admin group or other highly privileged group, or quietly add specific privileges — like resetting the password of a domain administrator — to a regular user account, Reiner says.

"We can't really know for sure what the attackers did," Reiner says. "There is sometimes a possibility they did something that we don't even know to look for."  

Re-establishing trust in the aftermath of a Golden SAML attack or similar attacks can be disruptive. If an organization suspects that a Golden SAML attack has been used against it, the most important step is to rotate the token-signing and token-encryption certificates in ADFS twice in rapid succession, says Doug Bienstock, manager at FireEye Mandiant's consulting group.

This action should be done in tandem with traditional eradication measures for blocking any known malware and resetting passwords across the enterprise, he says. Organizations that don't rotate — or change — the keys twice in rapid succession run the risk of a copy of the previous potentially compromised certificates being used to forge SAML tokens.

Potential Disruption
CyberArk's Reiner says key rotation could cause disruption if security teams are not prudent about how it is implemented.

"Rotating means revoking the old key and creating a new one," he says. "That means you have removed the trust between your own network and other cloud services." 

In normal situations, when an organization wants to rotate existing keys, there's a grace period during which the old key will continue to work while the new one is rolled out. With key rotation in the wake of a Golden SAML attack, organizations won't have that luxury, Reiner says.

The same issue is present when it comes to other mitigation measures designed to evict a privileged intruder from the network. In many cases, for instance, organizations can get a measure of security by restoring all potentially affected machines to a golden image, resetting all passwords for all accounts, and re-creating all private keys or secrets, says Oliver Tavakoli, CTO at Vectra. However, in situations where an attacker might have had privileged access, organizations cannot afford to make these changes on a rolling basis, he says.

"A smart attacker can switch to the already cleansed region before you get to the space they inhabit [on the network]," he says. "So the practical reality of having to do the cleanup simultaneously across all vectors is what makes this very difficult and disruptive."

Complete, guaranteed eradication is very difficult and sometimes might require every piece of hardware to be scrapped and replaced with new gear, Tavakoli says.

Mandiant's Bienstock says organizations can rebuild trust with minimal disruption by maintaining an up-to-date inventory of cloud applications they are federating with ADFS. They also need a practiced playbook for resetting ADFS certificates. The playbook should include refreshing the connection between the ADFS and cloud applications so the latter will trust the new ADFS certificates, he says.

"Organizations that are well-versed in this procedure should be able to perform it relatively quickly and keep downtime minimized," he says.
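The double rotation and the trust refresh described above, written out as an added example for this article (it is not Mandiant's or CyberArk's code). It assumes an elevated PowerShell session on the primary AD FS server with the ADFS and MSOnline modules installed, an existing Connect-MsolService session, and a placeholder federated domain name; the relying-party inventory at the top is the list of trusts whose view of the AD FS metadata must be refreshed afterwards.

```powershell
# Added example (not Mandiant's or CyberArk's code). Assumes: elevated PowerShell on the
# primary AD FS server, ADFS + MSOnline modules installed, Connect-MsolService already run.
Import-Module ADFS
$FederatedDomain = "example.com"   # placeholder: the domain federated with Azure AD

# 1. Inventory the relying parties that trust the current certificates.
#    Every entry here needs its copy of the AD FS metadata refreshed after rotation.
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier, MetadataUrl | Format-Table -AutoSize

# 2. Record which thumbprints are trusted right now so the result can be verified.
$before = Get-AdfsCertificate -CertificateType Token-Signing |
          Select-Object -ExpandProperty Thumbprint
Write-Host "Token-signing thumbprints before rotation: $($before -join ', ')"

# 3. Update-AdfsCertificate only works when AD FS manages its own certificates.
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    throw "AutoCertificateRollover is off: certificates are externally managed, replace them manually."
}

# 4. Rotate twice, urgently. One pass makes a fresh certificate primary but keeps the old
#    one as a still-trusted secondary; the second pass evicts it. Do this for both the
#    token-signing and the token-decrypting (encryption) certificate.
foreach ($type in "Token-Signing", "Token-Decrypting") {
    1..2 | ForEach-Object {
        Update-AdfsCertificate -CertificateType $type -Urgent
        Start-Sleep -Seconds 5
    }
}

# 5. Verify that none of the pre-rotation thumbprints survived.
$after = Get-AdfsCertificate -CertificateType Token-Signing |
         Select-Object -ExpandProperty Thumbprint
$leftover = $before | Where-Object { $after -contains $_ }
if ($leftover) { throw "Old token-signing certificate still trusted: $($leftover -join ', ')" }
Write-Host "Token-signing thumbprints after rotation: $($after -join ', ')"

# 6. Push the new certificates to Azure AD so Microsoft 365 stops trusting the old ones.
#    Other relying parties from step 1 are refreshed through their own metadata import.
Update-MsolFederatedDomain -DomainName $FederatedDomain
```

Run the whole script as one unit rather than step by step: the window between the first rotation and the refresh in step 6 is exactly the gap the article warns about.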

Mandiant recommends that organizations also take proactive steps to harden their on-premises ADFS environment to make it harder for attackers to pull off Golden SAML-style attacks. The steps it recommends include configuring a dedicated on-premises ADFS service account with restricted access rights, reviewing ADFS logging and auditing settings, and tightly restricting access to ADFS servers.

"On-premises ADFS servers should be considered Tier 0 assets," the security vendor says. "Mandiant recommends restricting access to the ADFS servers to an even smaller subset of unique accounts than the typical 'Domain Administrators' group."
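A read-only check of the three hardening points Mandiant lists (service account, logging and auditing, server access), as an added example that is not Mandiant's tooling. It assumes an elevated session on an AD FS server running Windows Server 2016 or later, where the ADFS module exposes AuditLevel; the gMSA test is a heuristic on the account name.

```powershell
# Added example (not Mandiant's tooling). Assumes an elevated PowerShell session on an
# AD FS server (Windows Server 2016+). Read-only: it reports findings and changes nothing.
Import-Module ADFS
$findings = @()

# 1. Dedicated service account: adfssrv should run as a group managed service account
#    (name ends in '$', the usual choice) or a purpose-built account, never a shared admin.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if ($svc.StartName -notmatch '\$$') {
    $findings += "adfssrv runs as '$($svc.StartName)'; use a dedicated gMSA with restricted rights."
}

# 2. Logging and auditing: token-issuance detail only reaches the Security log when the
#    AD FS audit level is Verbose and the OS 'Application Generated' subcategory is enabled.
$props = Get-AdfsProperties
if ('Verbose' -notin @($props.AuditLevel)) {
    $findings += "AD FS AuditLevel is '$($props.AuditLevel)'; raise it with Set-AdfsProperties -AuditLevel Verbose."
}
$pol = auditpol /get /subcategory:"Application Generated" /r | ConvertFrom-Csv
if ($pol.'Inclusion Setting' -ne 'Success and Failure') {
    $findings += "'Application Generated' auditing is '$($pol.'Inclusion Setting')'; enable Success and Failure."
}

# 3. Tier 0 access: the local Administrators group is the set of accounts that can reach
#    the signing keys. Compare it with the approved short list, not Domain Admins at large.
$admins = Get-LocalGroupMember -Group Administrators | Select-Object -ExpandProperty Name
$findings += "Local Administrators on $env:COMPUTERNAME: $($admins -join ', ')"

$findings | ForEach-Object { Write-Host "[ADFS-HARDENING] $_" }
```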

Tim Wade, technical director at Vectra, says that when it comes to the broader issue of keeping an eye on privileged accounts, organizations should audit both the privileges that have been granted to specific accounts and how those privileges are actually being used. Organizations should identify the set of critical roles and entitlements to be audited and deploy technologies for monitoring use of those privileges. Such monitoring can help organizations detect and respond in real time to the leading indicators that privilege is being abused, he says.

"Understanding privilege and its associated risks and periodic audits are necessary but insufficient due to the combined complexity and velocity of today's enterprise," Wade says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
