“With the evolution of cloud computing over the past 15 years, people continue to use Active Directory in a virtualized environment, increasing the number of accounts needing to be monitored, patched and serviced,” Porter says.
Once a service ticket has been requested, the rest of the attack is carried out offline: the attacker cracks the ticket's encrypted portion on their own hardware, without further interaction with the authentication server or the targeted network resources.
“This makes it difficult for defenders to identify and stop the attack before it is successful,” says Morgan Wright, chief security adviser at SentinelOne.
Techniques and information have become more available not only through the dark web but also through industry publications and forums.
How Does Kerberoasting Affect Agencies?
Agencies handle sensitive and classified information that, if compromised, can disrupt government operations and potentially compromise national security.
If federal agencies rely on Microsoft AD, they must be proactive in defending against Kerberoasting to protect this highly confidential information, whose exposure could be highly damaging.
Agencies tend to work with multiple providers to manage their networks, meaning that they are especially exposed to Kerberoasting that begins with a compromised third party in their software supply chain or with the service accounts those providers create.
“It’s not enough for agencies to update their best practices for creating and reconfiguring service principal names for authentication,” Patton says. “They need to make sure their vendors are also taking precautions.”
This requires taking extra care as the end user of a managed service, including reviewing contract language on how Microsoft AD objects are created and maintained.
The impact of Kerberoasting on agencies falls into three main categories: unauthorized access and data breaches, elevation of privileges, and operational disruption, Porter says.
“Successful attacks have led to unauthorized access to sensitive systems and data, while compromised service accounts provide elevated privileges, heightening the impact of a significant system compromise and free rein within the network,” Porter says. “Attacks will, and have, disrupted critical operations and services provided by public sector agencies.”
How to Detect and Defend Against Kerberoasting
Prevention of Kerberoasting should be the top priority for agencies, rather than detection after the fact, Patton says.
For example, disabling RC4 for service accounts so that their tickets are issued with AES, rotating service account passwords, and requiring long, complex passwords make offline brute-force attacks far more costly and, in practice, impractical.
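An added example, not from the article or from the vendors it quotes, of what that audit and hardening look like in PowerShell. It assumes the ActiveDirectory RSAT module and an account permitted to read and modify the service accounts, and it goes slightly beyond the paragraph by also reporting password age and privilege so the riskiest accounts are handled first:

```powershell
# Added example (not from the original article): audit Kerberoastable accounts and
# harden the ones that still accept RC4 service tickets.
# Assumes the ActiveDirectory module (RSAT) and rights to read/modify the accounts.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes as documented by Microsoft.
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

# Only user objects with an SPN are practical Kerberoasting targets; computer accounts
# have long random passwords that are not crackable offline.
$candidates = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, PasswordNeverExpires, AdminCount

$report = foreach ($u in $candidates) {
    # An unset attribute reads as 0; the KDC then falls back to RC4 for this account.
    $etypes     = [int]($u.'msDS-SupportedEncryptionTypes')
    $acceptsRc4 = ($etypes -eq 0) -or (($etypes -band $RC4) -ne 0)

    $ageDays = $null
    if ($u.PasswordLastSet) { $ageDays = ((Get-Date) - $u.PasswordLastSet).Days }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        SPNs            = ($u.ServicePrincipalName -join ';')
        AcceptsRC4      = $acceptsRc4
        PasswordAgeDays = $ageDays
        NeverExpires    = [bool]$u.PasswordNeverExpires
        Privileged      = ($u.AdminCount -eq 1)   # adminCount=1 marks protected (admin) accounts
    }
}

# Riskiest first: privileged accounts that still hand out RC4 tickets.
$report | Sort-Object Privileged, AcceptsRC4 -Descending | Format-Table -AutoSize

# Hardening: restrict each RC4-capable account to AES ticket encryption.
# -WhatIf previews the change; remove it to apply.
foreach ($r in $report | Where-Object { $_.AcceptsRC4 }) {
    Set-ADUser -Identity $r.SamAccountName -KerberosEncryptionType AES128, AES256 -WhatIf
}
```

Two caveats a practitioner should keep in mind. AES keys are derived from the password when it is set, so an account whose password predates AES support must have its password rotated after the encryption type is changed, or the KDC cannot issue it AES tickets at all. And AES only slows the offline attack (each guess costs a PBKDF2 derivation rather than a single hash), so the length and uniqueness of the password, and a rotation that also updates the credential stored by the service itself, remain the controls that actually decide whether cracking succeeds.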
“That said, strategies for detection are still crucial,” he says. “I recommend ensuring that a strong monitoring and alerts process is in place.”
Organizations can alert whenever a new Microsoft AD user object is created with a service principal name, since that property is what makes an account susceptible to Kerberoasting. In response, security teams can verify that the account was created securely (a long, unique password, AES-only encryption types, no unnecessary privileges) and remediate it if needed.
Agencies must strengthen their defenses against a Microsoft AD attack, and it is vital to identify identity settings within AD that leave it vulnerable to attack, Wright says.
“Another step is to use strong and unique passwords for all service accounts. Service account passwords are the same length and do not expire,” he says. “Make sure the passwords are greater than 25 characters.”
A growing tactic is deception technology: an organization creates decoy service accounts that carry service principal names but have no legitimate users, so that any request for one of their service tickets from the Kerberos authentication service is itself a signal.
“Monitoring the fake accounts and the activity associated with them can provide insight into tactics and alert defenders to any attempts to exploit the vulnerability,” Wright says.
Threat hunting is another path to detection, letting security operations center analysts look proactively for unusual Kerberos activity, such as bursts of service ticket requests from one account or tickets requested with weaker encryption.
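An added example, not from the article or the vendors quoted, that turns the decoy-account monitoring and the Kerberos hunt above into one PowerShell query over Security event 4769 (a service ticket was requested), which domain controllers log when "Audit Kerberos Service Ticket Operations" is enabled. The decoy name (svc-honeypot), the 24-hour lookback and the burst threshold are assumptions to adjust for your environment:

```powershell
# Added example (not from the original article): hunt event 4769 on a domain controller
# for the Kerberoasting pattern. Assumes the ActiveDirectory module and rights to read
# the Security log. svc-honeypot, the lookback and the burst limit are assumed values.
Import-Module ActiveDirectory

$Lookback   = (Get-Date).AddHours(-24)
$Honeypots  = @('svc-honeypot')   # decoy accounts with an SPN that no real client should ever use
$BurstLimit = 5                   # distinct roastable SPN accounts from one requester in the window

# sAMAccountNames of user objects with an SPN: the only targets worth cracking offline.
$roastable = (Get-ADUser -Filter 'ServicePrincipalName -like "*"').SamAccountName

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Lookback } `
    -ErrorAction SilentlyContinue

$requests = foreach ($ev in $events) {
    # Pull the EventData fields (TargetUserName, ServiceName, IpAddress, ...) out of the event XML.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    $svc = ($d.ServiceName -split '@')[0]
    # Computer accounts (trailing $) and the krbtgt TGT are not Kerberoasting targets.
    if ($svc.EndsWith('$') -or $svc -eq 'krbtgt') { continue }
    if ($d.Status -ne '0x0') { continue }   # only tickets that were actually issued

    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Requester = $d.TargetUserName
        ClientIP  = $d.IpAddress
        Service   = $svc
        RC4       = ($d.TicketEncryptionType -eq '0x17')   # 0x17 = RC4-HMAC; AES256 is 0x12
        Honeypot  = ($Honeypots -contains $svc)
        Roastable = ($roastable -contains $svc)
    }
}

# Signal 1: any ticket for a decoy account is suspicious by construction.
$requests | Where-Object Honeypot |
    ForEach-Object { Write-Warning "DECOY ticket: $($_.Requester) from $($_.ClientIP) -> $($_.Service)" }

# Signal 2: an RC4 ticket for a user-account SPN. Current Windows clients negotiate AES,
# so an explicit RC4 request is a strong indicator of a cracking tool at work.
$requests | Where-Object { $_.RC4 -and $_.Roastable } |
    Format-Table Time, Requester, ClientIP, Service -AutoSize

# Signal 3: one requester collecting tickets for many distinct roastable accounts,
# which is how tooling enumerates every SPN in the domain in one pass.
$requests | Where-Object Roastable |
    Group-Object Requester, ClientIP |
    Where-Object { ($_.Group.Service | Sort-Object -Unique).Count -ge $BurstLimit } |
    Select-Object Name, Count
```

Signal 2 loses value once attackers request AES tickets (they are still crackable, only slower), so the decoy and burst signals are the ones to keep permanently; a decoy account needs an SPN, a strong password and no legitimate consumer, so that the false-positive rate is close to zero.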
“If it has not already been activated, use multifactor authentication,” Wright says. “The goal is to make each step harder and more time-consuming.”