Keeping The Skeleton Keys Out Of The Closet

Skeleton Key

Recently, Dell SecureWorks Counter Threat Unit (CTU) discovered ‘Skeleton Key’ – a piece of malware which is able to bypass Active Directory (single factor) authentication, e.g. AD authentication based just on a username and password that allows an attacker to authenticate as any existing user within Active Directory by specifying a password of their choice.

The Counter Threat Unit claimed to have initially discovered Skeleton Key on a client’s network, giving attackers full access to the target organisations’ webmail and VPN. Once any attacker has VPN access, they can blend in with the day-to-day ‘noise’ of legitimate activity, moving laterally through the network and further escalating their privileges.

According to CTU researchers, “Skeleton Key is deployed as an in-memory patch on victims’ AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal”.

Since Skeleton Key doesn’t use a persistence mechanism, it must be re-deployed (by an attacker) each time a compromised domain controller is restarted – which, in reality (and in large organisations), shouldn’t be very often. Arguably this would give any attacker enough time to obtain, or create further credentials, and be able to simply VPN back in to the victims’ network without detection, and without any further need for malware.

So what does this mean for any organisation using Active Directory for authentication? This newly discovered threat continues to highlight the need for organisations to seriously consider implementing methods of strong authentication – ideally two-factor, with an adaptive authentication capability, both at the edge (the VPN), and for access to mission-critical applications and data.

With two-factor authentication in place – at the edge, for applications, or even for both – any would-be attacker is prompted for a second factor during the authentication process. This second factor needs to be provided in addition to the users’ password for the attacker to successfully authenticate and gain access as that user. Since that second factor is based on something that the user possesses (either a device, an account, or token), this would offer a good level of protection against this type of attack where the password is compromised in some way.

There are plenty of flexible two-factor methods for organisations to choose from on the market today, according to the needs of their user base. These methods range from sending an SMS or e-email based one-time password (OTP) to a pre-specified phone number or email address on record for that user; using an OTP application on a user’s smart phone; or even using a dedicated hardware token that displays the OTP.

With adaptive authentication being used in conjunction with two-factor, organisations can automatically perform risk analysis of certain characteristics pre-authentication, e.g. before the users’ credentials are authenticated and the second factor verified.

These adaptive capabilities can leverage IP reputation data and compare the authenticating IP address against IP reputation data to detect whether it’s associated with a known bad actor. It can also analyse the user’s current physical location against the location of the previous logon (geo-velocity), and look for improbable travel events such as moving thousands of miles in just an hour or two. This adaptive approach not only offers organisations a level of protection, but also a level of detection that can be used in conjunction with threat intelligence to provide attribution of an attack.

In summary, organisations shouldn’t just be relying on a single factor to protect their critical network, applications, or data. Skelton Key is a good example of where attackers are able to circumvent a reliable, trusted authentication system – in this case Active Directory. Organisations should look to deploy strong authentication in conjunction with their existing investments in Active Directory and VPN to ensure that they have both a protection and detection mechanism against these types of attacks.

Keith Graham is Chief Technology Officer at SecureAuth. His expertise comes from 15 years in security, product management, product development, and consulting. As CTO, Graham leads product development and plays a major role in the creation and development of innovative features and upgrades for all of SecureAuth’s enterprise security solutions. Graham holds a bachelor’s of science degree in computing from the University of Greenwich, UK, and a master’s of science degree in information security and biometrics from the University of Kent, UK. Graham also holds chartered IT professional status from the British Computer Society.