They might sound like unlikely candidates to join the Four Horsemen of the Apocalypse, but at a 2014 TechEd event in Huston, Microsoft’s Nathan Ide and Mark Russinovich delivered a joint presentation, ‘Pass-the-Hash: How Attacks Spread and How to Stop Them’, that made a number of attendees a little bit… nervous.
Ide and Russinovich were relaying the results of an in-house brainstorming session intended to get a handle on the growing frequency and severity of pass-the-hash attacks.
They began by itemizing three alarming and notorious examples from what was then very-recent history.
The first was the 2012 cyber attack on oil giant Saudi Aramco, an amateurish hack that still affected 30,000 workstations. The next was the recent Chinese attack on various US media outlets. The third was the immense infiltration of Target, America’s second largest retailer, which impacted 110 million customers.
All of these attacks, they stressed, were instigated through pass-the-hash. But, what is a pass-the-hash attack and how does it work? Check out the video below.
In the case of the Target breach, it was even thought that the initial point of an attack wasn’t even a Target machine – it had been a vendor’s – and, furthermore, one without administrator credentials.
“Pass-the-hash transforms the breach of one machine into total compromise of infrastructure,” Russinovich told the TechEd audience. “This is a huge, huge problem. Some small companies, large companies, military organisations, giant EU organisations… have had their whole domain taken over using this technique.”
The pair proceeded to share the fruits of that Microsoft brainstorm. The trouble was that, for many of the audience (sufficiently alarmed by the convincing scope and power of pass-the-hash attacks), these fruits were not particularly convincing – everything sounded far too complex and convoluted, an indication of just how stubborn and virulent pass-the-hash attacks were becoming.
1E’s Windows 10 Solution Architect (and Microsoft MVP) Keith Garner was in the audience that day.
“The best way they could think of was you had to do some funky things with setting up your domain administrators, locking them down, making sure they have a separate account doing a domain administrator task versus their email account,” recalls Garner. “It was crazy. I remember sitting in the audience going – if I were a domain administrator I don’t know how I would solve this problem, or how I could communicate this effectively to other people. I was wondering if they were ever going to solve this.”
Well, Microsoft did eventually solve it, namely through the security features in Windows 10, particularly Credential Guard, which uses virtualization technology to limit access and ensure that a situation such as Target’s can’t happen.
Garner agrees that the pass-the-hash threat was a key reason behind Windows 10’s development, as well as a reason to migrate sooner rather than later. “If you look at all the security breaches of the past few years, at The Targets, the Home Depots, the banks, and you worry about losing your job and you’re concerned about locking your environment down, then yes I would seriously consider Windows 10, and enabling those security features.”
The obvious question here, though, is, how long can Microsoft hope to stay a step ahead of the hackers? Is it just a matter of time before businesses are implored to escape to the ‘truly secure’ new OS of a Windows 11?
“Microsoft is not really going to have these huge changes anymore. They’re going to have incremental changes and essentially each of these represents a completely new operating system, even while marketing and branding wise they remain ‘Windows 10.’ That was the other big sea change with Windows 10: it has a better servicing stack, so it can be serviced and upgraded and changed more easily.”
For those looking to explore how to take advantage of Credential Guard and protect their enterprise against the pass-the-hash attack, be sure to watch the third and final webinar in our Windows 10 Security Webinar Series on-demand now.
