Single Sign On: Feature or Threat?

A conflicting issue between usability and security is at the core of single sign on capabilities. The use of single sign on (SSO) is from the perspective of usability, a must have. SSO is required to maintain efficency within a workplace. Modern enterprise users are constantly using multiple applications, accessing, sharing, storing data across multiple file shares, sending, downloading emails, authenticating through VPNs, mobile devices, etc. Without single sign on, each step would inhibit productivity levels.  It would be impossible, from the functional view of user interactions and tasks, to require them to authenticate every time they access a resource, read, write or modify a file. It is very clear that SSO is a fundamental need for enterprises.

However SSO represents a single point of failure and a driving factor for credential reuse/extraction attacks. This means attackers can gain access to a variety of resources by simply obtaining and reusing credentials. If organization defense posture is weak, this creates a risk that can come from  simply snooping over someone’s shoulder, reading a sticky note, or all the way to a sophisticated targeted phishing, malware execution, social engineering or post exploitation attack, where attackers can obtain user credentials and then proceed to gain access and move laterally across an organization.

There have been significant numbers of breaches and known compromises that started by simply obtaining credentials from users, and even administrators as malicious actors tend to pretext and target them. Weak passwords and policies clearly augment the damage that an attack of this type can cause. In some cases the reuse of passwords, for example, has exposed not only targeted organizations, but partners and even defense service providers.

Credential reuse/extraction attacks, used in post exploitation environments, provide powerful tools to move around the enterprise leveraging SSO technologies. Very popular tools such as Mimikatz are designed to especifically exploit SSO features. Tools like this allow attackers to perform things such as Pass The Hash, Pass The Ticket and other related credential extraction/reuse attacks.

These type of attacks and tools constantly evolve as new ways of abusing/exploiting SSO features are discovered. Recently security researcher Juan Diego found a method to extract NTLM hashes that then can be reused (or cracked) to obtain credentials in a post exploitation environments to then move laterally. In spite of all the attacks already available and upcoming, single sign on cannot be abandoned.

Single sign on can be fortified by using strong password policies and complementing monitoring and detection technologies such as JASK Trident. JASK Trident uses a number of multiple sources of information and contextual indicators to detect abnormal activity and credential reuse attacks, these multi contextual indicators are based in experience security operation center operators along with machine learning models.

The following figures show multi contextual indicators used by JASK Trident, that can indicate credential extraction/reuse.

Fig 1 Shows Lateral Movement activity alert (SMB) Scanning

Fig 2 Shows First Seen Access – SMB Share

JASK Research team has produced a threat advisory outlining a proof of concept of this new attack and specific steps for mitigation.  Access the Threat Advisory by clicking here.

Share on