Pass-the-Hash Attack Mitigation: The Complete Guide

February 13, 2020
network isolation with virtual endpoints

The notorious “Pass-the-Hash” (PtH) attack is very much with us these days. If anything, it’s getting worse, as Advanced Persistent Threats (APTs) often use the technique to move laterally across networks in stealth mode. Virtual Machine (VM) isolation, as provided by Hysolate, offers an effective countermeasure.

What is a “Pass-the-Hash” attack?

To understand how a “pass-the-hash” attack works, it’s first necessary to grasp what a hash is, and how it is used in Identity and Access Management (IAM) and information security overall. A hash is a mathematical function that converts a piece of data into a scrambled cipher. It’s a “one-way” function. The hash is not designed to be decrypted. There’s no key.

With this design, hashes are useful for verifying passwords. When a user logs in to a system, it runs the same hash function that was used when the user first created his or her log in credentials. If the resulting ciphers match, the user is authenticated. Imagine that your password is “Lola1234.” The hash of “Lola1234” might be 376413685. As far as the app or device is concerned, your password is 376413685, not “Lola1234.”

Hashes are good for security because they prevent the storing of passwords, which creates risk. The word “Lola1234” will be nowhere to be found. They’re also effective for Single-Sign-On (SSO). Once the user has logged in to the network, the SSO system can use the username and hash/cipher combination repeatedly to authenticate them as they log into subsequent applications and remote servers.

Now, the problem: If a hacker then steals the hash, he or she can use the hash to impersonate the user across the SSO environment. The hacker can “pass-the-hash” from one log-in to another. They can then steal other hashed passwords and move from machine to machine. This is called “hash harvesting.” It’s like giving the hacker a universal pass key. With lateral moves and hash harvesting, the hacker can penetrate into the deepest and most sensitive parts of the network.

Impacts of Pass-the-Hash Attacks

A pass-the-hash attack can have a serious impact on a business. With the wide access granted, an attacker can  disrupt information systems by implanting malware on target machines, steal confidential and critical data and cease operations on critical servers. However, the impact can be even worse.

A hash harvesting attacker can move laterally and get inside the command and control (C&C) systems that run the entire network and IT infrastructure—the whole business, more or less. Once inside, they can wreak havoc on any digital asset they can seize control over. A variant of this risk, which is arguably even more problematic, is the penetration of privileged accounts.

Privileged accounts, also known as administrative accounts, have access to the crown jewels of an organization. Through these accounts, a privileged user can set up, modify or delete other user accounts. He or she may be able to reconfigure systems or access data. The highest-level privileged users, the so-called “super admins,” may even be able to delete databases and entire systems, and then erase any record of what they did. A privileged account login is a very valuable prize to a hash harvesting attacker. It’s the ultimate insider access, the role that can do the most damage.

Mitigating Pass-the-Hash Risk

A number of countermeasures give security teams the ability to mitigate pass-the-hash attacks. These include specialized solutions and system hardening policies that make it harder for hackers to steal hashes, along with monitoring of suspicious login behavior. Another effective practice is to segment the network to prevent an attacker from moving laterally from general corporate work areas to a “privileged zone” that contains access to critical systems.

Protecting the Privileged Zone

The privileged zone itself needs protection, and a lot of it. It’s going to be attacked more frequently and intensely than the regular network segments. One thing the privileged zone has going for it in this department is a smaller user pool. There are only so many people who need to be privileged users. It’s not enough, however.

Managing the access rights of privileged users usually falls under the rubric of Privileged Access Management (PAM). A PAM solution typically assigns privileged account passwords. It then manages and monitors privileged account sessions. This approach reduces the likelihood of a pass-the-hash attack succeeding beyond the compromise of a single machine.

Endpoints remain a source of risk exposure, however. No matter how well defended the privileged zone may be, and how tightly controlled the privileged passwords are, the entire structure is vulnerable if a malicious actor can compromise the privileged user’s endpoint. The attacker can harvest privileged user password hashes and proceed to infiltrate the privileged zone by impersonating the privileged user. 

The countermeasure to this risk, as recommended by Microsoft, is to implement privileged access workstations (PAWs). One practical implementation of PAWs involves the use of Virtual Machines (VMs) that run in a segregated mode on the privileged user’s endpoint device. This practice, as exemplified by Hysolate, has two completely separate VMs, each with its own segregated Operating System (OS) on a single device. The privileged user would have one physical device, for example,and it would run two completely segregated operating systems, one for general corporate work and the other for privileged account work.

The advantage of this approach, from a security perspective, comes from OS isolation. The privileged OS works on its own, typically configured not to allow connections to public URLs or download files. The corporate side of the machine is for regular work, and is thus exposed to more threats. However, if an attacker compromises the corporate OS, it will not have any idea that a privileged OS is running on the same machine. The attacker cannot hop between the VMs and penetrate the privileged zone.

OS isolation serves as a crucial layer of protection in a “defense in depth” strategy to mitigate pass-the-hash attacks. It erects a barrier between the attacker and the privileged zone at the endpoint. When used in conjunction with PAM solutions, dedicated anti-pass-the-hash tools and best security practices, OS isolation provides a robust defense against this type of attack.

Want to future proof your attack mitigation? Learn how Hysolate provides air gap grade security without restricting user experience. Start your free trial here.