70% of businesses report Pass the Hash attacks directly impact operational costs

Ignorance surrounding Pass the Hash attacks puts the majority of businesses at risk of compromised credentials.

The role of digital disruption in today's enterprise Antony Shields talked with TechRepublic at the 2019 SAP SAPPHIRE NOW conference about how organizations can leverage digital disruption to improve business processes.

Pass the Hash attacks are growing in prevalence and impact, but most organizations aren't even aware these attacks exist. These brute-force credential attacks have detrimental effects on organizations, acting as a wake-up call for businesses to stay protected, according to a One Identity report. 

One Identity's Global Survey 2019, released on Wednesday, surveyed more than 1,000 IT security professionals to determine the impact of Pass the Hash attacks on companies. An overwhelming 95% of organizations said Pass the Hash attacks have a direct business impact on their organizations, resulting in the loss of revenue (40%) and increased operational costs (70%), the report found. 

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)

More than half of professionals (68%) said Pass the Hash attacks distract staff from other projects. Despite the prevalence and impact of these attacks, 4% of IT security stakeholders said they don't even know what a Pass the Hash attack is, and some 68% said they don't know if they've experienced one of these attacks, the report found. 

What are Pass the Hash attacks?

To understand what Pass the Hash attacks are, professionals must first know what hashing means.

"A hash is a function that you perform on a string of text," said David Mahdi, senior director analyst at Gartner. "Let's just say your password is 'David.' A hash converts David into a long string of other texts. So it can be like A-W-E-R-E-Z-C—gobbly gook, basically. The thought of using a hash is that it's more secure to use this mathematical representation of [someone's] password, that way if anything happens, it's just the hash that's there."

If an unauthorized person theoretically got the hash, they wouldn't be able to use the hash in someone's password field to log in, making that person's login harder to access, Mahdi added. However, attackers have found a way to exploit hashes. 

"What bad guys do is they're not going to bother trying to crack your password. What they can do, which is even more powerful, is crack into the system that stores [a person's] hashes," Mahdi said. "They can grab all of the hashes to log into other systems that might have valuable information on them."

A Pass the Hash attack uses a person's digital identity as an attack surface, specifically in legacy Windows environments, according to Mahdi. 

"Pass the Hash (PtH) is a widely discussed attack method against Microsoft Active Directory users," said Todd Peterson, senior manager of product marketing, content, and partner marketing at One Identity. "In a PtH attack, a bad actor obtains privileged credentials by compromising an end user's machine and simulates an IT problem, prompting a privileged user to log into the machine. Those privileged credentials used by the admin to log in are stored as a hash that the attacker extracts and uses to access elevated IT resources across the organization. This allows the bad actor to access an organization's most sensitive data and cause widespread damage." 

How to stay protected

Mahdi provided the following three best practices for protecting against Pass the Hash attacks: 

  • Implement a well-rounded program of PAM best practices, including password vaulting, session audit, and granular delegation of AD admin permissions.
  • If you've already implemented Red Forest, consider augmenting it with the above-mentioned PAM best practices.
  • If you have not implemented Red Forest, ensure that PAM best practices are addressed before investing in the complex AD architecture.

More than half (55%) of organizations said they have implemented privileged password management, and another 55% said the have forged better control over AD administrator access, the report found. Some 32% said they have advanced PAM practices in place and 26% said they have followed Microsoft's guidance and integrated an Enhanced Security Administrative Environment (Red Forest) into their organizations. 

However, among those who haven't taken any precautions toward preventing Pass the Hash attacks, 85% said they have no plans to do so, the report found. 

Large companies were reportedly more likely to be targeted by Pass the Hash attacks, and were subsequently more likely to take protective measures. Companies of all sizes must take significant steps to protect themselves against these sophisticated, dangerous attacks, Mahdi said. 

For more, check out How to protect yourself and your organization against digital identity fraud on TechRepublic. 

Also see 

idtheftistock000023789093brianjackson.jpg