Understanding Kerberoasting: An Evolving Cybersecurity Challenge
What is Kerberoasting?
Kerberoasting is a significant cybersecurity threat affecting environments that utilize the Kerberos authentication protocol, particularly within Windows Active Directory (AD) frameworks. This type of attack capitalizes on the mechanics of Kerberos by targeting the service tickets used for authentication.
The Kerberos Process
In a typical Kerberos interaction, the following steps occur:
- AS-REQ: A user requests a Ticket Granting Ticket (TGT) upon signing in.
- AS-REP: The Authentication Server verifies the user’s credentials and issues the TGT.
- TGS-REQ: When the user needs access to a service, they present the TGT to the Ticket Granting Service (TGS) and request a service ticket (often referred to simply as a TGS ticket).
- TGS-REP: The TGS returns the service ticket, encrypted with the password hash (the long-term key) of the service account that owns the requested service.
- KRB-AP-REQ: The user presents the service ticket to the application server to authenticate.
Attackers exploit this design by querying the Lightweight Directory Access Protocol (LDAP) for accounts that have Service Principal Names (SPNs) registered. Any authenticated domain user can request service tickets for those SPNs without administrative privileges, and because each ticket is encrypted with the service account's password hash, the attacker can take the tickets offline and attempt to crack them to recover the service account's password. That access can lead to lateral movement within the network, privilege escalation, and data exfiltration.
Challenges with Traditional Detection Methods
Many organizations employ heuristic detection techniques to identify unusual Kerberos activity. One common method is to monitor for spikes in service ticket (TGS) requests from a single account. For instance, if an attacker requests tickets for every discoverable SPN in quick succession, the burst may trigger an alarm.
Another tactic inspects the encryption type used in TGS requests. A request that asks for the weaker RC4 or DES encryption types instead of AES, as an attacker may do to obtain a ticket that is cheaper to crack, can also warrant a flag.
However, these heuristic methods often fall short. They are notorious for generating false positives and do not account for the unique behaviors associated with individual organizational setups. As a result, nuanced activities can go undetected, complicating defense measures.
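The two heuristics above (a burst of service ticket requests from one account, and requests for RC4 or DES encryption) as an added detection example; this is not code from the article or from BeyondTrust. It reads constructed, simplified Windows Security event 4769 lines (real events are XML/EVTX; the key=value format, account names, SPNs and addresses here are constructed), counts distinct SPNs per account inside a sliding window, and flags weak encryption types. The threshold and window length are assumptions to be tuned per environment, and the krbtgt service is excluded because TGT renewals also produce 4769 events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values in event 4769 that the article treats as weak (DES and RC4).
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
               "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}

# Constructed sample lines in a simplified key=value form, not real EVTX/XML output.
LOG_LINES = [
    "2024-05-01T09:00:01Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=HTTP/web01 TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "2024-05-01T09:00:02Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt/CORP.LOCAL TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "2024-05-01T09:05:10Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "2024-05-01T09:07:00Z EventID=4769 TargetUserName=legacy-app@CORP.LOCAL ServiceName=MSSQLSvc/sql01:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.40",
    "2024-05-01T09:30:00Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=MSSQLSvc/sql01:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "2024-05-01T09:30:01Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=MSSQLSvc/sql02:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "2024-05-01T09:30:01Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=HTTP/web01 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "2024-05-01T09:30:02Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=HTTP/intranet TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "2024-05-01T09:30:02Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "2024-05-01T09:30:03Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=vmware/vc01 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one constructed log line into a dict; the leading token is the timestamp."""
    ts, rest = line.split(" ", 1)
    ev = dict(FIELD_RE.findall(rest))
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


EVENTS = [parse_event(line) for line in LOG_LINES]


def find_spn_spikes(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts that requested at least `threshold` distinct SPNs within any `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4769":
            continue
        if ev["ServiceName"].lower().startswith("krbtgt/"):
            continue  # TGT renewals also log 4769 and are not service ticket requests
        if ev["TargetUserName"].split("@")[0].endswith("$"):
            continue  # computer accounts request tickets constantly; baseline them separately
        by_account[ev["TargetUserName"]].append(ev)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            distinct = {e["ServiceName"] for e in in_window}
            if len(distinct) >= threshold:
                alerts[account] = max(alerts.get(account, 0), len(distinct))
    return alerts


def find_weak_encryption(events):
    """Every 4769 event whose ticket was issued with a DES or RC4 encryption type."""
    return [(ev["TargetUserName"], ev["ServiceName"], WEAK_ETYPES[ev["TicketEncryptionType"]])
            for ev in events if ev.get("TicketEncryptionType") in WEAK_ETYPES]


if __name__ == "__main__":
    print("SPN request spikes:", find_spn_spikes(EVENTS))
    for account, spn, etype in find_weak_encryption(EVENTS):
        print(f"weak encryption: {account} -> {spn} ({etype})")
```

On this sample the burst rule fires only for the account that requested six SPNs in three seconds, while the encryption rule also flags the single legacy-app request: a service that only supports RC4 will produce that hit every day, which is exactly the false-positive problem the paragraph describes and the reason fixed thresholds need per-environment context.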
A Statistical Approach to Anomaly Detection
Recognizing these drawbacks, the BeyondTrust research team set out to enhance anomaly detection within Kerberos traffic through statistical modeling. By analyzing data patterns, the goal was to accurately identify normal user behaviors and, thus, better flag any irregularities.
Developing the Statistical Model
The research team defined four key constraints for their model:
- Explainability: Outputs should be easily interpretable based on established metrics.
- Uncertainty: The model should reflect varying sample sizes when generating estimates, moving beyond simple binary outputs.
- Scalability: The approach should minimize the need for cloud computing and data storage during model updates.
- Nonstationarity: The model should adapt over time to ongoing data changes.
From these constraints, the team designed a model that clusters similar ticket requests, utilizing histogram bins to track activity frequency over time. By doing so, they aimed to create a context where what might appear suspicious in isolation could be deemed normal when viewed alongside similar patterns.
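The bins-and-clusters idea in the paragraph above, as an added worked illustration of the four constraints; this is not the BeyondTrust model and not code from the article. Each (cluster, hour-of-day) bin keeps a decayed count, a Gamma-Poisson posterior gives an expected request rate together with a predictive variance that widens when the bin has few samples (uncertainty), the returned score lists its components (explainability), two floats per bin are all that must be stored between updates (scalability), and exponential forgetting lets the baseline follow lasting changes (nonstationarity). The clustering rule, decay factor, prior and the simulated hourly counts are all assumptions.

```python
import math
from collections import defaultdict


class BinStats:
    """Two decayed numbers per bin: effective sample count and decayed sum of counts."""
    __slots__ = ("n_eff", "total")

    def __init__(self):
        self.n_eff = 0.0   # decayed number of hourly observations seen in this bin
        self.total = 0.0   # decayed sum of request counts seen in this bin


class KerberosBaseline:
    """Gamma-Poisson baseline per (cluster, hour-of-day) bin with exponential forgetting."""

    def __init__(self, decay=0.95, prior_rate=1.0, prior_strength=0.1):
        self.decay = decay                       # forgetting factor per hourly update (assumption)
        self.a0 = prior_rate * prior_strength    # Gamma prior shape
        self.b0 = prior_strength                 # Gamma prior rate (weak prior, assumption)
        self.bins = defaultdict(BinStats)

    @staticmethod
    def cluster_key(account, service, hour):
        # Simplified clustering (assumption): account kind, SPN service class, hour of day.
        kind = "machine" if account.endswith("$") else "user"
        svc_class = service.split("/", 1)[0].upper()
        return (kind, svc_class, hour)

    def score(self, key, count):
        """Explainable anomaly score: expected rate, predictive sd, sample size and z."""
        s = self.bins[key]
        a = self.a0 + s.total
        b = self.b0 + s.n_eff
        mean = a / b                       # posterior mean request rate
        var = mean * (1.0 + 1.0 / b)       # negative-binomial predictive variance
        sd = math.sqrt(var)                # small b (few samples) -> wider sd
        return {"expected": mean, "sd": sd, "n_eff": s.n_eff,
                "observed": count, "z": (count - mean) / sd}

    def update(self, key, count):
        """Fold one hourly count into the bin, discounting older observations."""
        s = self.bins[key]
        s.n_eff = self.decay * s.n_eff + 1.0
        s.total = self.decay * s.total + count

    def observe(self, key, count):
        """Production order: score the new hour first, then learn from it."""
        result = self.score(key, count)
        self.update(key, count)
        return result


def demo():
    model = KerberosBaseline()
    busy = KerberosBaseline.cluster_key("alice", "HTTP/web01", 9)
    night = KerberosBaseline.cluster_key("alice", "HTTP/web01", 3)
    # Constructed 30-day history: about 40 HTTP tickets in the 09:00 hour, 0 or 1 at 03:00.
    for day in range(30):
        model.update(busy, 38 + day % 5)
        model.update(night, day % 2)
    results = {
        "busy_normal": model.score(busy, 45),    # inside the usual daytime range
        "night_spike": model.score(night, 12),   # 12 tickets at 03:00 is far outside it
        "busy_many": model.score(busy, 60),      # same deviation as few_samples, many samples
    }
    few = KerberosBaseline.cluster_key("alice", "CIFS/fs01", 9)
    model.update(few, 40)
    model.update(few, 40)
    results["few_samples"] = model.score(few, 60)  # only two samples: wider sd, lower z
    # Nonstationarity: a lasting infrastructure change raises the daytime rate to about 80.
    results["shift_before"] = model.score(busy, 80)
    for _ in range(20):
        model.update(busy, 80)
    results["shift_after"] = model.score(busy, 80)  # baseline has followed the new level
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:13s} observed={r['observed']:3d} expected={r['expected']:6.1f} "
              f"sd={r['sd']:5.2f} n_eff={r['n_eff']:5.2f} z={r['z']:5.2f}")
```

The same observed count can score very differently depending on which bin it lands in and how much history that bin holds, which is the "normal when viewed alongside similar patterns" effect the paragraph describes; a lasting change in the environment is anomalous at first and then absorbed into the baseline rather than alerting forever.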
Results from the Statistical Model
After testing over a span of 50 days and about 1,200 hourly evaluations, the model produced promising results:
- Processing times consistently stayed below 30 seconds, which included updates, clustering, and result storage.
- Six anomalies with distinct temporal patterns were identified. These included: two associated with penetration tests, one mimicking a Kerberoasting attack, and three stemming from large shifts within the AD infrastructure.
- The model effectively managed extreme variability, adjusting anomaly scores based on observed spikes, thereby demonstrating enhanced adaptability compared to conventional detection methods.
This research highlights the potential benefits of integrating security expertise with advanced statistical techniques. While statistical models can adapt to capture variable behaviors, insights from security researchers are essential for understanding the context behind flagged anomalies.
Moving Forward in Kerberos Security
The research findings suggest that while traditional detection methods struggle with established threats like Kerberoasting, innovative approaches combining statistics and security knowledge are essential for evolving detection and response capabilities. Organizations seeking to mitigate risks should also assess proactive identity security measures to prevent Kerberoasting incidents before they arise, such as using identity threat detection and response (ITDR) systems. This approach allows security teams to remain vigilant, adapting to the complexities and scale associated with today’s cybersecurity landscape.
About the Authors
Christopher Calvani is an Associate Security Researcher at BeyondTrust, where he focuses on blending vulnerability research with detection engineering. A recent graduate from the Rochester Institute of Technology, he has prior experience working with large-scale infrastructure at Fidelity Investments.
Cole Sodja serves as a Principal Data Scientist at BeyondTrust, boasting over 20 years of applied statistics expertise across major tech firms. His specialty lies in time series analysis, changepoint detection, and behavioral monitoring, addressing intricate business challenges.