
A Formal Model for Credential Hopping Attacks

Conference paper, Computer Security – ESORICS 2022 (ESORICS 2022)

Abstract

Centrally-managed authentication schemes allow users of complex distributed systems to present the same credentials to multiple applications and computer systems. To further simplify the user’s experience, the credentials are often cached on those remote systems. However, caching credentials introduces the risk of malicious actors stealing and using these credentials to hop between systems within the network. This problem has been studied by modeling authentication events as a graph, and proposed solutions rely on altering key properties of a system’s authentication graph to reduce the likelihood of successful attacks. However, current approaches make numerous simplifying assumptions, fail to reflect the time-variant nature of many of the variables involved, and do not readily accommodate modeling the effects of a wide range of potential countermeasures. To address these limitations, this paper presents a formal model that describes credential hopping attacks as iteratively performing multiple credential-harvesting operations and lateral movements to reach predefined objectives. We explicitly consider the time-variant nature of all variables involved. We show how different countermeasures impact key variables of the proposed model, and define an intuitive metric for quantifying the attacker’s expended effort to reach a given goal. Although direct computation of a verifiably minimum value for this metric is demonstrably infeasible, we propose heuristics to achieve reasonable upper bounds. We validate our model and bound-heuristics through simulations, including assessing the impact of a deployed countermeasure.


Notes

  1. MITRE ATT&CK®, https://attack.mitre.org/techniques/T1003/001/.

  2. The timing of attack step \(A_0\) is fixed, as we assume that it always happens at time \(t_0\), so we do not consider it in this analysis.


Author information
Correspondence to Massimiliano Albanese or Vipin Swarup .

Appendices

Appendix A: A Matrix Representation of Flushing Policies

A consistent flushing policy can be represented as a matrix whose rows correspond to nodes and whose columns correspond to user accounts. For instance, the policy of Example 1 can be represented as shown in Fig. 4. This policy specifies that credentials for user \(u_1\) must be flushed from all nodes every 5 time units, credentials for users \(u_2\) and \(u_3\) must be flushed from nodes \(v_1\) and \(v_2\) every 10 time units, and credentials for user \(u_2\) must be flushed from node \(v_3\) every 15 time units. Each policy entry corresponds to a block of cells of the matrix, and in a consistent policy no two such blocks overlap.

Fig. 4. Example of matrix representation of a flushing policy

If a system allows the specification of an inconsistent flushing policy, the policy could be paired with a strategy to resolve conflicts. For instance, when two different frequencies are assigned to the same (node, user) pair, a conservative strategy would entail choosing the highest frequency, i.e., the shortest flushing interval.
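The matrix construction above, worked through in code. This is an added example, not code from the paper: the entry format (a set of nodes, a set of users, and a period in time units), the helper names, and the treatment of uncovered cells as `None` are this example's own conventions; the policy values are those of Example 1 as described in the appendix text. The conflict check detects the overlapping entries that make a policy inconsistent, and the matrix builder applies the conservative resolution strategy (shortest period) only when such an overlap exists.

```python
# Added example (not code from the paper): a flushing policy as the
# node-by-user matrix of Appendix A. Entry format and helper names are
# this example's own; the policy values are those of Example 1.
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[Set[str], Set[str], int]   # (nodes, users, flush period in time units)
Cell = Tuple[str, str]                   # (node, user)

NODES = ["v1", "v2", "v3"]
USERS = ["u1", "u2", "u3"]

# Policy of Example 1: u1 flushed everywhere every 5 units, u2/u3 flushed
# from v1 and v2 every 10 units, u2 flushed from v3 every 15 units.
EXAMPLE_1: List[Entry] = [
    ({"v1", "v2", "v3"}, {"u1"}, 5),
    ({"v1", "v2"}, {"u2", "u3"}, 10),
    ({"v3"}, {"u2"}, 15),
]


def cell_periods(policy: List[Entry]) -> Dict[Cell, List[int]]:
    """Map every (node, user) cell to the list of periods assigned to it."""
    periods: Dict[Cell, List[int]] = {}
    for nodes, users, period in policy:
        if period < 1:
            raise ValueError("flush period must be a positive number of time units")
        for v in nodes:
            for u in users:
                periods.setdefault((v, u), []).append(period)
    return periods


def conflicts(policy: List[Entry]) -> Dict[Cell, List[int]]:
    """Cells covered by more than one entry; empty for a consistent policy."""
    return {c: p for c, p in cell_periods(policy).items() if len(p) > 1}


def is_consistent(policy: List[Entry]) -> bool:
    return not conflicts(policy)


def to_matrix(policy: List[Entry], nodes=NODES, users=USERS) -> List[List[Optional[int]]]:
    """Rows are nodes, columns are users, None means never flushed.

    Conflicting assignments are resolved conservatively by keeping the
    highest frequency, i.e. the shortest period (the strategy suggested
    in the appendix); a consistent policy never hits that branch.
    """
    periods = cell_periods(policy)
    return [[min(periods[(v, u)]) if (v, u) in periods else None for u in users]
            for v in nodes]


def flushed_at(matrix, t: int, nodes=NODES, users=USERS) -> Set[Cell]:
    """Cells whose cached credentials are flushed at time t_0 + t (t >= 1)."""
    return {(v, u) for i, v in enumerate(nodes) for j, u in enumerate(users)
            if matrix[i][j] is not None and t > 0 and t % matrix[i][j] == 0}


if __name__ == "__main__":
    m = to_matrix(EXAMPLE_1)
    for v, row in zip(NODES, m):
        print(v, row)
    print("flushed at t_0+30:", sorted(flushed_at(m, 30)))
    # An inconsistent variant: a second period for the (v3, u2) cell.
    bad = EXAMPLE_1 + [({"v3"}, {"u2"}, 6)]
    print("conflicts:", conflicts(bad), "-> matrix keeps", to_matrix(bad)[2][1])
```

Running the block prints the three matrix rows, the eight cells flushed at \(t_0 + 30\) (every cell except \((v_3, u_3)\), which no entry covers), and, for the inconsistent variant, the conflicting cell with both of its periods and the shorter one that the conservative strategy keeps.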

Appendix B: Credential Update

A credential update policy can be defined as a pair \((\mathcal {W}_u,\varPsi _u)\), where (i) \(\mathcal {W}_u \subseteq 2^{\mathcal {U}}\) is a set of nonempty subsets of \(\mathcal {U}\), and (ii) \(\varPsi _u:\mathcal {W}_u \rightarrow \mathbb {N}\) is a mapping that associates each set \(\mathcal {U}_u \in \mathcal {W}_u\) with the frequency, expressed as an integer number of time intervals, at which credentials for users in \(\mathcal {U}_u\) must be updated.

Example 4

Consider a set of user accounts \(\mathcal {U}= \{u_1,u_2,u_3,u_4\}\). A possible credential update policy \((\mathcal {W}_u,\varPsi _u)\), with \(\mathcal {W}_u =\left\{ \{u_1\}, \{u_2, u_3\}\right\} \), could be defined as follows:

$$\begin{aligned} \varPsi _u(\{u_1\}) = 40 \quad \quad \varPsi _u(\{u_2, u_3\}) = 60 \end{aligned}$$

This policy specifies that credentials for user \(u_1\) must be updated every 40 time units and credentials for users \(u_2\) and \(u_3\) must be updated every 60 time units.

A credential update policy is said to be consistent if the set \(\mathcal {W}_u\) induces a partition on the subset of \(\mathcal {U}\) including all users covered by the policy, i.e., if \(\mathcal {W}_u\) is a partition of the set \(\cup _{\mathcal {U}_u \in \mathcal {W}_u} {\mathcal {U}_u}\). Intuitively, a consistent policy prevents two different update frequencies from being assigned to the same user account.

Example 5

Consider the update policy of Example 4. The subset of \(\mathcal {U}\) including all users that are covered by the policy is \(\{u_1,u_2,u_3\}\). The set \(\mathcal {W}_u =\left\{ \{u_1\}, \{u_2, u_3\}\right\} \) induces a partition on such set. Adding \(\{u_1,u_2\}\) to \(\mathcal {W}_u\) and setting \(\varPsi _u(\{u_1,u_2\}) = 7\) would render this policy inconsistent, as \(\mathcal {W}_u\) would no longer induce a partition on the set \(\cup _{\mathcal {U}_u \in \mathcal {W}_u} {\mathcal {U}_u}\).

If a user account u is not included in any \(\mathcal {U}_u \in \mathcal {W}_u\), then the owner of that account is not forced to update credentials periodically. For instance, the policy of Examples 4 and 5 is not defined for \(\{u_4\}\), so credentials for user \(u_4\) are never updated, as \(u_4\) is not covered by any other entry in \(\mathcal {W}_u\).

Given a consistent credential update policy \((\mathcal {W}_u,\varPsi _u)\) and a set \(\mathcal {U}_u \in \mathcal {W}_u\), to simplify notation we can use \(\varPsi _u(u)\) to refer to \(\varPsi _u(\mathcal {U}_u)\) for each \(u \in \mathcal {U}_u\). The consistency of the policy ensures that \(\varPsi _u(u)\) is uniquely defined, and we assume that a policy is consistent unless otherwise specified. If a system allows the specification of an inconsistent update policy, the policy could be paired with a strategy to resolve conflicts, or conflicts could simply be reported to an administrator. For instance, when two different frequencies are assigned to the same user u, a conservative strategy would entail choosing the highest frequency, i.e., the shortest update interval.

Given a credential update policy \((\mathcal {W}_u,\varPsi _u)\), we define its update schedule as a mapping \(\sigma _u: \mathcal {T}\rightarrow 2^\mathcal {U}\) that associates each time point \(t_i \in \mathcal {T}\) with the set of users whose credentials are updated at time \(t_i\), that is

$$\begin{aligned} \sigma _u(t_i) = \left\{ u \in \mathcal {U}~|~ \exists k \in \mathbb {N}, t_i = t_0 + k \cdot \varPsi _u(u) \right\} \end{aligned}$$
(10)

Based on our definition of active session, updating a user’s credential renders all sessions using that user’s prior credentials inactive. While this is a simplifying assumption, this objective could be achieved by pairing a credential update policy with a session termination policy. In the interest of focusing this paper on the key aspects of our attack model, we do not explicitly model a session termination policy as a possible countermeasure, and reserve this issue for future research. Instead, we assume that every time a credential is updated or revoked, sessions created using that credential are selectively terminated, which is what ideally should happen. The set of sessions that are terminated at time \(t_i\) as a consequence of a credential update policy \(\varPsi _u\) is defined as the set of sessions that were active at time \(t_{i-1}\) and used credentials that have just been updated.

$$\begin{aligned} \mathcal {S}^{\dagger }_j = \{(v,c) \in \mathcal {S}_{i-1} ~|~ c.\textit{user} \in \sigma _u(t_i)\} \end{aligned}$$
(11)

Terminating a session on a node the attacker was logged into prevents the attacker from moving laterally from that node, as captured by our definition of lateral movement. In Eq. 3, nodes on which the attacker is no longer logged in because of session termination are removed from the set \(V^{*}_j\), which is the starting point for lateral movements during the next attack step.
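The definitions of this appendix carried through in code: the partition-based consistency check, the shorthand \(\varPsi_u(u)\), the update schedule \(\sigma_u\) of Eq. 10, and the terminated-session set of Eq. 11, applied to the policy of Example 4 and the inconsistent extension of Example 5. This is an added example, not code from the paper. The data structures (a policy as a dictionary from frozen user sets to periods, a credential as a (user, secret identifier) pair, a session as a (node, credential) pair), the helper names, the constructed attacker sessions, and the reading of \(k \in \mathbb{N}\) in Eq. 10 as \(k \geq 1\) are this example's own assumptions.

```python
# Added example (not code from the paper): the credential update policy
# of Appendix B, its consistency check, the update schedule of Eq. 10 and
# the terminated-session set of Eq. 11. Data structures, helper names and
# the choice k >= 1 in Eq. 10 are this example's own assumptions.
from itertools import combinations
from typing import Dict, FrozenSet, NamedTuple, Optional, Set, Tuple

UserSet = FrozenSet[str]
UpdatePolicy = Dict[UserSet, int]        # keys are W_u, values are Psi_u


class Credential(NamedTuple):
    user: str
    secret_id: str      # identifies which version of the user's credential


Session = Tuple[str, Credential]         # (node v, credential c)

# Example 4: u1 updated every 40 time units, u2 and u3 every 60; u4 never.
EXAMPLE_4: UpdatePolicy = {
    frozenset({"u1"}): 40,
    frozenset({"u2", "u3"}): 60,
}


def is_consistent(policy: UpdatePolicy) -> bool:
    """W_u must partition the covered users: no two sets may share a user."""
    return all(a.isdisjoint(b) for a, b in combinations(policy, 2))


def psi(policy: UpdatePolicy, user: str) -> Optional[int]:
    """Psi_u(u): the period of the unique set containing u, or None if uncovered."""
    if not is_consistent(policy):
        raise ValueError("inconsistent policy: a user has more than one period")
    for users, period in policy.items():
        if user in users:
            return period
    return None


def sigma_u(policy: UpdatePolicy, t_i: int, t_0: int = 0) -> Set[str]:
    """Eq. 10: users whose credentials are updated at t_i = t_0 + k * Psi_u(u).

    Assumes k >= 1, so nothing counts as 'updated' at t_0 itself.
    """
    elapsed = t_i - t_0
    return {u for users in policy for u in users
            if elapsed > 0 and elapsed % psi(policy, u) == 0}


def terminated_sessions(active_prev: Set[Session], updated: Set[str]) -> Set[Session]:
    """Eq. 11: sessions active at t_{i-1} whose credential was just updated."""
    return {(v, c) for v, c in active_prev if c.user in updated}


def nodes_still_held(active_prev: Set[Session], updated: Set[str]) -> Set[str]:
    """Nodes the attacker can still move laterally from after termination."""
    survivors = active_prev - terminated_sessions(active_prev, updated)
    return {v for v, _ in survivors}


if __name__ == "__main__":
    # Constructed attacker sessions active at t_{i-1} = 119; we evaluate t_i = 120.
    S_prev: Set[Session] = {
        ("v1", Credential("u1", "k1")),
        ("v2", Credential("u2", "k2")),
        ("v3", Credential("u4", "k4")),   # u4 is not covered: never updated
    }
    updated = sigma_u(EXAMPLE_4, 120)
    print("updated at t_120:", sorted(updated))
    print("terminated:", sorted(terminated_sessions(S_prev, updated)))
    print("attacker still holds:", nodes_still_held(S_prev, updated))
    # Example 5: adding {u1, u2} -> 7 breaks the partition.
    bad = dict(EXAMPLE_4)
    bad[frozenset({"u1", "u2"})] = 7
    print("Example 5 policy consistent?", is_consistent(bad))
```

At \(t_{120}\) both \(u_1\) (k = 3) and \(u_2, u_3\) (k = 2) are updated, so the sessions on \(v_1\) and \(v_2\) are terminated and only the foothold on \(v_3\), held with the never-updated credential of \(u_4\), survives into the next attack step; that uncovered account is exactly the kind of gap an administrator should look for when reviewing a policy.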

Appendix C: Scalar Attacker Effort

We have defined the attacker’s effort as a triple \(I = (|H|,|M|,t)\), where H and M are the sets of harvest operations and lateral movements respectively, and t is the time needed to reach the goal node. We then assumed the existence of a function \(f: \mathbb {N}^3 \rightarrow \mathbb {R}^+\) that converts a triple (|H|, |M|, t) into a scalar value. Equations 12 and 13 below are two possible instantiations of such a function. Function \(f_1\) is a weighted sum of the three components, whereas function \(f_2\) combines them multiplicatively through saturating terms, which accounts for diminishing-return effects and yields a result normalized between 0 and 1. Note that \(f_2\) evaluates to 0 whenever any of its three arguments is 0, so it is only informative for attack paths that require at least one harvest operation and one lateral movement.

$$\begin{aligned} f_1(|H|,|M|,t) = w_h \cdot |H| + w_m \cdot |M| + w_t \cdot t \end{aligned}$$
(12)
$$\begin{aligned} f_2(|H|,|M|,t) = \left( 1-e^{-\alpha \cdot |H|} \right) \cdot \left( 1-e^{-\beta \cdot |M|} \right) \cdot \left( 1-e^{-\gamma \cdot t} \right) \end{aligned}$$
(13)


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Albanese, M., Johnsgard, K.L., Swarup, V. (2022). A Formal Model for Credential Hopping Attacks. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13554. Springer, Cham. https://doi.org/10.1007/978-3-031-17140-6_18


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17139-0

  • Online ISBN: 978-3-031-17140-6
