Abstract
Centrally-managed authentication schemes allow users of complex distributed systems to present the same credentials to multiple applications and computer systems. To further simplify the user’s experience, the credentials are often cached on those remote systems. However, caching credentials introduces the risk of malicious actors stealing and using these credentials to hop between systems within the network. This problem has been studied by modeling authentication events as a graph, and proposed solutions rely on altering key properties of a system’s authentication graph to reduce the likelihood of successful attacks. However, current approaches make numerous simplifying assumptions, fail to reflect the time-variant nature of many of the variables involved, and do not readily accommodate modeling the effects of a wide range of potential countermeasures. To address these limitations, this paper presents a formal model that describes credential hopping attacks as iteratively performing multiple credential-harvesting operations and lateral movements to reach predefined objectives. We explicitly consider the time-variant nature of all variables involved. We show how different countermeasures impact key variables of the proposed model, and define an intuitive metric for quantifying the attacker’s expended effort to reach a given goal. Although direct computation of a verifiably minimum value for this metric is demonstrably infeasible, we propose heuristics to achieve reasonable upper bounds. We validate our model and bound-heuristics through simulations, including assessing the impact of a deployed countermeasure.
Notes
1. MITRE ATT&CK®, https://attack.mitre.org/techniques/T1003/001/.
2. The timing of attack step \(A_0\) is fixed, as we assume that it always happens at time \(t_0\), so we do not consider it in this analysis.
Appendices
A. A Matrix Representation of Flushing Policies
A consistent flushing policy can be represented as a matrix, where rows correspond to nodes and columns correspond to user accounts. For instance, the policy of Example 1 can be represented as shown in Fig. 4. This policy specifies that credentials for user \(u_1\) must be flushed from all nodes every 5 time units, credentials for users \(u_2\) and \(u_3\) must be flushed from nodes \(v_1\) and \(v_2\) every 10 time units, and credentials for user \(u_2\) must be flushed from node \(v_3\) every 15 time units. Each policy entry can be represented as a subset of the matrix that does not overlap with any other entry.
If a system allows the specification of an inconsistent flushing policy, the policy could be paired with a strategy to resolve conflicts. For instance, when two different frequencies are assigned to the same (u, v) pair, a conservative strategy would entail choosing the highest frequency.
B. Credential Update
A credential update policy can be defined as a pair \((\mathcal {W}_u,\varPsi _u)\), where (i) \(\mathcal {W}_u \subseteq 2^{\mathcal {U}}\) is a set of nonempty subsets of \(\mathcal {U}\), and (ii) \(\varPsi _u:\mathcal {W}_u \rightarrow \mathbb {N}\) is a mapping that associates each set \(\mathcal {U}_u \in \mathcal {W}_u\) with the frequency, expressed as an integer number of time intervals, at which credentials for users in \(\mathcal {U}_u\) must be updated.
Example 4
Consider a set of user accounts \(\mathcal {U}= \{u_1,u_2,u_3,u_4\}\). A possible credential update policy \((\mathcal {W}_u,\varPsi _u)\), with \(\mathcal {W}_u =\left\{ \{u_1\}, \{u_2, u_3\}\right\} \), could be defined as follows:
This policy specifies that credentials for user \(u_1\) must be updated every 40 time units and credentials for users \(u_2\) and \(u_3\) must be updated every 60 time units.
A credential update policy is said to be consistent if the set \(\mathcal {W}_u\) induces a partition on the subset of \(\mathcal {U}\) including all users that are covered by the policy, i.e., if the set \(\mathcal {W}_u\) is a partition of the set \(\cup _{\mathcal {U}_u \in \mathcal {W}_u} {\mathcal {U}_u}\). Intuitively, a consistent policy prevents two different update frequencies from being assigned to the same user account.
Example 5
Consider the update policy of Example 4. The subset of \(\mathcal {U}\) including all users that are covered by the policy is \(\{u_1,u_2,u_3\}\). The set \(\mathcal {W}_u =\left\{ \{u_1\}, \{u_2, u_3\}\right\} \) induces a partition on such set. Adding \(\{u_1,u_2\}\) to \(\mathcal {W}_u\) and setting \(\varPsi _u(\{u_1,u_2\}) = 7\) would render this policy inconsistent, as \(\mathcal {W}_u\) would no longer induce a partition on the set \(\cup _{\mathcal {U}_u \in \mathcal {W}_u} {\mathcal {U}_u}\).
If a user account u is not included in any \(\mathcal {U}_u \in \mathcal {W}_u\), then the owner of that account is not forced to update credentials periodically. For instance, the policy of Examples 4 and 5 is not defined for \(\{u_4\}\), so credentials for user \(u_4\) are never updated, as \(u_4\) is not covered by any other entry in \(\mathcal {W}_u\).
Given a consistent credential update policy \((\mathcal {W}_u,\varPsi _u)\) and a set \(\mathcal {U}_u \in \mathcal {W}_u\), to simplify notation, for each \(u \in \mathcal {U}_u\), we can use \(\varPsi _u(u)\) to refer to \(\varPsi _u(\mathcal {U}_u)\). The consistency of the policy ensures that \(\varPsi _u(u)\) is uniquely defined, and we assume that a policy is consistent unless otherwise specified. If a system allows the specification of an inconsistent update policy, the policy could be paired with a strategy to resolve conflicts, or conflicts could simply be reported to an administrator. For instance, when two different frequencies are assigned to the same user u, a conservative strategy would entail choosing the highest frequency.
Given a credential update policy \((\mathcal {W}_u,\varPsi _u)\), we define its update schedule as a mapping \(\sigma _u: \mathcal {T}\rightarrow 2^\mathcal {U}\) that associates each time point \(t_i \in \mathcal {T}\) with the set of users whose credentials are updated at time \(t_i\), that is
Based on our definition of active session, updating a user’s credential renders all sessions using that user’s prior credentials inactive. While this is a simplifying assumption, this objective could be achieved by pairing a credential update policy with a session termination policy. In the interest of focusing this paper on the key aspects of our attack model, we do not explicitly model a session termination policy as a possible countermeasure, and reserve this issue for future research. Instead, we assume that every time a credential is updated or revoked, sessions created using that credential are selectively terminated, which is what ideally should happen. The set of sessions that are terminated at time \(t_i\) as a consequence of a credential update policy \(\varPsi _u\) is defined as the set of sessions that were active at time \(t_{i-1}\) and used credentials that have just been updated.
Terminating a session on a node the attacker was logged in to prevents the attacker from moving laterally from that node, as captured by our definition of lateral movement. In Eq. 3, nodes that the attacker is no longer logged in to due to session termination are removed from the set \(V^{*}_j\), which becomes the starting point for lateral movements during the next attack step.
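The two policies of Appendices A and B, together with the consistency checks, the conflict strategy, the update schedule \(\sigma _u\), and the session-termination effect on \(V^{*}_j\), are small enough to be modelled directly. The following Python block is an added example and is not code from the paper; it uses the values of Examples 1 and 4, and it assumes that updates and flushes fire at every positive multiple of the period counting from \(t_0 = 0\), and that "conservative" conflict resolution means keeping the shortest period (the most frequent update), which is one reading of the appendix's "highest frequency". Sessions are modelled as (user, node) pairs.

```python
"""Added example (not part of the paper): the flushing-policy matrix of
Appendix A and the credential update policy (W_u, Psi_u) of Appendix B.
Values come from Examples 1 and 4; the conflict strategy and the schedule
origin (t_0 = 0) are stated assumptions."""
from itertools import combinations

NODES = ["v1", "v2", "v3"]
USERS = ["u1", "u2", "u3", "u4"]

# --- Appendix A: flushing policy as a node x user matrix -------------------
# Each entry is (node set, user set, period in time units), from Example 1.
FLUSH_POLICY = [
    ({"v1", "v2", "v3"}, {"u1"}, 5),
    ({"v1", "v2"}, {"u2", "u3"}, 10),
    ({"v3"}, {"u2"}, 15),
]

def flush_matrix(policy, nodes=NODES, users=USERS, conflict=min):
    """Build the matrix of flush periods (None = credentials never flushed).
    Cells covered by two entries are resolved with `conflict`; the default
    `min` keeps the shortest period (assumption: flush most often)."""
    matrix = {v: {u: None for u in users} for v in nodes}
    for node_set, user_set, period in policy:
        for v in node_set:
            for u in user_set:
                cur = matrix[v][u]
                matrix[v][u] = period if cur is None else conflict(cur, period)
    return matrix

def flush_policy_consistent(policy):
    """Consistent iff no (node, user) cell is covered by two entries."""
    cells = [{(v, u) for v in ns for u in us} for ns, us, _ in policy]
    return all(a.isdisjoint(b) for a, b in combinations(cells, 2))

# --- Appendix B: credential update policy ----------------------------------
# W_u is the set of covered user groups; Psi_u maps each group to an update
# period in time units. Values from Example 4 (u4 is deliberately uncovered).
UPDATE_POLICY = {
    frozenset({"u1"}): 40,
    frozenset({"u2", "u3"}): 60,
}

def update_policy_consistent(policy):
    """Consistent iff the groups in W_u partition the covered users, i.e. no
    user appears in two groups, so Psi_u(u) is uniquely defined."""
    return all(a.isdisjoint(b) for a, b in combinations(policy, 2))

def user_period(policy, user, conflict=min):
    """Psi_u(u) for a single user. Unique for a consistent policy; otherwise
    `conflict` picks one period (default: shortest). None means the user is
    not covered and is never forced to update."""
    periods = [p for group, p in policy.items() if user in group]
    return conflict(periods) if periods else None

def update_schedule(policy, t):
    """sigma_u(t): users whose credentials are updated at time point t
    (assumption: every positive multiple of the period, from t_0 = 0)."""
    return {u for group, p in policy.items() for u in group
            if t > 0 and t % p == 0}

def terminate_sessions(active_sessions, updated_users):
    """A session (user, node) becomes inactive as soon as the credential it
    was created with is updated; all other sessions survive."""
    return {s for s in active_sessions if s[0] not in updated_users}

def attacker_nodes_after_update(attacker_sessions, updated_users):
    """V*_j after session termination: nodes where the attacker still holds
    an active session, i.e. the only starting points for the next step."""
    survivors = terminate_sessions(attacker_sessions, updated_users)
    return {node for _, node in survivors}

def simulate_updates(policy, attacker_sessions, horizon):
    """Apply sigma_u and session termination for t = 1..horizon; return the
    first t at which the attacker holds no active session, or None."""
    sessions = set(attacker_sessions)
    for t in range(1, horizon + 1):
        sessions = terminate_sessions(sessions, update_schedule(policy, t))
        if not sessions:
            return t
    return None

if __name__ == "__main__":
    for v, row in flush_matrix(FLUSH_POLICY).items():
        print(v, row)
    # Constructed attacker state: sessions as u1 on v1 and u2 on v3.
    print(simulate_updates(UPDATE_POLICY, {("u1", "v1"), ("u2", "v3")}, 100))
```

Running the block prints the Example 1 matrix (a `None` cell is a credential the policy never flushes, as for \(u_4\) everywhere and \(u_3\) on \(v_3\)) and reports that the two constructed attacker sessions are both terminated by time 60; swapping in a session under \(u_4\), which no entry of \(\mathcal {W}_u\) covers, never terminates, which is exactly the gap the text describes for uncovered accounts.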
C. Scalar Attacker Effort
We have defined the attacker's effort as a triple \(I = (|H|,|M|,t)\), where H and M are the sets of harvest operations and lateral movements respectively, and t is the time to reach the goal node. We then assumed the existence of a function \(f: \mathbb {N}^3 \rightarrow \mathbb {R}^+\) that converts a triple (|H|, |M|, t) into a scalar value. Equations 12 and 13 below represent two possible instantiations of such a function. Function \(f_1\) is a simple weighted average of the three elements, whereas function \(f_2\) is a more sophisticated way of combining the three variables, allowing one to account for diminishing-return effects and to obtain a result that is normalized between 0 and 1.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Albanese, M., Johnsgard, K.L., Swarup, V. (2022). A Formal Model for Credential Hopping Attacks. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13554. Springer, Cham. https://doi.org/10.1007/978-3-031-17140-6_18
DOI: https://doi.org/10.1007/978-3-031-17140-6_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17139-0
Online ISBN: 978-3-031-17140-6