US-12621311-B2 - Authentication attack detection and mitigation with embedded authentication and delegation
Abstract
A system and methods for authentication attack detection with embedded authentication and delegation is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object, wherein subsequent access requests accompanied by authentication objects are validated by comparing identifiers for each authentication object to previous identifiers.
Inventors
- Jason Crabtree
- Richard Kelley
Assignees
- QOMPLX LLC
Dates
- Publication Date
- 20260505
- Application Date
- 20230315
Claims (18)
- 1 . A system for mitigating an authentication attack, comprising: a memory storing instructions to be executed by one or more hardware processors; and one or more hardware processors configured to execute the instructions stored in the memory, wherein the instructions, when executed by the one or more hardware processors, cause the system to: maintain an authentication ledger comprising metadata associated with a plurality of authentication objects; receive network traffic associated with a first authentication object; update one or more portions of metadata in the authentication ledger based on the received network traffic associated with the first authentication object; receive a request for access to a network resource accompanied by the first authentication object; upon a determination that the first authentication object is invalid, update the authentication ledger to reflect that the first authentication object is invalid, wherein the determination that the first authentication object is invalid is based on the received network traffic associated with the first authentication object; and revoke access to other network resources based on the determination that the first authentication object is invalid, wherein the revocation of access to the other network resources is performed based on one or more rules executed by a distributed computational graph.
- 2 . The system of claim 1 , wherein the instructions, when executed by the one or more hardware processors, cause the system to: calculate an identifier comprising a cryptographic hash for the first authentication object by performing a plurality of calculations and transformations on the first authentication object; and update one or more portions of metadata associated with the first authentication object in the authentication ledger to include the identifier.
- 3 . The system of claim 1 , wherein the metadata associated with the first authentication object comprises a randomly-generated unique identifier for the first authentication object.
- 4 . The system of claim 1 , wherein the metadata associated with the first authentication object comprises a numerical counter for the first authentication object.
- 5 . The system of claim 1 , wherein the authentication ledger comprises a second authentication object derived from the first authentication object.
- 6 . The system of claim 1 , wherein the first authentication object is embedded within a web request.
- 7 . The system of claim 1 , wherein the first authentication object is known to be generated by an identity provider associated with an authentication domain based on tracking of legitimate authentication events associated with the identity provider.
- 8 . The system of claim 1 , wherein the authentication attack is a golden ticket attack.
- 9 . The system of claim 1 , wherein the authentication attack is a silver ticket attack.
- 10 . A method for mitigating an authentication attack, comprising the steps of: maintaining an authentication ledger comprising metadata associated with a plurality of authentication objects; receiving network traffic associated with a first authentication object; updating one or more portions of metadata in the authentication ledger based on the received network traffic associated with the first authentication object; receiving a request for access to a network resource accompanied by the first authentication object; upon a determination that the first authentication object is invalid, updating the authentication ledger to reflect that the first authentication object is invalid, wherein the determination that the first authentication object is invalid is based on the received network traffic associated with the first authentication object; and revoking access to other network resources based on the determination that the first authentication object is invalid, wherein the revocation of access to the other network resources is performed based on one or more rules executed by a distributed computational graph.
- 11 . The method of claim 10 , further comprising the steps of: calculating an identifier comprising a cryptographic hash for the first authentication object by performing a plurality of calculations and transformations on the first authentication object; and updating one or more portions of metadata associated with the first authentication object in the authentication ledger to include the identifier.
- 12 . The method of claim 10 , wherein the metadata associated with the first authentication object comprises a randomly-generated unique identifier for the first authentication object.
- 13 . The method of claim 10 , wherein the metadata associated with the first authentication object comprises a numerical counter for the first authentication object.
- 14 . The method of claim 10 , wherein the authentication ledger comprises a second authentication object derived from the first authentication object.
- 15 . The method of claim 10 , wherein the first authentication object is embedded within a web request.
- 16 . The method of claim 10 , wherein the first authentication object is known to be generated by an identity provider associated with an authentication domain based on tracking of legitimate authentication events associated with the identity provider.
- 17 . The method of claim 10 , wherein the authentication attack is a golden ticket attack.
- 18 . The method of claim 10 , wherein the authentication attack is a silver ticket attack.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
Priority is claimed in the application data sheet to the following patents or patent applications, each of which is expressly incorporated herein by reference in its entirety: Ser. No. 18/152,142; Ser. No. 17/163,073; Ser. No. 15/837,845; 62/596,105; Ser. No. 15/825,350; Ser. No. 15/725,274; Ser. No. 15/655,113; Ser. No. 15/616,427; Ser. No. 14/925,974; Ser. No. 15/237,625; Ser. No. 15/206,195; Ser. No. 15/186,453; Ser. No. 15/166,158; Ser. No. 15/141,752; Ser. No. 15/091,563; Ser. No. 14/986,536; Ser. No. 17/170,288; Ser. No. 17/169,924; Ser. No. 15/837,845
BACKGROUND OF THE INVENTION
Field of the Invention
The disclosure relates to the field of network security, particularly to detecting and mitigating attacks involving forged authentication objects.
Discussion of the State of the Art
Maintaining the security of computer systems is a matter of great economic significance in the modern world. At the same time, computer users within large enterprises, which maintain one or several protected computing domains each comprising many computers and other devices, often require secure access on many devices across the domain. A common way of providing this securely is to use domain controllers (i.e. Key Distribution Centers or KDCs) to provide authentication objects for users—after they successfully authenticate themselves—so that they can access those devices, applications, and services within the domain that are authorized for their particular user profile. Unfortunately, even with strong authentication systems such as Kerberos, which is used within Microsoft Active Directory domains, security lapses do occur. In particular, a variety of Kerberos-based attack vectors have been shown to be possible, including “golden ticket”, “silver ticket”, “diamond” and “sapphire” ticket attacks, which may grant hostile attackers elevated and even potentially unlimited access to and control of vital domain assets if not detected quickly.
This is further exacerbated when the domain is federated to cloud resources of other identity providers (e.g. via AD Connect or AD Federation Services). What is needed is a system that can mitigate, in near real-time, both replay and forged or manipulated ticket-based Kerberos attacks in enterprise domains.
SUMMARY OF THE INVENTION
Accordingly, the inventor has conceived, and reduced to practice, a system and method for detecting and mitigating Kerberos ticket forgery and manipulation attacks within a domain. In a typical embodiment, a system for detecting and mitigating forged or tampered authentication object attacks acts as an external, non-blocking (or optionally blocking, via additional integrated active measures such as user or account disablement via LDAP call) validation service for existing implementations using an authentication domain that uses a common identity provider. The system provides services to generate cryptographic hashes of legitimately-generated authentication objects, and to check incoming authentication objects against a database of cryptographic hashes of previously-generated authentication objects, detecting fraudulent authentication attempts as those whose authentication objects' cryptographic hashes are not present in that database. The system may also optionally keep an active list of domain controllers and other Tier 1 resources (e.g. AD Connect servers) as part of an integrated in-memory allowlist/blocklist array, to aid in detecting DC Sync and DC Shadow type attacks, which are often chained together with Kerberos manipulation. The system may also allow a plurality of rule-based or model-based (e.g. machine learning or statistical) triggers to be set, which fire events after certain conditions are satisfied.
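The ledger mechanism described in the summary above and in claims 1 through 5 (a hash-keyed record of issued authentication objects, a random unique identifier and a numeric counter per object, derived objects linked to their parent, and revocation cascading through rules when an object is found invalid) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the patent or from QOMPLX; the ticket dictionaries, field names, issuer labels, resource names and the revocation-rule callback are constructed assumptions, and SHA-256 over a canonical JSON serialisation stands in for the unspecified "plurality of calculations and transformations".

```python
"""Added example: an authentication-object ledger keyed by cryptographic hash.

Hashes of objects observed leaving the identity provider are recorded. An
access request whose object hashes to an unknown value is treated as forged
(never issued), a non-advancing counter as a replay, and invalidating an
object cascades to the objects derived from it and fires revocation rules for
every resource they reached. All sample data below is constructed.
"""
import hashlib
import json
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class LedgerEntry:
    uid: str                     # randomly generated unique identifier (claim 3)
    issuer: str                  # identity provider observed issuing the object
    counter: int = 0             # highest presentation counter seen so far (claim 4)
    valid: bool = True
    derived: List[str] = field(default_factory=list)  # hashes of child objects (claim 5)
    granted: Set[str] = field(default_factory=set)    # resources reached with it


def object_id(auth_obj: dict) -> str:
    """Identifier for an authentication object: SHA-256 over a canonical
    serialisation, so field order on the wire does not change the hash."""
    canonical = json.dumps(auth_obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuthLedger:
    def __init__(self) -> None:
        self.entries: Dict[str, LedgerEntry] = {}
        # Callables run for each (resource, entry) pair when access is revoked;
        # stands in for the rule engine the claims describe.
        self.revocation_rules: List[Callable[[str, LedgerEntry], None]] = []

    def observe_issued(self, auth_obj: dict, issuer: str,
                       parent: Optional[dict] = None) -> str:
        """Record an object seen being issued by the identity provider. If it
        was derived from a parent (a service ticket from a TGT), link the two."""
        h = object_id(auth_obj)
        self.entries[h] = LedgerEntry(uid=secrets.token_hex(8), issuer=issuer)
        if parent is not None:
            self.entries[object_id(parent)].derived.append(h)
        return h

    def validate_request(self, auth_obj: dict, resource: str, counter: int) -> str:
        """Decide on an access request carrying auth_obj.
        Returns 'allow', 'forged', 'revoked' or 'replay'."""
        entry = self.entries.get(object_id(auth_obj))
        if entry is None:              # hash never recorded: not issued by a tracked IdP
            return "forged"
        if not entry.valid:
            return "revoked"
        if counter <= entry.counter:   # presented counter must strictly advance
            return "replay"
        entry.counter = counter
        entry.granted.add(resource)
        return "allow"

    def invalidate(self, h: str) -> List[str]:
        """Mark an object invalid, cascade to objects derived from it, and run the
        revocation rules for every resource those objects had reached."""
        revoked: List[str] = []
        stack = [h]
        while stack:
            entry = self.entries.get(stack.pop())
            if entry is None or not entry.valid:
                continue
            entry.valid = False
            stack.extend(entry.derived)
            for res in sorted(entry.granted):
                for rule in self.revocation_rules:
                    rule(res, entry)
                revoked.append(res)
        return revoked


def demo() -> dict:
    """Walk one TGT and one derived service ticket through the ledger."""
    ledger = AuthLedger()
    fired: List[str] = []
    ledger.revocation_rules.append(lambda res, e: fired.append(f"revoke {res} for {e.uid}"))
    # Constructed sample objects; a real implementation would hash the ticket bytes.
    tgt = {"type": "TGT", "principal": "alice@EXAMPLE.LOCAL", "expires": 1700000000}
    svc = {"type": "TGS", "principal": "alice@EXAMPLE.LOCAL", "service": "cifs/fs01"}
    ledger.observe_issued(tgt, issuer="kdc01")
    ledger.observe_issued(svc, issuer="kdc01", parent=tgt)
    forged = dict(tgt, expires=1900000000)  # constructed object never seen issued
    out = {
        "legit": ledger.validate_request(svc, "fs01", counter=1),
        "forged": ledger.validate_request(forged, "dc01", counter=1),
        "replay": ledger.validate_request(svc, "fs01", counter=1),
        "second": ledger.validate_request(svc, "fs02", counter=2),
    }
    out["revoked_resources"] = ledger.invalidate(object_id(tgt))  # cascades to svc
    out["after_revoke"] = ledger.validate_request(svc, "fs01", counter=3)
    out["rules_fired"] = len(fired)
    return out


if __name__ == "__main__":
    print(demo())
```

The forged object in the demo differs from the issued TGT only in its expiry, so it carries a plausible principal yet hashes to a value the ledger has never seen, which is exactly the condition the summary describes; the counter check covers the replay case separately, and invalidating the TGT is enough to shut down the service ticket derived from it.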
In one aspect of the invention, a system for mitigating authentication attacks within a domain, comprising: an authentication object inspector comprising a first plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the first plurality of programmable instructions, when operating on the processor, cause the computing device to: receive network traffic comprising a first authentication object known to be generated by an identity provider associated with an authentication domain; determine a first identifier corresponding to the first authentication object; receive a request for access to a network resource within the authentication domain accompanied by a second authentication object; determine a second identifier corresponding to the second authentication object; and compare the first and second identifiers to determine whether the second authentication object is a forgery, is disclosed. In another aspect of the invention, a method for mitigating authentication attacks within a domain, comprising the steps of: receiving, at an authentication object inspector, network traffic comprising a first authentication object known to be generated by an identit