Cyber Intrusion Mitigation Strategies Part Three: Credential Management
ICS-CERT developed this guidance to provide basic recommendations for owners and operators of critical infrastructure to enhance their network security posture.
It is not intended to be a detailed examination of all actions involved in incident response but is an attempt to provide high-level strategies that can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.
This guidance applies to both enterprise and control system networks, particularly where interconnectivity could allow movement between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to ensure there is no impact to normal operations.
The guidance is organized into topical areas within the major phases of incident response—detection, mitigation, and eradication/recovery—and closes with recommendations for long term security posture improvements.
The implementation of concepts discussed in this document is the responsibility of each organization and is dependent on the organization’s needs, network topology, and operational requirements.
Credential caching stores domain authenticators locally, allowing users to log in to a computer using domain credentials even if the machine is disconnected from the network. On Windows this behavior is controlled by the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)," which defaults to 10. Credential caching should be disabled on all machines that do not require it.
A common technique employed by attackers is referred to as "pass the hash." Rather than cracking a password, the attacker takes password hashes extracted from a compromised machine and replays them to authenticate to additional machines on the domain. NTLM hashes of accounts that have logged on to the machine (held by the local security subsystem) can be replayed directly; cached domain logon verifiers are salted and must be cracked offline first, but either form of stored credential extends the attacker's reach to every system where that account is valid. The fewer credentials that are stored on a machine, and the less privileged those credentials are, the less an attacker gains from compromising it.
One caveat is that laptops will need to cache credentials so users can gain local computer access when a domain controller is unreachable. When it is necessary to cache credentials, only the least-privileged user credentials should be stored. Administrator account credential caching should be avoided whenever possible; administrators should not log on interactively to laptops and workstations with privileged domain accounts.
After credential caching has been disabled, execute an enterprise wide password reset. If a password reset is done first, the new credentials will be cached and continue to be at risk. Resetting passwords after disabling credential caching ensures the old passwords are no longer valid and the new passwords are not stored locally.
As a more long term strategy, ICS-CERT also recommends that organizations move away from using LAN Manager (LM) hashes, where possible. Companies that are disabling credential caching and doing a global password reset should disable LM hash storage at the same time (on Windows, the Group Policy setting "Network security: Do not store LAN Manager hash value on next password change").
Otherwise, they'll have to perform another global password reset when they disable that method of password storage, because the setting only prevents the LM hash from being written at the next password change; LM hashes already on disk remain until each password is changed. Not all companies will be able to make this switch (some legacy systems are incompatible), but it deserves serious consideration.
LM hashes are inherently weak and can be broken relatively quickly: the password is truncated to 14 characters, converted to uppercase, and split into two independent 7-character halves, each used as a DES key. Recovering the plaintext lets an attacker use the actual password instead of relying on a pass the hash attack, including against systems and protocols that would not accept a replayed hash.
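The following script is an added example and is not part of the ICS-CERT guidance. It audits the two registry-backed settings behind the procedure above (the cached logon count and the LM hash storage flag) on the local Windows machine and, only when -Enforce is supplied, applies them. The $AllowedCache parameter is a hypothetical organizational choice: 0 for desktops and servers, a small value such as 1 for laptops that must work off the domain. It does not perform the password reset; that is a separate, deliberately scheduled step.

```powershell
# Added example, not ICS-CERT's own code. Run from an elevated PowerShell prompt.
# Equivalent Group Policy settings:
#   Interactive logon: Number of previous logons to cache (in case domain controller is not available)
#   Network security: Do not store LAN Manager hash value on next password change
# $AllowedCache is an assumed organizational value (0 = no cached domain logons).
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$AllowedCache = 0,
    [switch]$Enforce
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# CachedLogonsCount is a REG_SZ; when the value is absent Windows behaves as if it were "10".
$cacheRaw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cache = if ($null -eq $cacheRaw) { 10 } else { [int]$cacheRaw }

# NoLMHash is a REG_DWORD; 1 means no LM hash is stored at the next password change.
# Treat an absent value as "not explicitly set" and flag it rather than assume the OS default.
$noLmRaw = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
$noLm = if ($null -eq $noLmRaw) { 0 } else { [int]$noLmRaw }

$findings = @()

if ($cache -gt $AllowedCache) {
    $findings += "CachedLogonsCount is $cache (allowed: $AllowedCache)"
    if ($Enforce -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set CachedLogonsCount=$AllowedCache")) {
        Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value "$AllowedCache" -Type String
    }
}

if ($noLm -ne 1) {
    $findings += "NoLMHash is $noLm (expected 1)"
    if ($Enforce -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set NoLMHash=1')) {
        Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): compliant"
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings -join '; ')"
    if ($Enforce) {
        # Changing the settings does not remove credentials already stored; only the
        # enterprise-wide password reset that follows invalidates the old material.
        Write-Output 'Settings applied. Existing cached verifiers and LM hashes remain until passwords are reset; schedule the enterprise-wide reset now.'
    }
}
```

Run it without -Enforce first across a representative sample of machines to see how many deviate from the intended values (and which are laptops that legitimately need a non-zero cache), then roll the settings out through Group Policy rather than per-machine edits, and only then start the password reset. The -WhatIf switch is honored by the enforce path, so a dry run shows exactly which values would change.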