
Protecting Your Infrastructure From The 'Skeleton Key' Malware

Skeleton Key malware allows attackers to bypass authentication, letting them log in without needing the users' passwords. Here's how to identify and prevent Skeleton Key from attacking your infrastructure.

Last week, Dell SecureWorks' Counter Threat Unit (CTU) announced the discovery of new malware -- coined Skeleton Key -- that allows attackers to bypass Active Directory authentication on networks using traditional, password-based authentication. Because the malware targets Active Directory domain controllers, Skeleton Key has the potential to compromise the many networked services that rely on Active Directory for authentication, such as file shares or VPN.

Dell's report offers some good news and some bad news regarding Skeleton Key. Once it has infected a domain controller, Skeleton Key can authenticate as any Active Directory user without changing the user's password, meaning your users may not notice any ill effects. On the plus side, none of the samples the SecureWorks CTU came across supported a persistent state, meaning domain controllers had to be re-infected after a restart.

Skeleton Key Prevention

As with many forms of malware, you can protect your network infrastructure and users by following industry best practices.

1. Enable Multi-Factor Authentication

Because Skeleton Key targets Active Directory environments that still rely on password authentication, an obvious step is to enable multi-factor authentication. Smaller organizations concerned with the cost of implementing technologies such as smart cards or biometrics should do their research: there are other options on the market that enable multi-factor authentication without an insurmountable cost (for example, Microsoft offers Azure Multi-Factor Authentication for $1.40/month per user).

2. Protect Critical Servers

Another angle to consider when attempting to prevent threats such as Skeleton Key is protecting critical servers -- specifically domain controllers -- from all forms of compromise. Step 1 is to restrict access to corporate domain controllers, both physically and logically, to the smallest group possible.

Microsoft's built-in domain controller protections, such as restricting console access to members of the Domain Admins group and the absence of local users and security groups, will only protect you if you restrict membership of these groups. Physical security for your domain controllers is also critical, as an attacker with physical access to a domain controller could compromise or steal the identities it contains. For some companies this could mean placing domain controllers in the server closet or datacenter, while larger IT shops may consider physically segregating domain controllers from the primary corporate datacenter in some way.

3. Limit Privileged User Accounts

Another best practice to follow is limiting the use of privileged user accounts. Even once you have limited the number of domain administrators, every use of these highly privileged accounts is a potential window of opportunity for an attacker. Requiring administrators to maintain separate accounts for administrative duties and for standard network activities goes a long way toward protecting your network, particularly when you consider how many potential attack vectors are internet-based (email attachments, file downloads, malicious active code, etc.). Preventing administrative accounts from performing these potentially compromising tasks adds a layer of protection to your Active Directory environment.

Identifying Skeleton Key Malware

Because Skeleton Key does not initiate network traffic, traditional network-based intrusion detection is ineffective in identifying a compromised domain controller. Dell's analysis of Skeleton Key offers some symptoms and indicators to help you identify the malware on your network.

The first symptom of an affected domain controller is unexplained replication errors, which can be discovered using Microsoft's Active Directory Replication Status Tool, the Repadmin utility, or a comparable third-party toolset.

Another area to monitor is unexpected use of PsExec.exe on domain controllers, as Dell has identified PsExec.exe as a delivery mechanism for Skeleton Key. Monitoring event logs and audit trails can enable you to identify and mitigate potential attacks before your network is fully compromised.
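The following script is an added example (not from the Dell report or this article) of the event-log check described above: it scans exported Windows event records for PsExec activity and keeps only hits on hosts you list as domain controllers. The event IDs used (System 7045 "a service was installed", Security 4688 "a new process has been created") and the default PsExec service name PSEXESVC are standard Windows/Sysinternals facts; the domain controller inventory and the sample records are constructed for the demo.

```python
"""Flag PsExec-style delivery indicators in event records from domain controllers."""
from dataclasses import dataclass
from typing import Iterable

# Assumed inventory of domain controllers; replace with your own (constructed).
DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}

# Names PsExec leaves behind by default: the installed service and its binaries.
PSEXEC_SERVICE_NAMES = {"psexesvc"}
PSEXEC_IMAGE_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_psexec_indicators(events: Iterable[dict], dcs: set = DOMAIN_CONTROLLERS) -> list:
    """Return one Finding per event showing PsExec activity on a domain controller.

    Each event is a dict with 'Computer', 'EventID' and the data fields of that ID,
    as you would get from an exported or forwarded event record.
    """
    findings = []
    for ev in events:
        host = ev.get("Computer", "").lower()
        if host not in dcs:
            continue  # workstation and member-server events are out of scope here
        eid = ev.get("EventID")
        if eid == 7045 and ev.get("ServiceName", "").lower() in PSEXEC_SERVICE_NAMES:
            findings.append(Finding(host, eid, f"service {ev['ServiceName']} installed from {ev.get('ImagePath', '?')}"))
        elif eid == 4688 and _basename(ev.get("NewProcessName", "")) in PSEXEC_IMAGE_NAMES:
            findings.append(Finding(host, eid, f"process {ev['NewProcessName']} started by {ev.get('SubjectUserName', '?')}"))
    return findings


# Constructed sample records: two suspicious on a DC, one benign, one PsExec use on a workstation.
SAMPLE_EVENTS = [
    {"Computer": "DC01.corp.example", "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"Computer": "dc01.corp.example", "EventID": 4688, "NewProcessName": "C:\\Windows\\PSEXESVC.exe", "SubjectUserName": "SYSTEM"},
    {"Computer": "dc02.corp.example", "EventID": 7045, "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"Computer": "ws17.corp.example", "EventID": 4688, "NewProcessName": "C:\\Tools\\PsExec.exe", "SubjectUserName": "helpdesk"},
]

if __name__ == "__main__":
    for f in find_psexec_indicators(SAMPLE_EVENTS):
        print(f"{f.host} event {f.event_id}: {f.reason}")
```

Run against the sample data, only the two dc01 records are reported; the workstation PsExec run is dropped because the check is scoped to domain controllers.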

No network is completely secure, but it's our job as IT Pros to ensure that our corporate resources are protected as much as possible. Understanding potential attack vectors and keeping them as far as reasonably possible from critical systems is a key step in maintaining a secure environment. A big part of our corporate role is helping users and management understand the importance of best practices and selling them on the fact that there is sometimes a financial and convenience cost to keeping our systems secure.

Industry best practices are there for good reasons, and following them will help prevent your network from becoming anecdotal evidence for future generations of IT Pros.