Sophisticated nation-state adversaries who compromised a string of federal agencies in recent months used Kerberoasting to steal the passwords of agency employees and move laterally within compromised government networks, according to the latest guidance from the Department of Homeland Security.
In an Emergency Directive, the agency instructs federal agencies to “take action to remediate kerberoasting,” including engaging with third-party organizations that have experience “eradicating APTs from enterprise networks,” a reference to so-called “advanced persistent threats.”
“If anyone had any doubts about whether the attackers are already inside your networks, then the last week’s events indicate that you must expect that attackers already came in through various back doors,” explains Tushar Kothari, CEO of Attivo Networks®.
Some notable highlights from industry and government also drive this point home.
“Once inside the network, attackers almost always escalate privileges and move laterally to perform reconnaissance and access the information they are interested in stealing,” added Marshall Heilman, SVP at Mandiant.