Microsoft announced Thursday that it was buying Israeli cyber-security firm Aorato, confirming rumors that have been circulating for several weeks.
In a blog post, MS Vice-President Takeshi Numoto wrote that the company was “making this acquisition to give customers a new level of protection against threats through better visibility into their identity infrastructure. With Aorato we will accelerate our ability to give customers powerful identity and access solutions that span on-premises and the cloud, which is central to our overall hybrid cloud strategy.”
Neither Numoto nor Aorato would confirm what the purchase price was, but industry sources put it at about $200 million.
Regardless, said Numoto, Aorato will play a very important role at Microsoft. “Aorato’s sophisticated technology uses machine learning to detect suspicious activity on a company’s network,” Numoto wrote in the post. “It understands what normal behavior is and then identifies anomalies, so a company can quickly see suspicious behavior and take appropriate measures to help protect itself. Key to Aorato’s approach is the Organizational Security Graph, a living, continuously-updated view of all of the people and machines accessing an organization’s Windows Server Active Directory (AD). AD is used by most enterprises to store user identities and administer access to critical business applications and systems. Therefore, most of our enterprise customers should be able to easily take advantage of Aorato’s technology.”
Aorato has long been on the radar of Microsoft – for discovering and publicizing security problems in AD, the premier identity server in use today. Among those problems was one in which authentication of users and computers in a Windows domain-based network could enable an attacker to change a user’s password, despite identity theft measures.
Considering the fact that 95% of all Fortune 1000 companies have an Active Directory deployment, “we consider this vulnerability highly sensitive,” said Aorato’s vice president of research, Tal Be’ery. “And even worse, the vulnerability was put there by design.” Stopping short of using the term “irresponsible,” Be’ery thinks the company could do better. “With great power comes great responsibility,” he said. “If it was a smaller company I would cut them some slack, but when you power 95% of the enterprise infrastructure, you have to be much more careful.”
AD assigns and enforces security policies for all computers, folders, files, objects, and users on a network, and being able to access it gives attackers, in essence, free reign to steal data at will — or wreak havoc on a system, trashing the relationships between users and resources. That kind of attack could put a company’s computer out of business, for hours, if not days.
The exploit is based on the fact that an older user authentication method, called NTLM, is activated by default in AD. Attackers can use NTLM to obtain encrypted login credentials — called hashes — for users in order to access AD accounts, in what is called a “pass-the-hash” (PtH ticket) attack. The hashes can be captured using off-the-shelf hacking tools. According to Be’ery, “this activity is not logged in system and 3rd party logs — even those that specifically log NTLM activity. So there are no alerts or other forensic data to ever indicate that an attack took place.”
PtH attacks were first documented in 1997, but the emergence of automated hacking tools has made the risk to companies using AD all the greater. “Common tools such as WCE and Metasploit have support to carry out PtH attacks in an automated manner,” said Be’ery.
PtH, in fact, was a key component in a major attack hack on US retailer Target last December, in which the credit card information of millions of customers was compromised. And unfortunately, turning off the more risky NTLM authentication system and using the more secure Kerberos one (used by newer versions of AD) is not an option for companies that need to integrate older systems and networks into their corporate structure, said Be’ery. “We’ve discussed this with many customers, and relying only on the newer authentication procedures just isn’t practical.”
When it was discovered, Aorato informed Microsoft of the problem, to which the company responded that it wasn’t news to MS. Indeed, MS had already published details of the exploit and how to avoid it. But what really bothered Aorato, the company said, is that the AD vulnerability is not an exception or security hole — it was put there on purpose.
“Microsoft recognized our findings to be valid but confirmed that this is a ‘limitation’ that cannot be fixed as it stems from the design of the authentication protocols,” Aorato said in a blog post. “Additionally, since these protocols’ specifications are publicly available, Microsoft considers this ‘limitation’ to be ‘well known.’ We consider the fact that attackers can change the victim’s password by only knowing the NTLM hash to be a flaw. If this flaw is by design, this simply makes it a ‘by-design’ flaw.”
Aorato’s business is built around making AD more secure, said Be’ery. “We have developed tools to determine if this kind of attack, as well as others, have been carried out on AD, allowing us to help customers mitigate damage. To do that, we study closely the interactivity of elements in a network, including users, devices, servers, etc. Our tools can detect the very subtle changes that you would never find in log files.”
Now, Be’ery and his team will have first-hand access to the inner workings of AD – and Microsoft will be able to put Aorato’s considerable abilities to work making AD safer. “We are excited about the technology that Aorato has built and, especially, the people joining the Microsoft team through this acquisition,” Numoto wrote in the post. “In the mobile first, cloud first era, Microsoft is committed to moving nimbly and aggressively to provide customers with solutions to their top challenges.”