richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaning up the Sparks folder

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-18 09:31:41 +02:00
parent eb610a79b6
commit 96cd8fea7b
78 changed files with 149 additions and 181 deletions
Download patch file Download diff file Expand all files Collapse all files

84
Corpus/Sparks/Information Security/CIS Controls.md
View file

@ -1,84 +0,0 @@
# CIS Critical Security Controls
https://www.cisecurity.org/controls
Cyber attacks exploit bad cyber hygiene
CIS are security best practices for strengthening your security posture to defend agains top threats
maps to lots of frameworks
Safeguards are identified by attack patterns from the MITRE ATT&CK* framework
we verified that the CIS Controls are effective at defending against 86% of the ATT&CK (sub-)techniques found in the ATT&CK framework. More importantly, the Controls are highly effective against the top five attack types found in industry threat data.
![](../CleanShot%202024-10-08%20at%2016.10.32.png)
Source: CIS Community Defense Model version 2.0
3 levels:
IG1, 2 and 3
These CIS Controls Implementation Groups (IGs) are ment as a guidance to prioritize implementation.
IG1 is defined as “essential cyber hygiene”, targeted to small to medium-sized enterprises with limited IT and cybersecurity expertise.
Their main concern is operational continuity.
IG1 Safeguards are aimed to thwart general, non-targeted attacks.
IG2 enterprises have dedicated security staff, multiple departments with differing risk profiles, and regulatory compliance burdens.
A major concern is loss of public confidence if a breach occurs.
IG2 Safeguards help security teams cope with increased operational complexity.
IG3 enterprises employ security experts that specialize in the different facets of cybersecurity.
IG3 assets contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 enterprise must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.
Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
![](../ISMS/Asset%20classes.png)
Source: CIS Controls v8.1 PDF, pp 8-12
![](../CleanShot%202024-10-08%20at%2016.27.06.png)
List of the CIS Controls in v8, and how many Safeguards in each are applicable to each Implementation Group. [source](https://www.cisecurity.org/controls/implementation-groups)
See CIS_Controls_Version_8.1_6_24_2024.xlsx for a table that shows all safeguards mapped to the three Implementation Groups.
### CIS version 8 has 18 controls, you only gave me 9. Can you make this complete?
Certainly! Here's a complete table including all 18 CIS Controls in Version 8, with simplified implementation group indications. This serves as a high-level overview and the specifics for each safeguard would need to be obtained from the official CIS documentation.
| CIS Control | Safeguard (Control ID) | IG 1 | IG 2 | IG 3 |
| --------------------------------------------------------- | ---------------------------------------- | ---- | ---- | ---- |
| 1. Inventory and Control of Enterprise Assets | 1.1 Inventory of Assets | ✓ | ✓ | ✓ |
| | 1.2 Address Unauthorized Assets | ✓ | ✓ | ✓ |
| 2. Inventory and Control of Software Assets | 2.1 Inventory of Software | ✓ | ✓ | ✓ |
| | 2.2 Address Unauthorized Software | ✓ | ✓ | ✓ |
| 3. Data Protection | 3.1 Data Management | ✓ | ✓ | ✓ |
| | 3.2 Data Recovery | | ✓ | ✓ |
| 4. Secure Configuration of Enterprise Assets and Software | 4.1 Establish Secure Configurations | ✓ | ✓ | ✓ |
| | 4.2 Secure Configuration Management | | ✓ | ✓ |
| 5. Account Management | 5.1 Account Inventory | ✓ | ✓ | ✓ |
| | 5.2 Admin Account Management | ✓ | ✓ | ✓ |
| 6. Access Control Management | 6.1 Access Control Policy | ✓ | ✓ | ✓ |
| | 6.2 Access Granting | ✓ | ✓ | ✓ |
| 7. Continuous Vulnerability Management | 7.1 Vulnerability Scanning | ✓ | ✓ | ✓ |
| | 7.2 Vulnerability Remediation | | ✓ | ✓ |
| 8. Audit Log Management | 8.1 Log Retention and Management | ✓ | ✓ | ✓ |
| | 8.2 Log Review | | ✓ | ✓ |
| 9. Email and Web Browser Protection | 9.1 Email Protection | ✓ | ✓ | ✓ |
| | 9.2 Web Browser Protection | ✓ | ✓ | ✓ |
| 10. Malware Defenses | 10.1 Malicious Code Detection | ✓ | ✓ | ✓ |
| | 10.2 Malware Defenses | ✓ | ✓ | ✓ |
| 11. Data Recovery | 11.1 Data Recovery Mechanisms | ✓ | ✓ | ✓ |
| 12. Network Infrastructure Management | 12.1 Network Inventory | ✓ | ✓ | ✓ |
| | 12.2 Network Segmentation | | ✓ | ✓ |
| 13. Security Awareness and Skills Training | 13.1 Security Awareness Program | ✓ | ✓ | ✓ |
| | 13.2 Training and Exercises | | ✓ | ✓ |
| 14. Security Operations Center (SOC) Functions | 14.1 Threat Detection | ✓ | ✓ | ✓ |
| 15. Security Incident Management | 15.1 Incident Response Planning | ✓ | ✓ | ✓ |
| | 15.2 Incident Response Testing | | ✓ | ✓ |
| 16. Application Software Security | 16.1 Software Development Security | ✓ | ✓ | ✓ |
| | 16.2 Application Testing | | ✓ | ✓ |
| 17. Penetration Testing | 17.1 Penetration Testing and Red Teaming | | ✓ | ✓ |
| 18. Cloud Security | 18.1 Cloud Security Posture Management | ✓ | ✓ | ✓ |
| | 18.2 Cloud Workload Protection | | ✓ | ✓ |
```
This table presents an overview of the CIS Controls with a basic distinction of which implementation groups might adopt each safeguard as part of their cybersecurity strategy. The tick marks (✓) are placed based on the assumption that lower IG numbers cover more fundamental controls, while higher IG numbers represent more sophisticated measures. Always refer to the official CIS documents for precise guidelines and safeguards as they relate to your organization's needs.

4
Corpus/Sparks/Information Security/Cracking passwords in 2024.md
View file

@ -1,9 +1,9 @@
# Cracking passwords in 2024
![](../Hive%20Systems%20Password%20Table%20-%202024_Dutch.png)
![](../Time%20for%20brute%20force%20on%20passwords%20NL.png)
![](../Hive%20Systems%20Password%20Table%20-%202024%20Square.png)
![](../Time%20for%20brute%20force%20on%20passwords%20EN.png)

10
Corpus/Sparks/Information Security/Data maturity model NL overheid.md
View file

@ -1,10 +0,0 @@
# Data maturity model NL overheid
Een data maturity model helpt Nederlandse overheidsorganisaties bij het beoordelen, verbeteren en volwassen maken van hun datamanagementpraktijken. Het model dient als een raamwerk om de huidige status van een organisatie op het gebied van data te beoordelen en verbeterplannen te identificeren.
### Elaboratie:
* Data Management Maturity Model (DMM): Dit model, ontwikkeld door de ~[Realisatie IBDS](https://realisatieibds.nl/groups/view/c23ab74c-adb4-424e-917d-773a37968efe/kenniscentrum-van-de-ibds/wiki/view/2986e2c2-77c0-4624-8a4b-7bde2c56b70a/data-management-maturity-dmm)~, biedt een systematische benadering om de data management capaciteiten van overheidsorganisaties te verbeteren. Het helpt organisaties bij het beoordelen van hun huidige datamanagement en het identificeren van kansen voor verbetering. 
* Data Governance Maturity Model: ~[Sprinto](https://sprinto.com.en2nl.search.translate.goog/blog/data-governance-maturity-model/)~ beschrijft de volwassenheidsniveaus van data governance programma's. Het model helpt organisaties bij het beoordelen van hun huidige staat en bij het identificeren van stappen om hun data governance te verbeteren. 
* Data Maturity Assessment for Government: Dit model, ook van ~[Realisatie IBDS](https://realisatieibds.nl/kennisbank/scan-datavolwassenheid)~, biedt een raamwerk om de gezondheid en sterkte van het data-ecosysteem van een overheidsorganisatie te meten en te verbeteren. Het helpt organisaties bij het identificeren van strategische verbeterpunten en bij het prioriteren van investeringen. 
* Morgens Data Maturity Model: Dit model, ~[www.morgens.nl](https://www.morgens.nl/actueel/groei-in-datavolwassenheid-met-het-morgens-data-maturity-model/)~, helpt publieke sector organisaties bij het in kaart brengen van hun datavolwassenheid en het identificeren van stappen voor verbetering. 
* Data-Analytics Maturity Model: Berenschot, in samenwerking met het A&O Fonds en de VNG, ontwikkelde een model dat helpt bij het beoordelen van de bereidheid van een organisatie om datagedreven te gaan werken. 

26
Corpus/Sparks/Information Security/Frameworks for defining roles and responsibilities in IT.md Normal file
View file

@ -0,0 +1,26 @@
# Frameworks for defining roles and responsibilities in IT
Several established frameworks exist for defining roles and responsibilities within IT departments. Here are the most widely used ones:
**RACI Matrix (Responsible, Accountable, Consulted, Informed)**
This is one of the most popular frameworks for clarifying who does what in IT projects and operations. It assigns four levels of involvement to each role for every task or decision, making it clear who owns what and who needs to be kept in the loop.
**ITIL (Information Technology Infrastructure Library)**
ITIL provides comprehensive guidance on IT service management roles and responsibilities. It defines specific roles like Service Owner, Process Owner, and Process Manager, along with their accountabilities across the service lifecycle. ITIL v4 emphasizes value streams and practices rather than rigid processes.
**COBIT (Control Objectives for Information and Related Technologies)**
This framework focuses on IT governance and management, defining roles and responsibilities for ensuring IT aligns with business objectives. It provides clear accountability structures for IT leadership, process owners, and stakeholders.
**DevOps Role Models**
Various DevOps frameworks define roles like Site Reliability Engineers, Platform Engineers, and DevOps Engineers, emphasizing shared responsibility between development and operations teams. These frameworks stress cross-functional collaboration over traditional silos.
**TOGAF (The Open Group Architecture Framework)**
For enterprise architecture, TOGAF defines roles such as Enterprise Architect, Solution Architect, and Business Architect, along with their responsibilities in architecture governance and development.
**Agile IT Frameworks**
SAFe (Scaled Agile Framework) and other agile methodologies define IT roles like Product Owner, Scrum Master, and Release Train Engineer, with responsibilities centered around iterative delivery and continuous improvement.
**Cybersecurity Frameworks**
NIST Cybersecurity Framework and ISO 27001 define security-specific roles and responsibilities, including Chief Information Security Officer (CISO), Security Analyst, and Incident Response Team roles.
Most organizations combine elements from multiple frameworks rather than adopting just one, tailoring the approach to their specific needs, size, and industry requirements.

16
Corpus/Sparks/Information Security/Identification.md Normal file
View file

@ -0,0 +1,16 @@
# Identification
Identification is the claim of a subject of its identity.
See also:
- [Authentication](../../Standards/ISO27x/Authentication.md)
- [Authorization](../../Standards/ISO27x/Authorization.md)
- [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)
# Identification
Identification is the claim of a subject of its identity.
See also:
- [Authentication](../../Standards/ISO27x/Authentication.md)
- [Authorization](../../Standards/ISO27x/Authorization.md)
- [Identity and Access Management (IAM)](Identity%20and%20Access%20Management%20(IAM).md)

12
Corpus/Sparks/Information Security/Identifying and Managing Preventable Risks.md Normal file
View file

@ -0,0 +1,12 @@
Sidebar from [Managing Risks - A New Framework](../../Literature%20notes/Managing%20Risks%20-%20A%20New%20Framework.md)
Companies cannot anticipate every circumstance or conflict of interest that an employee might encounter. Thus, the first line of defense against preventable risk events is to provide guidelines clarifying the companys goals and values.
**Define the Mission**
A well-crafted mission statement serves as a “true north” for all employees.
E.g. Johnson & Johnsons “We believe our first responsibility is to the doctors, nurses and patients, to mothers and fathers, and all others who use our products and services”.
**Articulate the Values** that guide employee behavior toward all stakeholders
**Set Boundaries** for what is and what is not allowed. Companies need corporate codes of business conduct that prescribe behaviors relating to conflicts of interest, antitrust issues, trade secrets and confidential information, bribery, discrimination, and harassment.
top managers must serve as role models and demonstrate that they mean what they say. Companies must institute strong internal control systems, such as the segregation of duties and an active whistle-blowing program, to reduce not only misbehavior but also temptation. A capable and independent internal audit department tasked with continually checking employees compliance with internal controls and standard operating processes also will deter employees from violating company procedures and policies and can detect violations when they do occur.

29
Corpus/Sparks/Information Security/Identity and Access Management (IAM).md Normal file
View file

@ -0,0 +1,29 @@
## How IAM works
With IAM, you manage access control by defining _who_ (identity) has _what access_ (role) for _which resource_. For example, Compute Engine virtual machine instances, Google Kubernetes Engine (GKE) clusters, and Cloud Storage buckets are all Google Cloud resources. The organizations, folders, and projects that you use to organize your resources are also resources.
In IAM, permission to access a resource isn't granted _directly_ to the end user. Instead, permissions are grouped into _roles_, and roles are granted to authenticated _principals_. (In the past, IAM often referred to principals as _members_. Some APIs still use this term.)
An _allow policy_, also known as an _IAM policy_, defines and enforces what roles are granted to which principals. Each allow policy is attached to a resource. When an authenticated principal attempts to access a resource, IAM checks the resource's allow policy to determine whether the action is permitted.
See:
- [Identification](Identification.md) "This is who I am"
- [Authentication](../../Standards/ISO27x/Authentication.md) "This is how I prove it"
- [Authorization](../../Standards/ISO27x/Authorization.md) "... then this is what you get access to"
- [CISSP_Domain_5_1](../../Standards/CISSP/CISSP_Domain_5_1.md), [CISSP_Domain_5_2](../../Standards/CISSP/CISSP_Domain_5_2.md)
- [Roles in Identity and Access Management (IAM)](../../Literature%20notes/Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)
## How IAM works
With IAM, you manage access control by defining _who_ (identity) has _what access_ (role) for _which resource_. For example, Compute Engine virtual machine instances, Google Kubernetes Engine (GKE) clusters, and Cloud Storage buckets are all Google Cloud resources. The organizations, folders, and projects that you use to organize your resources are also resources.
In IAM, permission to access a resource isn't granted _directly_ to the end user. Instead, permissions are grouped into _roles_, and roles are granted to authenticated _principals_. (In the past, IAM often referred to principals as _members_. Some APIs still use this term.)
An _allow policy_, also known as an _IAM policy_, defines and enforces what roles are granted to which principals. Each allow policy is attached to a resource. When an authenticated principal attempts to access a resource, IAM checks the resource's allow policy to determine whether the action is permitted.
See:
- [Identification](Identification.md) "This is who I am"
- [Authentication](../../Standards/ISO27x/Authentication.md) "This is how I prove it"
- [Authorization](../../Standards/ISO27x/Authorization.md) "... then this is what you get access to"
- [CISSP_Domain_5_1](../../Standards/CISSP/CISSP_Domain_5_1.md), [CISSP_Domain_5_2](../../Standards/CISSP/CISSP_Domain_5_2.md)
- [Roles in Identity and Access Management (IAM)](../../Literature%20notes/Roles%20in%20Identity%20and%20Access%20Management%20(IAM).md)

26
Corpus/Sparks/Information Security/Importance of a BCP.md Normal file
View file

@ -0,0 +1,26 @@
# The importance of having a business continuity plan
Having a business continuity plan (BCP) is crucial for an organization for several reasons:
1. **Minimizing Downtime:** A BCP helps ensure that critical business functions can continue during and after a disaster or unexpected event. This minimizes downtime and the associated financial losses.
2. **Risk Management:** Identifying potential risks and preparing for them in advance allows an organization to manage and mitigate these risks more effectively. A BCP identifies vulnerabilities and puts safeguards and procedures in place to address them.
3. **Safeguarding Data and Assets:** A comprehensive BCP includes strategies to protect and recover important data and organizational assets, reducing the risk of data loss or corruption and ensuring business activities can continue without significant disruption.
4. **Maintaining Customer Confidence:** Promptly and efficiently responding to a crisis helps maintain trust with customers, suppliers, and other stakeholders, demonstrating that the organization is reliable and resilient even under challenging circumstances.
5. **Ensuring Compliance:** Many industries are subject to regulatory requirements regarding disaster recovery and business continuity. A formal BCP ensures compliance with these regulations, helping to avoid legal issues and penalties.
6. **Protecting Employees:** A BCP prioritizes employee safety by having procedures in place for communication, evacuation, and continuity of work in a safe environment. Ensuring the welfare of employees fosters loyalty and productivity.
7. **Financial Stability:** By minimizing operational disruptions and financial losses, a BCP supports the financial stability of an organization during and after an unforeseen event. This stability can be crucial for meeting contractual obligations and maintaining investor confidence.
8. **Competitive Advantage:** Organizations that can maintain operations during disruptions have a competitive advantage over those that cannot. This reliability can be a differentiating factor in the marketplace.
9. **Facilitating Recovery:** A BCP provides a clear roadmap for recovery, detailing roles, responsibilities, and procedures to be followed in the aftermath of a disruption, which accelerates the return to normal operations.
10. **Building Organizational Resilience:** The process of developing and maintaining a BCP helps foster a culture of resilience, ensuring that the organization is better prepared for a wide range of potential threats and changes in the business environment.
Overall, a well-crafted business continuity plan helps an organization anticipate, respond to, and recover from disruptions, ensuring long-term sustainability and success.

58
Corpus/Sparks/Information Security/Incident Response Planning.md Normal file
View file

@ -0,0 +1,58 @@
[SANS Incident Response Plan](../../Standards/SANS/SANS%20Incident%20Response%20Plan.md)
[Checklist for auditing Incident Response Plan](../../Literature%20notes/Checklists%20Gerardus%20Blokdyk/Checklist%20for%20auditing%20Incident%20Response%20Plan.md)
See also:
- [Ransomware Playbook](../Ransomware%20Playbook.md)
- [a-5.30-ICT-readiness-for-business-continuity](../../Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md)
- [BCP_Bedrijfscontinuïteitsplanning](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
ISO 27002 5.24 Planning and preparation [PE](../../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.24_PE%20Information%20security%20incident%20management%20planning%20and%20preparation.md)/ [OT](../../Standards/ISO27x/OST/27002/EN/a-5.24-Information-security-incident-management-planning-and-preparation.md)
CISSP Incident Response Steps[^1]:
- Detection
- monitoring, alerts
- Response
- decide if it is a security incident
- alert the CSIR Team
- Mitigation
- contain the incident, limit effect or scope
- Reporting
- Recovery
- return to fully functioning state
- Remediation
- root cause analysis
- Lessons Learned
- ISO 27002 5.27 [PE](../../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.27_PE%20Learning%20from%20information%20security%20incidents.md) / [OT](../../Standards/ISO27x/OST/27002/EN/a-5.27-Learning-from-information-security-incidents.md)
- prevent from re-occurring
- improve incident response
[^1]: CISSP Chapter 17, Preventing and Responding to Incidents, p.739
ChatGPT identifies the following steps:
### in information security incident response, what other actions are there, then mitigation and remediation
In information security incident response, there are several key actions in addition to mitigation and remediation. These typically align with the stages of an incident response process. Here's an overview:
1. **Preparation**: This involves establishing and training an incident response team, developing and updating an incident response plan, and ensuring tools and resources are available for effective incident management.
2. **Identification**: This stage focuses on detecting and identifying security incidents through monitoring, alerts, and reports. It involves confirming whether a security breach or event has occurred.
3. **Containment**: Once an incident is identified, immediate containment efforts are taken to limit damage, prevent further intrusion, and isolate affected systems. This can be broken down into short-term containment (immediate response) and long-term containment (applying temporary fixes).
4. **Eradication**: This involves removing the root cause of the incident, such as eliminating malware from all affected systems, closing vulnerabilities that were exploited, and ensuring that the threat is completely neutralized.
5. **Recovery**: During this phase, affected systems are restored and returned to normal operations. It includes validating systems to ensure they are operational and secure, implementing additional monitoring, and verifying that vulnerabilities are resolved.
6. **Improvement**: Also known as lessons learned, this step involves reviewing and analyzing the incident and the response. The objective is to learn from the event, improve future incident response, and update policies and procedures.
7. **Communication**: Throughout the incident response process, consistent communication is crucial. This includes informing relevant stakeholders, providing updates, reporting to compliance bodies if necessary, and managing public relations if the incident affects external parties.
8. **Post-Incident Review**: A detailed review is conducted after the incident is resolved to evaluate what happened, what was done well, what could be improved, and how to prevent similar incidents in the future.
These actions combined create a comprehensive approach to effectively manage and respond to security incidents in an organized manner.

3
Corpus/Sparks/Information Security/Incident Response playbooks.md Normal file
View file

@ -0,0 +1,3 @@
# Incident Response playbooks
[Repository](https://github.com/certsocietegenerale/IRM/tree/main) of Incident Response playbooks by CERT Societe Generale

68
Corpus/Sparks/Information Security/Kerberoasting.md Normal file
View file

@ -0,0 +1,68 @@
# How does Kerberoasting work
![What is Kerberoasting Attack?](https://d2u1z1lopyfwlx.cloudfront.net/thumbnails/da7d7f75-5240-5121-bcdb-42661d3658c7/39b56d8f-e141-5ba9-92d5-2add2173801a.jpg)
![Marshmallows & Kerberoasting](https://d2u1z1lopyfwlx.cloudfront.net/thumbnails/2b2fb80f-f352-5083-a050-97c5e70f18ff/1fe3cf37-8aca-5bbe-aa76-413147f4878b.jpg)
![What Is a Kerberoasting Attack?](https://lh7-rt.googleusercontent.com/docsz/AD_4nXflXNwTJwVm5OsvsXfq4CGVVVKtItVVE3FsJ7AO8aPWjUKPDh8swLeaih7NmGa6J5z6GjRDSwZjDfhXZrzbxUNUZ76hy8nizDLTnOkZa2B1HkQ5E4HKozH_qGIhzZeCaGmji5rr-ELqwUgXp_T0h4LfRg_g?key=sPnmmEBG5LKzk6cI9huPzg)
![What is a Kerberoasting Attack? Detection and protection](https://d2u1z1lopyfwlx.cloudfront.net/thumbnails/48a8bb2d-0fc4-5754-b710-56856837c3e2/f47ab36e-fb8f-5a32-a7d2-89b3d60c4633.jpg)
Kerberoasting is a cyberattack that exploits weaknesses in the Kerberos authentication protocol to steal service account credentials in Active Directory environments. Here's how it works:
## Attack Process
1. **Initial Access**
Attackers first gain authenticated access to the network using compromised domain user credentials. No elevated privileges are required at this stage[3](https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/)[7](https://www.ibm.com/think/topics/kerberoasting).
2. **Service Ticket Harvesting**
The attacker queries Active Directory for accounts with Service Principal Names (SPNs), which identify network services. Using tools like PowerShell or BloodHound, they request Kerberos service tickets (TGS tickets) for these accounts[1](https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/)[8](https://www.rapid7.com/fundamentals/kerberoasting-attack/). These tickets are encrypted with the service account's password hash[5](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003).
3. **Ticket Extraction**
Tools like **Mimikatz** or **Rubeus** extract the encrypted ticket data from memory. The attack specifically targets tickets using the weaker RC4_HMAC_MD5 encryption type rather than more secure AES encryption[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[4](https://www.strongdm.com/what-is/kerberoasting).
4. **Offline Password Cracking**
Attackers use brute-force tools like **Hashcat** or **John the Ripper** to crack the hashes offline. Success depends on password strength:
- Weak passwords (<25 characters) are vulnerable
- Computer/managed service accounts (with 120+ character passwords) are generally safe[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[5](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003)
|Attack Stage|Key Tools Used|Vulnerability Exploited|
|---|---|---|
|Ticket Harvesting|PowerShell, BloodHound|SPN misconfigurations|
|Ticket Extraction|Mimikatz, Rubeus|RC4_HMAC_MD5 encryption|
|Password Cracking|Hashcat, John the Ripper|Weak service account passwords|
## Why It's Effective
- **Stealth**: No network traffic generated during cracking[4](https://www.strongdm.com/what-is/kerberoasting)
- **Legitimate Appearance**: Uses normal Kerberos functions[6](https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/kerberoasting/)
- **High Reward**: Service accounts often have elevated privileges[3](https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/)
## Mitigation Strategies
- **Enforce strong passwords** (25+ chars) for service accounts[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[4](https://www.strongdm.com/what-is/kerberoasting)
- **Use AES encryption** instead of RC4 for Kerberos tickets[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[7](https://www.ibm.com/think/topics/kerberoasting)
- **Implement Managed Service Accounts** with auto-rotated passwords[5](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003)
- **Monitor** for abnormal TGS ticket requests[4](https://www.strongdm.com/what-is/kerberoasting)[8](https://www.rapid7.com/fundamentals/kerberoasting-attack/)
- **Enable Multi-Factor Authentication** for sensitive accounts[4](https://www.strongdm.com/what-is/kerberoasting)
The attack chain demonstrates how attackers leverage legitimate protocol features to escalate privileges, making detection challenging without proper monitoring and encryption standards[1](https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/)[5](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003). Regular password rotation and eliminating weak encryption types remain critical defenses[2](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)[4](https://www.strongdm.com/what-is/kerberoasting).
### Citations:
1. [https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/](https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-kerberoasting-attack/)
2. [https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/](https://blog.quest.com/understanding-kerberoasting-attacks-and-how-to-prevent-them/)
3. [https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/](https://www.vaadata.com/blog/what-is-kerberoasting-attack-and-security-tips-explained/)
4. [https://www.strongdm.com/what-is/kerberoasting](https://www.strongdm.com/what-is/kerberoasting)
5. [https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003](https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003)
6. [https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/kerberoasting/](https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/kerberoasting/)
7. [https://www.ibm.com/think/topics/kerberoasting](https://www.ibm.com/think/topics/kerberoasting)
8. [https://www.rapid7.com/fundamentals/kerberoasting-attack/](https://www.rapid7.com/fundamentals/kerberoasting-attack/)
---
Answer from Perplexity: [pplx.ai/share](pplx.ai/share)