The Fraunhofer Institute for Secure Information Technology SIT and Arkoon Netasq, a subsidiary of Airbus Defence and Space, two leading European organisations in cyber security, have jointly developed Hash Guard, a proof of concept for protecting enterprises against widespread pass-the-hash attacks, as part of a new cooperation agreement. Pass-the-hash technique is used by hackers to circumvent server authentication and gain access to secret information and sensitive applications.

“Through this cooperation, we have successfully implemented a proof of concept that is currently being tested with key customers on our Network Security platform“ says François Lavaste, President of Arkoon Netasq.  “Our company is already a pioneer in pass-the-hash attack prevention thanks to our Stormshield Endpoint Security solution. Such a network-based protection will be a perfect complement and help us provide a comprehensive solution”.

“We are very happy with this partnership which brings together an elite security vendor with one of Europe’s biggest research organisations,” says Michael Waidner, Director of Fraunhofer SIT. “The result of this cooperation is Hash Guard, which is an effective building block to curb espionage and advanced persistent threats. It is easy to implement and combines high security with ease of use.”

Every time a user logs in to a Windows domain network, the domain controller uses the password to generate a number of security tokens a.k.a. hashes. These are used to connect the user’s computer with the different servers and applications inside the company network. Due to its design, Windows single sign-on authentication is lacking a mechanism to ensure that a hash is only used by the rightful owner. Consequently, attackers can steal hashes and use them to access sensitive parts of the enterprise’s IT infrastructure, steal valuable information or take control over the network.

Hash Guard provides the missing safeguarding mechanism: similar to a firewall it is situated in front of the enterprise’s servers and monitors the network traffic for authentication messages, verifies whether a hash is used by its rightful owner and if not it automatically terminates the connection.  The prototype supports smartcard authentication, where the user only has to enter the PIN when logging in to the computer. From there on Hash Guard regularly checks incoming connections to the servers. For each authentication request to a server Hash Guard will assure the legitimacy of the connection by verifying the presence of the user’s smartcard at the requesting computer.

Hash Guard protects protocols that employ the LAN Manager (LM) or NT LAN Manager (NTLM) authentication including Server Message Block (SMB), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP) and more. Modifying these protocols is not necessary.

About Fraunhofer SIT

The Fraunhofer Institute for Secure Information Technology SIT is one of the world’s leading experts for R&D in cyber security. The institute is active in all important fields of IT security and forms a broad base of competence for cross-technology development at the highest level of quality. Fraunhofer SIT provides services for all branches of industry, and numerous successful projects at an international level visibly demonstrate the institute’s trustworthiness and reliability as a cooperation partner.

About Arkoon Netasq

Arkoon and Netasq, fully owned subsidiaries of Airbus Defence and Space, run the Stormshield brand and offer innovative end-to-end security solutions worldwide to protect networks (Stormshield Network Security), workstations (Stormshield Endpoint Security) and data (Stormshield Data Security).