A Formal Model for Credential Hopping Attacks

Computer Security – ESORICS 2022 (2022)

Citations: 0 | Views: 9
Abstract
Centrally-managed authentication schemes allow users of complex distributed systems to present the same credentials to multiple applications and computer systems. To further simplify the user’s experience, the credentials are often cached on those remote systems. However, caching credentials introduces the risk of malicious actors stealing and using these credentials to hop between systems within the network. This problem has been studied by modeling authentication events as a graph, and proposed solutions rely on altering key properties of a system’s authentication graph to reduce the likelihood of successful attacks. However, current approaches make numerous simplifying assumptions, fail to reflect the time-variant nature of many of the variables involved, and do not readily accommodate modeling the effects of a wide range of potential countermeasures. To address these limitations, this paper presents a formal model that describes credential hopping attacks as iteratively performing multiple credential-harvesting operations and lateral movements to reach predefined objectives. We explicitly consider the time-variant nature of all variables involved. We show how different countermeasures impact key variables of the proposed model, and define an intuitive metric for quantifying the attacker’s expended effort to reach a given goal. Although direct computation of a verifiably minimum value for this metric is demonstrably infeasible, we propose heuristics to achieve reasonable upper bounds. We validate our model and bound-heuristics through simulations, including assessing the impact of a deployed countermeasure.
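To make the abstract's ideas concrete, here is a small added illustration written for this page; it is not the paper's model or code. It assumes a deliberately simplified abstraction: hosts are graph nodes, each cached credential is harvestable on one host only during a [cached_at, expires) window (the time-variant part), each credential grants access to a set of hosts, and the attacker alternates two operations, harvest and move, each costing one unit of "effort". Under those assumptions the block computes the exact minimum effort by exhaustive search (feasible only at toy scale, which is why the paper turns to bounding heuristics), a greedy heuristic that yields an upper bound, and the effect of one countermeasure, a cap on credential-cache lifetime. All host names, credential names and times are constructed sample values.

```python
"""Toy, time-variant model of credential hopping (added illustration, not the paper's model).

Assumed abstraction (not taken from the paper):
  * hosts are graph nodes; a CachedCred says which credential sits on which host
    and during which [cached_at, expires) window it can still be harvested;
  * each credential grants interactive access to a set of hosts;
  * the attacker alternates HARVEST (collect every credential currently valid on
    the present host) and MOVE (hop to a host one held credential grants); each
    operation takes one time unit and costs one unit of effort;
  * "effort to reach the goal" = number of operations, the metric being minimised.
Every host, credential and time below is a constructed sample value.
"""
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CachedCred:
    name: str          # credential (e.g. the account whose cached secret is present)
    host: str          # host on which it is cached
    cached_at: int     # first time unit at which it is present
    expires: int       # first time unit at which it is gone (exclusive bound)
    grants: frozenset  # hosts this credential lets its holder log on to


class Model:
    def __init__(self, creds):
        self.creds = list(creds)
        self.horizon = max(c.expires for c in self.creds)  # no cache survives past this

    def valid_cached(self, host, t):
        """Credentials harvestable on `host` at time `t` (time-variant)."""
        return {c.name for c in self.creds
                if c.host == host and c.cached_at <= t < c.expires}

    def reachable(self, held):
        """Hosts the attacker can MOVE to with the credentials currently held."""
        return {h for c in self.creds if c.name in held for h in c.grants}

    def capped(self, max_lifetime):
        """Countermeasure: cache entries are purged `max_lifetime` units after caching."""
        return Model(replace(c, expires=min(c.expires, c.cached_at + max_lifetime))
                     for c in self.creds)


def min_effort(model, start, goal, t0=0):
    """Exact minimum effort via breadth-first search over (host, time, held credentials).
    The state space is exponential in the number of credentials, so this is only
    feasible for toy models; that is the motivation for bounding heuristics."""
    H = model.horizon
    first = (start, min(t0, H), frozenset())
    seen, queue = {first}, deque([(first, 0)])
    while queue:
        (host, t, held), effort = queue.popleft()
        if host == goal:
            return effort
        nxt = min(t + 1, H)  # time is frozen at the horizon: every cache is gone by then
        succ = [(host, nxt, held | frozenset(model.valid_cached(host, t)))]  # HARVEST
        succ += [(h, nxt, held) for h in model.reachable(held)]               # MOVE
        for s in succ:
            if s not in seen:
                seen.add(s)
                queue.append((s, effort + 1))
    return None  # goal unreachable under this model


def hop_distance_to(model, goal):
    """Static hop count to `goal` in the access graph, ignoring cache timing.
    Used only to steer the greedy heuristic."""
    back = {}
    for c in model.creds:
        for dst in c.grants:
            back.setdefault(dst, set()).add(c.host)
    dist, queue = {goal: 0}, deque([goal])
    while queue:
        h = queue.popleft()
        for prev in back.get(h, ()):
            if prev not in dist:
                dist[prev] = dist[h] + 1
                queue.append(prev)
    return dist


def greedy_upper_bound(model, start, goal, t0=0):
    """Heuristic upper bound: always harvest, then hop to the unvisited host that is
    statically closest to the goal. It never revisits a host, so it terminates, and it
    can overshoot the true minimum (or give up) because it ignores cache timing."""
    dist = hop_distance_to(model, goal)
    host, t, held, effort, visited = start, t0, set(), 0, {start}
    while host != goal:
        held |= model.valid_cached(host, t)
        t, effort = t + 1, effort + 1                                      # HARVEST
        candidates = [h for h in model.reachable(held) if h not in visited]
        if not candidates:
            return None
        host = min(candidates, key=lambda h: (dist.get(h, float("inf")), h))
        visited.add(host)
        t, effort = t + 1, effort + 1                                      # MOVE
    return effort


# Constructed sample: a foothold workstation, two intermediate servers, one objective.
SAMPLE = Model([
    CachedCred("helpdesk", "workstation", 0, 10, frozenset({"fileserver", "jumpbox"})),
    CachedCred("backup",   "fileserver",  0, 2,  frozenset({"dc"})),  # short-lived cache
    CachedCred("srvadmin", "jumpbox",     0, 8,  frozenset({"dc"})),
])

if __name__ == "__main__":
    print("exact minimum effort :", min_effort(SAMPLE, "workstation", "dc"))
    print("greedy upper bound   :", greedy_upper_bound(SAMPLE, "workstation", "dc"))
    hardened = SAMPLE.capped(2)  # purge cached credentials after 2 time units
    print("after countermeasure :", min_effort(hardened, "workstation", "dc"))
```

On the sample, the exact search finds the objective in four operations, the greedy heuristic reports six (a valid but loose upper bound, because it picks the fileserver first and arrives after the short-lived "backup" credential has expired), and capping cache lifetime at two time units makes the objective unreachable in this model. That is the pattern the abstract describes: a countermeasure changes a time-variant variable of the model, and the effort metric reflects the change.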
Keywords
credential hopping attacks