CAEP Aims to Solve the Kerberos Golden Ticket Problem

The Kerberos Golden Ticket attack represents one of the most severe threats to traditional authentication systems. This sophisticated attack allows adversaries to create counterfeit authentication tickets that grant persistent, privileged access across an entire domain. CAEP (Continuous Access Evaluation Protocol) directly addresses this vulnerability through several key mechanisms. For example, a Microsoft Entra ID enabled user can be protected with CAEP-evaluated access tokens instead of legacy Kerberos tickets in "on-premises / legacy mode".
CAEP has the ability to revoke access based on events, whereas a Kerberos ticket simply has to "run its lifetime" before it stops being valid. The ability to act fast on security events is key in modern IT security.
The Golden Ticket Problem
To understand how CAEP solves this issue, let's first examine the vulnerability:
In Kerberos authentication (the "on-premises" case), a Golden Ticket is a forged Ticket Granting Ticket (TGT) created by an attacker who has compromised the password hash of the Key Distribution Center's (KDC) KRBTGT account. This ticket can:
- Provide unlimited access to any resource in the domain
- Be configured with arbitrary privileges
- Remain valid for extended periods (up to 10 years)
- Bypass standard account restrictions like password changes
- Evade traditional detection methods
Once an attacker creates a Golden Ticket, they can move laterally throughout the network with minimal risk of detection, as the ticket appears legitimate to all Kerberos-authenticated systems. The core problem is that an issued ticket cannot be revoked; it stays valid until its lifetime runs out. This article from 2020 gives more context to the topic.
How CAEP Counters Golden Ticket Attacks
CAEP effectively neutralizes Golden Ticket attacks through several complementary approaches:
1. Continuous Authentication Beyond the Initial Ticket
Traditional Kerberos relies heavily on the initial authentication event. CAEP fundamentally changes this model by continuously evaluating trust throughout the session. Even if an attacker presents a valid Golden Ticket to gain initial access, CAEP will:
- Continuously monitor the user's behavior patterns
- Evaluate device health metrics in real-time
- Assess network conditions and connection characteristics
- Compare current activity against established baselines
- React to CAEP events in real time by revoking or re-authenticating sessions
This continuous evaluation means that even after gaining access, attackers would still need to mimic legitimate user behavior patterns to maintain it. This protects against all but the most targeted attacks.
2. Multi-Factor Signal Analysis
CAEP doesn't rely solely on the authentication ticket's validity. Instead, it analyzes multiple signals simultaneously using the Shared Signals and Events Framework:
- User behavior analytics (typing patterns, command usage, access times)
- Device characteristics (patch status, security configurations)
- Network anomalies (unusual connection paths, unexpected geographical locations)
- Resource access patterns (atypical file access, unusual database queries)
A hijacked session or a Golden Ticket might fool the authentication server, but it won't affect the signals that CAEP continuously monitors.
3. Dynamic Policy Enforcement
When CAEP detects anomalies that might indicate a hijacked session (or a Golden Ticket attack), it can automatically:
- Require additional authentication factors, such as a fresh MFA challenge or a passkey (FIDO) step-up, to re-secure the session
- Reduce access privileges
- Isolate the session to a restricted environment
- Terminate the connection entirely
This dynamic response means that even if attackers initially gain access with a Golden Ticket or a hijacked session, their ability to maintain that access or escalate privileges becomes significantly limited.
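As an added example for sections 1 and 3 (not code from the original article or from any CAEP product), the following minimal receiver verifies a CAEP session-revoked Security Event Token (SET, RFC 8417) and revokes the matching sessions immediately, whereas a store that checks only expiry, like a Kerberos ticket, would have honored them until their lifetime ran out. The event-type URI is the one defined by the OpenID CAEP specification; the issuer, audience, subject names and the HS256 shared key are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Event type URI from the OpenID CAEP spec; the key and all names below are constructed.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
SHARED_KEY = b"constructed-example-key"  # HS256 key shared by transmitter and receiver
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_set(claims: dict, key: bytes) -> str:
    """Transmitter side: emit a Security Event Token (RFC 8417) as an HS256 compact JWS."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    body = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return body + "." + _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_set(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Receiver side: check signature, typ, iss and aud before acting on any event."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("SET signature invalid")
    header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
    if header.get("typ") != "secevent+jwt" or claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("SET typ, issuer or audience mismatch")
    return claims

class SessionStore:
    """Sessions that end either at their expiry (Kerberos style) or on a CAEP event."""
    def __init__(self):
        self.sessions = {}  # sid -> {"sub": subject, "exp": expiry in epoch seconds}
    def create(self, sid: str, sub: str, ttl: int, now: int) -> None:
        self.sessions[sid] = {"sub": sub, "exp": now + ttl}
    def is_valid(self, sid: str, now: int) -> bool:
        entry = self.sessions.get(sid)
        return entry is not None and now < entry["exp"]
    def apply_set(self, claims: dict) -> list:
        """Revoke every live session of the subject named in a session-revoked event."""
        revoked = []
        for event_type, payload in claims.get("events", {}).items():
            if event_type != SESSION_REVOKED:
                continue  # other CAEP event types would map to other policy actions
            sub = payload["subject"]["sub"]
            for sid in [k for k, v in self.sessions.items() if v["sub"] == sub]:
                del self.sessions[sid]
                revoked.append(sid)
        return revoked
```

A real deployment would verify an asymmetric signature against the transmitter's published JWKS and deliver SETs over the Shared Signals push or poll endpoints, but the receiver logic stays the same: verify first, then revoke by subject.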
4. Decoupling Authentication from Authorization
CAEP implements a fundamental shift in security architecture by separating authentication (proving identity) from authorization (granting access rights). Even if an attacker authenticates successfully with a hijacked session or a Golden Ticket, CAEP's continuous evaluation means that authorization decisions remain dynamic and contextual.
Implementation Considerations
Organizations implementing CAEP to address Golden Ticket vulnerabilities should:
- Deploy comprehensive monitoring across all authentication endpoints
- Establish behavioral baselines for users and systems
- Implement risk-based authentication policies that adapt to detected anomalies
- Integrate CAEP with existing security monitoring and response systems
- Regularly rotate KRBTGT account credentials (as a complementary measure)
The Broader Impact
By addressing the Golden Ticket vulnerability, CAEP demonstrates how Zero Trust principles fundamentally transform security architectures. Rather than focusing on perimeter defenses or one-time authentication events, CAEP embodies the "never trust, always verify" philosophy by continuously evaluating all access attempts.
This approach not only mitigates Golden Ticket attacks but also provides protection against a wide range of other advanced persistent threats. As organizations continue to face sophisticated attacks on their authentication systems, CAEP represents a critical evolution in security architecture that addresses fundamental vulnerabilities in traditional models.