Many organizations introduce Microsoft Windows computers as from basic office workstations to core system computers. Active Directory (AD) realizes centrally manages users, computers, and their authentications. Therefore, AD is widely used as an authentication server [1]. According to a survey [2], 97% organizations answer that AD is mission-critical to their business. Thus, AD is very useful but also tends to be abused by attackers because once attackers steal the Domain Administrator's privilege, attackers easily compromise more computer resources [3]. Some computer security incidents were observed, and the attackers compromised AD using malicious tickets such as the Golden Ticket and the Silver Ticket attacks. However, there is no universal rule to detect these malicious tickets [4]. Especially, detecting the Silver Ticket is challenging since there are no logs and traces left on the Domain Controllers, and the attackers leverage specifications of Kerberos authentication, not vulnerabilities [5].
Recently, some organizations have been migrating their AD environment to Azure Active Directory (renamed to Microsoft Entra ID on August 15, 2023; however, this paper refers to it by its name at the time of the conducted verification, Azure Active Directory). They could operate a hybrid environment that combines on-premise and cloud resources. In addition, hybrid environments are expected to be adopted by many organizations for an indefinite period while continuing to invest in ongoing IT modernization initiatives [6]. In some forms of hybrid environments, seamless single sign-on (SSSO) can be optionally used; SSSO allows the on-premise AD Kerberos Ticket to be used for authentication to some Azure services as well. According to [7], From Fortune 500 companies using Azure AD, 27% introduce SSSO. In the SSSO environment, their users can log in to the Azure services without typing their password on their browser. In such an environment, attackers can compromise the on-premise AD and abuse the Silver Ticket for not only on-premise AD but also Azure services [8].
In this research, we focus on the lifetime of authentication tickets, then propose detection methods of the Silver Ticket attacks using Domain Controller event logs and Azure AD logs that are useful for hybrid SSSO AD environments.
Hybrid SSSO and on-premise authentication mechanisms themselves are different, but there are similarities in that both use authentication tickets based on lifetime. Therefore, the proposed method is also applicable for detecting on-premise the Silver Ticket attacks.
In this paper, we differentiate terms related to AD as follows:
AD is a directory service of Windows resources provided by Microsoft. A server called Domain Controller centrally manages and authenticates users and computers by active directory domain. In an on-premise AD environment, users who belong to Domain Administrators have full control of all resources in the AD domain. Therefore, attackers who intrude into the organization's network tend to target Domain Administrators to get higher privileges.
We will explain the Kerberos authentication used mainly in on-premise AD environments. In an AD environment, the Domain Controller uniformly processes the authentication of all users and computers using authentication tickets called Ticket-Granting Tickets (TGT) and Service Tickets (ST).
The flow of the Kerberos authentication upon the usage of a Windows service is as follows.
Recently, some organizations have been migrating their AD environment to Azure AD and operating hybrid environments on-premise AD and Azure AD. In hybrid environments, it is common that Domain Controllers authenticate on-premise computers, and Azure AD authenticates cloud services such as Microsoft 365, etc. The same users can be used by collaborating on-premise AD and Azure AD by the following three methods.
In this study, we focus on the PHS and the PTA. Both of them enable users to access Azure services such as the Azure portal and Office 365 without the Azure service password using Service Tickets issued by the on-premise Domain Controller. To realize this user experience, in the PHS environment, Azure AD Connect synchronizes a user's password hash from an on-premises Domain Controller to an Azure AD. In the PTA environment, the Pass-Through Authentication agent connects to the on-premise Domain Controller and confirms the password they typed is correct.
PHS and PTA can also realize the SSSO. SSSO enables users who have authenticated by on-premise AD to access some Azure services, such as Azure portal and Office 365, without typing passwords. Fig. 1 shows the overview of the SSSO, and the following is the flow of authentication of SSSO [9].
AD is very useful but also tends to be leveraged by cyber attacks. Though there are various types of attacks against AD, this research focuses on the Silver Ticket attacks that are especially difficult to detect [11]. This section introduces typical attack methods leveraging the Silver Ticket.
Attackers who successfully exploit the Domain Administrator privileges tend to create a backdoor called the Golden Ticket and the Silver Ticket in order to disguise themselves as legitimate administrator accounts over a long period.
There are several detection methods for the Golden Ticket, but few methods are proposed for the Silver Ticket detection. The Silver Ticket is a Service Ticket that has a legitimate signature created by attackers. Attackers tend to create the Silver Ticket with a significantly long-term validity (e.g., ten years) for accessing specific Windows services. If attackers can get administrative privileges on the server that provides the target service, they could create the Silver Tickets for the service. The use of the Silver Ticket means that the the server and its service are under the control of the attackers, thus requiring immediate detection and appropriate measures.
In the hybrid environment, attack methods are different depending on the target architecture. In this study, we focus on the Hybrid AD environment with PHS or PTA that provides SSSO.
In hybrid environments that integrate on-premise AD and Azure environments, various Single Sign-On features are provided for usability by Microsoft. Among them, Microsoft provides PHS and PTA that synchronize the passwords of the on-premise environment with the cloud environment. In addition, Seamless Single Sign-On (SSSO), an optional feature for PHS and PTA, uses Kerberos tickets for access to Azure as well for a more seamless login to Azure. In general, when users access Azure with a browser, they would normally need to type a password. On the other hand, in the SSSO environment, users can log in without a password once authenticated by Azure since the Kerberos ticket stored in the client computer's memory is sent to Azure. The Service Ticket for SSSO is signed and encrypted with a special account password hash called AZUREADSSOACC$.
If attackers steal this password hash, they can create the Silver Ticket to log in to the Azure environment. Once attackers obtain the Silver Ticket, it is possible to compromise the target organizations for a long period of time without re-invading their network, which is why the Silver Ticket is frequently abused for APT attacks.
There are several ways to use Azure services. The most common uses are listed below.
In the above cases, SSSO is available for only 1: browser case. In 2 and 3, password entry for Azure was required. In other words, attackers can access Azure Portal or Microsoft 365 Portal with a browser using the Silver Ticket for SSSO without plain text passwords. Attackers should obtain the password hash for the AZUREADSSOACC$ account and the name of the account to be impersonated for creating the Silver Ticket, however, it is easy if attackers obtain the domain administrator privilege. After logging in to Azure Portal with a browser, the scope of exploitation depends on the impersonate account's privileges. If you can log in with an account with higher privileges, such as Global Administrator, you can use most Azure-related services illegally [12].
An image of the attack scenario against the SSSO environment is shown as Fig. 2. The preconditions for Attack Scenario are as follows:
The attack scenario is as follows:
Note that once attackers steal credentials to create the silver ticket, attackers can create the Silver Ticket. If the target organization allows to access to the Azure AD from outside of the organization's network, attackers use the Service Ticket from anywhere.
An image of the attack scenario against the on-premise environment is shown as Fig. 3. The preconditions for Attack Scenario are as follows:
The attack scenario is as follows:
In this scenario, as described in subsection 2.4, attackers can access the Domain Controller as a legitimate administrative account by using the Silver Ticket as long as attackers have readability to the Domain Controller. Furthermore, detection is quite difficult if attackers use the same tools used by legitimate administrators.
Usually, the detection of the Silver Ticket is challenging for the following reasons.
In the default settings, the Service Ticket validation period is 600 minutes. Once the computer obtains the Service Ticket, the computer does not require the Service Ticket if the rest of the validation period is long enough. This behavior makes detection difficult if we use logs to detect malicious activities.
This section describes existing technologies and related research on detection and prevention methods for on-premise AD and Azure attacks.
[5] focuses on attack methods and detection methods on the Golden Ticket and the Silver Ticket. It mentions the silver ticket attack does not involve the Domain Controller, it is harder to detect, and the silver ticket was not able to detected at all.
[17] introduces a detection method of attacks against on-premise AD. However, detection methods against the Silver Ticket are not mentioned.
[18] proposes machine learning techniques, particularly several anomaly detection algorithms, for the detection of Kerberoasting, which is a password-cracking attack against Kerberos.
[19] introduces the Silver Ticket attacks and mentions detecting the Silver Ticket is possible only on the endpoint and involves examining TGS tickets for subtle signs of manipulation.
[20] introduces attacks against Active Directory and corresponding detection methods, including the Silver Tickets. However, these detection methods are only available in specific conditions.
[11] introduces protection methods against on-premise AD attacks, including the Silver Ticket. The authors say the Silver Ticket attack is difficult to detect since all attack activity is local to the endpoint, with no communication with the Domain Controller to indicate that an attack is underway.
[21] introduces attacks against Windows based on MITER ATT&CK and corresponding security features of Windows. However, they do not mention the Silver Ticket.
Microsoft released the Azure security best practice. However, these best practices do not describe how to protect and detect the silver ticket attacks against Azure [22] [23].
[20], [24-26] introduces attack methods and detection methods leveraging ADFS called “Golden SAML attack” observed in SolarWinds. Golden SAML is a common attack method against hybrid environments in addition to the Silver Ticket, our research does not focus on Golden SAML attack since the detection method is already published.
[27] introduces attack methods against Azure AD, such as leveraging PHS, password spray, the Silver Tickets. However, they do not mention detection methods for the Silver Ticket.
The Silver Ticket attacks can be a big threat for both on-premise and hybrid environments. However, as mentioned in the section 3, none of the studies referred to have addressed the detection of Silver Tickets or have limited applicable conditions. Therefore, this study focuses on the detection of Silver Tickets. [20] proposes a method for detecting Silver Tickets using event logs, similar to this study. However, the detection is limited to older versions of attack tools and specific attack methods that can be bypassed. This proposal, while having prerequisites, suggests a method that can be applied under a broader range of conditions. This research focuses on the lifetime of authentication tickets and then proposes detection methods of the Silver Ticket attacks using Domain Controller event logs and Azure AD logs that are useful for hybrid SSSO AD environments.
To realize our proposed method, we change the Domain Controller settings to reduce the Service Ticket expiration time from the default 600 minutes to 10 minutes. Under these settings, we found a new Service Ticket always requested by the Domain Controller each time, regardless of the remaining Service Ticket expiration time. This behavior is not mentioned in Microsoft's official white paper. We confirmed Service Ticket requests for SSSO, PsExec, and wmic are always issued from the Domain Controller by evaluations in several testbeds. Under the above configurations, the proposed method detects the Silver Ticket attacks by finding accesses without corresponding the Service Ticket requests. This method is intended for implementation in relatively small organizations (with about several dozen accounts).
The prerequisites for this method are as follows:
To modify the expiration of a Service Ticket, the following steps need to be followed:
The proposed method uses the Domain Controller's Event logs. Activities that occurred in the Windows system, such as authentication requests and process executions, are recorded as Event logs on the computer. The Event logs are a built-in Windows logging system and are divided into several categories, each of which has a unique Event ID. In the AD environment, logs related to authentication are uniformly recorded in the Domain Controller's Event logs. Table 1 shows the Event logs required to realize our proposed method. In this study the logs are transferred to the Elastic Stack to analyze logs in timely manner.
We propose the detection method for a hybrid environment based on Attack Scenario 1 shown in 2.3.1, and the method for an on-premise environment based on Attack Scenario 2 shown in 2.3.2.
In this scenario, we presume that Azure Portal and Microsoft 365 Portal are compromised using the Silver Tickets. If the Service Ticket expiration time is set to 10 minutes, our proposed method for the SSSO environment enables highly accurate detection of Silver Ticket abuse.
When a user accesses Azure services using a web browser by SSSO, the access is recorded in Azure Sign-in logs. At almost the same time, Event ID 4769 is always generated in the Domain Controller event log if the Service Ticket expiration time is 10 minutes. In the case of a Service Ticket using SSSO, the value of the service requester of Event ID 4769 is AZUREADSSOACC$.Therefore, if access from the same user is recorded in the Azure Sign-in logs and Event ID 4769, it is considered Azure access in legitimate operations.
Fig. 4 shows an overview of the detection logic.
Our proposed method for the on-premise environment can detect Silver Ticket abuse for services whose Service Tickets are issued every time per access when the Service Ticket expiration is 10 minutes.
There are many Windows services, in this study, we focus on detecting attacks against the Domain Controller using PsExec or wmic, which are commonly used by attacks against AD. Fig. 5 shows an overview of the detection logic.
When a user accesses a Domain Controller using PsExec or wmic, execution of the specific processes is recorded in the Domain Controller's Event logs. However, they are legitimate tools, so it was difficult to determine whether such accesses were due to legitimate operations or the Silver Ticket's abuse. By combining the following decision logic, the Silver Ticket attacks using PsExec or wmic can be detected.
To realize our proposed method, we constructed a detection system as shown in Fig. 6. Event Logs are stored in Elastic Stack. The Azure Sign-in logs are stored in the Azure AD environment and fetch the logs using an API called “Microsoft Graph.” Our custom Python program periodically compares the Event Logs and the Azure Sign-in logs to detect Silver Ticket abuse.
In this system, logs are polled periodically to review past logs. In this validation environment, polling occurs every 15 minutes, and the behavior is set to check logs from the past hour. Although the evaluation is set to poll every 15 minutes, the polling interval could be shortened if faster detection is desired. The reason for setting the log review and matching period longer than the polling cycle is that there is an average delay of about 5 minutes (99th percentile) before events occurring in Azure are logged [28]. By retrieving logs over a period longer than this delay, we ensure the logs are definitely reviewed and matched. Additionally, event logs stored on the Domain Controller are typically transferred to Elastic Stack immediately, with delays of a few seconds at most. Since this delay is significantly shorter than the time it takes for events in Azure to be logged, transfer delays to Elastic Stack are not considered in this validation.
In this section, we will describe not only the evaluation environment and detection results, but also consider resource consumption and false detection.
Table 4 shows OS and hardware specification for the evaluation.
The evaluation environment is a hybrid environment of on-premise AD and Azure. There are 17 unique users, with each individual assigned one account and one computer. The evaluation period is from January 12th, 2023, to March 31st, 2023. All users used Azure services several times.
In this evaluation, we carried out the following attacks using the Silver Ticket ten times respectively at random times, all of which were successfully detected.
We also ran the tool in a real environment and found that neither False Positives nor False Negatives occurred. The detection rate is 100%. However, False Positives may occur depending on some conditions. The possibility of false detection is explained in section 5.5.
We evaluated the side effects on the Domain Controller's performance by changing the period of the Service Ticket. There was no significant difference in resource consumption due to differences in the Service Ticket validation period.
Table 5 shows the result when the period of the Service Ticket was 600 minutes. We calculated the average of memory and CPU usage of the Domain Controller from January 23rd, 2023, to January 25th, 2023.
Table 6 shows the result when the period of the Service Ticket was 10 minutes. We calculated the average memory and CPU usage of the Domain Controller from January 26th, 2023, to January 31st, 2023.
When transferring logs to Azure Sign-in logs with an average delay of 5 minutes and polling every 15 minutes, the attack can be detected at most 20 minutes later. In addition, the time taken by tools to search and process the logs must be considered. In this evaluation environment, the proposed method searches logs for the past an hour, and evaluations are conducted at the most concentrated access times between January 12th and March 31st, 2023. For the number of matches that fit the criteria of the proposed method, Event ID 4769 had about 80 hits, Event ID 4688 had 1 hit, and the total number of accesses to the Azure Portal and Microsoft 365 Portal was 10 in one hour. Therefore, the detection tools completed processing in about 2–3 seconds.
Through the evaluation, the detection rate was 100%. However, False Positives may occur depending on the timing of user operations. The conditions under which False Positives and negatives may occur are described in Table 7.
In Attack Scenario 1, the proposed method judges access as legitimate if the corresponding Service Ticket for AZUREADSSOACC$ is issued. Attackers can actively request a Service Ticket with the account AZUREADSSOACC$ to bypass the detection logic. However, there is no advantage for attackers since they should intrude the on-premise AD environment to bypass. That could be cause of leaving extra traces [29]. One of the advantages of the Silver Ticket is attackers can access the Azure service without intruding the on-premise AD environment. Therefore, this bypass is not reasonable for attackers.
In Attack Scenario 2, the proposed method judges access as legitimate if the corresponding Service Ticket is issued by the Domain Controller computer account. However, in Scenario 2, the attacker's goal is to compromise the on-premise environment, so it is more likely that the attackers have already intruded on the target network. If the attackers are able to compromise the user's terminal again and intentionally request the Service Ticket to the Domain Controller to generate Event ID 4769, it is theoretically possible to induce a False Negative.
If the user logs in with the password, the Domain Controller will not generate Event ID 4769. This behavior triggers our detection logic. In other words, a False Positive occurs. However, if legitimate users always use the Service Ticket, they do not enter their password as an operational rules, the False Positive do not occur. If the operational rules are followed, this behavior could be an advantage rather than a False Positive. Azure is a cloud service, so basically, any user who knows the credentials can log in to the Azure services even their computer is not under the control of their organization. If attackers compromise the target network and obtain the domain users' credentials, attackers access the Azure services with domain users' credentials, but their activity would be detected. It is possible to manage computers using Microsoft Intune and restrict access using conditional access. For example, conditional access restricts only domain-joined computers when the “Require Domain Joined Device” option is enabled. Microsoft Intune and conditional access are included in the Azure AD Premium P1 (renamed to Microsoft Entra ID P1 on October 1, 2023) and Azure AD Premium P2 (renamed to Microsoft Entra ID P2 on October 1, 2023), but they are a paid license [30]. Our proposed method can be used to detect when a computer has not joined the Active Directory domain, even if the organization does not have such a paid license. It is expected that more and more users will access the organization's internal network and Azure services from their homes for remote work [31]. It is important to strict computers to access Azure services only domain joined computers.
When legitimate administrators access the Domain Controller by PsExec with -u (specify the user name) and -p (specify the password) options, False Positives occur. This is because if PsExec is used with the -u and -p option, Event ID 4769 would not be generated because the Domain Controller would not receive a Service Ticket request. In that case, inquiry for the administrators is required to judge the False Positives.
When applying this method, a Service Ticket is requested each time. Consequently, if the Domain Controller is inaccessible, it can lead to False Positives or affect the use of services that support SSSO or Kerberos authentication. However, if SSSO is unavailable, it is possible to access Azure services by entering a password. Furthermore, many Windows services can authenticate using NTLM if Kerberos authentication is unavailable [32], providing an operational contingency when NTLM is available. To assess the impact, this study accessed a Windows File Server with the Domain Controller shut down. During this test, NTLM authentication occurred in place of Kerberos authentication (Service Ticket request), confirming successful access to the file server. However, Microsoft announced a plan in 2023 to phase out NTLM authentication gradually [33]. Consequently, if NTLM authentication is eventually discontinued, services may become inaccessible when Kerberos authentication fails and cannot fallback to NTLM.
Next, we consider the operational impact of False Positives. The primary reasons for inaccessible Domain Controllers include:
For (1), it is possible to precisely identify the cause of False Positives. For (2), as mentioned in subsection 5.5.3, it implies that computers not authenticated are using Azure services, which can also serve as a means to detect undesirable security events.
We assume that the organization has a significantly larger number of users and accounts. Initially 17 accounts during evaluation, we virtually scaled up tenfold to 170 accounts for the test. As we mentioned in section 5.4, Event ID 4769 had about 80 hits, Event ID 4688 had 1 hit, and the total number of accesses to the Azure Portal and Microsoft 365 Portal was 10 at the most. We also assume each logs scaled up ten times, for Elasticsearch, the search time for Event ID 4769 was 800 hits, for Event ID 4688 it was 10 hits, and for Azure Sign-in logs it was 100 hits. Even when logs were intentionally increased to test the tool, the processing completed in about 10 seconds. It is believed that the search time did not simply increase tenfold compared to the results in section 5.4 due to overheads such as loading libraries.
Thus, depending on the scale, the attack can be detected in a maximum of 20 minutes and a few seconds. This method takes about 20 minutes to detect an attack. In targeted attacks, perpetrators tend to infiltrate for long periods, with some remaining undetected for over a year [34]. Although it depends on the attacker's ultimate goal, if misuse of PsExec or breaches into Azure are mid-attack stages, being able to detect an attack within 20 minutes could significantly obstruct the attacker's final objectives.
In this research, we evaluated with 17 accounts. Considering that it would be implemented in real-world scenarios with significantly larger account numbers, we deliberately increased the number of accesses and conducted load testing. The implementation of this proposed method results in the greatest increase in load due to requests for Service Tickets to the Domain Controller. The number of TGT requests, the number of accesses to Azure services do not change with the implementation of this method. Therefore, we intentionally generated a large number of Service Ticket requests to measure the impact on the performance of the Domain Controller. The results are shown in Fig. 7. The x-axis represents the number of requests per minute, which we increased by approximately 100 req/min; specifically, at 98 req/min, 225 req/min, 313 req/min, 424 req/min, and 533 req/min. The y-axis shows CPU and memory usage. It is observed that resource consumption increases with the number of requests, although the increase is minimal. To investigate if this trend remains the same under constant high load conditions, the CPU was kept at constant loads of 50% and 80% using CPUSTRES.exe [35]. For memory, constant loads of 2048MB and 4096MB were maintained using Testlimit.exe [36]. In all scenarios―high CPU load, high memory load, and high loads on both CPU and memory―the trend of load increase due to the rising number of Service Ticket requests was consistent. Furthermore, there were no log loss in any case.
We measured how the log volume changed in the evaluation period (between January 12th and March 31st, 2023). With the application of the proposed method and the change of the Service Ticket validity period to 10 minutes, the number of outputs for Event ID 4769 increased approximately sevenfold and accounted for 16.5% of the total Event Log. Before the application of the proposed method, Event ID 4769 constituted only 2.8% of the total Event Log. Additionally, We intentionally increased the number of accesses to see the log volume changes. The number of log outputs increased proportionally with the number of accesses to the Domain Controller, while the volume of other Event IDs remained unchanged. However, the size of the logs on the disk did not increase in proportion to the number of log outputs due to compression [37]. In the load test, the size of the log on the disk for only Event ID 4769 was 68 KB with 98 req/min outputs. However, when the outputs ranged from 225 to 533 req/min, the log size was consistently 1092 KB. The specifics of this phenomenon have not been disclosed by Microsoft. However it may be due to compression [37]
In our verification environment, as previously mentioned, the number of accesses to the Azure Portal and Microsoft 365 Portal was at most 10 per hour, even during periods of highest activity. It is conceivable that organizations that more often use browser-based services such as Microsoft Outlook or Office. Therefore, we intentionally generated requests, resulting in a rate of 47 requests to Microsoft365 (https://login.microsoftonline.com) per minute. However, there were no occurrences of log losses in either the Windows Event ID 4769 or the Azure sign-in log, nor were there any false detections.
Even with Windows Server 2022 configured as the Domain Controller, it was possible to change the ticket expiration time to 10 minutes. Additionally, Windows 11 clients request a ticket each time they access Azure services, proving that this method is effective when the Domain Controller is Windows Server 2022 and even when clients operate on Windows 11.
Recently, a managed service known as Azure Active Directory Domain Services has become available, which implements some Domain Controller functionalities in the Azure environment, and its usage is expected to increase. Azure Active Directory Domain Services allows for domain joining and Group Policy management directly within the Azure environment. In this study, We install Active Directory administrative tools to manage the domain (this server is referred to as the Azure AD Domain Services Server). However, according to [38], “Azure AD Domain Services is not intended to completely replace existing on-premises Active Directory Domain Controllers. It facilitates the migration of on-premises servers that use traditional protocols such as Kerberos, NTLM, and LDAP to the cloud (Azure), and is meant to reduce the server management burden on organizations (Translated from Japanese by authors.)” Even if Azure Active Directory Domain Services is implemented, it is not recommended to replace on-premises Domain Controllers entirely with Azure AD Domain Services Servers in Azure [38]. Therefore, the on-premises Domain Controller continues to exist within the organization's network, and clients are authenticated through it, making the proposed method effective. Additionally, if the on-premises Domain Controller is compromised, it can lead to the creation of Silver Tickets, potentially compromising Azure Services as well, thus making Attack Scenario 1 valid. Although not recommended, if the on-premises Domain Controller were to be discontinued, attackers would need to steal the AZUREADSSOACC computer account from the Azure AD Domain Services Server to compromise. However, even if user accounts are synchronized from the on-premises Domain Controller, there is no AZUREADSSOACC computer account on the Azure AD Domain Services Server. thereby Attackers can not continue with the attack scenario. However, as previously mentioned, discontinuing the on-premises Domain Controller is not recommended.
Once the on-premise AD environment is compromised, attackers abuse the Silver Ticket to spread the compromise not only to their on-premise environment but also to the Azure services. In this research, we propose a detection method, especially for attacking against the Azure environment, despite detecting the Silver Ticket is difficult. Our proposed methods are easy to implement and perform a high accuracy rate for detection without paid services, especially for the Azure services. This method allows for the identification of computers accessing Azure services without authenticating to the on-premises AD. Furthermore, our methods can also detect the Silver Ticket attack against an on-premise Domain Controller.
Wataru Matsuda joined NTT WEST, Ltd. in 2006. Now, he engages in research and analysis in NTT Social Informatics Laboratories. He is also currently a Ph.D. student at the Department of Architecture, Civil Engineering and Industrial Management Engineering, Nagoya Institute of Technology, Japan.
Mariko Fujimoto is a security analyst at NEC Solution Innovators, Ltd., working on security diagnosis, penetration tests, etc. She is a concurrent Project Researcher at Toyo University and is engaged in research on the cyber security of Active Directory and education. She is also a Ph.D. at Nagoya Institute of Technology and is engaged in Industrial Control Systems cyber security.
Takuho Mitsunaga is an Associate Professor at Toyo University. He is also a senior fellow at The Tokyo Foundation for Policy Research and a security expert at Information-technology Promotion Agency in Japan. After completing his degree at Graduate School of Informatics, Kyoto University, he worked at the front line of incident handling and penetration testing at security organizations.
Kenji Watanabe is a professor at the Nagoya Institute of Technology, specializing in risk management, business continuity (BCM), and critical infrastructure protection (CIP). With nearly 20 years of experience in financial business and risk management, he has worked at Mizuho Bank, PwC, and IBM. He serves on governmental committees, including the Critical Infrastructure Protection Council, and leads Japan's delegation for ISO/TC292. Notably, he led the JICA-sponsored Area-BCM project in Thailand. He holds a PhD from Waseda University and an MBA from Southern Methodist University.
会員種別ごとに入会方法やサービスが異なりますので、該当する会員項目を参照してください。