Bad guys don't need no stinking tickets
If a bad guy has full control of your domain, they can modify your operating systems, domain controllers, and Active Directory -- forget running Mimikatz to forge a few Kerberos tickets. With that type of god-like modification control, why not modify all security checks to allow all access? Essentially, you already have it with domain admin privileges. The world is your oyster.
I have a hard time getting worked up about latest threat announcement because the golden ticket attack essentially says, "I have complete control of your forest. I'm omnipotent, and I will be doing this one specific attack."
Microsoft could fix all credential theft attacks and it wouldn't stop the attackers for a millisecond, not if they have domain admin privileges. Organizations should be more concerned about why they are letting the bad guys become domain admins so easily.
You want to make it hard for attackers to get domain admin status? Don't have any. The most secure companies in the world have zero permanent members of their highly elevated groups (domain admins, enterprise admins, schema admins, and so on). They also alert when anyone tries to add accounts to those groups. In normal operations, everything else is accomplished using task delegation and strict authentication, with time-limited use of elevated accounts.
There are ways to perform malicious acts without domain admin privileges, but the bar will be significantly higher for the bad guy.
Organizations like to complain about what the bad guys do once they have complete control over the environment. From here on I refuse to participate in whack-a-mole defense, helping my customers to protect against the latest supposed threats, only to have to create new defenses once the bad guy steps sideways a little.
Nope, I'm going to spend all my energies telling my customers the cold, hard truth: Stop the bad guys from getting access to your highly privileged accounts. Nothing else matters. That's the real gold.
Sign up for CIO Asia eNewsletters.