Evaluating, Benchmarking and Creating a Strategy
By Justin Kohler, Director of BloodHound Enterprise, SpecterOps
Over 90% of the Fortune 1000 use Microsoft Active Directory (AD) for identity and access management. This ubiquity makes AD a prime target for attackers because compromising it almost always gives them the access they need to achieve their goals. Additionally, attackers can compromise AD easily by manipulating common errors in user identity and privilege.
Consider this scenario: An attacker gets an employee’s credentials through a phishing attack. That user is a member of the “Help Desk” security group in AD with a low level of privilege. But the Help Desk group has been nested inside another group that has privileges over a PCI server. Our hypothetical employee is not supposed to have control over that server, but the group nesting has given them privilege over it accidentally. That server also has a service account logged in, and it’s simple for an attacker to steal those credentials now that they have control over the server. That service account happens to have the “Add Member” privilege to the Domain Administrators group, so now the attackers can make themselves a domain admin. This chain of steps that allows an adversary to escalate privilege and move laterally through Active Directory is an example of an Identify Attack Path (referred to as “Attack Path” for the rest of this article). Multiple Attack Paths just like this exist in nearly every environment my colleagues and I examine.
Improving AD security to prevent these attacks requires IT Operations, Security Operations, and Identity and Access Management (IAM) teams to work together since each owns a portion of securing AD. A successful strategy must 1) be understandable and defensible to management, 2) give practical solutions that can realistically be implemented by AD administrators, 3) be measurable so that the organization can track progress over time, and 4) cannot require changes that greatly interfere with normal business operations.
How can this strategy be implemented? Let’s look at a practical, actionable approach to securing AD security with these four steps:
Step One: Define High-Value Assets
First, think like an adversary and focus on what they’ll focus on. Define the high-value assets in Active Directory that most attackers will target. A great place to start is the objects in Active Directory that enable full control over the domain. Commonly referred to as “Tier Zero” or “Control Plane” in Microsoft’s new Enterprise Access Model, these include the Domain, Enterprise, and Schema Admins, and Domain Controllers groups, plus the domain head object, and applicable group policies. Adversaries want to get privilege on these assets because they enable additional access required to accomplish their objectives. IT may also consider including other critical systems that would have a significant payoff for attackers, such as privileged access management (PAM) solutions.
Step Two: Map Attack Paths
Next, map out all of the ways an adversary could compromise those high-value assets. Unfortunately, AD’s interface and built-in tooling do not provide the necessary visibility to audit privilege effectively. This lack of visibility makes it very difficult to see users’ privileges, which groups they are members of, etc., which causes Attack Paths to build up over time. Surfacing these paths will require specialized tools like BloodHound (an open-source Attack Path mapping tool), which gives visibility into AD to map out how attackers can use misconfigurations to control high-value assets.
Step Three: Start with Critical Paths
An enterprise AD environment can easily have tens of thousands of potential Attack Paths. For an AD security plan to be practical, it must prioritize which ones to fix first. Without the ability to measure the exact risk of each path in your environment, two manageable areas present a significant risk to any environment. 1) attack paths from large groups in the environment to critical assets and 2) Kerberoastable critical assets. Here is a full explanation of how to find and fix these specific issues.
These two areas represent a significant risk because each may be executed by effectively any member of the organization through the use or abuse of AD configurations. Another area the security or IAM team may consider reviewing is any permissions granted to the large default groups such as Domain Users, Authenticated Users, or Everyone. These permissions can create large beachheads for attackers to move laterally within the environment, even if they don’t grant full access through a critical asset.
Step Four: Develop Actionable Remediations
The final piece of the puzzle is to create clear remediation guidance that all teams can understand. AD administrators or IAM team members will likely implement any changes to AD. They have different priorities than the security team, and they’re under extreme pressure to maintain the backbone of the enterprise. Therefore, they need to consider how any changes to AD will affect the user’s ability to do their jobs.
That means any remediation recommendations need to clearly explain what the AD admins should do, the side effects of the change, and how the fix will affect overall risk exposure. This lets AD admins, executives, and management make informed decisions about executing the change. For example, remediation could break legacy application functionality. As a result, the change may need to be logged for a substantial amount of time before the organization feels confident that it won’t cripple a critical business function.
Active Directory has existed for over 20 years. Unfortunately, 20 years without visibility into how privileges are applied leads to seemingly insurmountable challenges. To make real progress, teams must use other methods to evaluate their AD environment, measure risk, and give practical, actionable guidance for fixing problems. Any plan that can account for all these elements will be a massive step towards a more secure AD environment for everyone.
About the Author
Justin Kohler is the director for the BloodHound Enterprise product line at security consulting company SpecterOps. He is an operations expert who has over a decade of experience in project and program development. After beginning his career in the US Air Force, he worked for several consulting firms focused on process and workflow optimization and held positions at Microsoft and Gigamon. He enjoys building and leading teams focused on customer delivery at Fortune 500 companies.
Justin can be reached online at @JustinKohler10 and at our company website https://specterops.io/