Cloud Summit, Mainz Frankfurt 27.09.2022: Protect Hybrid Active Directory from cyber threats, track attacks and recover easily in case of disaster with SpecterOps Bloodhound and Quest Software
Cloud Summit: Protect Hybrid Active Directory from cyber threats, track attacks and recover easily in case of disaster
1. Protect Hybrid Active Directory from cyber threats, track attacks and recover easily in case of disaster
Ragnar Heil
Microsoft MVP
Channel Account Manager, Quest
2. Where Next Meets Now.
Ragnar Heil
ragnar.heil@quest.com
www.linkedin.com/in/ragnarheil
ragnarh
https://ragnarheil.de
3. Where Next Meets Now.
Active Directory attack paths
If an adversary owns Active Directory, they own the enterprise
AD is the adversary’s favorite target – 25 BILLION attempted attacks on Azure AD accounts in 2021
Constant change combined with user behavior creates more attack paths daily
Finding an attack path is virtually guaranteed
4. Where Next Meets Now.
• Defenders think in lists
– Listing thousands of generic configuration issues solves nothing
• Attackers think in graphs
– Which makes it much easier to find effective attack paths
Active Directory attack paths
5. Where Next Meets Now.
An Attack Path
(Diagram: DAVID -[Member Of]-> HELPDESK -[Member Of]-> TIER TWO SUPPORT -[Local Admin]-> PAYMENT-01 -[Has Session]-> SVC_PAYADMIN -[Add Member]-> DOMAIN ADMINS)
A user was phished. The user was a member of a group… which was a member of another group… which had local admin privileges over a system. A high privilege service account was logged on to that system. The attackers stole that service account’s password. That service account had the “Add Members” privilege on the Domain Admins group.
6. Where Next Meets Now.
SpecterOps
BloodHound Enterprise
8. Where Next Meets Now.
…many, many paths
https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains/
9. Where Next Meets Now.
• It is impossible to effectively view/audit privilege in AD and answer the question: “How many users have administrator rights on this computer?”
Why does this happen?
The Windows command line similarly lists just the principals that directly belong to the local admins group on a computer
10. Where Next Meets Now.
Group nesting
In reality, a computer can have hundreds, thousands, even tens of thousands of administrators thanks to nested security groups.
Above, we can see that, thanks to security group nesting, 7 users have admin rights on the computer, not just 4.
11. Where Next Meets Now.
• Random users with ownership of Domain Controllers
• AUTHENTICATED USERS group with full control over the domain head
• WORKSTATION ADMINS with local admin on Servers
• Kerberoastable Domain Admin accounts with 7-character passwords set in 2008
• DOMAIN USERS group in the RDP Users group on Domain Controllers
…and millions more
20 years of AD has accumulated misconfiguration debt
12. Where Next Meets Now.
Top-down adversary view from Critical Assets
Map every Attack Path using every misconfiguration, every relationship
13. Where Next Meets Now.
Identify and quantify exposure: Choke Points (figure showing exposure percentages of 37%, 11% and 92%)
14. Where Next Meets Now.
Identify and quantify exposure: Choke Points (figure showing exposure percentages of 37% and 11%)
15. Where Next Meets Now.
Continuously maps all attack paths in Active Directory
Provides precise, practical remediation guidance
Prioritizes and quantifies attack path choke points
Monitors and measures improved security posture
16. Where Next Meets Now.
Continuous attack path mapping
• Continuously charts every relationship and connection
• Reveals full understanding of real permissions
• Exposes new and existing hidden attack paths
17. Where Next Meets Now.
Attack path choke point prioritization
• Identifies the optimal location to block the largest number of pathways
• Ranks this finite set of choke points by collective risk reduction
• Minimizes remediation effort and the cleanup of misconfiguration debt
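The attack-path chain from slide 5, the nested-group admin count from slide 10 and the choke-point ranking described above, worked through on a small constructed graph. This is an added example, not BloodHound's code or data: every principal, computer and edge below is assumed for illustration.

```python
from collections import Counter

# Constructed toy graph (added example, not BloodHound data) modelling the slide's path
# DAVID -> HELPDESK -> TIER TWO SUPPORT -> PAYMENT-01 -> SVC_PAYADMIN -> DOMAIN ADMINS,
# plus extra nested groups so PAYMENT-01 shows 4 direct admin entries but 7 effective admins.
EDGES = [
    ("DAVID", "MemberOf", "HELPDESK"), ("ALICE", "MemberOf", "HELPDESK"),
    ("HELPDESK", "MemberOf", "TIER TWO SUPPORT"), ("BOB", "MemberOf", "TIER TWO SUPPORT"),
    ("CAROL", "MemberOf", "SERVER OPS"), ("GRACE", "MemberOf", "SERVER OPS"),
    # direct entries in PAYMENT-01's local Administrators group: 4 principals
    ("TIER TWO SUPPORT", "AdminTo", "PAYMENT-01"), ("SERVER OPS", "AdminTo", "PAYMENT-01"),
    ("ERIN", "AdminTo", "PAYMENT-01"), ("FRANK", "AdminTo", "PAYMENT-01"),
    ("PAYMENT-01", "HasSession", "SVC_PAYADMIN"),    # privileged account logged on there
    ("SVC_PAYADMIN", "AddMember", "DOMAIN ADMINS"),  # the dangerous ACL right
]
USERS = {"DAVID", "ALICE", "BOB", "CAROL", "GRACE", "ERIN", "FRANK", "SVC_PAYADMIN"}

def direct_admins(computer):
    """What a plain local-group listing shows: direct entries only, groups unexpanded."""
    return {src for src, kind, dst in EDGES if kind == "AdminTo" and dst == computer}

def expand(principal):
    """Resolve a principal to the users it represents by following nested MemberOf edges."""
    if principal in USERS:
        return {principal}
    return set().union(*(expand(s) for s, k, d in EDGES if k == "MemberOf" and d == principal))

def effective_admins(computer):
    """Every user who ends up with local admin on the computer through group nesting."""
    return set().union(*(expand(p) for p in direct_admins(computer)))

def attack_paths(start, target, visited=()):
    """Enumerate every simple path from start to target as a list of edges (DFS, all edge kinds)."""
    if start == target:
        return [[]]
    paths = []
    for edge in EDGES:
        src, _, dst = edge
        if src == start and dst not in visited:
            paths += [[edge] + rest for rest in attack_paths(dst, target, visited + (start,))]
    return paths

def choke_points(target):
    """Rank edges by how many user->target paths cross them: the top edge is the choke point
    where a single remediation removes the most paths. Returns (ranked list, total paths)."""
    hits, total = Counter(), 0
    for user in sorted(USERS):
        for path in attack_paths(user, target):
            total += 1
            hits.update(path)
    return [(edge, n, round(100 * n / total)) for edge, n in hits.most_common()], total
```

On this graph the single AddMember right of SVC_PAYADMIN sits on all eight paths to DOMAIN ADMINS, so removing it (or the session that exposes the account) is the highest-value fix, which is the ranking the choke-point slide describes.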
18. Where Next Meets Now.
Real-world remediation guidance
• Delivers practical remediations without drastic changes to AD or negative impact
• Provides precise and comprehensive guidance to ensure attack path elimination
• Furnishes instructions on how to validate that privileges being removed are not required
19. Where Next Meets Now.
Charts security posture improvement
• Establishes a baseline of AD, identifying each attack path and the risk of any given point on the attack path
• Measures continuously as changes to Active Directory are made, reassessing risk
• As choke points are eliminated, significant security posture improvements are observed
20. Where Next Meets Now.
Quest & SpecterOps
Better Together
21. Where Next Meets Now.
Hybrid AD cyber resilience lifecycle
Quest solutions based on NIST core principles
Identify – Assets, policies, vulnerabilities & risk
Protect – Limit the impact of a cybersecurity event
Detect – Continually monitor for anomalies
Respond – Take appropriate action
Recover – Restore impaired services or capabilities
22. Where Next Meets Now.
Hybrid AD cyber resilience lifecycle
Improve response time and resilience during & after attacks
Identify – SpecterOps BloodHound Enterprise
Protect – Change Auditor / GPOADmin
Detect – On Demand Audit Hybrid Suite
Respond – +IT Security Search
Recover – +Recovery Manager DRE / On Demand Recovery
23. Where Next Meets Now.
BloodHound / Quest AD Security Suites (each priced per managed person / year)
AD RISK ASSESSMENT SUITE: BLOODHOUND ENTERPRISE, ON DEMAND AUDIT FOR AD, CHANGE AUDITOR FOR AD, CA FOR LOGON ACTIVITY
AD RISK PROTECTION SUITE: BLOODHOUND ENTERPRISE, ON DEMAND AUDIT FOR AD, CHANGE AUDITOR FOR AD, CA FOR LOGON ACTIVITY, GPOADMIN
AD CYBER RESILIENCY SUITE: BLOODHOUND ENTERPRISE, ON DEMAND AUDIT FOR AD, CHANGE AUDITOR FOR AD, CA FOR LOGON ACTIVITY, GPOADMIN, RECOVERY MANAGER DRE
HYBRID AD CYBER RESILIENCY SUITE: BLOODHOUND ENTERPRISE, ON DEMAND AUDIT FOR AD, CHANGE AUDITOR FOR AD, CA FOR LOGON ACTIVITY, GPOADMIN, RECOVERY MANAGER DRE, ON DEMAND RECOVERY
24. Where Next Meets Now.
Quest vs. Microsoft cloud auditing (comparison table; capabilities listed for Quest)
Dashboard that analyzes millions of events and summarizes in interactive visualizations
Automated detection of anomalous spikes in suspicious tenant activity
Tracking of security related trends such as account lockouts and risk events
Combine on-prem AD and authentications with cloud activity into a single view of your hybrid environment
Email alerts on critical audit activities
Built-in searches to detect common security related activities an administrator should monitor
Normalized event format for every cloud change, that matches on-prem changes as well (5 W’s + before/after values)
25. Where Next Meets Now.
Quest vs. Microsoft cloud auditing (comparison table, continued)
Granular role-based access (RBAC) to the audit data
Search by any event field including the target object, activity details, specific attributes and before and after values
Combine multiple search criteria into a single search
Google-like search for any value across all workloads and audit fields
Responsive search builder with immediate feedback on your search criteria
Pivot to related search on any event (e.g. show me everything else this user/actor has done)
Store audit data for a minimum of 3 years, and up to 10 years, based on subscription type*
*Azure AD events are stored by Microsoft for a max of 90 days (with a Premium 2 license) and Office 365 events for a max of 1 year (with an E5 license)
26. Where Next Meets Now.
Securing your AD attack paths
BloodHound Enterprise
• Assess and map all AD attack paths
• Prioritize choke points to eliminate the most critical attack paths
• Continuously scan and measure improvements to security posture
GPOADmin
• Continually validate GPOs through automated attestation
• Roll back to an approved configuration in the case of unapproved GPO changes
• Remove critical attack paths by securing GPOs and GPO change workflows
Change Auditor
• Audit all security changes across your AD and Azure AD environments
• Monitor AD in real time for active attacks and IOCs
• Block attackers from leveraging critical attack vectors
Recovery Manager
• Quickly recover domains or entire AD forests from an attack
• Restore unwanted changes to any object including users, GPOs and AD configuration
• Roll back AD when remediation changes have unintended consequences