Cloud Summit: Protect Hybrid Active Directory from cyber threads, track attacks and recover easily in case of disaster

Protect Hybrid Active Directory
from cyber threads,
track attacks and recover easily
in case of disaster
Ragnar Heil
Microsoft MVP
Channel Account Manager, Quest

Where Next Meets Now.
Ragnar Heil
ragnar.heil@quest.com
www.linkedin.com/in/ragnarheil
ragnarh
https://ragnarheil.de

Active Directory attack paths
If an adversary owns Active Directory, they own the enterprise
AD is the adversary’s favorite target – 25 BILLION attempted attacks on Azure AD
accounts in 2021
Constant change combined with user behavior creates more attack paths daily
Finding an attack path is virtually guaranteed

• Defenders think in lists
– Listing thousands of generic configuration issues
solves nothing
• Attackers think in graphs
– Which makes it much easier to find effective attack
paths
Active Directory attack paths

An Attack Path
Member Of Member Of Local Admin Has Session Add Member
DAVID HELPDESK PAYMENT-01
TIER TWO SUPPORT SVC_PAYADMIN DOMAIN ADMINS
A user was
phished.
The user
was a
member of
a group..
…which was a
member of
another
group…
…which had
local admin
privileges over
a system.
A high privilege
service account was
logged on to that
system.
The attackers stole
that service
account’s password.
That service account
had the “Add
Members” privilege
on the Domain
Admins group.

SpecterOps
BloodHound Enterprise

There are many paths

…many, many paths
https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains/

• It is impossible to effectively view/audit privilege in AD and answer
the question:
“How many users have administrator rights on this computer?”
Why does this happen?
The Windows command line similarly lists just the principals that directly belong to
the local admins group on a computer

Group nesting
In reality, a computer can have hundreds, thousands, even tens of thousands
of administrators thanks to nested security groups.
Above, we can see that, thanks to security group nesting, 7 users have admin
rights on the computer — not just 4.

• Random users with ownership of Domain Controllers
• AUTHENTICATED USERS group with full control over the domain
head
• WORKSTATION ADMINS with local admin on Servers
• Kerberoastable Domain Admin accounts with 7-character
passwords set in 2008
• DOMAIN USERS group in the RDP Users group on Domain
Controllers
….and millions more
20 years of AD has accumulated misconfiguration debt

Top-down adversary view from Critical Assets
Map every Attack Path using every
misconfiguration, every relationship

Identify and quantify exposure Choke Points
37%
11%
92%

Identify and quantify exposure Choke Points
37%
11%

Continuously maps all attack
paths in Active Directory
Provides precise, practical
remediation guidance
Prioritizes and quantifies
attack path choke points
Monitors and measures
improved security posture

Continuous attack path mapping
• Continuously charts every relationship and connection
• Reveals full understanding of real permissions
• Exposes new and existing
hidden attack paths

Attack path choke point prioritization
• Identifies the optimal location to block the largest number of pathways
• Ranks these finite set of choke
points by collective risk reduction
• Minimizes remediation efforts and
eliminating misconfiguration debt
cleanup

Real-world remediation guidance
• Delivers practical remediations without drastic changes to AD or
negative impact
• Provides precise and
comprehensive guidance to ensure
attack path elimination
• Furnishes instructions on how to
validate privileges being removed
are not required

Charts security posture improvement
• Establishes a baseline of AD, identifying each attack path and the risk of
any given point on the attack path
• Measures continuously as changes
to Active Directory are made,
reassessing risk
• As choke points are eliminated,
significant security posture
improvements are observed

Quest & SpecterOps
Better Together

Assets, policies, vulnerabilities & risk
Identify
Limit the impact of a cybersecurity event
Protect
Continually monitor for anomalies
Detect
Take appropriate action
Respond
Restore impaired services or capabilities
Recover
Hybrid AD cyber resilience lifecycle
Quest solutions based on NIST core principles

+Recovery Manager DRE / On Demand Recovery
Recover
Change Auditor / GPOADmin
Protect
+IT Security Search
Respond
On Demand Audit Hybrid Suite
Detect
SpecterOps BloodHound Enterprise
Identify
Hybrid AD cyber resilience lifecycle
Improve response time and resilience during & after attacks

BloodHound / Quest AD Security Suites
AD CYBER RESILIENCY SUITE
AD RISK PROTECTION
SUITE
AD RISK ASSESSMENT SUITE
HYBRID AD CYBER
RESILIENCY SUITE
BLOODHOUND ENTERPRISE
ON DEMAND AUDIT FOR AD
CHANGE AUDITOR FOR AD
CA FOR LOGON ACTIVITY
GPOADMIN
RECOVERY MANAGER DRE
ON DEMAND RECOVERY
GPOADMIN
RECOVERY MANAGER DRE
GPOADMIN
per managed person / year per managed person / year per managed person / year per managed person / year

Microsoft cloud
auditing
Dashboard that analyzes millions of events and summarizes in interactive
visualizations
Automated detection of anomalous spikes in suspicious tenant activity
Tracking of security related trends such as account lockouts and risk events
Combine on-prem AD and authentications with cloud activity into a single view of
your hybrid environment
Email alerts on critical audit activities
Built-in searches to detect common security related activities an administrator
should monitor
Normalized event format for every cloud change, that matches on-prem changes
as well (5 W’s + before/after values)
Quest vs. Microsoft cloud auditing

Microsoft cloud
auditing
Granular role-based access (RBAC) to the audit data
Search by any event field including the target object, activity details, specific
attributes and before and after values
Combine multiple search criteria into a single search
Google-like search for any value across all workloads and audit fields
Responsive search builder with immediate feedback on your search criteria
Pivot to related search on any event (e.g. show me everything else this user/actor
has done)
Store audit data for a minimum of 3 years, and up to 10 years, based on
subscription type*
Quest vs. Microsoft cloud auditing
*Azure AD events are stored by Microsoft for a max of 90 days (with a Premium 2 license) and Office 365 events for a max of 1 year (with an E5 license)

Securing your AD attack paths
• Assess and map all AD attack paths
• Prioritize choke points to eliminate
most critical attack paths
• Continuously scan and measure
improvements to security posture
BloodHound Enterprise
• Continually validate GPOs through
automated attestation
• Roll-back to an approved configuration in the
case of unapproved GPO changes
• Remove critical attack paths by securing
GPOs and GPO change workflows
GPOADmin
• Audit all security changes across your
AD and Azure AD environments
• Monitor AD in real-time for active
attacks and IOCs
• Block attackers from leveraging critical
attack vectors
Change Auditor
• Quickly recover domains or entire AD forests
from an attack
• Restore unwanted changes to any object
including users, GPOs and AD configuration
• Roll-back AD when remediation changes
have unintended consequences
Recovery Manager

Cloud Summit: Protect Hybrid Active Directory from cyber threads, track attacks and recover easily in case of disaster

Recommended

Recommended

More Related Content

Similar to Cloud Summit: Protect Hybrid Active Directory from cyber threads, track attacks and recover easily in case of disaster

Similar to Cloud Summit: Protect Hybrid Active Directory from cyber threads, track attacks and recover easily in case of disaster (20)

More from Ragnar Heil

More from Ragnar Heil (10)

Recently uploaded

Recently uploaded (20)

Cloud Summit: Protect Hybrid Active Directory from cyber threads, track attacks and recover easily in case of disaster