Let’s start with a little history lesson… Back in 2014, there were a series of articles calling for the dismantling and death of Active Directory (AD) for various reasons. Fast forward to 2018, and we made calls for its demise, or simply that companies should take their AD servers, throw them off the cliff and jump onto the cloud bandwagon of managed directory services and identity as a service…
Today, if you listen to some of the identity vendors out there, they’ll explain that AD is 20 years old and needs to be pensioned off and boiled down for glue sticks because they can take care of everything. And heck, who needs to deal with shared printers and all that minutia in the office? It’s ok, the cloud’s got it, and whatever that misses they’ll take care of, OR it’s no big deal.
Hmmm, reality check, please.
Firstly, yes, Active Directory has been with us for around 20 years, and it’s evolved, matured, and become multifaceted to be able to deal with a lot of the modern complexities that we’ve thrown at it. It’s not perfect, neither is anything else out there, but it’s able to work as part of a hybrid solution to take care of many of those cloud-related applications we’re all using.
Secondly, anyone who thinks that resources like printers will “just look after themselves” needs to get their head examined. As a hacker, printers are one of my favorite places to hang out, map the landscape, watch the office, harvest, collect, and exfiltrate data from… they’re great. Nobody likes putting antivirus on them, patching them, or even adding them to any network lockdown rules because they’re a pain in the arse to manage…meaning they’re akin to a front-row seat at the opera for anyone with an attacking mentality.
Thirdly, you’ve got to be out of your gourd if you think that what you have today can be taken away and handed to an identity management organization. Yes, a lot of what they do is excellent and supplements some of the AD architecture. It adds a layer and provides additional authentication mechanisms that AD simply doesn’t have. But, it’s sure as heck NOT going to manage all of your systems, architectures, shares, environments, and nuances within your enterprise.
Which neatly brings us to the “WHY” section…
As noted above in the 3rd point, Active Directory is complex and vast. It has more tentacles embedded in your enterprise than Cthulhu does on a good day–which means it’s got vulnerabilities and challenges. Some of these issues are due to how AD is set up, some down to management and how it’s evolved, and some simply because administering AD (I mean REALLY administering it)is a black art known only to a few good folks…most of whom have gone mad over the years.
All of this results in AD being a prime target for any adversary working on getting into your environment. At a quick count of various vulnerability databases, AD has enough that we’d need a group of friends to chip in fingers and toes to count how to break into it or exploit it. And poor LDAP has enough issues that it’s been seeing a therapist almost weekly since it came on the scene (nearly 600 ways to use LDAP to breach systems…and counting).
So, congratulations, at the center of your enterprise is a fantastic technological solution that manages all of your assets, users, systems, policies, profiles, and rights…yet is as leaky as a sieve and as vulnerable as a day-old foal.
What do you do? You surround it with a plethora of acronyms designed to protect and serve, yet as an adversary, I’m still going to get in. Heck, on average, I’m already in. I’m probably sitting in that printer, and I’ve been there for several months just watching…and you didn’t even know I was here. We’ve had this discussion before, but I’ll remind you. You can’t keep me out, no chance, nothing you buy, nothing you subscribe to or invest in will stop me from getting to first base on your (or in your) network. The challenge is, what do you do next?
IF you have the philosophy of “assume breach,” then you’ll already have some considerations. You’ll have run tabletop exercises. You’ll know your issues and challenges. You’ll have various technologies deployed to give you more proactive and preventative notices, which is where the folks at Semperis come in. AND it’s also the logic for why I’m hanging out with them and helping them understand a little more. (They already have a ton of information on how the adversary works… I’m just here for the really sneaky stuff…)
Taking a proactive approach…how about taking the concept of AD health, safety, and security monitoring tool…turning it up to 11 and releasing it to the community for free? Yeah, that’ll be something coming out soon for the researchers and geeks.
Taking the audit approach…how about we take the challenges of AD, map the attack vectors to the MITRE ATT&CK framework, and then help you understand how we mitigate those issues? Yea, that’s coming out soon and should keep audit and management happy.
Looking at the worst-case…when you DO get hit, how about we work out a recovery process to spend your time getting back on your feet NOT paying ransoms to faceless identities on the Internet? Yea, we got that covered… that’ll keep the geeks AND the insurance folks happy.
You get the idea. The team here is taking a proactive approach to things. They’re reaching out to the community to set up a research facility to foster knowledge sharing, and bringing a much-needed sense of collaboration to the conversations.
Hence, the logic for hanging out with them, they care.
‘all for now
Chris