Ran Harel

After announcing Forest Druid, our free Tier 0 attack path discovery tool, at Black Hat 2022, we’ve used it to help some of the largest organizations in the world close off attack paths to Tier 0 Active Directory assets. Our work with these organizations has validated that defenders can save time by focusing on low-hanging fruit for remediation, accelerating the process of closing backdoors into AD. (If you’re curious about how Forest Druid works, check out this Forest Druid video demo, review the online user guide, or download the Forest Druid software.)

Active Directory is a complex system with numerous configurable settings, making it notoriously hard to secure. Design flaws, operational mistakes, and misconfigurations accumulate over time, exposing AD to a spectrum of attacks. For years, attackers have had the upper hand in identifying privilege escalation paths to AD, because countless attack paths lead there. Defenders facing the challenge of combing through those thousands of attack paths are likely to miss some risky violations.

Forest Druid is the second in our arsenal of Active Directory community security tools, joining Purple Knight, an AD security assessment tool used by more than 10,000 organizations. Whereas Purple Knight scans for indicators of exposure (IOEs) and indicators of compromise (IOCs) and provides an overall security score, Forest Druid focuses on attack paths that lead to critical Tier 0 assets. Check out the video interview below for some insights we shared at Black Hat USA 2022 about the origin of Forest Druid and our vision for its evolution. 

Identify the true Tier 0 perimeter

One of the problems with traditional attack path management methods is that organizations often don’t have an accurate definition of their Tier 0 assets, and current tools don’t help to define those assets. It’s hard to defend resources that aren’t defined.  

Forest Druid uses an iterative process to clearly define Tier 0 assets. In every iteration, all the control relationships that originate in a node outside of Tier 0 and reach a node inside Tier 0 in a single hop are analyzed to determine whether the originating node should be added to Tier 0 or whether it violates the security model and should be removed. The process concludes after an iteration that shows no additional relationships to Tier 0, thus establishing your privileged-defined perimeter.  
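The iteration described above is a fixed-point computation over a control-relationship graph. The following Python script is an added example and is not Forest Druid's code: the edge list, the set of edge types treated as "control", and the policy function that decides whether a controlling node is an expected Tier 0 member are constructed assumptions for illustration. Each pass looks only at single-hop control edges into the current Tier 0 set, grows the set with nodes the policy accepts, records every other edge as a violation to remediate, and stops when a pass adds nothing.

```python
"""Iterative Tier 0 perimeter discovery (added example, not Forest Druid code)."""
from collections import defaultdict

# Constructed sample of control relationships: (source, edge_type, target),
# read as "source controls target". All names are made up for this example.
SAMPLE_EDGES = [
    ("Domain Admins", "AdminTo", "DC01"),
    ("Enterprise Admins", "GenericAll", "Domain Admins"),
    ("T0-Admins", "MemberOf", "Domain Admins"),
    ("alice", "MemberOf", "T0-Admins"),
    ("helpdesk", "ResetPassword", "alice"),     # helpdesk can reset a Tier 0 admin's password
    ("GPO-Servers", "GPLink", "DC01"),          # a general server GPO is linked to a DC
    ("svc-backup", "WriteDacl", "GPO-Servers"), # second hop; only reached if GPO-Servers joins Tier 0
    ("bob", "MemberOf", "helpdesk"),            # second hop behind a violation, never expanded
    ("marketing", "GenericRead", "DC01"),       # read-only right: not a control relationship
]

# Assumed set of edge types that confer control over the target.
CONTROL_EDGE_TYPES = {"MemberOf", "AdminTo", "GenericAll", "WriteDacl",
                      "ResetPassword", "GPLink", "Owns", "WriteOwner"}

# Assumed organisational policy: principals that are supposed to be Tier 0.
EXPECTED_TIER0 = {"Enterprise Admins", "T0-Admins", "alice"}


def sample_policy(node, edge_type, target):
    """Decide whether a node controlling a Tier 0 asset belongs in Tier 0."""
    return node in EXPECTED_TIER0


def build_inbound_index(edges):
    """Map target -> [(source, edge_type)] for control edges only."""
    inbound = defaultdict(list)
    for src, etype, dst in edges:
        if etype in CONTROL_EDGE_TYPES:
            inbound[dst].append((src, etype))
    return inbound


def discover_tier0(edges, seed_tier0, is_expected):
    """Return (tier0_set, violations, iterations).

    seed_tier0: assets already known to be Tier 0 (DCs, built-in admin groups).
    is_expected(node, edge_type, target) -> bool: True adds the node to Tier 0;
    False records the edge as a violation of the tiering model to be removed.
    """
    inbound = build_inbound_index(edges)
    tier0 = set(seed_tier0)
    violations, seen = [], set()
    iterations = 0
    while True:
        iterations += 1
        added = set()
        # Only single-hop edges into the current perimeter are examined per pass.
        for target in sorted(tier0):
            for src, etype in inbound.get(target, []):
                if src in tier0:
                    continue
                if is_expected(src, etype, target):
                    added.add(src)
                elif (src, etype, target) not in seen:
                    seen.add((src, etype, target))
                    violations.append((src, etype, target))
        if not added:              # fixed point: no new relationships into Tier 0
            return tier0, violations, iterations
        tier0 |= added


if __name__ == "__main__":
    t0, bad, n = discover_tier0(SAMPLE_EDGES, {"DC01", "Domain Admins"}, sample_policy)
    print(f"Converged after {n} iterations")
    print("Tier 0 perimeter:", sorted(t0))
    for src, etype, dst in bad:
        print(f"VIOLATION: {src} --{etype}--> {dst}")
```

Nodes behind a violation (such as `bob` behind `helpdesk`) are deliberately not expanded: once the offending edge is removed, those nodes no longer reach Tier 0 in any number of hops, which is what keeps the remediation list short.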

Forest Druid accelerates attack path analysis by focusing on privileged access to Tier 0 from the inside-out, while other attack path discovery tools identify an extensive list of attack paths and chokepoints from the outside-in. Forest Druid automatically graphs relationships among Tier 0 assets, creating an independent source of truth for Tier 0 security that allows defenders to quickly eradicate the threat from AD and identify previously undisclosed domain persistence techniques.  

Save time and resources protecting Tier 0 assets

Rather than chasing down thousands of potential attack paths, defenders can save time by using Forest Druid to identify and address the most problematic security violations—the paths that lead directly to your most sensitive assets.  

To learn how Forest Druid works, check out this demo video, join the Purple Knight community discussion on Slack, and check out additional resources below. Or download Forest Druid now and start closing attack paths to your Tier 0 assets.

More resources