Today's threat actors are not just evolving - they are organizing. From ransomware gangs that imitate corporate structures to nation-state threats targeting critical infrastructure, security teams face a relentless wave of identity-based attacks. At the center of this onslaught is Active Directory (AD) - still the most common target for lateral movement and privilege escalation.
In this webcast, Semperis experts and guest speakers - including longtime Microsoft MVP Sean Deuby - discuss the real-world risks to organizations and the best practices for securing identity systems, accelerating recovery, and ensuring business continuity. Drawing on Semperis research into enterprise crisis readiness, critical infrastructure resilience, and ransomware timing trends, this session gives you the guidance you need to build resilience before attackers strike.
Hello, everyone. I’m Adrian Sanabria, host of the Enterprise Security Weekly podcast and founder of the Defenders Initiative. Welcome to this webcast sponsored by Semperis. I have two guests with me today, Sean Deuby, Principal Technologist at Semperis. How you doing, Sean? How you doing, Adrian? I’m doing great. We’re we just had a really great conversation about astronomy just before we started today. So. Yeah. And that conversation was started because, Jeff Wickman, Director of Incident Response at, Semperis, has a telescope behind him. And it turns out we all have telescopes. Yeah. How are you doing, Jeff? I am wonderful. It’s a happy Wednesday. Alright. Hopefully, you get some good use out of that telescope. We’re just, talking about what we do with ours or or don’t do with ours. Mine is about to get packed away somewhere. I haven’t pulled it out in a while. It’s too hot and humid in the summer. And then when the sky is crisp and clear, it’s super cold. So, you know, it’s tough to, tough to get some good use out of it. But for the audience, some quick, instruction before we get started here. You’ll notice four blue bubbles at the bottom of your screen. And the first one of those is the chat window. You can, ask questions there, or you can chat with other attendees, or you can just share your thoughts on things. I will be checking that throughout this webcast for any questions. And I would urge you to ask your questions when they occur to you, so that we can answer them within the context of the conversation before we’ve moved on to something else and the and the context changes. So I would not save your questions towards the end. I can’t always guarantee we’re gonna have time at the end. And then the other blue button I wanna direct your attention towards is the third one there. That is the handouts button, and you’ll notice we have three handouts in there. One is the Purple Knight Report, which we will be referencing a lot.
So if you wanna go ahead and grab that report, and, peruse through it as we have this conversation, maybe some of your questions will come from there. And then we also have The State of Enterprise Cyber Crisis Readiness and The State of Critical Infrastructure Resilience are the other two links there. So those are also reports, I have not had a chance to check out yet, but I have gone through the Purple Knight report, and I’m very excited to talk about Purple Knight and some of the insights there. So grab those handouts. I’ll remind you again before we end the webcast, that they’re there, and, you can grab them anytime. And with that, let’s jump into the conversation. So, Jeff, just to make sure the audience is on the same page with us, I wanna kick off, talking a bit about Active Directory identity infrastructure. Why are they such attractive targets for attackers? It’s easy. It’s the keys to the kingdom. It literally is. You think about it. Active Directory contains all of the users. It contains your critical assets, your high value targets, and your domain admins. I, as an attacker, if I can get to a domain admin account and take over, I own everything in your environment. I can deploy malware, steal any information I want. And we know attackers are constantly going after the privileged accounts. Yeah. It’s very true. For sure. Go ahead, Sean. Oh, I was just gonna say is, you know, if you attack identity, as Jeff says, you own everything. And that’s a combination of a high value target and a very, very easy target, at the same time. Absolutely. A technology that’s that’s literally a quarter of a century old. And most organizations have had it in place for some significant percentage of that time. And though, you know, it’s easy to rag on Active Directory for being insecure, it can be pretty secure. But of course, it wasn’t designed for the world we’re in now. 
But the other part is any system that you have that’s been in production for literally decades has got decades of hurried, less secure choices made for it. As any of us that have worked in IT know, people are always in a rush to get the new accounts, to get the new applications installed, to get the new groups created. They don’t care if you’re doing least privilege implementation to do it. Or even if you’re trying to do it and you can’t make it work, at some point, you’ve got a long list of things to do. People say, the hell with it, and over privilege it, Yeah. Creating more vulnerabilities. And on top of that, you think about all of the cases where years ago, someone deployed a piece of software, and that was what the vendor told them. Hey. We need admin credentials or we need this type of service account. No one really thought about it. No one put the security context. Nobody challenged them on it? No. Because, you know, that’s what the vendor said and that’s what the vendor knows. And we run into that all the time. Service accounts that just are over permissioned, it is just the easiest way for an attacker to get in. Jeff, when you when you talk to your clients, how often do you see, as I said, the fact that AD has been around as long as it’s been. Are you get, what I guess I would call second generation or maybe even third generation administrators that may recognize something as insecure, but they’re afraid to touch it. Oh, absolutely. All the time. Because no one wants to be that guy or gal who makes a change and brings down the entire environment. You know, it’s sensitive software. You know, it’s robust. It’s been around forever, but the pieces inside of it are you know, they’re they’re sensitive. You make the wrong configuration change. And we had a actually, we had someone who did this, I wanna say it was, like, a couple months ago. They wanted to change their encryption type.
They didn’t understand what that meant, but they went ahead and did it, and it did not work out well for them. Luckily, they had a backup of their forest so they could put it back in place, with the correct settings. But at the time, they were sweating bullets because literally everything stopped. That sounds like a career limiting move. Yeah. Well and, I mean, as we talk about the need to build resilience, we’ve got resilience right in the title of this. That’s a culture shift. We got to get away from the, we’re not in the business of changing things that ain’t broke. Right? Like that that’s how it’s been. You know? Like, if it ain’t broke, don’t touch it. You know? What what are you doing touching it? And, that’s just not gonna work anymore. You know, now, you know, we find the industry split where, you know, we’ve got the Netflixes of the world creating software just to break things in new and creative ways on purpose. Right? You know, so they can be prepared for every possible way that something could break. You know? So the idea of SREs and chaos engineering, versus we still have a lot of this old world, this, you know, it’s running, walk softly, don’t touch it. Don’t do anything. And, I mean, that’s great for, you know, now ransomware has has kinda moved its focus from just blindly encrypting data to, okay, where is this gonna hurt the most? You know, where can I impact operations? And you got a bunch of fragile systems everybody’s afraid to touch. That attacker is not afraid to touch it. Yeah. I agree. The great adjective I heard for that is brittle. Brittle applications. And certainly maintaining every keeping everything green in an on premises infrastructure is the diametric opposite of chaos engineering. Yeah. Yeah. And we we hear the term, fragility also. Like, there was a book on antifragile, that I think, kinda pushed the the term of fragility into the vernacular. 
But, you know, you you talk about the the chaos engineering and the resilience aspect of it. And, boy, it’s tough to be in IT and cybersecurity nowadays because it wasn’t so long ago, the whole world was, you know, as it was. Keep the lights green, change control, don’t touch anything, etcetera, etcetera. And then we’ve gone through this evolution, or we’ve been pushed to this evolution of going from don’t touch anything to, okay, we have found that bad guys are targeting lots of companies. Oh, I think we’re okay. Oh, they don’t want us. Oh, more and more it happens around them. Okay. We’re going to have to build out a practice to understand how to handle it. These are IT pros that have never had to do this before, so they have to learn how to do this. And then and now we’re moving towards, okay, just when you think you might get your arms around that, now we’re all about resilience. And how do you keep things up and accept that they’ll be down, but keep the business running? So this is rough. It is. It is. Yeah. I mean Oh, go ahead, Adrian. I’m answering a question for a journalist today. You know, it’s all about incident response and, DFIR. Forensics and incident response. And, you know, one of the questions was around, you know, how’s the the process change? You know, the the framework. And and I learned the typical preparation identification. Yeah. Containment, eradication, recovery, and then lessons learned. And one of the things that really changed there, like, that used to be a very linear process you would go through. Like, we, you know, back in the SANS five zero four days when I first got my my incident handling certification, you know, that’s how it was taught. That’s how we looked at it. You know? But these days with ransomware targeting operations, oftentimes, that recovery step, begins, the moment you do identification. So you’re doing containment. You’ve got one team doing containment, the other one trying to get the lights back on.
You’re not gonna wait for containment and eradication. In some cases, you don’t even know if you’ve successfully eradicated them, and you’re doing lessons learned. And you’re, you know, you’re gonna stop the investigation because you’ve already put in that best effort. Correct. And it’s more of a cyclical cycle now. You know, as you’re doing containment, you’re doing your investigation, you’re finding things, you’re doing lessons learned even then and then feeding that back in. I look at it from a perspective of when I was doing ransom negotiations previously. I was filling in the incident handlers and the, forensics analysts on where to look based on the discussions I was having with the attacker and things that, you know, the attacker may have left behind because of something I extracted from the attacker. And they would do the same for me, and I think that’s the whole incident response cycle. I don’t think it’s I don’t think it’s linear anymore. I think that you have to be able to do cycles, and you have to be able to adapt for sure. The complexity just keeps going up and up again in that spectrum that I’m talking about. Just so you think this I mean, making yourself a resilient organization is so complex. Yeah. Yeah. Yeah. And, you know, one of the things, I’m wanting to connect here is how readiness and resilience are are connected, when it comes to preparing for attacks and incident response process. Like I mentioned, that first stage is preparation. Right? Like, there’s so much in that. So I don’t know. Jeff, wait, who’s the incident response guy? Jeff, you’re the IR guy. Right? Yeah. Yeah. I guess both of you. Like, how do you think of both readiness and resilience? Are they the same thing, or is one the product of the other? I think they go hand in hand. I don’t think you can separate them really. So you know, as you are preparing, you’re getting things ready. The resilient side comes in when, you know, the doo doo hits the fan. 
You have to be able to recover quickly. You have to be able to prepare for things that you may have missed, may have not understood. You still have to be able to recover from that. The way I like to look at it is readiness is just being prepared, training for it. The resilient side is being able to adapt in the situation at hand. So if you have a ransomware attack, you can I mean, every organization out there can plan for a ransomware attack and be ready, for when it happens? But the moment it happens, the attackers are going to throw something in that’s a complete different loop that they have ever prepared for. Unless you have a lot of experience dealing with ransomware, you know, most organizations, they don’t. I mean, they struggle just with basic incident response. They’re not gonna be ready for what a, you know, a true attacker throws at them. Yeah. Yep. So readiness is, like, tone readiness is a component of resilience. Yeah. But you can’t you can’t have resilience without without readiness. Absolutely. Yeah. Yeah. Makes sense. Yeah. And it’s, what was I going to say? You can tell often in the public when somebody’s handling an incident just how prepared, like what that readiness level was in a lot of cases. Sometimes it takes a week or two before there’s even the company even admits that they’ve had an attack. Meanwhile, all their employees are on, Reddit talking about it. You know? Like like, we can see their website’s been down for weeks. The licensing check with the product, like we saw with whoever makes MATLAB, you know, that, like, that that was a big issue. Yeah. It’s, I think that’s even more reason to get that done because it becomes very visible very quickly if you’re not prepared. Absolutely. Absolutely. There was a there was actually a, a company up here in Wisconsin, just a couple months ago. They had a cyber event. They just said it was downtime. They didn’t say anything. But I think you’re a cell company, service was down for everybody. 
No one could use their cell phones. And it was just like, oh, no. This is a routine outage. It was like, we’re going on a month. This is this is not routine. Well, and for a telecom provider like that, there is a very critical window upon which everybody will just flee the provider and go to someplace else. Absolutely. Oh, yeah. That’s tier zero. If I’ve ever seen a tier zero application, like, there is no scheduled downtime or should be no scheduled downtime for Internet access. Yep. Well, the crazy part was with those, they couldn’t really transfer numbers so no one could keep their own number if they tried to move because their system was god. Yeah. It was Right. Hey. So the the number portability. Yeah. It was locked. Couldn’t do anything. What a mess, that’s an interesting come customer retention strategy. Uh-huh. I have some trauma for that. I used to do, Internet tech support was one of my first jobs for a company that was buying up, ISPs all throughout the southeast. And they bought up, nashville dot com, which had a BBS for many years. And, people loved having their nashville dot com email address. And then, they had a very convoluted system. They their billing system, the website hosting, the BBS was all on one system. This was not segregated out. It was all running off of one system. And, of course, you know, the company I’m working for comes through, fires all the admins, you know, all the people, drops in their, drops in their SunDNS, web, email, you know, like they have the same boxes. Every time they acquire an ISP, they come in, rip out their stuff, drop in this stuff. And, and that system went down. They could not get it back up and running. And, those folks went without email for, like, seven months or something like that before they finally resolved things. And, they lost ninety percent of the subscribers. So, yeah. That’ll do it. It happened back in nineteen ninety nine, two thousand, something like that. Very, very old story. 
But, but, yeah, you see it happen. So let’s, kind of pivot into Purple Knight, because I was not aware of this before preparing for this, this webcast. And I’m very excited to talk about it. And, so let’s start with, who’s the best to talk about what Purple Knight is? I’m happy to talk about it. Okay. Purple Knight is a free community tool from Semperis. And by free, I mean, it’s free. You can go to the Purple Knight download page is https://www.semperis.com/purple-knight/ And download it. And we don’t chase you down. We don’t have a subscription. You know, you may get a, you know, a curiosity contact from us, but it’s yours to use. And we have about forty five thousand downloads of Purple Knight so far. It’s an Active Directory, Entra ID, and Okta security assessment tool. It looks at the security surface of your AD, Entra ID, or Okta, and looks for indicators of exposure or indicators of compromise. Last check, it has a hundred and eighty five different security indicators from Purple Knight. It’s very easy to run. It doesn’t require any privileges in the domain. And it doesn’t even require any privileges on the client to run. What I would recommend, depending on where you are in the company, if you’re not in security, I would be sure to notify the SOC before you ran it because hopefully bells and whistles will go off. It’ll make some noise. Yeah. It does. Yeah. If you are in security, you might not wanna mention anything to the SOC to see if they do notice it. So, you know, there’s that. Good test. Yeah. Exactly. And we were very pleased last fall that, the Five Eyes Intelligence Alliance, which is the intelligence community of Australia, New Zealand, United States, Canada, and, the UK, they published about a seventy five page report called Detecting and Mitigating Active Directory Compromise. And it’s all about the risks that the importance of Active Directory and the risks that Active Directory can pose in the environment.
I highly recommend you read it just for the two page summary in the beginning. Because it’s coming from the highest authority, which this includes, CISA and NSA saying, you know, the importance of Active Directory and the risks posed to it. And one of the three assessment tools that they mentioned in this document is Purple Knight that they recommend for understanding your security vulnerabilities. So that’s pretty cool. Yeah. I just, signed up for it, downloaded it. So confirmed, that process is pretty smooth. And, I don’t have an AD environment up and running in my lab at the moment, but next time I fire up something there, I’m totally gonna check it out. The nice thing from the from the practitioner’s viewpoint, the people that are running at the IT pros or the security pros, is it doesn’t just tell you what went wrong or what doesn’t look good or whatever. It puts out this it’s about an eighty page report, depending on how many vulnerabilities you have. And it lists the most important critical vulnerabilities at the top. Well, at the top, it gives you an overall score, which is sort of what we’re talking about here today, some. And then it breaks it down into different categories and what those scores are. And then you can click on these. It’s an HTML report, and you can get it in other formats. And you can drill down into these vulnerabilities, and it will tell you what the vulnerability is, where it fits in the MITRE ATT&CK framework or the MITRE D3FEND framework or the ANSI framework. And not just tell you, hey. This is broken. It will give you guidance on how to fix it as well. But from a practitioner’s point of view and from the point of view of somebody that is like, man, we really need to improve our AD security. And management’s like, yeah. Okay. Well, I wanna spend money on this shiny thing rather than this twenty five year old thing that always works. Yeah. Until it doesn’t. Yeah. Until it doesn’t.
You know, it’s it’s so often we jokingly at Semperis, we we often jokingly say it’s, oh, yeah. It’s maintained by that one white haired bearded guy in the corner, and it’s always worked. So why should we worry about it? But it presents this very nice report that you can hand to management to say, look, these are the things that need to be fixed to make us more secure, and this is the order in which they need to be fixed. And by the way, oh, look at how lousy our score is and you thought we were great. Yeah. Yeah. I think that’s one of the interesting things coming out of the report here is, and we often seen cognitive dissonance in security where people think they’re doing great, but they don’t really have, like, a feeling is one thing, you know, but without, like, a good framework or benchmark, to assess yourself against, you don’t know how good that good feeling is. And oftentimes, it’s a failing grade according to Purple Knight, it seems like. So one of the things I wanted to ask, you know, there there are a lot of benchmarks out there, you know, CIS has benchmarks. Right? You know, but, the way those are designed, if you do a hundred percent of, like, level two CIS benchmarks, nothing works anymore. Right? Like, it’s kinda like the MITRE attack framework. It’s a list of everything you could possibly change that would impact security. It’s not intended to be a checklist of you do it all because, like like I said, you know, your system just doesn’t work anymore if if you do everything that that’s on there. So Purple Knight, is it something where, the goal is a hundred percent, or is it just above a certain level? Like, what what is the how is the score designed to be used? Well, I mean, we leave the we leave the goal of what you wanna get to up to you. But we don’t try to, you know, if you get a hundred percent, and I don’t know. I’ve never met anyone that had a hundred percent in Purple Knight. It’s not, you know, it’s not locked down completely tight. 
It is, it’s best practices to have a resilient working Active Directory, not the kind of thing that is, you know, only going to show up in a nuclear silo or something like that. So it is designed to be very practical, and real world focused on it. And, again, especially, this is, you know, the old eighty twenty rule. If you run a Purple Knight score and you clean up the top ten vulnerabilities or just your critical vulnerabilities, you’re gonna improve things quite a bit. We found that I have to look up my that from organizations that ran an initial score, and then they, they followed the guidance for Purple Knight to improve their score, it raised their scores by an average of twenty one points. And in some cases, as much as sixty one points. That was a pretty bad environment if they raised it by sixty one points. But, but, yeah. Raising it by twenty one points. This is, I would tell the story about, you know, you don’t, your score doesn’t have to be perfect. It just helps if you’re better than especially around cybercrime. If you’re better than a lot of your fellow organizations, because cybercrime is all about making as much money as possible as quickly as possible. So if you slow them down enough, the idea, of course, is that and some surveys have shown this to be the case. That if you slow them down enough, they go, alright. This is not a good use of my time. I’m gonna go to the next company. And, Rachel Wilson, who is a former NSA cyber offensive director, and she’s at Morgan Stanley now. She has a more succinct way of describing it. She says, you don’t wanna be the slowest gazelle in the herd. So improve your score a reasonable amount, and so that you make it, more of a deterrent for the threat actors that they’ll go someplace else. And it is a target rich environment. So we’ve absolutely seen, we have all kinds of intelligence on that where somebody will, you know, give up on you know, they see, you know, some better than normal defenses. 
They will move on to the the lower hanging fruit for sure. Not that that’s a guarantee or anything, but that is something that we’ve seen happen in the wild. Yeah. So let’s kind of dive into some of the details here. The survey breaks down scores, like there’s different categories for the scores here. And it seems like, so first of all, I think you might have already mentioned this, but the average across everyone using it was a failing grade. But it was sixty one percent, right? If we’re going by letter grades. And that’s eleven percent lower than the previous year that you ran this report. Any thoughts as to why things are trending downward? I was thinking about that a fair amount. And the best I can come up with and by the way, the the worst were smaller organizations between two thousand and five thousand employees. They scored a fifty two on their initial, their initial score, which is not so great. And the best answer that I can come up with for this is that because people haven’t been wildly and obviously sabotaging their environments. I hope that they’ve not been. Is that Purple Knight, since the last report was run in twenty twenty three, has expanded its security indicators considerably by maybe as much as fifty percent. So, you know, we have a hundred and eighty five security indicators. So we are now doing a much more thorough assessment of an organization than probably back in twenty twenty three. So, including areas that we didn’t really hit very much in twenty twenty three at all, like certificate services. Yeah. This is an effect we see in vulnerability management a lot too, where as you increase your visibility of your environment and your assets, it looks like vulnerabilities are getting worse because you’re seeing more. Right? There there’s more visibility into it. You know? So it’s not that people are getting worse. It’s that you’re actually seeing more of the problem.
And I suspect in this case, maybe Purple Knight is just more popular than it was then. You know? So you’re getting a whole lot more data, maybe from from more vulnerable organizations, than you were initially. Yeah. We’ve also seen, in some cases so we’re we also have an Active Directory security assessment, which is, you know, a step higher than Purple Knight. We’ve seen Human driven. Human driven. Yes. Absolutely. Oh oh, okay. Mhmm. Yeah. So my consultants come in, and we assess their environment, not only with Purple Knight, but we have other tools. So we’re taking a much deeper look into the configuration. And what we have seen sometimes is where an organization will make specific changes in their environment to address specific issues, break something and not realize it. And then, you know, they go to fix that, but they actually make things worse by, you know, making a different change. If they don’t fully understand the context of the changes that they’re making and they try to revert something back, sometimes that has more of a detrimental effect. Right. So we do have a question in the chat. I’m not sure I fully understand it. You know, the what will be the difference between AD and Microsoft OneDrive? I’m not sure if that question is about Purple Knight, and this is why I asked to ask during the context, but I didn’t, didn’t have it at the moment it was put in. So I’ll assume it’s in the context of Purple Knight. So I guess maybe it’s a good question. Like, Active Directory touches a lot of things. You know, how I imagine it’s not broad enough to tell you anything about how OneDrive is configured or correct me if I’m wrong. No. You’ve got it. It’s very identity focused. So it will look at Entra ID, which is the authentication system that handles access control and authentication to OneDrive and SharePoint and Microsoft online and Azure and half the things in the universe. 
And that is an aspect of what Purple Knight does an evaluation on is the security posture of Entra ID as well. Which there’s all sorts of interesting little implications in there that are maybe organizational in method. You know, as I’ve consulted with various companies before joining Semperis, you would see the, as we all know, you know, the reason Entra ID and Azure Active Directory as it was known is so popular. It’s the same tactic that Microsoft used to make Active Directory popular. Nobody gave a hoot about Azure Active Directory. They just wanted Office 365. So they sign up for Office 365 and voila, you have an Azure AD tenant. And then somewhere along the line, somebody goes, oh, gosh. We’ve got another identity system here that has to be managed. Who’s gonna do it? And what I’ve seen is, sort of two ways. One is the AD team picks it up. But I’ve also seen, in some very large companies also, the application team picks it up because the Office 365 management team. And because they’re the ones that are provisioning and handling everything, and so what what you have is a team that has no identity or little identity system experience managing it. And so now you have this dichotomy between on prem AD, who they’re generally, at least originally, they looked askance at the Entra ID stuff like, like that. And then you have the applications people that are trying to manage Entra ID. And that causes a real disconnect. And some organizations are still trying to rectify that and the confusion between the two. So I mean, to me, it seems I don’t know, it seems like a lot of a liability to run on prem AD like we’ve seen what’s happened with Exchange where even Exchange hosting companies, you know, we saw Rackspace a few years back, get rid of their entire, hosted Exchange business after getting hit by ransomware affecting impacting all ten thousand of their Exchange hosting customers. No problem. That that was kinda breathtaking, You know?
And that was a patch that had been out for a month or so. I don’t know what led to them not applying it in time, but, it was painful to watch. And, you know, I would think people would be running for something Microsoft hosted, you know, where only they have to worry about patching stuff as quickly as possible. But do you so it sounds like you still see some people holding on to that on prem AD infrastructure. Well, I mean, yeah. So first off, you know, you mentioned the Exchange fiasco, perpetrated by the China nation state, Nobelium. Mhmm. And and just last week, this week, something similar happening with SharePoint Server on premises as well as zero day. Right. Mhmm. Be actively being exploited. So, yeah, that’s the world is definitely not getting any easier. The on prem defense world is definitely not getting any easier. And maybe Exchange and AD are not good comparisons. You know, obviously, one is very specific to just email. Whereas AD is a lot more than just an identity system. You know, like, it hooks into so many things. That’s the problem. I mean, I’m sure every organization, you know, would say, yeah. I’d love to I’d love to get rid of this albatross around my neck. But what if you look at the alternatives, so there’s mountains is an understatement of technical debt for on premises organizations that have been around for a while. Everything. If not everything, then most things. Even a lot of companies down to routers, backup systems, infrastructure systems depend on, I mean virtualization systems, security systems depend on Active Directory. And so, those systems still need to run one way or another, or they have to replace them with something new, or they have to refactor them to go up in the cloud. And so you have this, and I’m sure Jeff has lots of experience around this.
You have this on one side, the security risk weighed against the fact that this on premises stuff is paid for and is generating revenue and is working versus the enormous cost to develop alternatives for it and the disruption. And of course, Adrian, you brought out human nature. I think we’re good enough. I think this is pretty safe. No. I don’t wanna spend the money. It’s not broken. Why change it? Exactly. Right. And I’m gonna be long retired before we see AD. You’re probably gonna be dead before we see AD go away for these reasons. But, Jeff, do you I mean, you hit that stuff, don’t you, when you’re All the time. Dealing with stuff? Yeah. We get that question a lot from customers. Which way should we go? Should we do on prem or should we do Entra or should we do hybrid? It’s just like it really depends. It’s, yeah, it’s your business model, in most cases, from discussions that I’ve had. It’s always, well, we feel we’re fine. We don’t wanna incur the monthly subscription costs for all of these users when we have what’s here. It’s been working forever. I hadn’t thought about the financial side of it moving to a subscription model. Yeah. Yeah. The CapEx when the CapEx is paid for and the OpEx never ends. Yeah. It’s a really good point. But it’s, I mean, we have a whole generation of penetration testers who have been trained that success is measured by speed to getting domain admin. Right. Like even penetration testing is a whole generation of folks who learned it, revolved around Active Directory, right? Yeah. Yep. So, diving into some of the details in this report, and maybe we should tackle this question first. We had somebody just asking, if you guys have recommendations on, training for people who wanna learn AD hardening, attack path mapping, attack surface reduction, that kind of thing. I don’t know if you guys do training or if you have anything off the top of your head. 
I know we’ve got, the blog series, that contains a bunch of useful information out there. I don’t know if there’s anyone that has what I would call a true AD hardening, and attack path. Maybe I think there are resources out there on the Internet where you can piece it all together yourself, but I don’t know if there’s a and I could be wrong. I don’t think there’s, like, a certification path behind it or an actual, you know, certification style training. Right. There I mean, there are certainly resources in Microsoft if you do searches for AD hardening that give about the classic examples. You know, this product’s been out for a long time. But the degree to which you can do it, it gets more and more complicated depending on, again, how secure you wanna be and how willing you are to potentially break the business that’s running. You mentioned attack paths. And so this is a we’re talking about Purple Knight in here, for attack surface analysis. And but we also offer a free tool called Forest Druid. And Forest Druid is another community tool, and it is an attack path analysis tool. But it approaches attack path analysis from the blue team side, the defenders, rather than the red team attackers. So instead of trying to analyze everything on the outside and look for paths into privilege management. Essentially, what you do with Forest Druid is you fire it up. It makes suggestions as to what it believes your tier zero environment is in Active Directory and Entra ID. And then you fine tune it saying, hey, I found these other resources. Things that you might not immediately think about, like containers in Active Directory that hold privileged accounts. Or the Entra ID Connect sync server, which is the server that synchronizes identities between on prem Active Directory and Entra ID. And then you define that. And then it will show you the attack paths into your defined tier zero. I think Jeff’s team works with it all the time. 
He knows more about it than I do, actually. Yeah. Yeah. Every time. And and you nailed it, nailed it on the head. It’s a blue team perspective of looking at what your attack paths look like. We run it in all of our assessments to get an understanding, you know, what the blue team side looks like as well as from a red team side because there are sometimes where there is no overlap and it does show something that’s different that one side or the other does not pick up. And, I mean, like Sean mentioned, it’s a free tool. It’s got a steep learning curve. I personally don’t use it and run it because it’s beyond my technical capabilities. My team, on the other hand, they love it, they like I said, they use it on every engagement. And, yeah, it gives you a wealth of information. Grab it, download it, run it in your environment. Obviously, run it through security. Make sure you got your, you know, permission slip, and start working with it. You’re analyzing offline data, so it’s you know, chances of you messing something up in AD, it’s pretty slim, but it gives you a good understanding of what your environment looks like. Yeah. Be prepared to be further dismayed by your results. An example I like to use about Forest Druid is, so I may give you a practical example of Forest Druid. So what Forest Druid will find for, perhaps, is that you have a group policy applied to the domain controllers OU. Maybe it’s a specialized software update, just for the domain controllers. And, you find out, okay, so great, there’s this group policy. Who has permissions to use this group policy? Who has permissions to alter this group policy? And maybe there are nested groups in there, and maybe three nests down in a nested group is a group that shouldn’t have it. So the threat actor just has to compromise this otherwise ordinary looking group to gain control of group policy to the domain controllers in your domain and wreak havoc on it. 
Forest Druid will point out the path to make that work that otherwise, how would you ever figure it out? Okay. Very cool. So I did find I got introduced to this, the other day for the first time, but there’s a new training, school called justhacking.com that’s related to John Hammond, the if you’ve ever seen John Hammond on YouTube. And, there’s a bunch of people creating courses for it. So it’s not his course, but there is a three part Active Directory security course in there. Oh, cool. I think it’s a good point because as we said, we have second and third generation AD administrators and AD security people that need to learn how to do this. Absolutely. And it looks like it takes you through everything. So even if you’re not familiar with AD at all, like, it should take you from that beginning level. Like, it looks like the first volume is all just learning how, Active Directory works. I’ve been using it for all twenty five years. And even before that, I was beta testing it when it was, you know, release candidates for Windows 2000. But I bet I have a ton of gaps even though I’ve been using it for that long. Yeah. That could be filled in there. Yeah, I wanna explore some of the findings here a little bit more. You know, one of the things I came across that I wasn’t familiar with was ADCS. Apparently, it’s been targeted by, attackers. So what is it and why is this so challenging for defenders to secure? Well, it’s a little bit of a, I think of it as a little bit of a branding thing. So the Active Directory moniker, for on premises actually encompasses three different services. There’s Active Directory itself, which to be pedantic is Active Directory Domain Services, ADDS. And then there is Active Directory Federation Services, ADFS, which was unfortunately most noticeably brought out in SolarWinds, because that was the path that the actors used to gain control of Office 365. 
But Active Directory ADCS, Active Directory Certificate Services is the third one. And a little bit like, a lot like ADFS, it has Active Directory in it, but it is really not related to Active Directory. It’s only peripherally related to Active Directory. And if you’re an AD administrator and someone says, hey, it’s that’s ADCS, and how different can it be? You’re like, no. No idea. So is it suggesting is this like PKI? That’s exactly what it is. Your name is suggesting here? Okay. Yeah. That’s exactly what it is. It is what, ADCS is PKI integrated with Active Directory for the Windows environment. So it issues, manages, and validates digital certificates, you know, for secure authentication, encryption, digital signatures. And in the Windows tradition, it is pretty easy to deploy, poorly. Yeah. No. A Microsoft product? No. One of our, many experts, and Jeff knows Jake Hildreth very well. Jake wrote a fantastic tool for Active Directory Certificate Services called Locksmith. But, Jake just describes ADCS as an island shrouded in mystery for most AD administrators. It seems like it’s either working or it’s broken and you don’t know why it’s not working right. Oh, wow. Yeah. Right. Yep. Yeah. You don’t want anything to be a mystery from a security perspective. No. And this is absolutely in the same category of, well, it’s working. I don’t know why it’s working. I hope it keeps working. I’m afraid to touch it. But there’s lots of security indicators and vulnerabilities in ADCS. Yes. And Purple Knight jumps out with that and actually so does Jake’s, Locksmith tool. Right, Jeff? Correct. Yeah. Jake’s Locksmith tool. It is open source. It is on, GitHub, I believe. Pretty easy to find. You know, give it a try. It’s got some amazing features behind it. I would say in 99.9 percent of our, assessments, we do identify ADCS issues. Wow. Yeah. It was easy to find. I pulled it right up. 
I just searched for GitHub Locksmith in Active Directory, and it was the first link that came out. Nice. The reason Jake wrote Locksmith was as an AD administrator, he realized, you know, this is people this is crazy. People don’t know how this works, what to do with it, and all that. So he made a tool to take care of all the stuff that people don’t want to have to figure out to to make ADCS safer. That is lovely. Community is lovely when that happens. So we’re running out of time here and there’s a few other questions I want to get to here before we have to wrap up. I think I’m gonna go with, something I found, I guess not too surprising, you know, but, you know, it kind of needs an answer in that a survey found SMEs for AD and Entra ID were unfamiliar with Entra ID best practices. And I think you may have answered some of it, you know, that there is kind of a line, kind of a split between, people who do AD, people who do Entra ID. But I wanna give you guys an opportunity to answer why somebody responsible for Entra ID would be unfamiliar with Entra ID best practices. I’ll start. I think from my experiences, and I think Sean would agree, sometimes people just get shoved into it. Hey. This falls into your category of IT. Figure it out. I don’t know if there’s that much preparation when and it’s and it’s still somewhat newer of a technology if you think about it in the AD world. People are just not familiar with it, and there are definitely slow adopters. If I was, you know, if I came up through the AD realms, and I used it from the very beginning, I don’t know. Would I be interested in looking at the cloud version if I really knew AD? Typically, they’re gonna get you’re gonna get the newer folks who have to learn it. And I think that’s just a part of the business is there are a lot of people who just get tasks handed to them. 
I mean, sometimes we even find IT owns identity or IT owns security, and those are really specialized areas where it should be someone who has time to focus on that. And with today’s business world, I don’t know if there’s really that much time for individuals to focus on their area of expertise unless you’re lucky enough to be in a company such as Semperis where we do AD. Yeah. To follow on to what Jeff was saying, I think some percentage of this is organizational. Like I said, you’re either there’s a subset where and maybe this is and I’m speculating here. Maybe this is more prevalent in the organizations where they went in application first. Where it’s, we want Office 365, oh, I guess we have to manage Entra ID because we’re the Office 365 administrators. But they’re not identity people. And there’s a whole different world underneath the covers. They finally got rid of the Active Directory comparisons, but the whole authentication scheme, the protocols, everything under the covers. Once you get below the fact it’s got users and groups and policies and computers in there, that pretty much is the end of the resemblance on there. So it’s a very different skill set. It’s a very different UI to management, assuming that you’re using the UI and you’re not using Graph. You have tricky things like conditional access policy. You have really tricky stuff like, Intune, which always gave me a rash. Yeah, it’s a complicated beast to manage on top of everything else. There are also a few cool security features in there. There’s like risky behavior detection and stuff like that as well. And I think that’s only in Entra ID. Right? And only in, what is it p five, Jeff, that requires to get the, Oh, jeez. Oh, yeah. Of course, the license. License license. Yep. No one knows, Sean. No one knows how any of that works. I know. Well, people have been complaining. There’s another tool for that just for figuring out Microsoft licensing. 
People have been complaining about understanding Microsoft licensing ever since Windows 3.11, I think. But, maybe that’s the reason. But, yeah, that is the thing. We’re talking about CapEx versus OpEx. Right? And so, yeah, you wanna use, identity protection, which is a really cool thing to have in risk analysis and all that. And, well, guess what? That costs extra. They do some basic aspects to it. And under pressure, they have added more security, just in basic licensing. But, yeah, you gotta pay for it. And, Jeff, I found this, you know, last time I did incident response when I was running a consulting firm. Does Microsoft still turn off logs by default for things? Is that still something you have to check? I think it’s still something you should check. I remember what you’re talking about. That was, Microsoft was disabling something with the Exchange logs, for the Yes. 365. And, you know, of course, it was during the BEC craze. Yes. That was exactly the incidents I was working. Yeah. Those are so painful, especially when the, you know, the logs didn’t exist, and then you had to figure out what happened. And we had no idea when the attacker got in, how long they’ve been there, what other accounts you know? And within moments of enabling logs, we caught them almost succeed. And this was the one case I’m thinking of, was a, retail, or commercial, mortgage company, mortgage and title company. So these were, like, seven, eight digit transactions that they’re trying to redirect to Seashells bank accounts or whatever. Absolutely. And I think that, you know, that little last piece there highlights the whole, readiness and resilience. Everybody assumes that data is being logged. Everybody assumes that it’s being backed up. Is it being backed up? Do you have access to it when your environment goes down? If you haven’t tested for it, you’re not ready. Yeah. Alright. 
So, yeah, nearing the end here, any recommend you know, obviously, there’s, you know, running yeah. I think there’s some clear paths out of this. Right? Check out Forest Druid, check out, Purple Knight, check out Locksmith. These are all tools you can run that will tell you how good or how bad, you’ve done stuff, and will give you guidance. But from you guys and your experience, you know, where where where do you see people having, either getting stuck or finding the most bang for their buck when improving their environments? From my perspective, I think getting the most bang from their buck is just starting off small, making small changes to correct. I mean, it can be something as simple as you have fifty domain admins. You don’t need fifty domain admins. Knock it down to three. Yeah. I can’t tell you how many organizations we’ve gone into where it’s over permissioned. Well, Joe needs to be a domain admin because of this one specific task. Create a special group. Yeah. Exactly. Create a special group, give him the exact permissions he needs, and let him do his job. Don’t give him everything because that’s what the attackers are looking for. Small incremental changes, test afterwards to make sure that you are improving your security posture, not making it worse. And like you said, download tools, they’re there. They give you the information. They don’t phone home. The most we are getting, I think, out of you is your email address for downloading it. Sean, correct me if I’m wrong. All of the data that’s built into Forest Druid or Purple Knight, that gives you a score. None of that scoring comes back to us. We don’t we don’t want it. I mean, from a marketing side, I’m sure they would love it, but we don’t want it. And I think that’s one of the big things that organizations typically miss is they’re worried that their data’s coming back to us and we’re gonna use that data somehow, and it’s simply not the case. You know, run your tools, test, validate, test. Yeah. 
More broadly, I would say, since we were talking about resilience, is this is this is about realistically table topping what’s going on, not just using a happy path where we come across organizations say, well, we were able to do an Active Directory Forest Recovery in, you know, in eight hours, but we had our virtualization infrastructure there. We had this, we had that, we had the other thing. They’re making all sorts of assumptions to make the exercise easier, Which is great if your goal is to just make the exercise look easier. But if the goal is to actually build in a little, and this isn’t even to resilience. This is just in this is just in readiness. You have to be a little more cutthroat as to what that environment is going to be like. And actually, free plug, we’re if you’re going to Black Hat, we’re going to be doing a tabletop. Semperis is going to be doing a tabletop exercise there, sort of emulating what some of these ugly scenarios could look like. So that’ll that’ll be fun. And the the cool part of that tabletop is it’s so typically, when I go into an organization and do a tabletop, it was solely responders responding to a scan scenario. The beauty of this is there is a blue team, there is a red team. So the red team is modifying based on what the blue team responds to. It is a million times harder. And I would say in my, like, twenty years of doing IR, whenever we did tabletops, customers, you know, if you talk to the IT team and get it set up, they wanna glance, gloss over all of their bad stuff. They don’t wanna touch on them during the tabletop because it makes them look bad. That’s sometimes the goal. Yeah. Is to pinpoint those areas so that they can get fixed. Yeah. Yeah. Absolutely. We’re also in the blind spot. Yes. Yeah. Great stuff here. Thank you Sean and Jeff so much for joining me today. Great conversation. I think a lot of good stuff came out of it. Pleasure. 
It was a lot of fun and, for the audience, make sure you check out those handouts. There’s, or if you just wanna go directly there, https://www.semperis.com/purple-knight/ and https://www.semperis.com/forest-druid/ And the Locksmith tool we mentioned is from Jake Hildreth. Big thanks to Semperis for sponsoring this webcast and, making today’s, conversation possible. And finally, a big thanks to the audience for joining us, and we’ll see you next time. Cheers. Thanks for joining.
