Identity is now the first line of attack, so how can organizations minimize their attack surface? Identity Threat Detection and Response (ITDR) is a recently recognized category of cybersecurity solutions. Sean Deuby of Semperis discusses this category and how organizations can get the most out of it.
In this video interview with Information Security Media Group, Deuby discusses:
- The rise of ITDR
- How to respond to and remediate identity attacks
- How to hone ITDR in line with the NIST CSF
Sean has more than 30 years of experience in enterprise IT and hybrid identity in his role as Principal Technologist, North America at Semperis. The original architect and technical lead of Intel's Active Directory and of Texas Instruments' NT network, and a 15-time MVP, Sean has been involved with Microsoft identity since its inception. Since then, his experience as an identity strategy consultant to many Fortune 500 companies has given him a broad perspective on the challenges of today's identity-centric security. Sean is a veteran of the industry press; as former Technical Director of Windows IT Pro, he has published more than 400 articles on AD, hybrid identity and Windows Server.
Download our "Identity Threat Detection and Response: What It Means" today!
Tom Field: Hi there. I'm Tom Field. I'm Senior Vice President of Editorial with Information Security Media Group. Topic of the day is identity threat detection and response. It's my privilege to be speaking today with Sean Deuby, Principal Technologist, North America at Semperis. Sean, thank you so much for taking the time to speak with me today.

Sean Deuby: Hi, Tom. Nice to have the chance to chat.

Tom Field: So, the new acronym, ITDR: talk about it. What is ITDR, and what's the significance of Gartner now standing up and recognizing it as a category of its own?

Sean Deuby: ITDR throws a lot of us for a loop, because we immediately think of IT and disaster recovery. But it's not that. It's identity threat detection and response. And what it means, the way Gartner defines it, is the correct and secure operation of the identity infrastructure rather than the individuals and resources in that infrastructure. What that means to me is, look, we have enough categories to talk about endpoints and email and applications and network. We need a category to talk about the identity infrastructure that everything else depends on. In other words, how do you protect identity itself? Because identity has become so important. That's really the significance of it. As we were talking about before we started on camera, I've been attending identity conferences for 15 years, something like that. And it would be just 200 people in a room at a small hotel. And it has grown over the years. You just go look at the Gartner IAM Summit that just finished, or Identiverse that's coming up in June. They're huge, and it's the recognition that identity has come from being just some other part of the infrastructure. As we've moved to the cloud and we've moved to all these untrusted networks, identity is one of the most important things that you can have for security.

You could argue it is the most important thing, because that's what all of zero trust is based on: you're trying to access a resource across an untrusted network, and you're continually verifying the user's identity to make sure they are who they say they are to access that. In the identity community, we've felt that way for a long time. And what's happened is Gartner has come around to say, you know what, this is really important, and it's really important to make sure that organizations explicitly work on protecting their identity systems.

Tom Field: Sean, you have said, and rightly so, that identity is the first line of attack. How do you see adversaries taking advantage today of our legacy approaches to identity?

Sean Deuby: Well, for most of the world, the on-premises identity system is Active Directory. It's pretty much ubiquitous, and any organization over about 500 users or so has it. And most have it as a critical part of their infrastructure. And it's gotten even more critical over time, because as we have moved to the cloud, most organizations have a hybrid identity infrastructure where they take on-premises identity and then project it out into a cloud service provider like Azure Active Directory, now Entra ID, or AWS or Okta, to provide single sign-on for web applications. Well, Active Directory is almost a quarter of a century old; it's 25 years old. And the threat actors know that. So what you have is, for them, a wonderful combination of an old technology, beautifully designed, by the way. Fantastic that it's lasted and continues to be so relevant. But what's happened is, over a quarter of a century, many organizations have got 20-plus years of the same Active Directory environment, and they've accumulated vulnerabilities over time, because in operations, and if anyone has spent time in IT operations they know this, there's rarely enough time to add users or groups or applications with least-privileged access to something. You just have to get stuff done.

And so they get things done, and you accumulate a vulnerability here and another one there. You add a service account that has administrative rights because it's got to run SQL Server, and you don't have time to figure out how to make it a little more secure. And you've accumulated a host of vulnerabilities. The one I just mentioned with service accounts is a popular vulnerability called Kerberoasting. And what the threat actors do: they know that the tools have gotten better. And they know that if they can gain access to Active Directory, the common phrase is you can get the "keys to the kingdom," which is true. But Active Directory, because it's designed to make it easy to find resources, you can also look at it as the treasure map to the treasure, because once you've gotten hold of Active Directory, you can find out where all the resources are, and you now also have control of the resources if you have control of Active Directory. So what this means is that in almost every, and I mean almost every, cyberattack, Active Directory is involved. Mandiant says that in 90% of the investigations that they do for their clients, they find that Active Directory was either directly targeted or was used as a means to get to the target. I've been fortunate to talk to a lot of CISOs, and they have told me, when they look at their pen test reports, they scoff at the 90%. They say 90%? 100% goes through Active Directory. So, yeah, adversaries are absolutely taking advantage of this. And that's what they're doing to get in. They may get in through many endpoints and in many different ways, but once they get in, they all go through this identity system.

Tom Field: So Sean, a couple of questions I want to ask you specifically about ITDR. How do we minimize the attack surface?

Sean Deuby: Well, as I said, a lot of vulnerabilities have accumulated, and there are free tools that will allow you to understand what your vulnerabilities are.

One of the challenges of working with Active Directory is that, because it's been around so long, the original highly skilled practitioners are often no longer around. They've retired, they've gone on to something else. And when we talk to organizations, we find that most organizations have inherited their Active Directory environments from their predecessors. And they don't even know why things are done the way they are, and they're afraid to touch them. So Semperis offers a free tool called Purple Knight, which is designed to do Active Directory security vulnerability assessment. It's completely free. We don't see any of the data. It all runs entirely in your local environment and doesn't require any rights in the environment. It looks at Active Directory the way a threat actor would. And it will analyze Active Directory for 185-plus vulnerabilities, and then spit out a report that is about 70 pages long and give you explicit guidance on how to remediate those vulnerabilities, ordered from most critical to least critical. So you can look at it, hold it up and say, all right, these are the things that we need to do to reduce our attack surface as quickly as possible. We have another tool called Forest Druid that is a Tier 0 attack path analysis tool. This is a more sophisticated tool that requires a little practice to run and an understanding of attack path analysis. But what Forest Druid does is analyze the attack paths from the inside out. If you think of the castle analogy, the king and his courtiers and the most important things are inside the castle. So what Forest Druid does is it looks inside, and it looks for paths outward from what we call Tier 0, the most important aspects that are running the Active Directory service, and it looks for paths into Tier 0 that you may not have been aware of.

Maybe there is a group policy object that has a user that has rights to do something that can change domain controllers. That helps reveal those vulnerabilities. So absolutely the first step to take is purple-knight.com.

Tom Field: Now let's talk about the R in ITDR. When attacked, how can enterprises best respond and remediate?

Sean Deuby: Well, what I would say in the response department, and also what our incident response team does, is, number one, take a copy of your Active Directory, back up a copy of Entra ID right away, and get it offline. Air-gapped, whatever you need to do to get it offline. Hopefully you can do that before the threat actor has a chance to crypto-lock your Active Directory environment. And it used to be they would come in and they would immediately lock it to gain the ransom for it. Now, more often than not, they get in, and the dwell time in an organization's Active Directory is anywhere between 20 and 200 days now. So they don't cripple it right away while they're looking for things. Get a backup of Active Directory, restore it, hopefully malware-free, into an isolated environment where you can threat hunt and dig around and try to figure out what the threat actor has been doing without giving your hand away, without them knowing that something's happened. Because if they decide, all right, it's not worth it, I'm just going to lock the environment, then you've lost the initiative. So those are a couple of the first things that you can do. Doing that is very difficult. One of the aspects that we have in our Semperis products is the ability to see everything that is going on in Active Directory. And our incident response team actually uses our Active Directory Forest Recovery tool to take a backup of your forest without any malware on it. The nature of the way the tool works is we restore it into that isolated environment, and then we run some post-breach tools to find out what those vulnerabilities are.

So it's a tough situation, for sure, but at minimum, those are some of the steps you should be taking now.

Tom Field: Sean, how do you recommend enterprises assess their own ITDR maturity and understand where they need to go?

Sean Deuby: Well, certainly a first step, as I say, is to run these security assessment tools. That's just one step. But if you really, and I'm sure Gartner is going to be coming out with their own steps for evaluating identity maturity, really it falls under the same IT maturity guidelines that other aspects of IT do. It's the governance. Most Active Directory environments have really horrible governance, because it just works and people don't pay attention to it. Oh, it's that system in the corner that's just kind of always going. I would say put it under governance and really scrutinize it and bring it into the fold instead of leaving it out in the corner and saying, hey, it just works. We have to get away from the "oh, Active Directory, it just works" mentality and recognize it as the critical asset that it is in so many different ways. I'm talking with folks that are involved in backup and recovery, for example, and a common route now that threat actors use is, one, they'll compromise Active Directory, and then, two, they'll go in and they'll destroy backups, because many on-premises backup systems depend on Active Directory. So if you cripple Active Directory, either, A, you can no longer log into your backup system, or, B, the threat actors will actively go in and destroy your backups. There's a great quote from Alex Weinert, who's the partner director of identity security at Microsoft, so he's responsible for all of identity security for Microsoft. And he says that ransomware attacks are really the second phase in a campaign. The first phase is identity compromise. And when I heard that, I'm like, oh, that totally makes sense.

Tom Field: Sean, one more question for you. We've talked a little bit about Semperis, but I want to bring you back to your company. How are you helping organizations to hone ITDR, particularly in alignment with the NIST Cybersecurity Framework? I know you're big on that, right?

Sean Deuby: Right, we're big on the Cybersecurity Framework. Let's face it, humans like to collect their problems in terms of a framework. It makes life easier. And we align our products to the NIST Cybersecurity Framework. So I was talking about Forest Druid and Purple Knight. The first phase of the Cybersecurity Framework is Identify: identify the threats. So use tools like Purple Knight to look and identify what your vulnerabilities are. Then the next step is Protect. So protect the environment: go off and remediate those vulnerabilities that we've identified for you. There are a variety of ways to do that. The next is Detect. So Detect is detecting unauthorized activity. Our Directory Services Protector product analyzes changes and shows you all of the changes that are going on in both on-premises Active Directory and Entra ID as they're happening. We actually tap into the Active Directory replication stream, which is the untamable source of truth of what is going on. And so a threat actor can't hide there; they can't hide their actions. They can erase logs, they can do this, they can do that, but we can see every change that's being made in Active Directory. Since you can see them, this leads to the next step in the framework, which is Respond. So you have the ability to either manually or automatically roll back unauthorized changes to Active Directory that a threat actor might make, or that an Active Directory administrator makes when they say oops and an OU gets deleted along with all of the users inside of it.

This is also where we use Active Directory Forest Recovery, as I mentioned before, to take a backup of an organization under attack, take it isolated, and go threat hunt with the isolated copy of Active Directory and a tool that is called Active Directory Purple Knight Post-Breach. And look for the attack paths and come up with a method, PowerShell scripts or whatever, so that you can immediately kick the threat actor out of the production environment. And then, finally, Recover, which is the recognition that, hey, the bad guys sometimes get through; they sometimes can lay waste to your environment. I look at, for example, I don't know the details, but I know that what's going on with DISH Network right now was Active Directory related, and they've been down for weeks. So our Active Directory Forest Recovery process allows you to recover your forest in minutes or hours instead of days or weeks, and do it malware-free onto a variety of systems. I've joked that the AD forest recovery process has been keeping AD admins awake at night for 20-plus years, and they are very happy to have this tool to allow you, if the worst comes, to quickly recover your environment and then start working on getting everything else back.

Tom Field: Very well said, Sean. I'm grateful for your time and insights. Thanks so much for speaking with me.

Sean Deuby: It's been a pleasure.

Tom Field: Again, the topic is identity threat detection and response. You just heard from Sean Deuby, Principal Technologist, Americas, at Semperis. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention today.
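Added example, not part of the interview and not Semperis or Purple Knight code: a PowerShell check for the accumulated-vulnerability pattern Deuby describes, a service account that carries a servicePrincipalName (so any authenticated domain user can request a service ticket for it and crack it offline, i.e. Kerberoasting) and that also sits in a privileged group. It assumes the RSAT ActiveDirectory module and a domain-joined session with ordinary read access; the list of groups treated as Tier 0 is an assumption to adjust per environment.

```powershell
# Added example (not from the interview, not a Semperis tool): enumerate
# Kerberoastable user accounts and flag those that are also privileged.
# Assumes: RSAT ActiveDirectory module; domain-joined session with read access.
Import-Module ActiveDirectory

# Assumption: groups treated as Tier 0 for this check. Extend for your environment.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Schema Admins', 'Account Operators', 'Backup Operators')

# Resolve membership recursively once, keyed by distinguishedName, so an SPN
# account reached through a nested group (e.g. "SQL Admins" inside Administrators)
# is still caught.
$privilegedDNs = @{}
foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $privilegedDNs[$_.distinguishedName] = $g }
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}

# krbtgt carries an SPN but is not what attackers roast; skip it.
$spnUsers = Get-ADUser `
    -Filter 'servicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
    -Properties servicePrincipalName, AdminCount, PasswordLastSet, `
                'msDS-SupportedEncryptionTypes', Enabled

$report = foreach ($u in $spnUsers) {
    $encTypes = $u.'msDS-SupportedEncryptionTypes'
    # Bit 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256. An account that allows
    # RC4 hands out tickets that crack far faster than AES ones; an unset value
    # means the KDC default applies, which historically included RC4.
    $aesOnly = (($encTypes -band 0x18) -ne 0) -and (($encTypes -band 0x4) -eq 0)
    $via = if ($privilegedDNs.ContainsKey($u.DistinguishedName)) {
               $privilegedDNs[$u.DistinguishedName]
           } else { $null }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        PrivilegedVia   = $via
        AdminCount      = $u.AdminCount
        PasswordAgeDays = if ($u.PasswordLastSet) {
                              [int]((Get-Date) - $u.PasswordLastSet).TotalDays
                          } else { $null }
        AesOnly         = $aesOnly
        SPNs            = ($u.servicePrincipalName -join '; ')
    }
}

# Highest-risk first: privileged membership, then oldest password.
$report |
    Sort-Object @{Expression = { $null -ne $_.PrivilegedVia }; Descending = $true},
                @{Expression = 'PasswordAgeDays'; Descending = $true} |
    Format-Table SamAccountName, Enabled, PrivilegedVia, AdminCount,
                 PasswordAgeDays, AesOnly -AutoSize
```

Any row with a value in PrivilegedVia is the "service account with administrative rights because it's got to run SQL Server" case from the interview: the remediation is to take the account out of the privileged group (grant the specific rights the service needs instead), move it to a group managed service account or a long random password, and restrict it to AES via msDS-SupportedEncryptionTypes. Rows with no privileged membership but a multi-year PasswordAgeDays are still worth rotating, since the ticket is crackable by any domain user regardless of where the account sits.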
