Active Directory (AD) remains a cornerstone for many organizations, both on premises and integrated with Microsoft Entra ID in the cloud. Alarmingly, 90% of cyberattacks target AD, the central identity system for most enterprises. Semperis provides comprehensive protection for on-premises AD and Entra ID, offering continuous defense against identity-based threats before, during and after an incident, backed by a dedicated incident response team.
In our webinar we will explore together how to protect and manage AD and hybrid identity systems. You will:
- Gain strategies for implementing effective security measures in your identity systems
- Learn how to identify and counter the latest threats targeting your AD environment
- Discover techniques for monitoring and analyzing suspicious activity
Hey. Good afternoon, everyone. Thank you very much for joining our webinar. Just to give some time to the, or time for the people that couldn’t join us exactly at two o’clock, to join, we’d like to give everyone just another minute. So please bear with us. Okay. Well, that minute went by very, very quickly. So let’s kick this off. As I said, it’s great to have everyone online this afternoon. Thank you very much for joining us. My name is Jason Goode. I’m from iC Consult, and I’m joined this afternoon by my colleague at Semperis, Guido Grillenmeier, who is a Principal Technologist. And Guido will be talking you through the technology that we’re presenting this afternoon and also taking you through some of the value proposition associated with Semperis. But before we get there, I’d like to just tell you a little bit about iC Consult. So if we could move to the next slide. Great. So we like to say that we stand out from the crowd, and the reason we like to say that is because we completed more than two thousand identity and access management projects worldwide. We are considered by organizations like Gartner and KuppingerCole as being one of the world’s leading consultancies and systems integrators. And we probably have more than any other organization globally dedicated and focused on identity and access management. So my colleagues, there are nearly nine hundred of us worldwide. All we do every day, and have been doing for more than, well, nearly thirty years, believe it or not, is delivering identity and access management projects. Over the years, we’ve developed our solution portfolio, and I’m very happy that we have Semperis speaking with us today because, as you’ll see, Semperis are solving some real world challenges that we’re seeing today. So even though we’ve been doing this for nearly thirty years, we’re keeping up with the technology.
Have a look at us on Gartner, and we’ve completed, as I said, nearly two thousand projects, and we’ve won awards for Schenker, Swisscom, Siemens, and many, many others. So if we switch to the next slide. And we are where you are. Our heritage is German. We started the organization back in 1997. And as you can imagine, as a German organization, there’s a huge attention to detail, and that’s why with identity and access management, it’s all about the attention to detail. But over time, we’ve obviously expanded, and we cover, well, we cover all of Europe. We cover North America. And for some of our larger clients, we also deliver services for them in China. And if you’re interested in how we can do that, then after this call, we can talk to you about that a little bit more. But what that gives us is the opportunity to offer not only onshore but also near and offshore capability as well. So next slide, please. So wherever you are in your identity and access management journey, you can speak to iC Consult. If you’re thinking about what to do next, so you’ve done some identity management, you’ve delivered single sign on, you’ve delivered multifactor authentication, but you’re worried about DORA or you’re worried about NIS2, we can support you around the advisory business consulting element. We can help you put together RFPs, go to market strategies, IAM life cycles, road maps. You know, we have experience in all of that. But if you have technology and you’d like to understand how to fit all of these different pieces of identity and access management, IGA, PAM, and I know I’m using a lot of acronyms, but, you know, they’re all very important. How to architect that through to implementation, and then even taking that off your hands and delivering support and operations. And that can be seven by eight. It can also be twenty four by seven. That’s completely up to you.
So in terms of our portfolio, as I said, you know, business and strategy all the way through from advisory through to, you know, we’re focusing on identity orchestration, decentralized identity. So if you’re thinking about how those elements can add value to your business, you can talk to us. IT security, and that list, you know, over time has just grown and grown and grown in terms of the elements that need to be taken under consideration. And we’re talking about Internet of things, identity map, API security, multifactor authentication. And then how do you then manage that, if you’ve got privileged access management, SIEM, and how all of these elements fit together. And we can wrap all of that into a managed service for you. So I think the next slide. So as I said, it’s a pleasure to have Guido with me this afternoon. I’m glad I got your title right. You are a Principal Technologist. And, you know, what I’d love to do is to ask you a couple of questions upfront, if you don’t mind, just to set the scene. But, you know, what are the most common vulnerabilities in Active Directory that make it such an easy target for attackers, and let’s face it, you know, probably a hundred percent of the people on this call have Active Directory in production somewhere in their business. If not, it is the main identity provider for their business. And then, you know, how does the age of Active Directory contribute to its susceptibility to modern cyberattacks? And you don’t have to answer those questions directly now, but when you’re going through the presentation. They’re great questions, Jason. First of all, thanks to you and everyone at iC Consult for having us for this webinar. Always a pleasure to work with you. I’ve done quite a few of these in different regions. And the topic, like you say, is a hot topic, because everyone, whether they want it or not, that’s the point, is most likely still using Microsoft Active Directory.
Active Directory has been and still is the most distributed software from Microsoft. It’s the most deployed feature, function in Windows Server ever. Yeah. Because, of course, it’s part of Windows Server. It’s not a separate application that you buy. It’s a core element of the identity security system that was born a quarter of a century ago. Yeah. Twenty five years ago. More or less, now February, was it the fourteenth? I think it was February fourteenth, or February eighteenth, two thousand was the birthday. The official one, of course; bits and pieces were available earlier. But the general release date was in February of the year two thousand, and we’re in February of the year twenty twenty five. And that is a quarter of a century later. And Microsoft has been amazingly good at, you know, solving a core problem that companies have had with, you know, having multiple segregated directories all around that plenty of people needed to manage, down to, well, for many companies it was the first global project that they had, to have a centralized identity store, you know, combined with new capabilities that we back then wanted on the collaboration front with Microsoft Exchange. You know, they pushed AD forward because the new version of Microsoft Exchange, Exchange 2000 back then, required to be hosted on, or in, a domain that ran Windows Active Directory Services and no longer the Windows NT domains. I’m sure quite a few of our listeners will have been part of those days. So that’s why basically most companies now just switch to the next pieces of the presentation, because I’ll be answering a lot of what you just asked throughout the presentation as, like you say, it’s a topic of interest and concern to many companies that they still have that dependency on Active Directory whether they want it or not, because it’s actually not because somebody wants AD or doesn’t want AD. Most companies these days are in this hybrid landscape. Yeah.
That everybody wants to move to the cloud. Actually, I shouldn’t say everybody, but many and most companies. But there are still elements that you either want to keep offline and, or at least self hosted in your environment. Think of infrastructure for factories. That is piece by piece also going online with, you know, smart factories that are managed in different ways. But a lot of those are highly segregated networks that don’t allow themselves to create cloud connectivity. But the office workspace. Yeah. I just said office, and that doesn’t only mean Microsoft Office, but for many people it’s at least a tool, Microsoft Office, that they use to run their office workloads. And that has moved into the cloud. And with it, it also pushed a lot of customers to use Office 365. Yeah. We’re using GoToWebinar now, but there’s other tools. Of course, Teams is being used. I couldn’t tell percentages, but in many, many companies. Certainly those that have built on the Office suite, and that is the majority of most companies. And so whether they wanted it or not, the next step was to go into the cloud and manage a Microsoft Entra tenant, even though they hadn’t necessarily realized that when you have Office 365, you need an identity store in the cloud. And that’s what this picture is showing: it often comes from your core directory services still on prem. Active Directory for the majority of companies is the leading identity directory. Newer, or let’s say, segments of companies are then managed in a way, think of your consulting people or the external users that don’t need access to some legacy business applications, but maybe just the modern apps. You can have those as native users in the cloud. But for a lot of companies, there are certain applications, and it’s always the apps, that keep you in that on prem Active Directory. I’m gonna call it legacy Active Directory user space.
And that’s why we also say that, you know, if AD isn’t secure, nothing is, because intruders do go after your weakest link in your security chain. Yeah. That’s a given. Yeah. That’s what we all know. And it’s not just us who say that, I think that’s also important to highlight. Just recently, this was September 2024, like it actually says here on the screenshot. The Five Eyes report from, you know, the Australian government, Canada, US, New Zealand, and England, they highlighted the fact that companies, and these are actually, you know, institutions that wouldn’t typically look at old technology. Yeah. But when they realize that it is a piece of old technology that is very much distributed and in use in companies, they do give out warnings because the increase of attacks to take down companies often come through that weakest link, through Active Directory. And so this is a very worthwhile read, the Detecting and Mitigating Active Directory Compromises white paper. I forgot to check the number of pages right now. I also didn’t read all the pages, but it’s absolutely worthwhile to read. And as I’ve definitely checked out, they have a nice overview of all the different attack types. They describe them, they explain them, they explain how you can detect them and what you can do to protect yourself. A little bit of an overlap, a good overlap with this webinar, because we’re going to highlight quite a few of those as well. And we’re even going to use a tool that they also highlight in their report. As you can see here, Purple Knight, one of our free tools from Semperis, to get to know the security vulnerability or the security landscape of an identity environment. And that’s why we’re actually quite proud, of course, to be mentioned in that report. No doubt. Semperis has now been around for well over ten years. Purple Knight has been around for three and a half years. Yeah. And its use has exploded. Yeah.
Because it’s very easy to use and it helps people understand what are the weaknesses in my Active Directory environment. And I’m gonna move on to a slide where I deliberately want to start, you know, high level with, you know, getting that understanding. And, Jason, you had a question here. Right? Yeah. I do. And I hope you don’t mind that I, No. Just as I think of questions, I’d be okay if I could ask them. So, you know, how does a zero trust model integrate with Active Directory, and why is that crucial for hybrid identity systems? And that’s exactly what I’m trying to show on the slide, because what does zero trust actually mean? Zero trust means that you don’t trust your devices or your users just by plain, let’s say, username and password at one time log on. You recheck whatever a user does and basically validate that he really is who he is depending on what access he’s trying to get to, what type of resource he’s using. And you recheck his credentials, ideally through multifactor authentication, which wasn’t built into an on prem Active Directory. But as we see here, on prem Active Directory, like I’ve already mentioned, is also the piece that syncs your identities to the cloud. And if you don’t enable MFA and if you don’t have good additional access policies defined that then invoke and, let’s say, implement the zero trust capabilities of the cloud, then you’re making a mistake. There is no real zero trust in the on prem world. You log on once and then you have a token and, yes, that does have some expiry, but technically anybody that has your token can do a lot of activities in that on prem world. Because basically when you log on, that’s a big piece of what AD is there for, the authentication part in the on prem world. Many companies still have domain joined machines.
Most would move into cloud joined devices these days, and basically do the whole authentication, the primary authentication of a work machine, against the cloud and then only reauthenticate against the on prem Active Directory when you do use a legacy application. But I couldn’t tell you how many, where we are. Are we 50/50? Are we 60/40? Or 30/70. Wherever we are, we’re on that road of moving to the cloud, and plenty of companies are still utilizing this mechanism. And for your, you know, domain joined servers, you obviously have the authentication also of those devices against the on prem Active Directory. And then, of course, with the tokens that you have from your authorization, from your authentication, you’re authorized against the various resources in your environment, files, data, apps, specifically, of course, business apps. A lot of the file services is a totally mixed world in many companies. You wanna get rid of classic file services, but OneDrive and SharePoint don’t replace everything, especially for some legacy applications, so you still need them, etcetera. And SQL databases and whatnot. So, but, like you just highlighted, you know, from that zero trust perspective, it’s just binding the cloud synchronization between the on prem Active Directory and the cloud directory Entra that makes it vulnerable at that zero trust level through the connectivity to on prem AD. Now mind you that sync, of course, is performed by services, Entra Connect or Entra Cloud Sync, that are using specific identities to have access. And those are highly privileged access both in the on prem world and in the cloud world, and they are prime targets for intruders to also bridge between these environments to attack the one from the other. And Microsoft is aware of these activities happening, and that’s why Microsoft is also investing quite a bit of money to improve the cloud sync. There is work going on.
I can’t say much more about that because it’s still in progress, but there’s good work going on to make that connection more secure. But let me also highlight why it’s so easy in the on prem world to attack the Active Directory. Like I said, weakest link. I’m not gonna spend too much time on this, phases of a ransomware, but it’s still good to get that overview that, you know, it’s typically that classic initial access that’s actually basically a separate business from ransomware gangs, that then sell their initial access, the initial access brokers. Once they broke into your environment, they sell that access on platforms in the dark net. So they might not even be the guys that then attack you to the next step, but they’ve gotten in somehow through your VPN, through some stolen credentials, through whatever way. And even by misusing your device drivers, BYOVD is bring your own vulnerable driver. It’s, of course, more good for the attacker than it is for you because companies don’t always update drivers properly. They might have a good hand at updating the Microsoft layer, but there’s plenty of drivers that are not part of the Microsoft ecosystem, and not everybody is keeping drivers basically safe. And so, basically, once somebody is in, be it through credentials or access that they acquired on the Internet, from that dark web, the next step is, of course, the recon phase, where they will have established a command and control system. That’s a fancy name for just one PC potentially and later multiple PCs that they have been successfully able to install some malware to. And then that is their machine of choice where they reconnect to and basically can check out the internal network. And AD is on the forefront of everything because it has access to all of your network, server or connected servers. It’s like a map of your on prem infrastructure for many.
Also, the groups that are available in AD tell you what permissions to expect, what systems to expect. Is there HR data? Is there development data? And then where is that actually allowed? AD gives a lot of that. And so that’s why you go after those vulnerabilities, you elevate your privileges to become a domain admin and then you’re in. Yeah. And that’s basically the classic attack path of most attacks that we see these days. And that is why it is so important to give that identity protection a lot of focus in companies. And ideally, you know, you want to prevent any breach, but you also have to prepare for the worst. If you have been breached, how do you basically get out of that? Yeah. And what I first want to show, I think it makes sense to speak through this quickly because it’s a bit technical, but I think it’s still good for any listener and viewer to be aware of this. There’s default weaknesses in Active Directory. And I’ve talked about this at different conferences and I have, you know, some blogs on these issues, but people are not necessarily totally aware of them. And this is default read permissions. Read, not necessarily write. There’s also issues with write permissions, but what does an intruder need at the beginning? Just needs to read information from Active Directory. Yeah. To do the reconnaissance. Right? To find out where are the weak spots. And by default, and most of our listeners will have this in their environment, and they don’t need it for AD to work, is that authenticated users, which is not only all your users in your forest, but also all the machines that are domain joined in the forest. They are authenticated users, and they have, by definition of their memberships in the Pre-Windows 2000 Compatible Access group. Pre-Windows 2000 compatible means before Windows 2000 was released, means more than twenty five years ago.
These are permissions that are for Windows NT, and they basically mean that I have full read permissions through this group. If I’m a member, which everybody is, yeah, I have full read permissions on all your objects, all your groups, all your users, even the inetOrgPerson object type that basically nobody is using, but it’s part of the LDAP definition, which is why Microsoft implemented it. At the root of each of your domains, these permissions are set. And it basically translates to the fact that an intruder can easily find out weak accounts, accounts that are allowed to not have a password, what group memberships are, who is a domain admin in the first place, etcetera etcetera. Yeah. And so plenty of reasons to actually remove that, which is not easily done, especially not on a Monday morning and not directly after this call. Yeah. That’s a plan that people need to have because, you know what, scripts, default scripts, other tools, they, in the meantime, expect those rights to be there. Although nobody needs it for the system to work, you would need to replace it with, you know, other accounts or machines in that group, and people can easily break their environment. The blog goes into much more details there. Another related one, and this one is one that can easily be fixed, is in the so called AdminSDHolder. And again, don’t wanna make this too technical, but it’s good to know that this exists. This is a special template permission, like it says SD holder, security identifier holder, yeah, or security descriptor holder, I should say, for admins. Yeah. And that is basically a template for permissions that the domain controller stamps on everybody that you make a domain admin or an account operator or enterprise admin, whatever, and it has these two permissions in it again. There you see it, Pre-Windows 2000 Compatible Access and Authenticated Users.
That is absolutely not required now for the system to work and that can easily be taken out without any of your business apps breaking. Yeah. Some IT, some mostly AD monitoring or even, you know, management tools, they might again expect that permission; it can easily be granted separately. It’s not really difficult, well described, I hope, in that blog post, actually white paper, with the link here in the slides that we’re gonna share, right? We’re gonna share the slides with our listeners. Yeah. And so the key thing is there is hardening to do, and even Microsoft realized this. Microsoft sort of asked the question, well, what do you want your AD to look like? These cute little doggies. Yeah. Or these dogs that really protect your AD. Yeah? And this is, I took the picture from a really cool blog post from Dagmar Heidecker from Microsoft. Worthwhile read that tiering and protecting your AD is absolutely worthwhile to do, just what we talked about, prevent an intruder from easily doing reconnaissance in your environment and knowing who are your domain admins, who do I need to attack. Okay? Yeah. And then we’re basically at our pre attack phase from that NIST cyber security framework. Okay. Do you cover a bit. So sorry, Guido. Love the picture of the dogs, by the way. Big dog lover here. Just taking perhaps a little bit of a step back, but how do you explain tools like Purple Knight? You mentioned it right at the beginning. You also have a tool called Forest Druid. Yeah. Great names, certainly stick in the mind. How do they help in identifying and mitigating some of those AD vulnerabilities that you’ve spoken about? Yeah. And they’re exactly made for just that. And they are free tools, and I have a slide coming up that shows links to that too. But they are made for this so called pre attack phase. If we look at the NIST cyber security framework, that’s basically what we’re looking at here.
That’s the whole circle, and the initial part here, the IOE and IOC, which are indicators of exposure, indicators of compromise, discovery and then the continuous security monitoring. This is specifically that first part, the discovery of what are my weaknesses. That’s what those tools help you to do. And they help you to do that in different ways. And we’re gonna come back to that circle in a minute. But I wanna make sure that people understand that our tools are not the only tools on the market. Yeah. There’s really good free vulnerability scanning tools out there on the market. And don’t hesitate to mention them either. Next to what we have with Purple Knight, there’s PingCastle, now part of Netwrix. So maybe a little bit more controlled than what it used to be. And next to what we have with Forest Druid, which is a graphical tool for attack path analysis and basically understanding my real tier zero. We’re gonna look at that in a bit more. There’s BloodHound that’s known for years for, especially, red teams that try to get into an AD environment. It’s a very powerful tool, but it’s also a bit more complicated to use. Yeah. The Forest Druid tool also helps, yeah, companies to understand where are relationships in my AD environment that might be risky. That’s what an attack path is about. That is meant for the defenders. That’s more easily digestible in how to actually find those relevant relationships. And that’s why we say it’s made for the defenders, and not to say that BloodHound can’t be used by the defenders, but they’re mostly overwhelmed by that tool. It’s a bit more complicated to use, very powerful nonetheless. Forest Druid is made to be a bit easier to use and again, for free, and has absolutely no hurdle when it comes to first needing to install something. Yeah. Because you run it right out of the box. Yeah.
Both with Purple Knight and with Forest Druid, you basically download, once you register for them, and those are the links here. You download a zip file. You unpack the zip file, you of course unblock it as you do when you download something from the net. You don’t run it on a privileged system, you run it on an unprivileged system of course, and then you execute the executable in the folder that you’ve just unpacked, and then you can either run Purple Knight or, with a download of Forest Druid, that tool right away without any installation. Yeah. So it’s very, very easy to use and we’re first gonna have a look at a few more details of what Purple Knight finds as an example. And this can be a big list, and I was even thinking, should I demo it or not? But I thought it’s actually quite okay to look at some screenshots. It’s totally easy to use, like I’ve already mentioned, but to understand what type of information comes back, that’s what we wanna do here. The tool goes against Entra ID; here in the screenshot I see it’s still an older one, showing Azure AD, but everybody knows that. It’s the same thing and it’s basically going against both worlds. Yeah. So you can check your weaknesses in Entra as well as in the on prem AD. We’ve got something like a hundred and fifty checks against both worlds and a few that are actually, like, hybrid. Yeah. Like that initial one here at the top that says eighty privileged users that are synced to Azure AD. You should not sync your domain admins to Azure AD. You have to have separate native accounts in the cloud that manage your cloud. You don’t sync privileged accounts. So that’s one of the initial and important warnings, where we basically compare what you’re actually doing in your environment, and then of course we give you more information to that. So for any of the checks that come up, there is like a read more element to it where you get this description and, let’s have a quick look at this.
This is a classic one that most companies will find: non default principals with DCSync rights on the domain. Why would people find this typically? Well, because to do a synchronization between on prem AD and Entra ID, there is an account, a service account, and you have it right here at the bottom, the MSOL account that’s through a default installation from the Azure AD Connect, Entra ID Connect tool. Most companies have deployed it that way and sort of went click, click, click, click, next, next, next, next. Some have pre created their own service account, but no matter what, it has a whole lot of permissions in your environment. And the important one is this guy, DS-Replication-Get-Changes-All. And that one allows that account, or any other account like this one that I’ve highlighted here, to basically use a proper sync command, yeah, to read any of your objects out of AD, and the “all” part means including the hash of the password. That’s how Entra ID can actually know what your password on prem is, because your hash is then further hashed before it’s then sent into the cloud. So it’s double encrypted, but still that’s how Microsoft can actually do, you know, log on with the same password in the cloud by syncing those passwords, which is actually recommended best practice to do. Yeah. So it’s not like a bad thing. The reason why it’s recommended is, first of all, it’s easier for your users than having different passwords in the one area than the other one. But Microsoft is spending a ton of money, I don’t know if it’s daily or monthly, but certainly very often, to reap the dark net of stolen credentials and then to check if your credentials have been breached and then to tell you this password is out there in the wild. Yeah? And especially that user has been breached. So it’s a good function that you wouldn’t know about until you actually use that mechanism, besides having a high, you know, positive user impact.
That’s why everybody will see this, they’ll get a warning, but the warning is important because it then, you know, starts, it should help users to realize, oh, that system that has been used for my syncing, that is a critical system. It actually belongs to your tier zero, and it should not be some PC sitting under the desk of, you know, just any office worker, or a server where just any, let’s say, lower level server admin can administer a server. It’s a tier zero system that shall only be administered by a tier zero admin, which is a domain admin. So that’s ways that intruders elevate their privileges through these type of systems. That’s why we keep that warning in there, that people realize that, and of course you want to know if somebody else has those permissions too. I’m not going to explain all of these in the same level of detail, but another good example is computer accounts, or even user accounts, with unconstrained delegation. It’s a Kerberos capability that allows the forwarding of anybody’s token when there is, think of malware, malware running on a PC, or actually it made it to a server, and then on that server it just needs to wait, you know, for maybe a domain admin to come by to log on, which they shouldn’t if it’s a lower level system, but people do. Yeah. But if it’s not a tier zero system, you know, your app server or whatnot, file server, an intruder might have made it there. And now that server, for reasons, for some applications that might need it, that might need Kerberos delegation, could be SQL systems, could be some web servers and whatnot. That system with this configuration allows an intruder to easily forward any credentials to any other system in the environment. That’s unconstrained delegation. The other option to use this and to configure it the right way is to at least use constrained delegation, where you would only specify specific services and systems, target systems that that token can be forwarded to.
Most, let's say, less security-aware companies might just be too lazy to go through the effort to find all that out. It just works when you have unconstrained delegation, and that's purely for the intruder, and Purple Knight finds this. I should actually say, Jason, I should add that Purple Knight of course runs as a normal user. You don't need to have a domain admin to figure this out. You're gonna use your own office account, not the admin account, because everybody by default has the permissions to read these permissions. And that's why the reconnaissance in AD is so easy, because of those default permissions, unless you lock them down. Really interesting. Hardly anybody does. I'll give you one more example, because we see this all the time and it's just another easy one to misuse and to overlook. We're looking at a domain controller here, the domain controller and the owner of the domain controller object. And if that is not a domain admin, or the default administrator of the domain, again, just a synonym for a tier zero administrator, if that's not one of them, what typically has happened is that the AD team needed a new server as a domain controller. Some other server management team provisioned it. Classic shared workload in companies, shared responsibilities. They provisioned it, and then they hand over that server to the domain admins. But they've already domain-joined it, through SCCM, through whatever mechanisms, even manually. And whoever joins it to the domain is the owner of that object. And then the domain admins aren't aware of that. They promote it to a domain controller. That's an act that you then do, and can only do, as a domain admin. But the owner remains that person that joined it to the domain.
So that's something that we see all the time, and again, an easy bridge for an intruder to capture that one account and then get to the domain controller, and then you are the domain controller. Once you have that permission as an owner, you can change the domain controller computer account's password and log on as a domain controller. Easy. So we see it all over the place, and it's an easy fix, of course, because you can just do this. And that's what Purple Knight is about, to help you understand that better. Just very briefly here for Forest Druid, because I'm obviously aware of the time. Don't want to talk too much. We've got some other stuff to talk about. But the Forest Druid tool is interactively helping you to analyze what those relationships are that maybe should be, and you need to be aware of, or shouldn't be, because maybe your desktop admins have been granted the permission to manage all group policies. And one of those group policies is targeting your domain admins. That's, again, another bridge. Jason.

So, we had a question come in. It's around Purple Knight. And the question is: is it possible to use Purple Knight if we lower the read permissions for authenticated users?

Yeah, absolutely. Well, the point is Purple Knight will then be able to read what you can read, or an intruder could read, with those lower permissions. And if you say, that's cool, now I know what an intruder can actually still see, because that's still an important learning, then of course you can run it with an elevated account. The tool still only has read actions, and then it can see the rest that is not visible for a user with lower permissions. So Purple Knight doesn't get more permissions than you give it. So it still runs, no problem. And you actually have the chance to see the impact of removing those permissions. So in a lab, absolutely do it.
And it's an easy fix, of course, to put that Authenticated Users back into that Pre-Windows 2000 Compatible Access group too. So you can play around in a lab, but just don't do it too quick in production. That does take some testing. And if it's written how to test it and how to sort of move yourself forward with this process, you can do it, but it's a chore. It's much easier to do it at the beginning of a deployment, which most companies have done ten years ago or longer. So there's not that many new ADs being built these days. So that's why those permissions survive. Even in Windows Server 2025, if you were to deploy a new domain, that permission would be there. But people will do an in-place upgrade, and then they drag the permissions along that they've had for years. Okay?

Great. So I hope that answered the question. If it didn't, let me know and we'll arrange a follow-up call. But we can move to the next slide, because I've prepared a question for this slide. Yes. So, Guido, because we're talking about continuous monitoring here: how does continuous security monitoring and automated red teaming, those red teaming exercises rather, help in preemptively identifying AD vulnerabilities and weaknesses?

I think the key aspect here is, first of all, that you do it continuously, because any of the tools, as powerful as they are, and our clients love Purple Knight, they're point in time. Even if you use other tools, a lot of them are point in time. You check something out now, and then you get an answer of what it is now. But the tools that monitor continuously, they can obviously not only tell you what's changed, but they can alert you of changes. And that's a huge difference in how it can help you.
That's something that maybe was done legitimately by an admin because he thought it was something that an application needed, but it's a risk. That's why we are also saying that you need to know your environment, whatever changes in the environment, because if it's a malicious change or a wanted change by an administrator, how do you know what was truly done? Active Directory doesn't give you all the information in the logs, especially if you are relying on literally just the audit logs. It's very easy to hide from an Active Directory audit log. Mimikatz DCShadow is one of those attacks that's been used, by writing from a different system that behaves like a domain controller, but no audit is visible, because the domain controller only writes an audit entry when the change originates on itself. Group policy changes: you have a simple log, but not what was changed in the GPO. There's plenty of things that can be done wrong, and of course you can also wrongly configure your settings. That's why we say it's really good to scan your Active Directory continuously for unexpected changes. And of course there's examples that I'm naming here on the slide. But the third one, the monitoring solution, is of course our commercial monitoring solution that fills into that space. Directory Services Protector from Semperis scans the Active Directory for changes, not just relying on the audit logs. We do also read those, but we read all changes at the replication layer. So whatever domain controllers exchange, even if they don't write stuff into the audit log because of the attacks that I've just mentioned, we capture, and we can also undo for the company, in your environment. The key thing is, often you don't realize that a change was an attack until later, until you do forensic work. And when you don't have a trace of what was changed in your environment, how do you get trust back into your AD?
And that's what we give you. We show you all traces of what happened and can also revert them, ideally automatically, because we of course have that too. But honestly, the more important part is to even understand what's happened, to then act upon it. Of course, during an attack, and we're gonna briefly talk about that too, it's important to lock down the environment and basically ensure that you have a chance to even do the cleanup. But if you don't know what's changed, it's really tough to do a cleanup. And that's where we're at that next, let's say, layer that we wanna talk about last: that attack phase, which is when it's sort of too late. You've basically been breached. And let's be clear: whatever tools you have, there's new zero-days all the time, and they might still get through. Your tools reduce the likelihood that they get through, but intruders might still make it and then wipe out your whole farms. And AD is just part of one machine on your VMware farm now, or multiple machines, but they're all down and dusted. What then? And that's the last piece that we'd look at now.

So how does this Semperis approach to AD disaster recovery minimize downtime, and perhaps even more importantly, after the fact, ensure a clean recovery?

Exactly. This is actually where we started, with Active Directory Forest Recovery; that was our initial capability. Because basically we realized that this is, you know, Semperis was founded in 2013. And back in 2014, 2015, clearly, actually even the few years before that, there was a rise of attacks against companies, with ransomware just being born. And the point is, the probability of a company actually being hit to totally be down isn't because somebody's making a mistake, isn't because of some natural disaster. Because actually that's what Active Directory is well protected for, because you have multiple machines.
But ransomware takes all of them down, encrypts everything, and doesn't halt at domain controllers, and you can't really get your environment back if you don't get your domain controllers back, if you don't get your identities back. That's why we as a company focused on that identity recovery, and basically want to help companies that have gotten to that prompt that you don't want to see on any of your machines. This is actually a modern version, from the recent Kaseya breach, a screenshot provided by Huntress, who had helped with that analysis. And I'm telling you, these are screens that you don't want to see. But the classic recovery path of Active Directory when companies do this: this is a visual representation of the Microsoft AD forest recovery guide. Plenty of steps that you need to take, and the classic backup tools help you with exactly that first one, the recovery of a server. And this is where we wanted to differentiate ourselves, that we help you with all of those steps. We have fully automated all of those steps, and the core element is that we don't back up the operating system. We take your AD to a fresh new system, because that's the only thing that'll help you after ransomware anyways. Your backups, your classic server backups, may contain the malware, not the ransom, the malware that the ransomware guys have spread around your systems, and you may easily re-infect your environment. And to get a quick understanding, we still have some time, so that's good, let's talk about this for a moment. This is a quick overview of a real-life incident, and I'll lead you a little bit through this, because this is an example of a company that had been completely breached. So up here is the compromised Active Directory. Think of this as the starting point where we were brought into this incident response case, and it was still running at the time. They were not completely wiped at that time.
So typically when you're at that stage where intruders have completely compromised you, it's just a matter of moments where they click a button and you're done. So because nobody knew if that was gonna be the same case here, we put in our ADFR backup system, which is deployed within an hour, on a fresh clean system, and it only needs two ports to connect. We have an agent running on the domain controller; we connect to that agent and then do the backup cleanly without taking the operating system. So we just take the AD data, SYSVOL, and everything that's needed. Then we're obviously able to put this backup into a clean isolated network and recover on new clean systems without bringing the malware along. Of course, at that time, the backup of AD itself still contained contaminated users. What I mean with that is the domain admins were compromised. Your most important accounts were compromised. Of course, you can't trust them anymore. You don't just reset the password, you disable all of that. But before we even continued, we performed a deep-dive vulnerability analysis, and we basically put the customer, or the victim, at this stage, they're now a customer, but back then it was a partner of ours that brought us in, and we basically told them: you have to go completely offline now, immediately, so that we have a chance to help you and clean that Active Directory up back to a working and trustworthy state. But they couldn't, because they were a telco, a company that said we have to be online until the weekend. And then we said, okay, what we can do is we can fix your Active Directory in the isolated environment, do all the hardening, you take the risk, and you continue running in production if you want to take that risk. Because, you know, the guys, if you don't block the Internet and if you don't block all those ports in parallel, they can do stuff. They've already stolen data. You don't get it back.
But yes, they agreed, and we fixed all of their missing hardening in their Active Directory to make it hard, to implement a tiering model, to replace all privileged accounts, and basically brought back a hardened AD after, of course, then shutting down all production systems, which I'm telling you was a moment of big blood pressure. And anyways, that solved it. We basically sucked the air out of the attack and regained control. In parallel, our partner was of course cutting down, shutting down all the command-and-control systems, which didn't have that effect earlier, because once you're in, you have multiple ways, and you don't even know how far if you have privileges. And you couldn't cut them out as fast as people believe; people think it's a quick thing, but a boat with a thousand holes you gotta bring to a dry dock to fix it. You can't fix everything at once. And so this is the key. Like I said, recovery is important, and it's important that it's fast and malware-free, but then there's still work to be done to get back into safety, and we do have tools to support that phase two. So it's not just the recovery part. That's why we say, when we talk about capabilities in Active Directory recovery, ensure that you have a tool that doesn't back up the malware. That means concentrate on the capability itself, which can be recovered to different target systems. That's almost an added benefit out of that first feature, because you don't bring along the hardware abstraction layer. You don't bring along drivers. You just bring the data, the AD data, along, and then you can go from physical to virtual and whatnot. And of course, ideally, fully automated. And yeah, you guessed it, that's of course what we have. And at last, I just want to add, before we get to the last Q&A, just don't forget the basics. A lot of things, tiering, isn't done much through technology and software.
It's done through processes and sticking to those processes.

Well, Guido, thank you so much. I have more questions, but rather than me ask all of mine, does anyone have any other questions? We've got just over three minutes remaining. If we don't, I'll give you another couple of seconds. You just start typing. Okay. Well, let me ask you a couple of questions then. Why are ransomware and wipers considered the biggest threats? I know you covered that, but can you tell us why?

Yeah. I think we all have to realize that we're living in a world where we've got two types of attackers. Those that just want to get into your network and do reconnaissance on your intellectual property and steal it. They're actually not after destruction. They're more after data, and that's what we've had here in the example. They could have easily taken down this client and then requested a ransom. They didn't; they were after data. And then the other part, and those are unfortunately also, you know, you can even categorize countries by how they behave. The Chinese are more after data, and North Korea, Russia are more after money. And they go and do these big ransomware attacks. So it's a big issue. Ransomware has had a rise. Numbers go up and down, but it's certainly not pretty. It's still a big risk, because if you're down and you're not prepared, people are inclined to pay a ransom, and that's not a good thing. So I always say, get prepared so that you don't even get into the pressure of needing to pay. Have good backup plans. And AD is special from a recovery perspective. It's totally complicated. So monitoring and recovery of Active Directory will also increase your cyber resilience capabilities, which then also reduce your risk in the cloud. So it's not just the on-prem world that you protect this way. Absolutely.
I think a lot of people imagine a couple of teenagers in a back bedroom trying to do this stuff, but you've got nation states investing a lot of money to try and get a lot of money. So there's a lot of resource behind this type of attack. Absolutely. Well, we've got some more questions coming in, but we're down to a minute and a half. So we'll answer those after the webinar, and thank you very much for sending those through. But just to close, I'd just like to let everyone know, Guido said it right at the beginning, but I'll just reiterate it: you'll receive a copy of the presentation and a link to the recording after the fact. But it's been a pleasure to have you speaking today. Glad to be here. Thank you for your time. And thanks everyone. Thanks to everyone for listening and watching. So, our contact details are on the screen now. I'm Jason Goode. You're more than welcome to reach out to me if I don't get back to you, if you have a question. But equally, if you have a question, please feel free to reach out to me. Okay. Well, thanks very much, and we'll give you thirty seconds back. Bye bye, everyone. Bye.
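The four Purple Knight findings Guido walks through in the webinar (non-default principals with replication rights on the domain, unconstrained delegation, the owner of each domain controller's computer object, and the Pre-Windows 2000 Compatible Access question from the Q&A), expressed as an added PowerShell example. This is not code from the webinar, from Semperis, or from Purple Knight or Forest Druid; it uses only the RSAT ActiveDirectory module and, as Guido points out, runs read-only as an ordinary domain user on a domain-joined host. The GUIDs and well-known SIDs are the documented AD values; the allow-lists of "expected" principals and owners are my assumptions and should be adjusted to your forest before you act on the output.

```powershell
# Added example (not from the webinar, Semperis, Purple Knight or Forest Druid): read-only
# checks for the four AD findings discussed above. Needs the RSAT ActiveDirectory module
# (Import-Module also creates the AD: drive used by Get-Acl) and an ordinary domain user.
# ASSUMPTIONS: $expectedRepl and $expectedOwners are my allow-lists; tune them to your forest.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$nb       = $domain.NetBIOSName
$dcDns    = @((Get-ADDomainController -Filter *).ComputerObjectDN)

# --- 1. Who holds replication (DCSync) rights on the domain naming context? ---------------
# Well-known controlAccessRight GUIDs from the AD schema.
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All (password hashes)
$getFiltered   = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'  # DS-Replication-Get-Changes-In-Filtered-Set
$replGuids     = @($getChanges, $getChangesAll, $getFiltered)
$GENERIC_ALL   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$EXTENDED      = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Assumption: principals that hold these rights in a default domain. An Entra Connect
# service account (MSOL_*) will also show up; expected, but its host is then tier zero.
$expectedRepl = @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM",
                  "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS",
                  "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers",
                  "$nb\Domain Admins", "$nb\Enterprise Admins")

$dcsyncAces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
    $rights = [int]$_.ActiveDirectoryRights
    $_.AccessControlType -eq 'Allow' -and (
        (($rights -band $GENERIC_ALL) -eq $GENERIC_ALL) -or        # full control implies DCSync
        ((($rights -band $EXTENDED) -ne 0) -and
         ($_.ObjectType -eq [guid]::Empty -or $replGuids -contains $_.ObjectType)))
} | ForEach-Object {
    $name = if ($_.ObjectType -eq $getChangesAll) { 'DS-Replication-Get-Changes-All' }
            elseif ($_.ObjectType -eq $getChanges) { 'DS-Replication-Get-Changes' }
            elseif ($_.ObjectType -eq $getFiltered) { 'DS-Replication-Get-Changes-In-Filtered-Set' }
            else { 'GenericAll / all extended rights' }
    [pscustomobject]@{
        Principal = $_.IdentityReference.Value
        Right     = $name
        Default   = $expectedRepl -contains $_.IdentityReference.Value
    }
}
"== Replication rights on $domainDN (Default = expected holder; review the rest) =="
$dcsyncAces | Sort-Object Default, Principal | Format-Table -AutoSize

# --- 2. Unconstrained delegation. DCs carry TRUSTED_FOR_DELEGATION by design and are
#        excluded; any other computer or user with it can forward captured TGTs anywhere.
$unconstrained = @(
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
        Where-Object { $dcDns -notcontains $_.DistinguishedName }
    Get-ADUser -Filter { TrustedForDelegation -eq $true }
) | Select-Object ObjectClass, SamAccountName, DistinguishedName
"`n== Non-DC accounts with unconstrained delegation (move to constrained delegation) =="
$unconstrained | Format-Table -AutoSize

# --- 3. Owner of each domain controller's computer object. Whoever domain-joined the box
#        owns the object and can rewrite its ACL, so anything but tier zero is a bridge.
$expectedOwners = @("$nb\Domain Admins", "BUILTIN\Administrators")   # assumption
$dcOwners = foreach ($dn in $dcDns) {
    $owner = (Get-Acl -Path "AD:\$dn").Owner
    [pscustomobject]@{ DomainController = $dn; Owner = $owner
                       TierZeroOwner = ($expectedOwners -contains $owner) }
}
"`n== Domain controller object owners =="
$dcOwners | Format-Table -AutoSize

# --- 4. Is the broad default read access still in place? Authenticated Users (S-1-5-11) in
#        "Pre-Windows 2000 Compatible Access" is what lets any user run the checks above.
$wellKnown = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon'; 'S-1-5-11' = 'Authenticated Users' }
$pre2k = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member |
    ForEach-Object { if ($_ -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals') { $matches[1] } }
"`n== Pre-Windows 2000 Compatible Access well-known members =="
foreach ($sid in $pre2k) { "{0,-10} {1}" -f $sid, $wellKnown[$sid] }
if ($pre2k -contains 'S-1-5-11') {
    "Authenticated Users is present: every domain user can read the ACLs and delegation flags above."
}
```

Read the first table the way the webinar does: an MSOL_* or other Entra Connect account with DS-Replication-Get-Changes-All is normal, but it means the server running the connector is a tier zero system; any other non-default principal there needs a reason. Removing Authenticated Users from Pre-Windows 2000 Compatible Access (section 4) will change what this script itself can see, which is why Guido recommends trying that in a lab first and then re-running the checks with an elevated account to compare.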
