I'm Shawn Barker, product manager at Quest Software. I'm going to show you three examples of how Quest's cybersecurity products work in tandem with BloodHound Enterprise from SpecterOps to identify your exposure to attacks and help secure your Active Directory environment. Over the years, many AD administrators have become accustomed to thinking of AD security in terms of lists of configuration settings, hardening the Directory and servers by going through a long checklist of configurations to lock down.
That's where adversaries have traditionally had an advantage because they think in graphs. An attacker's ultimate goal is to get hold of your organization's most valuable assets. If they are able to compromise an ordinary user account, they only need to find one path from that account to your critical assets.
Let's examine what an attack path looks like. This scenario starts with an ordinary user being phished, but through a series of group memberships, the attacker is able to gain access to a system where a privileged service account is logged in, and they're able to harvest its password. An attack path is a series of escalating privileges, and this is how an adversary can start with very little, and through a series of trivial steps, gain access to your critical assets.
We start with our initial user, David, who was phished. He clicked on the kind of link that you know you shouldn't click on. So now the adversary has control over that account. David is a member of the help desk group. Because of security group delegation, members of a group get all the privileges that come with that group.
So any permission held by the help desk group is now granted to David. The help desk group also belongs to another group called tier two support. So now we're dealing with group nesting, which is notoriously difficult to unravel. This is very, very common and can accidentally give a lot of privilege to our ordinary David user, so that he gets all the privileges that go along with the second group. Then he's suddenly overprivileged.
That tier two support group grants local administrative rights over the PCI Server 01 machine. The PCI server has a logon session from a service account. It's pretty trivial for an adversary to abuse that using the Windows token model and harvest those credentials. And so if the adversary gains access to the service account, then they have the AddMember privilege over the Domain Admins group, and they've completed our attack path.
SpecterOps BloodHound Enterprise levels the playing field and tips the scales in your favor by identifying all attack paths in your Active Directory environment. At the top of the graph are your most valuable assets. BloodHound Enterprise automatically adds most of your tier zero assets to this node, including domain controllers, privileged groups, and domain-level GPOs.
And you can add additional assets, such as the server that hosts your Active Directory backups. BloodHound Enterprise uses graph theory to calculate and visually identify all attack paths from ordinary user accounts and computers to your most critical assets. Since most environments will have thousands of attack paths, BloodHound Enterprise focuses on these choke points at the top, the last step in an attack path to the tier zero assets.
The reason for this is that by remediating the choke point, you are eliminating the hundreds or thousands of paths below that point. So if an attacker were to compromise one of the accounts or nodes underneath it, they can no longer escalate their privileges to the point of accessing your tier zero assets.
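The graph reasoning described above, worked through as an added example (not BloodHound or Quest code). It models the video's scenario as a directed graph with constructed nodes and edge kinds (MemberOf, AdminTo, HasSession, AddMember, all assumed names), enumerates every path from ordinary principals to the tier zero set, identifies the choke point as the last edge into tier zero, and then shows that removing that single edge eliminates every path beneath it.

```python
"""Toy attack-path graph: enumerate paths to tier zero and find choke points.

Added illustration of the graph-based view the video describes. The node
names, relationship kinds and membership data below are constructed for the
example, modelled on the David -> help desk -> tier two support ->
PCI server -> service account -> Domain Admins scenario.
"""
from collections import defaultdict

# Directed edges (source, relationship, target). Constructed sample data.
# HasSession follows the Computer -> User direction BloodHound uses.
EDGES = [
    ("David", "MemberOf", "HelpDesk"),
    ("HelpDesk", "MemberOf", "Tier2Support"),
    ("Tier2Support", "AdminTo", "PCIServer01"),
    ("PCIServer01", "HasSession", "svc_backup"),
    ("svc_backup", "AddMember", "Domain Admins"),
    ("Alice", "MemberOf", "HelpDesk"),
    ("Bob", "MemberOf", "Tier2Support"),
    ("Carol", "MemberOf", "Finance"),  # Finance leads nowhere sensitive
]

TIER_ZERO = {"Domain Admins"}           # the top-of-graph asset set
ORDINARY_USERS = ["David", "Alice", "Bob", "Carol"]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_attack_paths(graph, start, targets):
    """Every simple path from `start` to any node in `targets` (depth-first).

    A path is a list of (relationship, node) hops, excluding the start node.
    """
    paths = []

    def dfs(node, path, seen):
        if node in targets:
            paths.append(path)
            return
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:            # avoid cycles from mutual nesting
                dfs(nxt, path + [(rel, nxt)], seen | {nxt})

    dfs(start, [], {start})
    return paths


def exposed_principals(graph, principals, targets):
    """Principals that have at least one path into tier zero."""
    return {p for p in principals if find_attack_paths(graph, p, targets)}


def choke_points(graph, principals, targets):
    """For each final hop into tier zero, the number of principals that
    reach tier zero through it. Fixing the hop with the largest count
    removes the most paths at once."""
    reached_via = defaultdict(set)
    for p in principals:
        for path in find_attack_paths(graph, p, targets):
            src = path[-2][1] if len(path) > 1 else p
            rel, dst = path[-1]
            reached_via[(src, rel, dst)].add(p)
    return {edge: len(ps) for edge, ps in reached_via.items()}


def exposure_percent(graph, principals, targets):
    """Share of principals with a path to tier zero, as a percentage."""
    if not principals:
        return 0.0
    return 100.0 * len(exposed_principals(graph, principals, targets)) / len(principals)


def remove_edge(edges, edge):
    """Simulate remediating one relationship (e.g. stripping AddMember)."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for hops in find_attack_paths(g, "David", TIER_ZERO):
        print("David -> " + " -> ".join(f"[{rel}] {node}" for rel, node in hops))
    print("choke points:", choke_points(g, ORDINARY_USERS, TIER_ZERO))
    print("exposure before:", exposure_percent(g, ORDINARY_USERS, TIER_ZERO))
    fixed = build_graph(remove_edge(EDGES, ("svc_backup", "AddMember", "Domain Admins")))
    print("exposure after:", exposure_percent(fixed, ORDINARY_USERS, TIER_ZERO))
```

Here the single AddMember edge from the service account is the choke point: three of the four ordinary users (75%) reach Domain Admins only through it, and removing that one relationship drops exposure to zero without touching any of the nested group memberships further down.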
BloodHound Enterprise further prioritizes these choke points to help you focus on the ones that will most drastically reduce your exposure and improve your AD security posture. By clicking on the most critical choke point, the product shows me a path that is exposed to 99% of security principals in my network. On the right are all the vulnerabilities that can be exploited. If I select one of the critical exploits, logons from tier zero users, BloodHound identifies the accounts that are exposed by being used interactively.
It also gives me practical step-by-step guidance on how to remediate this vulnerability and eliminate the attack path. In all reality, though, chances are you're managing an Active Directory that is more than two decades old at this point. There are so many application dependencies on the Directory and years of configurations and misconfigurations to support various internal projects. In all likelihood, it will be weeks or months before you can investigate all those dependencies and remediate the identified vulnerability without causing problems downstream.
This is where Quest On Demand Audit can help. On Demand Audit tracks all change activity in your on-premises AD as well as all user activity across Azure AD and Microsoft 365 services. On Demand Audit also tracks all authentications and logons to AD. So while I'm waiting for the change control process to remediate this attack path, I can define a search, which will alert my security team immediately when any of the security principals that BloodHound identified as part of this attack path are used to log into the Directory.
The search is showing all authentications in the last 24 hours. But if I turn this into an alert, I will be proactively notified by email of every future logon by these sensitive accounts. In addition, On Demand Audit monitors dozens of indicators of compromise to alert you when any of the attack paths in your environment are being exploited, including IOCs, such as domain-level GPO linking, DCShadow attacks, and unauthorized copying of the NTDS.dit file.
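The compensating control described above, as an added example that is not On Demand Audit or BloodHound code: a watchlist of the principals on the attack path, applied to a constructed stream of audit events, which flags every logon by those accounts inside a 24-hour window and separately flags a membership change to a tier zero group as an indicator of compromise. The event field names (time, event, account, source, target) and the sample records are assumed for the example.

```python
"""Watchlist logon alerting and a tier-zero membership IoC over audit events.

Added example of the interim detection the video describes while a choke
point awaits change control. Event schema and records are constructed.
"""
from datetime import datetime, timedelta, timezone

# Principals BloodHound-style analysis placed on the attack path (assumed).
WATCHLIST = {"david", "svc_backup"}
TIER_ZERO_GROUPS = {"Domain Admins"}

# Constructed audit events; timestamps are ISO 8601 in UTC.
EVENTS = [
    {"time": "2024-05-01T08:02:11Z", "event": "Logon", "account": "DAVID", "source": "WS-104"},
    {"time": "2024-05-01T08:15:40Z", "event": "Logon", "account": "svc_backup", "source": "PCIServer01"},
    {"time": "2024-05-01T09:30:00Z", "event": "Logon", "account": "carol", "source": "WS-221"},
    {"time": "2024-04-28T10:00:00Z", "event": "Logon", "account": "svc_backup", "source": "PCIServer01"},
    {"time": "2024-05-01T09:45:00Z", "event": "GroupMemberAdded", "account": "svc_backup", "target": "Domain Admins"},
]


def parse_time(stamp):
    """Parse an ISO 8601 UTC timestamp; tolerate the trailing 'Z'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def watchlist_logons(events, watchlist, now, hours=24):
    """Logon events by watchlisted accounts within the last `hours`.

    Account names are compared case-insensitively, as AD sAMAccountNames are.
    """
    cutoff = now - timedelta(hours=hours)
    hits = []
    for ev in events:
        if ev["event"] != "Logon":
            continue
        if ev["account"].lower() not in {w.lower() for w in watchlist}:
            continue
        if parse_time(ev["time"]) < cutoff:
            continue                     # outside the alert window
        hits.append(ev)
    return hits


def tier_zero_membership_changes(events, tier_zero_groups):
    """Membership additions to any tier zero group, regardless of who did it."""
    return [
        ev for ev in events
        if ev["event"] == "GroupMemberAdded" and ev.get("target") in tier_zero_groups
    ]


def format_alert(ev):
    """One-line alert text suitable for an e-mail or ticket body."""
    where = ev.get("source") or ev.get("target", "")
    return f"{ev['time']} {ev['event']} account={ev['account']} {where}"


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)   # constructed 'now'
    for ev in watchlist_logons(EVENTS, WATCHLIST, now):
        print("ALERT watchlist logon:", format_alert(ev))
    for ev in tier_zero_membership_changes(EVENTS, TIER_ZERO_GROUPS):
        print("ALERT tier zero change:", format_alert(ev))
```

Two of the four logons match: David's and the service account's current-day logons; the carol logon is not on the watchlist and the older svc_backup logon falls outside the 24-hour window. The GroupMemberAdded event is reported on its own rule because an addition to Domain Admins is the completed attack path, not just a precursor.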
GPOs are arguably the most sensitive objects in AD, since they have the ability to apply configurations and create vulnerabilities across the entire environment. BloodHound includes domain-level GPOs in the list of tier zero assets by default, and you can add additional sensitive GPOs to the list.
As there will always be some low-risk attack paths in your environment,