I'm Shawn Barker, Product Manager at Quest Software. I'm going to show you three examples of how Quest's cybersecurity products work in tandem with BloodHound Enterprise from SpecterOps to identify your exposure to attacks and help secure your Active Directory environment. Over the years, many AD administrators have become accustomed to thinking of AD security in terms of lists of configuration settings, hardening the Directory and servers by going through a long checklist of configurations to lock down.
That's where adversaries have traditionally had an advantage because they think in graphs. An attacker's ultimate goal is to get hold of your organization's most valuable assets. If they are able to compromise an ordinary user account, they only need to find one path from that account to your critical assets.
Let's examine what an attack path looks like. This scenario starts with an ordinary user being phished, but through a series of group memberships, the attacker is able to gain access to a system where a privileged service account is logged in, and they're able to harvest its password. An attack path is a series of escalating privileges, and this is how an adversary can start with very little, and through a series of trivial steps, gain access to your critical assets.
We start with our initial user, David, who was phished. He clicked on a link he shouldn't have clicked on. So now the adversary has control over that account. David is a member of the help desk group. Because of security group delegation, members of a group get all the privileges that come with that group.
So any permission held by the help desk group is now granted to David. The help desk group also belongs to another group called tier two support. So now we're dealing with group nesting, which is notoriously difficult to unravel. This is very, very common and can accidentally give a lot of privilege to our ordinary David user, so that he gets all the privileges that go along with the second group. Then he's suddenly overprivileged.
That tier two support group grants local administrative rights over the PCI Server 01 machine. The PCI server has a logon session from a service account. It's pretty trivial for an adversary to abuse that using the Windows token model and harvest those credentials. And so if the adversary gains access to the service account, then they have the AddMember privilege over the Domain Admins group, and they've completed our attack path.
SpecterOps BloodHound Enterprise levels the playing field and tips the scales in your favor by identifying all attack paths in your Active Directory environment. At the top of the graph are your most valuable assets. BloodHound Enterprise automatically adds most of your tier zero assets to this node, including domain controllers, privileged groups, and domain-level GPOs.
And you can add additional assets, such as the server that hosts your Active Directory backups. BloodHound Enterprise uses graph theory to calculate and visually identify all attack paths from ordinary user accounts and computers to your most critical assets. Since most environments will have thousands of attack paths, BloodHound Enterprise focuses on these choke points at the top, the last step in an attack path to the tier zero assets.
The reason for this is that by remediating the choke point, you are eliminating the hundreds or thousands of paths below that point. So if an attacker were to compromise one of the accounts or nodes underneath it, they can no longer escalate their privileges to the point of accessing your tier zero assets.
BloodHound Enterprise further prioritizes these choke points to help you focus on the ones that will most drastically reduce your exposure and improve your AD security posture. By clicking on the most critical choke point, the product shows me a path that is exposed to 99% of security principals in my network. On the right are all the vulnerabilities that can be exploited. If I select one of the critical exploits, logons from tier zero users, BloodHound identifies the accounts that are exposed by being used interactively.
It also gives me practical step-by-step guidance on how to remediate this vulnerability and eliminate the attack path. In all reality, though, chances are you're managing an Active Directory that is more than two decades old at this point. There are so many application dependencies on the Directory and years of configurations and misconfigurations to support various internal projects. In all likelihood, it will be weeks or months before you can investigate all those dependencies and remediate the identified vulnerability without causing problems downstream.
This is where Quest On Demand Audit can help. On Demand Audit tracks all change activity in your on-premises AD as well as all user activity across Azure AD and Microsoft 365 services. On Demand Audit also tracks all authentications and logons to AD. So while I'm waiting for the change control process to remediate this attack path, I can define a search which will alert my security team immediately when any of the security principals that BloodHound identified as part of this attack path are used to log into the Directory.
The search is showing all authentications in the last 24 hours. But if I turn this into an alert, I will be proactively notified by email of every future logon by these sensitive accounts. In addition, On Demand Audit monitors dozens of indicators of compromise to alert you when any of the attack paths in your environment are being exploited, including IOCs, such as domain-level GPO linking, DCShadow attacks, and unauthorized copying of the NTDS.dit file.
GPOs are arguably the most sensitive objects in AD, since they have the ability to apply configurations and create vulnerabilities across the entire environment. BloodHound includes domain-level GPOs in the list of tier zero assets by default, and you can add additional sensitive GPOs to the list.
As there will always be some low-risk attack paths in your environment, it is crucial that an extra level of security exists around the modification and application of GPOs in your organization. Quest GPOAdmin enforces change control approval workflows to Group Policy Objects so that they cannot be easily exploited. GPOAdmin ensures that GPOs are continually validated through automated attestation. It enables you to quickly revert back to a working GPO in the case of an inadvertent change or exploitation by an adversary.
In addition, Quest On Demand Audit tracks every setting change that is made to your most critical GPOs and when new GPOs are linked to your domain root. Again, I can take the built-in search and convert it into an email alert to be proactively notified when any change is made to sensitive GPOs. And with Quest Change Auditor, the on-premises auditing component of On Demand Audit, you can block new GPOs from being linked to your domain root, reducing the possible attack surface for an adversary.
As you remediate your exposure by eliminating attack paths that have been identified, BloodHound Enterprise tracks the improvement to your security posture over time. Since BloodHound helps you by prioritizing the choke points that will remove the most attack paths, it's easy to focus your remediation efforts where they will make the most impact. This is a top down view from your tier zero assets, showing dozens of attack paths.
BloodHound identifies the choke points, the final segments an attacker would use to access your most valuable assets. It prioritizes the choke points based on the percentage of accounts and nodes that the choke point exposes. For example, the choke point on the left is exposed to 92% of the network.
Therefore, remediating that critical choke point will eliminate a significant number of attack paths. Once that choke point is severed, the organization's exposure to attack improves from 92% down to 37%, as there are now significantly fewer attack paths that an adversary can leverage to compromise your AD.
This is what it looks like in BloodHound. The graph shows you how much of your environment, the percentage of user accounts and end nodes, that can be used to escalate and gain access to your critical tier zero assets. Most organizations start with an exposure between 70% and 100%. In my case, BloodHound shows a very high level of exposure, as was indicated by the critical attack path we reviewed earlier. The goal is to get below 20%, where only low-risk paths remain.
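As an added illustration of the graph thinking described above (example code written for this page, not code from Quest or SpecterOps), the following Python models the David attack path plus a few constructed principals, measures exposure as the share of principals with a path to a tier zero asset, and ranks the final edges into tier zero as choke points by how much exposure severing each one removes. All node names and edges are constructed sample data.

```python
"""Toy attack-path graph: exposure and choke-point ranking (added example)."""
from collections import defaultdict

# Directed edges (source, target, relationship), read as "control of source
# gives the attacker the target". Constructed to mirror the David scenario.
EDGES = [
    ("David", "HelpDesk", "MemberOf"),
    ("HelpDesk", "TierTwoSupport", "MemberOf"),        # nested group
    ("TierTwoSupport", "PCISERVER01", "AdminTo"),       # local admin rights
    ("PCISERVER01", "svc_account", "HasSession"),       # logged-on service account
    ("svc_account", "DomainAdmins", "AddMember"),       # final step into tier zero
    ("Alice", "HelpDesk", "MemberOf"),
    ("Bob", "TierTwoSupport", "MemberOf"),
    ("Erin", "BackupOps", "MemberOf"),
    ("BackupOps", "ADBackupServer", "AdminTo"),         # second path into tier zero
    ("Carol", "Finance", "MemberOf"),                   # no path to tier zero
]
TIER_ZERO = {"DomainAdmins", "ADBackupServer"}          # constructed tier zero set
PRINCIPALS = {"David", "Alice", "Bob", "Carol", "Erin"} # exposure is measured over these

def build_graph(edges):
    graph = defaultdict(set)
    for src, dst, _rel in edges:
        graph[src].add(dst)
    return graph

def reaches_tier_zero(graph, start, tier_zero):
    """Depth-first search: does any path lead from start into tier zero?"""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in tier_zero:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph[node])
    return False

def exposure(edges, tier_zero=TIER_ZERO, principals=PRINCIPALS):
    """Percentage of principals that can escalate to a tier zero asset."""
    graph = build_graph(edges)
    exposed = [p for p in principals if reaches_tier_zero(graph, p, tier_zero)]
    return round(100 * len(exposed) / len(principals))

def choke_points(edges, tier_zero=TIER_ZERO):
    """Edges that land on tier zero, ranked by exposure removed if severed."""
    ranked = []
    for edge in edges:
        if edge[1] in tier_zero:
            remaining = [e for e in edges if e != edge]
            ranked.append((edge, exposure(edges) - exposure(remaining)))
    return sorted(ranked, key=lambda item: -item[1])
```

With the constructed data, exposure starts at 80%, and severing the AddMember edge into Domain Admins (the top-ranked choke point) drops it to 20% without touching any of the group memberships beneath it.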
While you work towards eliminating AD attack paths in your network, Quest Recovery Manager for Active Directory can help you in two very important ways. First, Recovery Manager can restore any object configuration or permission in AD to a previous version, thereby giving you assurance that you can quickly roll back to a previous state if a remediation change you make has unexpected consequences.
Secondly, Recovery Manager Disaster Recovery Edition is able to recover your entire forest if an adversary is able to successfully attack and wreak havoc within your network, providing your organization with the essential insurance policy that you deserve. For more information about how Quest cybersecurity solutions and SpecterOps BloodHound Enterprise can help you secure your Active Directory from attack, please visit the URL shown on the screen.