Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Gold Finger The Paramount Brief Gold Finger Mini World Peace

Wednesday, August 30, 2017

How Someone Could Launch a Massive Denial-of-Service Attack and Bring Businesses that Operate on Microsoft Active Directory to a Halt in Seconds


This is a short post I'm penning upon the recommendation of several folks who read my last blog post. They felt that the sheer importance and impact of what was shared in that post may not have been be conveyed well enough by its title, thus this post.

How Someone Could Halt Business at Billion $ Organizations in Literally 1 Second -

Consider this. Its 9:00 am on a Monday morning at a multi-billion dollar organization. Thousands of employees show up to work, and proceed to log-on to their domain-joined Windows machines so that they can then go about their everyday work, email, etc.

There's only one little problem - no one is able to log on, and by 9:30 am its very clear that all fifty thousand (50,000) employees of this multi-billion $ organization cannot logon, and thus cannot go about their work!  In short, the business has come to a halt.

By the way, its not just employees who won't be able to logon; any and all IT services that may be running as Network Service / System on domain-joined machines and that rely on authorized access to other servers/services to work, will also stop working.

This was an especially important day for the company. It was the day they were going to announce and launch a new multi-billion $ product line, continue assisting millions of customers on a recent major issue, and announce their quarterly earnings.

Unfortunately, since no one can log on, not a leaf is
moving in the organization this Monday morning.

(Its a dark morning.)

By 12:00 noon, rumors of a "cyber breach" at the organization surface on Wall Street, and in minutes, its stock plunges 7%...

... the organization just lost a few Billion $ in market cap, and from the CEO to Shareholders everyone's shocked and worried.

By the time someone figures out what's wrong, its almost 12:30 pm. By the time the appropriate Active Directory admins are called in, and figure out what's going on and do what's needed to fix the problem, its almost 5:30 pm i.e. an entire day, lost.

Oh, and by the way, this assumes that the organization had an up-to-date backup of their foundational Active Directory. If the back-up happens to be days old or older, it could easily take many more days, if not weeks, before everything from accounts and group memberships to provisioned access etc. is effectively restored back to where it should be in their Active Directory.

So, What Happened?

By 2:30 pm, their Active Directory administrators had figured out that literally all that happened here was that ONE individual who was not even supposed to have sufficient effective permissions / effective access in their Active Directory to do so, had been able to DELETE the organization's top-level organizational unit (OU) in their Active Directory!

That's it?!

That's it!

In weeks to come, they would learn that a Junior IT Analyst who had recently become disgruntled over a petty issue with his manager, decided to prove a point, and he had been able to figure out that he had sufficient effective permissions in Active Directory so as to be able to perform a simple Delete-Tree operation on a top-level OU in the Active Directory.

So, that Monday morning, he arrived a bit early, and at 8:55 am he launched Active Directory Users and Computers, located the top-level OU in Active Directory, right-clicked and selected Delete, and within seconds over 50,000 domain user accounts, 75,000 domain computer accounts, 100,000 domain security groups etc., i.e. the entire contents of that OU, all got deleted!

So What Made This Possible?

Are you kidding me?! How could someone have caused SO much damage in literally one second, by clicking just one button?!

The answer (or rather the question's right here) - Who can Delete an Organizational Unit in Active Directory and its Impact?

Now, in light of the above, here's how thousands of organizations in the world, including Microsoft, can prevent this scenario from occurring in their IT infrastructures today - all they need to do is accurately identify (i.e. audit) who can enact this task in their Active Directory, and then proceed to revoke the access of anyone who is on that list but who should not be on that list.

The hardest part here is the former part i.e. accurately identify (i.e. audit) who can enact this task in their Active Directory, so here's trillion $ advice on how to correctly do so - How to Audit Who Can Delete an Organizational Unit in Active Directory

Alright, that'll do it for today. I just wanted to help folks worldwide, especially C-Suite folks, understand the real and profound consequences and impact to their business, of someone possessing excessive Active Directory effective permissions in their foundational Active Directory deployments. The above scenario is likely enactable at most organizations worldwide today.

Incidentally, I wouldn't even call this a "cyber breach", yet as illustrated above, its impact on business can be substantial.

Best wishes,

PS: If I'm shedding light on these (easily addressable) weaknesses in Active Directory (which is otherwise a highly robust and securable technology), it is only because even after 17 years of AD having shipped, organizations worldwide still remain vastly exposed to such risks, even though the probability of occurrence of such risks materializing has since increased dramatically.

PS2: If this scenario seems far-fetched, consider 3 alternatives (and I could share many more such alternatives with you):

  1. An entity hired hackers to breach the organization, who post-breach determined who had sufficient effective permissions to enact a top-OU-level deletion, then compromised the account of any one such individual to make this happen. They had also shorted the organization's stock over the past few days, and ended up making a $100 Million that morning.

  2. A lone-wolf intruder who controls at least one domain-joined machine figures out who has sufficient effective-permissions to delete a top-level OU, then uses various avenues such as using the archaic Pass-the-Hash technique to compromise one of these accounts, which then gives him/her the ability to delete this top-level OU, and then proceeds to do so. 

  3. An APT (e.g. a foreign government aided entity) writes malware designed to try and delete top-level OUs in Active Directory (whenever a user logs on to an infected machine) in the security context of whoever the currently logged-on (to an infected machine) domain-user account happens to be, and then proceeds to try and have as many computers in the target organization be infected with that specific malware. Should a sufficiently authorized individual end up logging on to their designated (but now infected) machine, the attempt will succeed.
In short, neither motive nor avenue matter as much as the need to identify and minimize who can do what in Active Directory ! (If you know that only 4 individuals in the organization can enact this privileged task, and the user accounts of these individuals are adequately protected, then irrespective of their motive or avenue, malicious entities won't be able to succeed in their efforts.)

PS3: If you have the time, you may enjoy the following which is a continuation of the above...

Who's to Blame?

In weeks to come, the organization set up a high-level committee to look into how this happened, to figure out who was to blame here, and to determine how to ensure that something like this could not ever happen again!

The #1 question that was raised was - "How did the organization's IT and Cyber Security leadership not know that this individual had sufficient access so as to be able to perform such a high-impact and privileged access operation i.e. delete a top-level OU in their Active Directory!"

Here's how the Q&A in that committee hearing went, led by the Committee's Chairman -

Chairman to CISO - "Were you aware that this individual possessed such elevated access in Active Directory?"

CISO to Chairman - "Sir, we care deeply about cyber security and this year alone, we've spent millions on cyber security. As to the security of our foundational Active Directory, I rely on our Active Directory Operations (Ops) Team to ensure its security, so perhaps I should defer the question to the Active Directory Ops Team."

Chairman to CISO - "Well, ultimately this falls under your umbrella, so and ultimately you're responsible, but okay, I will ask the Active Directory Operations Team."

Chairman to Active Directory Ops Team Director - "Were you aware of this individual having such access?"

Active Directory Ops Team Director to Chairman - "My role is managerial; I rely on our Enterprise Admins for this."

Chairman to Enterprise Admins - "Were you aware of this individual having such access?"

Enterprise Admins to Chairman - "Trying to find out who has what effective privileged access in Active Directory is very difficult. We've unsuccessfully tried do this for years. Recently, we had requested funds for the procurement of tooling that could greatly help in this vital regard, but our request was turned down due to 'lack of funds'."

A Domain Admin interjects - "Sir, actually for quite some time now, we actually didn't know that we were supposed to be determining "who has what effective permissions in Active Directory." All these years, we have been determining "who has what permissions in Active Directory" and apparently, that isn't how we're supposed to do this. We then attempted to accurately determine effective permissions in Active Directory, and realized that it is very very difficult, so we proceeded to identify tooling that could help us do so easily and accurately, thus the request to procure such tooling."

A 2nd Domain Admin interjects - "Sir, to be honest, we sort of knew we were operating in the dark, but we thought that at least we had a feature called 'Prevent object from accidental deletion' turned on, and we assumed that that would have been sufficient, but apparently not."

The Chairman, whose time is easily worth thousands of dollars per day, paused briefly, then continued...

Chairman to Enterprise Admins - "Gentlemen, how much did you need to procure such tooling that you believed could help you easily and accurately identify who has what privileged access in our foundational Active Directory for our multi-billion dollar publicly-held organization?"

Enterprise Admins to Chairman - "Sir, not much actually; I believe it was a few thousand dollars."

Chairman to Enterprise Admins - "Gentlemen, just so I understand this clearly, are you saying that if you had the appropriate tooling, you would have been able to identify that this individual had excessive privileged access, and thus could have taken steps to revoke such access, and thereby prevent this security incident from occurring?"

Enterprise Admins to Chairman - "That is correct Sir."

Chairman to Enterprise Admins (Shocked!)- "Gentlemen, do you realize that the lack of such vital cyber insight, which required only a few thousand dollars, has now cost us a few billion dollars of loss in our market cap?!"

Enterprise Admins to Chairman - <Silence>

Chairman to Enterprise Admins - "Who turned down this funding request?"

Enterprise Admins to Chairman - <Silence> (The Enterprise Admins turn to look at the AD Ops Team Director.)

Chairman to Active Directory Operations Team Director - "Who turned down this funding request?"

Active Directory Operations Team Director to Chairman- <Silence> (The Director turns to look at the CISO.)

Chairman to CISO - "Mr. CISO, Who turned down this funding request?"

CISO to Chairman - <Silence> ...

...and so it continued, and I'll let your imagination help you figure out how this all ended.

(Folks, this isn't Rocket Science. This is Cyber Security 101 and common sense, but I suppose, as they say, "Common sense isn't so common!" Even Microsoft does not seem to have fathomed the implications of possessing excessive privileged access in Active Directory, so how can we expect 1000s of organizations worldwide to know about what is likely their Achilles' Heel ?!)

No comments:

Post a Comment