Over the years, I've asked and answered some of the hardest questions in Active Directory Security, so today I'm only going to ask a question, with the hope that there is someone out there, and I mean anyone, who is the answer to this question!
Here's my Question -
Can Anyone in the World (i.e. any Cyber Security Company or Expert) Out There Help Thousands (1000s) of Microsoft's Organizational Customers Mitigate the Serious Cyber Security Risk Posed by Mimikatz DCSync?
Anyone?
There are 6,000,000,000+ people across 190+ countries worldwide, there are millions of IT personnel employed at 1000s of organizations, there are 1000s of cyber security experts and over a 1000 cyber security companies. I'm looking for just ONE.
By the way, by "mitigate" I mean "render Mimikatz DCSync unusable in an AD environment". That is, in an organization with, say, 10,000 employees and thus 10,000 domain user accounts, of which 10 are privileged, even if every single one of those 10,000 accounts had been compromised by a perpetrator, he/she still couldn't use Mimikatz DCSync against their AD.
Also, I'm looking for an answer that goes beyond the most obvious one, which is to not grant anyone the required access. In other words, I'm looking for an answer that will work in every real, production Active Directory domain in the world, you know, where various default Active Directory security groups and users are already granted various permissions in Active Directory.
Here's what I've found thus far -
- This brilliant, gentle, highly-accomplished cyber security expert developed Mimikatz DCSync
- This AD security enthusiast educated the world about its usage, exploitation and detection (but not about its mitigation)
- This famous cyber security expert showed an example in action (Oh my! ;-))
- This expert shared some guidance on how to detect it (if you're detecting it, it's likely too late)
- These cyber security experts don't seem to know that much about it, or about Active Directory Security
- These wonderful folks present an inaccurate script to help detect who can use Mimikatz DCSync
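Since the last item above concerns scripts that try to enumerate who can run DCSync, here is an added example of what such an audit has to look at. This is my own illustration for this post, not the script referred to above and not Microsoft's or Mimikatz's code. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller can read the security descriptor of the domain naming context. It lists every Allow ACE on the domain object that grants one of the three replication extended rights DCSync relies on, and also flags ACEs that grant all extended rights (an empty object type, as a GenericAll ACE does), which simpler scripts miss. It deliberately skips inherit-only ACEs, because those do not apply to the domain object itself. What it does not do is compute effective permissions: it shows the principals named in the ACL, not every user who reaches those rights through nested group membership, nor the effect of Deny ACEs, which is exactly why such scripts are easy to get wrong.

```powershell
# Added example (not the blog's own code): enumerate ACEs on the domain NC head that
# grant the replication extended rights used by DCSync. Requires the ActiveDirectory
# module (RSAT); it provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the three replication extended rights.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncGrantingAce {
    [CmdletBinding()]
    param(
        # Defaults to the current domain; pass a DN to audit another domain NC.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $inheritOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant anything; Deny ACEs are a reason the naive
        # "who appears in the ACL" view is not the same as effective access.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # An inherit-only ACE applies to children, not to the domain object itself,
        # and replication rights are evaluated on the NC head.
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }

        # GenericAll and other masks that include ExtendedRight still qualify.
        if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }

        $objectType = [string]$ace.ObjectType
        if ($ace.ObjectType -eq [guid]::Empty) {
            # Empty object type = every extended right, replication ones included.
            $rightName = 'All extended rights (includes all replication rights)'
        }
        elseif ($replicationRights.ContainsKey($objectType)) {
            $rightName = $replicationRights[$objectType]
        }
        else {
            continue   # some other extended right, irrelevant to DCSync
        }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $rightName
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: print the raw grants. Expand group membership separately to see
# which individual accounts actually end up with these rights.
Get-DcSyncGrantingAce | Sort-Object Principal, Right | Format-Table -AutoSize
```

On a default domain the output includes the built-in principals that legitimately need replication rights (domain controllers and the Administrators-level groups). Anything beyond those is what a defender should be able to explain; and a principal that appears here only as a group still has to be expanded, because every member of that group, through however many levels of nesting, holds the right.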
Not to mention the 1000+ cyber security companies, including some big names such as (mentioned in no particular order) Palantir, Gemalto, Tanium, Tripwire, CheckPoint, Palo Alto Networks, Symantec, McAfee, Cisco, Kaspersky Labs, CrowdStrike, SentinelOne, BAE Systems, Qualys, Sophos, Gemalto, CyberArk, ZScaler, Preempt, BeyondTrust, Quest, HP, etc. etc.!
Oh, here's the amusing part: in all likelihood, most of these cyber security companies themselves run on Active Directory, and if I had to guess, I don't think even one of them knows how to, or possesses the means to, mitigate Mimikatz DCSync!
Funny haan? ;-)
Why Does this Matter?
By now, I shouldn't have to tell anyone involved in Active Directory or cyber security why this matters, but I will nonetheless -
Most simply put, should a perpetrator be able to successfully run Mimikatz DCSync against your foundational Active Directory domain, you're DONE, as it would be tantamount to a massive, systemic cyber security breach. The credentials of your entire user populace would have been compromised, and the perpetrator would have obtained control over your entire Active Directory forever. It would be time for everyone, including all Domain Admins, the CISO, the CIO and the CEO, to find another job (assuming you can find one; considering that your resume would highlight your previous employment, and that your previous employer (i.e. the one that was breached) would likely have been all over the news for quite some time, it may perhaps end up being a little difficult to find suitable employment.)
How about an Illustrative Scenario?
Sure, if you'd like one, here you go - A Massive Breach at a Company whilst it was Considering the Cloud.
A Request
We often come across Domain Admins, and every now and then CISOs, who have no idea what Mimikatz DCSync is, and that is scary. If you are such a Domain Admin / CISO, my earnest request to you would be to immediately learn about it, or, in the best interest of your employer's foundational cyber security, please let someone else take over your vital responsibilities.
Let Me Know
Very well then. If ANYONE in the world knows ANYONE who can help (and by that I mean possesses the capability to be able to help) thousands of organizations worldwide (easily and correctly) MITIGATE the serious risk posed by Mimikatz DCSync, please let me know. I'm all ears, and I think, so are thousands of organizations worldwide, including perhaps Microsoft too ;-).
In short, I'm looking for someone/thing that could render the extremely powerful and dangerous Mimikatz DCSync, unusable. With 6 billion people, millions of IT and cyber security pros, and a 1000+ cyber security companies worldwide, I'm hopeful.
So if you know of someone (and I mean, anyone) who can do so, please let me know by leaving a comment below.
If I don't get an answer by July 02, perhaps I'll take a shot at the answer, over at - www.cyber-security-blog.com.
Best wishes,
Sanjay
PS: On an unrelated note, when you use Windows Update to update your Windows 10 PC every week, do you EVER check to see just what got downloaded? Perhaps you SHOULD, and here's why.
July 03 Update. Here's the answer > www.cyber-security-blog.com/2018/07/mimikatz-dcsync-mitigation.html