Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Monday, February 24, 2020

Bloodhound for Active Directory : Bloody Inaccurate


As former Microsoft Program Manager for Active Directory Security, and today as CEO of Paramount Defenses, my time is EXTREMELY valuable, so I don't have too much time for blogging etc., but I wanted to make a very important point today.

Bloodhound for AD

There's a tool out there called Bloodhound for AD (Active Directory) and it's designed to be able to analyze an organization's Active Directory security permissions and find privilege escalation paths leading to all-powerful privileged AD accounts.

Over the years, it's gained a lot of attention, and from what I'm told, today hundreds of thousands, if not millions, of Red and Blue Teamers worldwide use Bloodhound to find privilege escalation paths in Active Directory deployments.

In fact, these days even $10B cyber security companies like CrowdStrike write about Bloodhound, as can be seen here; sadly, when they do so, all they do is show the whole wide world just how little they too know about Active Directory Security.

Bloodhound for AD - Bloody Inaccurate 

Folks, please pardon my French but when someone can design a tool to exploit weaknesses in Active Directory deployments, which could then be used to harm organizations, and call it Bloodhound, then I hope its designers and the world won't mind it if I could accordingly use the word BLOODY in pointing out just how INACCURATE this tool actually is.

I've personally tested Bloodhound, and in less than two minutes, I was able to determine that it is not accurate. I spent fifteen more minutes testing several advanced factors involved in Active Directory security, and it seemed to fail virtually all of them.

In less than 15 minutes, I was able to factually (technically) determine that Bloodhound's results were far from being accurate.

Details and Proof

I've invested almost twenty years of my life in being the best in the world at Active Directory Security, so I'm NOT about to provide FREE feedback to whoever built this tool to help them make it accurate, because conceptually this tool empowers bad guys to exploit weaknesses and take out good guys. I'd encourage them to work harder to learn more, and figure it out on their own.

I'll share the ESSENCE of what makes it bloody inaccurate - it does not take THIS one essential technicality into account.

That said, to anyone who may want proof that Bloodhound is inaccurate, all one has to do is compare its output on even just a few core test cases, with the output of the world's only accurate Active Directory privileged access audit tool, Gold Finger.

Gold Finger for AD - The GOLD Standard

Even after a decade, there's still only one tool on planet Earth that can ACCURATELY determine privileged access in Active Directory, based on the accurate determination of effective permissions, and it is the world's ONLY accurate privileged access audit tool for Microsoft Active Directory - the Microsoft-endorsed Gold Finger.

Over the last decade, from the United States Department of Defense to the United States Treasury, the world's most powerful and important government and business organizations across six continents worldwide have used and trusted Gold Finger to make these paramount determinations in their foundational Active Directory deployments.

Gold Finger includes the world's best Active Directory ACL Analyzer, ACL Exporter, Permissions Analyzer, the world's only accurate Active Directory Effective Permissions Calculator, the world's only accurate Active Directory Effective Access Auditor, AND most importantly, the world's only accurate, fully-automated, domain-wide Privileged Access Auditor for Active Directory.

Now, unlike those who built Bloodhound and made it available for free, we do NOT license Gold Finger to individuals; we only license it to legitimate organizations, and only for use in their own Active Directory deployments, for a very simple reason.

The reason very simply is that the information that Gold Finger can uniquely determine and reveal can ACTUALLY be used to either protect and lock down or compromise and take down entire $Billion/Trillion companies, all within a matter of minutes.

A Much Bigger Problem

From a technical standpoint, it's hard to have an issue with its concept, as it seems to be a penetration testing tool that seeks to identify exploitable privilege escalation paths leading to Domain-Admin equivalent privileged accounts in Active Directory.

What amazes me and should amaze everyone is that even with its limited accuracy, based on its ability to take basic factors into account, those using it can still easily find so very many privilege escalation paths in almost any Active Directory deployment.

There's a MUCH bigger problem here, which is that even today, 99% of organizations operating on Active Directory either do not know enough about Active Directory Security to care to lock it down, or do not know how to correctly audit and lock down privileged access in their Active Directory, as a result of which they all remain massively vulnerable.

That is a far more concerning problem than a tool like this, because this is merely one tool. Proficient hackers could easily write their own tools to identify and exploit such privilege escalation paths in Active Directory, AND until organizations accurately identify and lock down privileged access in their Active Directory, they will remain substantially exposed to compromise.

Time's Up

That's it. That's all the time I had for this. I'll end on this - just because millions of people use something doesn't mean that it is accurate; it just means that these millions of people TOO may not yet know enough (or at all) about Active Directory Security.

Best wishes,

PS: If you want to learn Active Directory Security, reading the contents of the list in this 1 post alone is a good place to start.
