Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Showing posts with label A Trillion $.

Tuesday, January 7, 2020

A Simple Question for all Self-Proclaimed Active Directory Security Experts

Folks,

As former Microsoft Program Manager for Active Directory Security, I find it amusing every time I come across some Active Directory vendor's or self-proclaimed AD security expert's website that claims that they know Active Directory Security well.

(You see, not one of these Active Directory Security vendors or self-proclaimed Active Directory security experts seem to have a CLUE as to the most important Active Directory Security Capability in the world, let alone possessing that paramount capability.)

So, I thought I'd pose a very simple Active Directory Security question to all Active Directory Security vendors and experts -


Question: Do you know the answer to this ONE simple question?


Specifically, in that question, I have shared a simple non-default string, and I have indicated that it is a cause for great concern.

What I would like to know is what it represents and why it is a cause of great concern for 85% of organizations worldwide.


On a scale of 1 to 10, 1 being easy and 10 being difficult, I'd rate this question as a 3, so if you're truly an Active Directory expert, this should be easy for you, and shouldn't take you a minute. You can leave your answer in a comment below.


Here's your chance to impress me (and the whole world.) Oh, and Microsoft employees too may feel free to take a shot ;-)

Best wishes,
Sanjay.

Monday, January 6, 2020

What is Active Directory, and Why Is it Important?

Folks,

Today is January 06, 2020, and as promised, here I am getting back to sharing thoughts on Active Directory Security.


Back to the Basics (Cyber Security 101)

I'd like to kick off this blog this year/decade by asking and answering a very simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The reason is very simple - if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and of course, since "who really cares about a phone book", it is this shallow view that leads so many organizations to greatly diminish the value of Active Directory to the point of sheer negligence!

In fact, for years now, this has been the predominant view held by most CISOs and organizations worldwide, and sadly it is because of the negligence resulting from such a simplistic view of Active Directory that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.



Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If, as they say, "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -


An organization's Active Directory deployment is quite simply its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

You see, the entirety of an organization's building blocks of cyber security i.e. all organizational user accounts and passwords used to authenticate their people, all security groups used to authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computing devices (laptops, desktops, servers etc.) are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all sensitive/privileged actions on them are audited in it.

In other words, should an organization's foundational Active Directory, or even a single Active Directory privileged user account, be compromised, the very foundation of the organization's cyber security, and thus the entire organization could be exposed to the risk of complete, swift and colossal compromise.



Active Directory Security Must Be Organizational Cyber Security Priority #1

Ensuring the highest protection of an organization's foundational Active Directory deployment must, without a doubt, be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.


Here's why - A deeper, detailed look into What is Active Directory?


For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)


In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO, from IT Managers to Auditors and from Domain Admins to employees, everyone should know this fact.

Best wishes,
Sanjay.

Sunday, October 28, 2018

How Massive Could the Impact of an Active Directory Security Breach Be?

Folks,

Today I'd like to ask a simple but paramount question, the answer to which impacts not just trillions of dollars of organizational and investor wealth worldwide, but also likely the national security of over one hundred and fifty countries worldwide.

Here it is -

Q: How Massive Could the Impact of an Active Directory Security Breach Be? Specifically, exactly what could happen if the foundational Active Directory of an organization were breached?

(Image caption: Active Directory is the Foundation of Cyber Security Worldwide)

If you need me to paint you a picture, consider the potential impact of an Active Directory security breach at virtually any organization that impacts your life - from the world's biggest IT (Cloud, Operating Systems, Phones, Computers, Networking, Internet, Social Media etc.) companies to the world's biggest cyber security companies, or for that matter from virtually every financial institution on Wall Street, to just about every company traded on any stock exchange in any country in the world, or any one of thousands of government agencies/departments in over 150 countries worldwide.

The reason I am publicly asking this question is because it's 2018 today, not 2004, and this is possibly the most important cyber security question that Executive Management, Cyber Security and IT leadership at thousands of organizations worldwide should be asking themselves today, but most likely are not.

In fact, at most organizations, this isn't even on their radar, let alone rightly being their top (#1) cyber security priority.

Thus, I felt the need to ask this paramount question.

Also, for once, I am NOT going to answer a question that I have asked, but instead let organizations worldwide ponder over it. Over the years, I've already asked and answered many of the world's most vital Active Directory / cyber security questions.

I'll only say this much - Any organization whose CEO and CISO do not know the answer to this question is not secure today.

Sincerely,
Sanjay

Sunday, December 31, 2017

Looking Back at 2017 - An Eventful Year for Active Directory Security

Folks,

As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!


I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.



Top-10 Notable Active Directory Security Events of 2017

Here are the Top-10 most notable events in Active Directory Security this year -


  1. Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

  2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, BloodHound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

  3. On June 08, 2017, CyberArk, a Billion+ $ cyber security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

  4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast, penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

  5. On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.

  6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

  7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to set up command and control servers within organizations worldwide. This too made waves.

  8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

  9. On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

  10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1-9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1-9 above lies in Active Directory Effective Permissions and Active Directory Effective Access.





Helping Defend Microsoft's Global Customer Base
(i.e. 85% of Business and Govt. Organizations Worldwide)

Folks, since January 01, 2017, both as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...


...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.

This year, I ( / we) ...

  1. conducted 30 days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation

    Introduction, How Well Does Microsoft Understand Cyber Security, The Importance of Active Directory Security, The Impact of an Active Directory Security Breach, The Active Directory Attack Surface, The Top-5 Security Risks to Active Directory, Active Directory Privilege Escalation, An Ocean of Access Privileges, AdminSDHolder, Active Directory ACLs - Attack and Defense (Actual), Active Directory Effective Permissions, and so many more ...


  2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

  3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

  4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

  5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

  6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

  7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

  8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

  9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

  10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security


In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.





Summary

All in all, it's been quite an eventful year for Active Directory Security (and one that I saw coming over ten years ago).

In 2017, attackers, pen-testers and defenders finally seem to have realized the importance of Active Directory Security.


Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

Best wishes,
Sanjay.

PS: Why I do, What I do.

Wednesday, October 11, 2017

A Paramount Question for Microsoft Azure CTO: he said 'Ask me anything'


Dear Mark,

You Sir, are Mark Russinovich, Chief Technology Officer (CTO) of Microsoft Azure, and for you I have the greatest of respect.

A few days ago at Microsoft Ignite, you said - "Ask me anything!" -


By the way, I must compliment you for doing so, because when you do so, you really have to be ready for any/every question!




So, I'd like to ask 1 Question

Mark, on behalf of 1000s of Microsoft's organizational customers, I'd like to most respectfully ask you just one simple question -

Question: How can/should organizations find out exactly who actually has what privileged access in their Active Directory?


Specifically, how can organizations determine exactly who can do what on the 1000s of domain user accounts, domain computer accounts, domain security groups, containers, OUs, SCPs etc., including of course all their privileged and executive domain user accounts and groups that reside in their foundational Active Directory?


I only ask this question because as you too will likely agree, this 1 simple question directly impacts and thus is paramount to the foundational cyber security of over 85% of all organizations worldwide, all of whom operate on Microsoft Active Directory.


I really do hope that on behalf of Microsoft, you'll answer this question, for organizations worldwide look forward to the answer.

Most respectfully,
Sanjay

CEO, Paramount Defenses


PS: Sir, if you've ever heard of AccessChk.exe and know what it does (and I believe you have), then you know the answer to this question.

PS2: As former Microsoft Program Manager for Active Directory Security, I'd like to offer a hint. The answer to this question is also the (premise for, and thus the same as the) key to the ten questions below, and in essence it involves just two words -
1. What Constitutes a Privileged User in Active Directory?

2. How to Correctly Audit Privileged Users/Access in Active Directory?

3. How to Render Mimikatz DCSync Useless in an Active Directory Environment?

4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory?

5. How to Easily Solve The Difficult Problem of Active Directory Botnets?

6. Why are the World's Top Active Directory Permissions Analysis Tools Mostly Useless?

7. Why is the Need to Lockdown Access Privileges in Active Directory Paramount to its Defense?

8. How to Attain (Lockdown) and Maintain Least Privileged Access (LPA) in Active Directory?

9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory?

10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory deployment?

In short, the answer is (something like) this -
Ans: To do so, all that organizations need to do is to accurately and adequately determine e******** p**********/a***** on their Active Directory objects. That's it.

Wednesday, September 6, 2017

A Trillion $ Question to Microsoft regarding Domain Security Groups


Dear Microsoft,

Today is Day-15 of our Active Directory Security School for you. Since you may still be trying to grasp and comprehend the depth and complexity of what I shared with you on Day 14, I'll keep today's post/lesson really simple, short and to the point.



Domain Security Groups: An All-Access Pass to 1000s of IT Resources

As you know, at the foundation of cyber security of most IT networks powered by Windows Server lies Active Directory.

As you may also know, in all such IT networks/infrastructures powered by Active Directory, one building block of cyber security in particular is extensively used to provision access to almost all IT resources in the network. Do you know which block it is?


Of course you do! In most IT networks powered by Active Directory, it is Domain Security Groups that are used to provision access to most organizational IT resources such as files, folders, SharePoint portals, Intranet sites etc. across the network!


In fact, in almost every Active Directory deployment in the world, today there exist 1000s of domain security groups within Active Directory that are used to provision secure access to almost the entirety of the organization's IT resources!



For anyone living on Mars, here are a few examples of such domain security groups -

  1. Domain Admins - A small but all-powerful group of privileged users that possess system-wide administrative access.

  2. All Employees - A large membership security group whose members include all organizational employees' accounts.

  3. Contractors - A medium-sized security group whose members may include the accounts of all existing contractors.

  4. Executives - A small security group whose members include all organizational executives' (e.g. C*Os) user accounts.

  5. <Resource-specific> Group - One of thousands of domain security groups that may be used to provision access on various IT resources for various business purposes. For example, Legal Team, R&D Team, Product X Group, etc.

In fact, today Active Directory domain security groups are used to aggregate (group) organizational users for the purpose of facilitating secure access to just about everything in a Microsoft Windows Server based network powered by Active Directory.

And by just about everything, I do mean just about everything - computers, files, folders, documents, emails, SharePoint portals, intranet sites, line-of-business applications, data, databases, VPN, remote access, web access ... <the list goes on and on.>

Thus, it is after all Active Directory domain security groups that help secure the entirety of the organization's IT resources!


Further, often a domain security group in Active Directory gates access to either a large or a highly-sensitive set of IT resources.

It thus logically follows that possibly the easiest way to obtain access to a specific IT resource (or 1000s thereof) that is(/are) protected by an Active Directory domain security group might be to literally just be a member of that domain security group!






Which Begs A Question

If by virtue of being a member of a specific domain security group, one could instantly and automatically get access to all IT resources protected by the domain security group, then one cannot help but ask the simplest of cyber security questions i.e. -


Who can change the membership of a domain security group in Active Directory?

After all, if someone could modify the membership of a specific domain security group, such as All Employees, or Executives, or Secret Project "X" Staff, or Project "Stratosphere" Source-Code Access Group etc., he/she could instantly obtain access to literally everything (i.e. all IT resources) that specific domain security group currently has access to, across the entire network!
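
One way a defender can start answering this question for a single group, as an added example (PowerShell written for this page, not code from the post or from Paramount Defenses), assuming the RSAT ActiveDirectory module and an account that can read the group's security descriptor; the group name 'Executives' is taken from the post's example. It only lists the ACEs that could touch membership; it does not compute effective permissions (no nested-group expansion of the listed principals, no allow/deny resolution across them), which is the gap the post is pointing at.

```powershell
# Added example: enumerate the ACEs on one AD group that could let a principal
# change its membership. ACL dump only; NOT an effective-permissions calculation.
# Assumes: RSAT ActiveDirectory module present (it provides the AD: PSDrive).
Import-Module ActiveDirectory

# Fixed GUIDs from the AD schema (not assumptions):
$MemberAttr    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute
$MembershipSet = [guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'  # 'Membership' property set, which contains 'member'
$AllObjects    = [guid]'00000000-0000-0000-0000-000000000000'  # ACE not scoped to one attribute

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)][string]$Group)  # sAMAccountName, DN or SID of the group

    $g   = Get-ADGroup -Identity $Group
    $acl = Get-Acl -Path ("AD:\" + $g.DistinguishedName)

    foreach ($ace in $acl.Access) {
        $r = $ace.ActiveDirectoryRights
        $coversMember = ($ace.ObjectType -eq $AllObjects -or
                         $ace.ObjectType -eq $MemberAttr -or
                         $ace.ObjectType -eq $MembershipSet)

        # Classify how this ACE could be used to change membership.
        $via = $null
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $via = 'GenericAll'
        } elseif ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and $coversMember) {
            $via = 'WriteProperty(member)'   # GenericWrite includes the WriteProperty bit, so it lands here too
        } elseif ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::Self) -and $ace.ObjectType -eq $MemberAttr) {
            $via = 'Self-Membership (validated write: may add/remove only its own account)'
        } elseif ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)) {
            $via = 'WriteDacl (can grant itself write on member)'
        } elseif ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)) {
            $via = 'WriteOwner (can take ownership, then rewrite the DACL)'
        }
        if (-not $via) { continue }

        [pscustomobject]@{
            Group     = $g.Name
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Deny entries are listed too; they shape the effective answer
            Via       = $via
            Inherited = $ace.IsInherited         # inherited ACEs usually come from the OU, not the group
        }
    }
}

# Usage: 'Executives' is the group from the post's example.
Get-GroupMembershipWriters -Group 'Executives' | Sort-Object Type, Principal | Format-Table -AutoSize
```

Each principal returned is itself a group or user that may in turn be reachable through other ACEs and nested memberships; resolving that chain, plus deny precedence, is what separates this listing from true effective access.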





A Simple Example

Perhaps this is best understood with a simple example, so here's a very simple one.

Consider that it's Friday evening, and that a multi-billion dollar organization is going to announce their quarterly earnings on Monday at the close of the market. Further consider that this sensitive and highly confidential information (i.e. their Earnings) resides in a simple Microsoft Excel file titled Q3 2017 P&L, the only copy of which resides on a highly-protected server that's both physically located in their ultra secure data-center, and to which (server) all suspicious network access is monitored -


Now, consider that an intruder (funded by a wealthy nefarious entity) has been able to breach their perimeter and compromise a domain-joined machine and further has been able to ascertain that this specific file contains the information this entity has an interest in acquiring prior to Monday afternoon, because if they could access this information, they could possibly make $100M.

The intruder may not be able to obtain physical access to the server on which it resides, and he/she may not want to try breaching the security of the server over the network since all suspicious network activity is being monitored (and for all Mimikatz fans, sadly no Domain Admin either has or is going to logon to the one machine you've compromised and now 0wn), so might there be an easier way for him/her to obtain access to this file?

Consider this! He/she may not be able to access the contents of the file but he/she can view its ACL, and thus he/she can see (as shown in the snapshot above) that the domain security group Executives has Full Control over this file. So, if he/she could somehow become a member of this domain security group (or compromise the user account of an existing member of this domain security group), he/she will be able to instantly (and in fact as far as the "System" is concerned, legitimately) access the contents of this high-value confidential file without any suspicion being raised anywhere or a single alarm going off anywhere!

In effect, his/her challenge has now been reduced to finding out exactly who can change the membership of the Executives domain security group, because if he/she can compromise the account of any one such individual, he/she would literally be a minute away from being able to change the membership of that group, and thus consequently obtaining access to that file!

In other words, the entire focus of attack just shifted from a highly secured IT resource to a single Active Directory object!

(In the interest of brevity, I'm not going to go into further detail, but for those skilled in the art, the rest should be obvious.)






So, Microsoft, What's the Answer?

Dear Microsoft, you are a $550 Billion company today and one of the most important and valuable organizations in the world.


(You can take that as a compliment from the CEO of the most important and valuable cyber security company in the world.)


As you'll hopefully agree, since domain security groups help protect trillions of dollars in wealth worldwide today, the discussion and example above lead us back to and prompt one of the most simple and fundamental questions in cyber security -

Question: Who can change the membership of a domain security group in Active Directory? (and ideally that of each domain security group in each one of 1000s of Active Directory domains of business and govt. organizations worldwide?)


Microsoft, you have now had 17+ years to demonstrate your deep expertise and thought leadership to the World in the vital Active Directory Security, Windows Security and Cyber Security spaces, and you've spent Billions on it, so I ask you -

"Do YOU think this (i.e. the one above) is an important question for organizations to know the answer to, and if so, can YOU please (at least) tell them HOW they can/should answer this question?!"



Oh, and since you're Microsoft, I have just one more question for you (i.e. an opportunity for you to earn a few bonus points ;-) ) -

"Can YOU help them answer this question?"



That's it for today. The answer tomorrow on Day 16.

Best,
Sanjay


PS: See, I told you that today's would be a much simpler question than the previous one i.e. this one. Besides, if you've been attending your school regularly, by now you know that this is a rhetorical question that I've already answered many times over!


PS2: Microsoft, I may be a bit hard on you, but please know that I care deeply for you, and that you enjoy my goodwill. By the way, if I'm hard on you, it's only because I feel that you had 17 years to educate your customers about this / this, yet you didn't, and likely as a result 1000s of organizations worldwide are blissfully operating in the dark, minutes away from compromise :-(


Monday, July 31, 2017

A Trillion $ Question to Microsoft regarding "Identities" and Cyber Security


Dear Microsoft,

Today is Day-11 of our advanced Active Directory Security School for you, and today I'd like to ask you a very simple question that concerns the most elemental and fundamental aspect of cyber security in Windows-based networks worldwide - Identities.

Identity is fundamental to Cyber Security

Identity is an elemental and fundamental aspect of cyber security, as each one of the 3-As of cyber security i.e. Authentication, Authorization and Auditing, requires the ability to uniquely identify entities i.e. people, computers, service accounts etc.

The importance of identities is evidenced by the fact that an entire field of IT security is devoted to it, i.e. Identity Management, and that numerous multi-million $ companies such as Ping Identity, Centrify etc. exist only to help make identities more secure.

So, ...



Identities in Windows Environments

Now, as you know, at the foundation of over 90% of all business and government organizations worldwide lies Active Directory, and in these organizations, the Identities of their employees, contractors, executives, privileged users and other stakeholders are all represented by ...

(Image caption: A Domain User Account in Active Directory)
... none other than their unique Active Directory domain user accounts!

(For completeness, it must be mentioned that computers have identities too represented by their domain computer accounts, and that strictly/technically speaking, it is a domain account's Security Identifier (i.e. SID) that uniquely represents its identity.)


That's right. In Active Directory based IT infrastructures, it is domain (i.e. Active Directory) accounts that represent identities.

In fact, at thousands of organizations worldwide, it is Active Directory domain user accounts that represent corporate identities, and in Active Directory deployments worldwide, today hundreds of millions of identities are represented by these accounts.





Uniqueness Is Imperative

Now, of vital note here is that, as you know, the keyword above is unique, because the entire premise of cyber security in Active Directory based networks rests on each user having a single, irrefutably uniquely identifiable domain user account!




After all, you likely don't have two domain user accounts at Microsoft for say, Satya Nadella, right? Yes I know that to address certain needs, some users like privileged users have multiple (e.g. alt) accounts, but they are always explicitly labeled as such.

In fact, here's why it is so important that users have only (one identity, i.e.) one domain user account -
  1. Security - Uniqueness is required to eliminate ambiguity. Ensuring secure access to securable resources in a network requires that resource owners be able to uniquely identify the entities/individuals for whom access is to be specified.

  2. Accountability - Accountability necessitates uniqueness. Should a user be able to authenticate him/herself using an account other than one assigned to him/her, he/she could engage in malicious activity, such as obtaining unauthorized access to, divulging and/or destroying various IT resources, that could not be irrefutably tied/traced back to him/her.

In fact, ensuring security requires that, ideally speaking, no user (except for a known few explicitly authorized administrative personnel) must ever be in a position that provides him/her access to more than one uniquely authenticatable domain account.

Now there are generally only two ways in which one could obtain access to an additional account - 1) a user could create a new domain user account in Active Directory, or 2) a user could reset the password of an existing domain user account in Active Directory. For now, let's assume that the second way is not that important (although it is), and let's just focus on the first one.

It turns out that the seemingly simple and mundane task of being able to create domain user accounts in Active Directory is actually very important to cyber security, because, as explained above, if someone could create a domain user account in Active Directory, he/she could instantly obtain and be in possession of an additional, separate uniquely authenticatable identity.

Incidentally, the very least one could do with an additional domain user account is use it to scour the entire IT network for vulnerabilities, perform network logons on to most computers, and access anything and everything (e.g. files on servers, databases, SharePoint portals, etc.) to which Domain Users and Authenticated Users have read access (and you would be surprised to know just how much these two well-known principals (a well-known RID and a well-known SID, respectively) have access to in most organizations today.)

Of course, a proficient individual (intruder/perpetrator) could use an alternate domain account to engage in all sorts of nefarious activities, and the smartest ones could possibly find and exploit privilege escalation paths to take over the entire network.

In fact, if you consider even just the recent critical vulnerability that you just patched, i.e. CVE-2017-8563 (Windows Elevation of Privilege), note that its exploit vector too required that the perpetrator create a domain user account in Active Directory!





A Simple Trillion Dollar Question -

So, in light of the above, as you'll hopefully agree, it is absolutely imperative that organizations know at all times exactly who can create new identities in their environment, i.e. who can create new domain user accounts in their Active Directory?!


So, and speaking of which, here's yet another very simple Trillion dollar question for you, Microsoft -

Exactly how do/should organizations find out exactly who can create domain user accounts in their Active Directory? (and ideally also, where they can do so & how)

[ My apologies for harping on "exactly" ; it is just that when it comes to cyber security, accuracy is paramount. ] 


Make no mistake about it - organizations that do not know the answer to this most fundamental of cyber security questions concerning identity management in Windows based networks cannot be considered secure from a cyber perspective.


Now, in case this seems like a simple question, consider what it might take to accurately answer this question at an organization that may have numerous (say even 20+, if not 100s of) organizational units and containers in their Active Directory domain(s).

Here's a hint - In all likelihood, even you*, the $ 550+ Billion Microsoft, that may be spending billions to convince the world to get on its recent Cloud offering, don't possess the ability to help organizations answer this simplest of cyber security questions.


(In light of which, this might now make sense, esp. paragraph 7.)


I, and the whole world, look forward to your answer.  (Also, since you're likely not going to answer it, I'll answer it on Day-12.)

Best wishes,
Sanjay


* Not just you, not a single one of the dozens of multi-million/billion $ IT, cyber security, tech and defense companies focused on identity management and cyber security can help organizations answer this simple cyber security question. Well, except one.

PS: August 05, 2017 Update - I've answered the question here.

Friday, June 2, 2017

Active Directory Security is Paramount to Global Security Today (Day 2)

Folks,

Today is Day 2 of advanced Active Directory Security school for Microsoft. Today's post, albeit short and non-technical, is also very important, because the world needs to understand just how important Active Directory Security is to global security today.

From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.


In other words, the foundational security of thousands of government and business organizations depends on Active Directory.

To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Microsoft Active Directory.

Now imagine a scenario wherein someone is able to write and unleash malware designed to target and exploit weaknesses in and compromise foundational Active Directory deployments worldwide. Just how much damage do you think that could do?

If that's a stretch for your imagination, consider this much simpler scenario, wherein a perpetrator (e.g. a hacker, an APT, an insider) specifically targets and is able to compromise the Active Directory of even just a few of the world's top organizations.

Hopefully you can now see why Active Directory Security is paramount to global security today. What could be more important?


Now consider this - in almost every Active Directory deployment in the world, there exist thousands of exploitable unauthorized effective access grants, yet neither do most organizations seem to know this, nor do they possess the means to identify them.

Considering the above, one would think Microsoft would be aware of this problem, and if so, have a solution for it, for the world. Sadly, neither Microsoft nor any cyber security company on the planet has a(ny) solution to help these organizations adequately i.e. accurately and swiftly identify and eliminate the billions of unauthorized effective access grants that endanger foundational Active Directory deployments worldwide. Well, except one.

In light of the above, you may want to read Day 1's entry (a few times over, if needed) again - here.

That's all for today.

Good night,
Sanjay


PS: Responsible disclosure/picture-painting: I wouldn't have shed light on this if there was no solution. There is a solution today, and it can help the entire world address and eliminate this problem very quickly, but we can't help these organizations until they themselves first recognize, understand and acknowledge the problem, comprehend its magnitude, & then seek our assistance.

Thursday, June 1, 2017

How Well Does Microsoft Really Understand Cyber Security? (Day-1)

Dear Microsoft,

Today is Day-1 of Advanced Active Directory School for you. From today onwards, for the next 30 days, I am going to help you better understand Active Directory Security, so that you in turn can help organizations worldwide better understand the same.


As I have already said, I am only doing this because today almost the entire world operates on Active Directory and based on what we're seeing, thousands of your organizational customers, many of whom are globally prominent multi-billion dollar companies, may be minutes away from being completely compromised, and they don't even seem to have a clue!


So, (oh and I don't care who you are at Microsoft, or what it is you're working on, because most likely nothing is more important than what you're going to learn here so) you may want to take a break from whatever you're working on and listen intently to what I have to say, because by the end of these 30 days, what's being communicated in these 2 videos is going to sound like a joke -
[ Note - These videos were mysteriously removed from LinkedIn shortly after I wrote this post. ]


Kool-aid sounds wow in marketing videos!  Here's what Mr. Nadella ended this talk with - "When we talk about empowering every person and every organization on the planet, it becomes even more paramount, to build trust into the core of computing."

BTW, a quick side-note: saying "even more paramount" is grammatically incorrect. "Paramount" is a superlative to begin with.

Oh, and here's what your built-to-impress Microsoft Cloud commercial ends with - "When it comes to the cloud, trust and security are paramount. We're building what we've learnt back into the cloud to make people and organizations safer."

Well, after what I'm going to share with you over the next 30 days, you may not only find these videos to be rather humorous, you'll also find that you still have much to learn and a long way to go before you can truly make people and organizations safer.

Oh, and is it just me, or have you too noticed that y'all have started using the word "paramount" a lot lately? It was a decade ago that I had realized that in years to come, cyber security would become mission-critical to business, and that nothing would be more important than defending the very foundation of cyber security worldwide, and thus the name - Paramount Defenses.


But I digress, and alright, enough boring talk. Let's get down to some real technical stuff, shall we?



An Ocean of Vulnerabilities in Microsoft Active Directory Deployments Worldwide

Microsoft, do you know what this string represents, and why even a tiny bit of it is profoundly important to global security today?:
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

I promise to fill you in on the details in days to come, so I'll just give you a hint today - Who needs WMDs Today?

Okay, I'll speak to it just a little bit today. This is a Windows security descriptor on one single specific Active Directory object, and were this exact security descriptor, or even a very small specific portion thereof, to exist in an Active Directory deployment today, that Active Directory deployment could be completely compromised in a matter of minutes, and none of these kiddish band-aids would be able to prevent that from happening.

And this is merely the tip of the TIP of the Iceberg!


In most Active Directory deployments there are thousands if not hundreds of thousands of such security descriptors protecting an ocean of mission-critical Active Directory content, yet no one seems to have a clue as to how to even begin to analyze them, let alone how to correctly analyze them, or for that matter lock them down, and as a result, today the vast amount of unauthorized access they allow, and that thus exists in most Active Directory deployments worldwide is simply UNBELIEVABLE!

Close your eyes and imagine for a moment what it must be like to stare at thousands of such security descriptors to try and make any reasonable sense of them i.e. trying to determine precisely what access they end up granting, and to whom, and you'll get a sense of what your customers, (and if I may add, only those who understand a bit of this stuff,) have to deal with!

In case you're wondering why on earth someone might want to make sense of them, it's because organizations need to make these determinations to attain and maintain least-privileged access (LPA) in their foundational Active Directory deployments.

Oh, and if a malicious entity (e.g. an intruder, a rogue insider, an APT etc.) could do so, and do so accurately, he/she/they could instantly proverbially play God, because he/she/they would be instantly privy to extremely valuable intel, such as exactly -

1. Who can replicate secrets from Active Directory to compromise everyone's credentials?
2. Who can change the membership of any one of various Domain-Admin equivalent groups to gain root access?
3. Who can reset the password of any Domain-Admin equivalent privileged user account to gain root access?
4. Who can link a rogue GPO to the domain-root, a site, or an OU to compromise all domain-joined hosts?
5. Who can modify the membership of any of the thousands of security groups to gain system-wide access?
6. Who can reset the password of any employee (e.g. the CEOs) in the organization to login as him/her?
7. Who can modify a mission-critical application's service connection points to prevent it from functioning?
8. Who can delete an entire OU with thousands of objects in it to launch a crippling denial-of-service attack?
9. Who can modify a single attribute in the Configuration partition to disrupt the Active Directory itself?
   etc. etc. ... you get the drift?

I think most reasonable IT and cyber security professionals will agree that knowing who can enact these tasks is not only vital to organizational cyber security today, it is in fact essential to operating a trustworthy Active Directory based IT infrastructure.

Yet, because no one really knows how to make any reasonable sense of the thousands of these security descriptors in Active Directory, let alone how to do it correctly and/or efficiently, most organizations worldwide are operating in the proverbial dark.

In fact, and here's the most shocking part - based on our vast global insight, I can tell you that at so many organizations worldwide, IT departments don't even have this on their radar, let alone knowing the paramount importance of this stuff!

In other words, most Active Directory deployments today may be sitting ducks for any proficient perpetrator who understands Active Directory ACLs well enough to know how to translate what seems like gibberish to the uninitiated, into extremely valuable cyber security intel that can then be effortlessly leveraged to instantly gain root access and swiftly inflict colossal damage.

Oh, and now imagine if someone could automate this extremely difficult process, such that he/she could quickly and of course accurately translate thousands of Active Directory security descriptors into extremely valuable privileged access entitlement insight in any Active Directory deployment in the world. (You know, something like this.) You can complete the sentence...
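Here is what the first, purely mechanical step of that translation looks like, as an added example that is not code from this post or from Paramount Defenses: a small Python decoder for the ACE list quoted in the previous section. It reports which trustees hold the replication control-access rights on that object (question 1 in the list above, and the right class that DCSync depends on) and, for a constructed OU DACL, which trustees may create user objects directly beneath it (the "who can create domain user accounts" question asked earlier on this page). The replication-right and class GUIDs are standard Active Directory constants; the S-1-5-21-... SID, the helpdesk role it stands for and the OU DACL are constructed and belong to no real domain. It deliberately stops short of effective permissions: no group nesting, no inheritance from parent objects, no property sets, and deny ACEs are listed rather than evaluated, which is precisely the part the post says no one gets right.

```python
"""Decode an Active Directory DACL written in SDDL and answer two questions
raised on this page: who holds the directory-replication control-access rights
on the domain object, and who may create user objects under a container.
Added example, not code from the post or from Paramount Defenses; it reads one
object's DACL only (no group nesting, no inheritance, no property sets)."""
import re

REPLICATION_RIGHTS = {  # rightsGuid of each replication control-access right
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class user
SID_ABBREV = {  # SDDL trustee abbreviations that occur in the descriptors below
    "WD": "Everyone", "AU": "Authenticated Users", "SY": "SYSTEM", "DU": "Domain Users",
    "BA": "Administrators", "DA": "Domain Admins", "EA": "Enterprise Admins",
    "ED": "Enterprise Domain Controllers", "AO": "Account Operators",
    "RU": "Pre-Windows 2000 Compatible Access",
}
# The ACE list quoted in the post, with its line-wrap spaces removed.
DOMAIN_DACL = (
    "(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)"
    "(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)"
    "(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)"
    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)"
    "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
)
# Constructed sample DACL of a hypothetical OU; the S-1-5-21-... SID is made up.
SAMPLE_OU_DACL = (
    "D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)"     # may create groups, not users
    "(OA;CIIO;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;AU)"  # inherit-only: child OUs, not here
    "(OD;;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;DU)(A;;RPLCLORC;;;AU)"
)

def parse_dacl(sddl):
    """One dict per ACE. Whitespace is dropped first (so a wrapped string still
    parses); a leading 'D:' and DACL flags such as 'AI' are skipped."""
    body = re.sub(r"\s+", "", sddl)
    aces = []
    for m in re.finditer(r"\(([^)]*)\)", body[body.find("("):]):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + m.group(0))
        ace_type, flags, rights, obj_guid, _inherited_obj_guid, sid = fields
        aces.append({
            "type": ace_type,                          # A/OA allow, D/OD deny
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
            "rights": {rights[i:i + 2] for i in range(0, len(rights), 2)},
            "object_type": obj_guid.lower(),           # '' = not limited to one right/class
            "trustee": SID_ABBREV.get(sid, sid),
        })
    return aces

def who_holds_replication_rights(sddl):
    """Map each replication right to the trustees allowed it on this object."""
    holders = {}
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or "IO" in ace["flags"]:
            continue                                   # deny, audit or inherit-only ACE
        if "GA" in ace["rights"] or ("CR" in ace["rights"] and ace["object_type"] == ""):
            names = list(REPLICATION_RIGHTS.values())  # unscoped CR = every control right
        elif "CR" in ace["rights"]:
            names = [REPLICATION_RIGHTS.get(ace["object_type"])]
        else:
            continue
        for name in filter(None, names):
            if ace["trustee"] not in holders.setdefault(name, []):
                holders[name].append(ace["trustee"])
    return holders

def who_can_create_users(sddl):
    """(allowed, denied) trustees for Create Child of class user directly under
    the container this DACL belongs to; deny ACEs are listed, not evaluated."""
    allowed, denied = [], []
    for ace in parse_dacl(sddl):
        if "IO" in ace["flags"] or ace["type"] not in ("A", "OA", "D", "OD"):
            continue
        creates = "GA" in ace["rights"] or (
            "CC" in ace["rights"] and ace["object_type"] in ("", USER_CLASS_GUID))
        if creates:
            bucket = allowed if ace["type"] in ("A", "OA") else denied
            if ace["trustee"] not in bucket:
                bucket.append(ace["trustee"])
    return allowed, denied

if __name__ == "__main__":
    for right, who in who_holds_replication_rights(DOMAIN_DACL).items():
        print(f"{right}: {', '.join(who)}")
    print("can create users:", who_can_create_users(SAMPLE_OU_DACL))
```

Run it directly to print both reports. Two details of the output are the instructive ones. First, the unscoped CR in the Domain Admins, Administrators, SYSTEM and Enterprise Admins ACEs grants every control-access right, so those trustees hold DS-Replication-Get-Changes-All even though no ACE names that GUID; a reviewer who only greps for the replication GUIDs misses them. Second, the inherit-only Authenticated Users ACE in the constructed OU grants nothing on that OU itself but grants Create Child of user on every OU created beneath it, which is why the question has to be asked for every container rather than once at the domain root.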

But I digress.



How Well Does Microsoft Really Understand Cyber Security?

Over the last ten years, Domain-Admin equivalent IT personnel from thousands of organizations from across 150+ countries worldwide have knocked at our doors, completely unsolicited, so we've had a chance to talk to them, and you might fall off your chair if I told you just how much (or should I say how little) most of them know about this stuff, and that to us is unbelievable!

So, Microsoft, do you know why so many organizations are operating in the dark today vis-à-vis this stuff?


The only plausible explanation I could come up with is that it's because you, the $550B Microsoft Corporation, seem to have provided virtually NO guidance to your customers, over an entire decade, neither on why it is so important (and in fact, as you may soon hopefully agree, paramount) to determine effective access in Active Directory, nor on how to do so correctly!

Which leads me to wonder, why not?

The only plausible explanation I could come up with is that it's because, most likely, you, the $550B Microsoft Corporation, who built Active Directory, yourself do not seem to have figured out just how important being able to do this is for cyber security!

If you have any other explanation to offer, not just me, the entire world is all ears by now!

If you don't, then hopefully you can see how the videos above seem to some of us to be humorous, in that most likely you don't even seem to possess the ability to make such paramount determinations in your own Active Directory deployments, let alone being in a position to help organizations worldwide address such a paramount cyber security need.

By the way, if you think little toys like dsacls, acldiag, LDP, your Effective Permissions Tab, or any PowerShell script anywhere, or any "Active Directory Permissions Audit" solution from over a dozen or so vendors can solve this problem, then let me tell you that neither you nor they (i.e. these clueless vendors) have any idea how to solve this problem correctly!

Oh and speaking of which, not only are these wonderful folks way off mark as well, their infantile wares are technically deeply flawed, so their excitement may be premature - there's a mountain the size of Mount Everest to be scaled before anyone can solve this problem. (See, since you've never shed light on what it takes to correctly do this, even such flawed stuff makes the bar for the famed Black Hat Conference! Incidentally, last year I personally discovered how little they too know about this!)

That's coming from someone who had the will and the grit to spend 20,000+ hours solving this one problem for the world - here.

That's it for today. Today, I just wanted to lay the foundation. From tomorrow onwards, we'll start getting deeper into technicals and over the next 30 days, I'll help you understand this stuff a little better, so you can help your customers understand it better.

Good night,
Sanjay


PS: Simply acquiring a puny start-up and offering their nascent technology as ATA is by no means enough to demonstrate the degree to which one expects Microsoft to go to, as claimed in those two videos above! As I have said earlier as well, Microsoft ATA is basically a detection measure. In the list of protection measures, detection comes third. The first is prevention (best accomplished by attack surface reduction), the second is avoidance. If detection is the best you can offer, you're conceding that you don't have the ability to provide the first two measures. And the world expects better than that from a $550 Billion company, especially one courting the world to embrace and trust its Cloud offering (; see 2 videos above :-))

PS2: We're happy to help your customers, but we need (you to help) them to understand this to a certain degree before seeking our assistance; we simply cannot individually teach 1000s of organizations what Active Directory effective permissions are!

Monday, May 22, 2017

A Trillion $ Letter to Microsoft concerning Cyber Security Worldwide

[This is a letter to all my esteemed former colleagues at Microsoft Corporation, for whom I have the greatest of respect. This is Day-0 of Active Directory Security School so you may want to read it as well as the PS section below.]


Dear Microsoft,

Let me begin by saying that you're one of the world's most high-impact companies, and that I love and respect Microsoft.


I may have spent only a few years at Microsoft, but when you're working 16 hour days, so immersed and in love with what it is you do, driven by the satisfaction and adrenalin of knowing that your work impacts billions of people worldwide, it truly is an incredibly satisfying and gratifying feeling. For me, working at Microsoft was a truly memorable and incredible experience.

If I might add, as Program Manager for Active Directory Security, I was at the epicenter of cyber security in Microsoft's Windows ecosystem, and when your work directly impacts the foundational cyber security of thousands of organizations worldwide, and you get to work with and earn the respect of some of the best security folks on the planet, John Lambert, David Cross, Michael Howard, Stuart Kwan, Paul Leach, Steve Riley, Ben Smith, Scott Charney and so many others, it's an indelible experience.



But this isn't about me. This is about the thousands of organizations that we (you and us) have the opportunity to impact (and in turn the billions of people whose lives they impact), and the responsibility to do so in a positive manner that betters their lives.



As you know, Active Directory plays a foundational and in fact a monumental role in IT and cyber security across the world, or as I like to put it - "not a leaf moves in the organizational IT and cyber security world without Active Directory being involved."


As former Microsoft Program Manager for Active Directory Security, i.e. someone who spent years on this ocean of an esoteric subject, after having moved on from Microsoft in 2005, upon taking time to reflect back, it became clear to me a decade ago that as solid as Active Directory is, it unfortunately lacks one fundamental capability, the absence of which could likely pose a huge security risk for thousands of (y)our organizational customers worldwide, in years to come.

Thus in the late 2000s, I several times dutifully brought this deficiency in Active Directory to the attention of several individuals at several levels within Microsoft. Unfortunately, for reasons known best to them, no one seemed to want to do much about it.


It is because I knew just how critical this capability would be for the world to have in years to come, that I was convinced that it had to be built. Of course, back then, I was merely an ex-Microsoftie with the mere meagre resources of an average citizen, so I knocked on the doors of some of the world's biggest venture capital (VC) firms, who all were kind enough to give me an audience.
(They were Kleiner Perkins Caufield and Byers (KPCB), Greylock Partners, Sequoia Capital, and a few others in Menlo Park.)

Unfortunately [for me then :-( , and for them now :-)] they too didn't " get it ", so they respectfully passed, and wished me luck.

Speaking of luck, there's an old saying - "Luck is the residue of diligence." They (i.e. those VC firms) may not have realized that they not only turned down a former Microsoft cyber security expert, but more importantly, they turned down someone who cares deeply about doing the right thing. Perhaps they may have underestimated the power of human will.


Undeterred, I decided to do something about it myself, within my own meagre financial means. I'll spare you the details of my journey, but in short I worked four years (1,460 days) straight without earning a penny, and when I was done, I had architected and developed one of the most important cyber security capabilities and amongst the most innovative patented intellectual property on the planet, which is today formidably backed and embodied into some of the world's most innovative solutions by some of the world's most professional developers (our employees), and can today do at a button's touch, what no one else can.


As a completely unintended consequence, I ended up creating possibly the most important, relevant and valuable cyber security company on the planet, and today, not all the financial resources at the disposal of all the venture capital companies combined, could possibly compete with us. (You may not yet understand why I say so, but you'll hopefully understand it by the end of this.)


(You see, there are 100s of cyber security companies in the world today, most of whom also run on Active Directory, but not a single one of them can help accurately determine effective permissions in Active Directory. If you can find even one that can do so, on even just one Active Directory object, let alone on an entire domain comprised of 100s of 1000s of objects, let me know.

Now, in case you're wondering why being able to do so is a BIG deal, it's because he/she who can accurately and efficiently determine effective permissions on the thousands of objects that reside in each Active Directory domain worldwide, ultimately holds the keys to global security; don't worry if you don't understand this now, for you will by the time we're done with school.)

Incidentally, given the nature of what it is we so uniquely do, today we are formidably backed by an entity who understands the strategic importance of our endeavor to the business and national security interests of the United States AND its allies.



But again, this isn't about me. This is about applying the best one is capable of, towards solving one of the most important cyber security challenges on the planet for our customers, the thousands of business and government organizations worldwide that operate Active Directory, to help them stay safe and secure. In other words, this is about you and (y)our customers worldwide.



You're not going to believe this, but imagine our surprise when after having solved arguably the biggest cyber security challenge facing Microsoft's organizational customers today, we found that hardly any of your customers seem to understand this problem!


Thus, last year, we had to bring this to the attention of the executive leadership of the Top-200 organizations worldwide, and to this day we continue to help thousands of your organizational customers understand this, for they all seem to be in the dark.

It appears that the reason most of them are in the dark is perhaps because while you were busy making a paradigm shift, you may have (completely) forgotten to provide them sufficient guidance on one of the most vital aspects of Windows Security.

I believe that it is not our burden to educate your customers about this profoundly important challenge; that's yours to do; we've done the hardest part, which is to solve it; you can do the rest. However, it appears that even you do not seem to understand it.

So, in the best interest of the foundational security of thousands of organizations worldwide, who are (y)our customers, in days to come, I'm going to most respectfully help you understand this profoundly important yet esoteric cyber security challenge.

(Also, I'm sorry if I may have been a little hard on you recently - one, two. That was only because I care deeply about everyone ; as they say, along with great power comes great responsibility, and I felt that you may inadvertently have not been living up to that. When we play such a vital & foundational role in global security, we have an obligation to do so as responsibly as we can.)




Please know that the only reason I'm doing so is so that you can help your customers understand this problem, because we worry greatly that if they don't understand this soon, the not-so-good folks out there could seriously endanger their security.

In fact, considering that 100% of all major recent cyber security breaches involved the compromise and misuse of a single Active Directory privileged user account, organizations that ignore The Paramount Brief may be doing so at their own peril.

(Also and most pertinently, as credential-theft attacks (e.g. Pass-the-Hash, Kerberos Golden Tickets etc.) become harder to enact, perpetrators are shifting their efforts towards directly attacking Active Directory, a fact concretely evidenced by Mimikatz DCSync, which leverages unauthorized / excessive effective permissions in Active Directory to compromise all credentials.)

Thus, I hope that once you understand this risk, you'll see why you need to help organizations worldwide understand it ASAP.


In conclusion, I've been one of you; I represent what every responsible, hard-working individual who passionately believes in solving a problem for the world is capable of, and once you understand this esoteric challenge, you'll realize that I (and today we) have done more to help safeguard the cyber security of Microsoft's global organizational customer base than any other entity (individual or company) on the planet, and that the world needs our combined help and guidance, so in your own (ecosystem's) interest, I hope you'll listen most intently and respectfully to what I have to say in days to come.

Thank you very much.

Most Respectfully,
Sanjay


PS: Active Directory Security School: Today was supposed to be Day-1 of Active Directory Security School, but I decided to make June 2017 Active Directory Security Awareness Month, so I figured it might be best to hold school from June 01 to June 30, 2017. So, the official Day-1 of School will start right here on June 01, 2017.  Until then, you may want to read this.