Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including the World's Top Cyber Security Risk, Advanced Persistent Threats (APT), Cyber Warfare, Corporate Espionage, Insider Threats and other topics.


Gold Finger The Paramount Brief Gold Finger Mini World Peace

Thursday, December 1, 2016

Six Degrees of Domain Admin

Folks,

I recently came across an interesting presentation on Active Directory Security and Active Directory Privilege Escalation titled Six Degrees of Domain Admin. Since I happen to know a thing or two about the subject, thought I'd share a few thoughts.


Its nice to see folks apply graph theory towards determining privilege escalation paths. Its also nice to see folks quote my former colleague and good friend, John Lambert, General Manager for the Microsoft Threat Intelligence Center at Microsoft.

By the way, I must mention that John's a great guy, one of Microsoft's finest. He also really likes graphs, and as you may know, is famous for his quote - "Defenders think in lists, attackers think in graphs"; In fact, way back in 2007, when I was visiting MSFT, I remember him suggesting that we consider using graphs with Gold Finger when I showed him its sheer power. By the way, at Paramount Defenses, as defenders, we've always thought in graphs.

Anyway, after seeing that pres, I'd only like to say that those who are still relying on trying to find privilege escalation paths in Windows networks based on where privileged users may have logged on so they can find hosts on which they could employ archaic pass the hash and Kerberos ticket meddling techniques, may still be operating in the Stone Age of cyber security.

For all folks starting out in and/or interested in Active Directory Security and Active Directory Privilege Escalation etc., here's ONE simple helpful resource to ramp up their knowledge - Defending Active Directory Against CyberAttacks -

Defending Active Directory Against Cyberattacks

If you really know Active Directory Security, then you know that with the right tooling (e.g. one, two, three) you can easily and instantly find 1000s of instantly exploitable privilege escalation paths in a Windows network right within the Active Directory itself, and thus you'll never even have the need to or any interest in finding out who logs on to / logged on which computer to use archaic pass-the-hash / Kerberos ticket meddling techniques. (That stuff's for novices.)

By the way, we know just how powerful such tooling is, so we will not make it available for free in the public domain. In fact, we only license our tooling to the good guys (organizational IT personnel) and only for use in/against their own Active Directory.

For folks who're still into using archaic pass-the-hash / Kerberos ticket meddling techniques, you'll want to read and absorb this blog entry like a sponge absorbs water -  A Letter to Benjamin Delpy regarding Mimikatz and Active Directory Security.

Also, if you're trying to find the shortest path to DA (Domain Admins), you may want to consider learning about this; its only about 1000 times more powerful than anything else out there. Incidentally, this can find 1000s of privilege escalation paths in Active Directory in less time that it would take someone to go through this.

All in all, its nice to see other folks out there finally getting into Active Directory Security. Frankly, having done it for 15+ years now (first at Microsoft, and then at Paramount Defenses), and being a million miles ahead is getting to be a tad boring. That said, one of the perks (the fun part) of my job is that I get to build stuff that even James Bond and Ethan Hunt don't have yet - 007G.

Best wishes,
Sanjay

Wednesday, November 23, 2016

The World's Biggest Cyber Security Breach (Yet) & Role of Cyber Weapons

Folks,

I'll keep this very short. The recent U.S. Elections, possibly the world's most important global event, are now over, and one of the biggest takeaways from it would undoubtedly have to be the sheer impact that a cyber security breach can have today.


In fact, professionally speaking, if one were to consider the impact of a cyber security breach, the recent breaches of the DNC and Mr. Podesta's Gmail account, albeit so amateurwould have to be possibly the world's biggest cyber security breach yet.

Why?  Because these simple breaches resulted in the compromise of the confidentiality of vast amounts of an entity's sensitive private data (i.e. 1000s of emails of the DNC and Mr. John Podesta), the public disclosure of which is widely believed to have influenced the outcome of arguably the most important event on the planet, the election of the President of the United States.

In fact, the Director of the NSA, Admiral Michael Rogers recently said that there shouldn't be "any doubt in anyone's mind" that there was "a conscious effort made by a nation state" to sway the result of the 2016 presidential election.

If you can impact the most powerful office in the world, you can potentially impact the future of mankind as well as the planet. Since these cyber security breaches impacted the most powerful office in the world, they'd have to be the world's biggest yet.

In light of these breaches, there's been talk about the need for and role of cyber weapons to bolster America's cyber defenses.



[ (If I may digress for a bit.)  Begin Digression] 

Speaking of Cyber Security Weapons

Given cyber security's paramount importance in today's world, and the growing role that cyber warfare plays in modern warfare, the need for and the importance of cyber security weapons is becoming clearer. Reportedly, recently the U.S. Government may have been signaling more emphasis on developing cyber weapons to deter attacks, punish intruders and tackle adversaries.


Speaking of cyber security weapons, interestingly, unlike military weapons (e.g. conventional and nuclear weapons) which have traditionally and primarily been in the hands of and controlled by governments, since the development and deployment of cyber security weapons only requires technical cyber security expertise (, not massive infrastructures (e.g. materials, factories, bases, launch pads, personnel, deployment vehicles, satellites etc.)), they could actually be moderately easily developed as well as controlled by non-government entities (e.g. $B corporations) and potentially be used by not just governments (nations) to aid, assist and gain superiority in modern (and cyber) warfare and diplomacy, but also by business organizations alike to influence business and political outcomes, such as to influence elections in other nation states (e.g. Russia.)

Given today's super highly digitally connected world, cyber security weapons are likely to play a prominent role in global affairs.

(By the way, I only happen to know a thing or two about cyber security weapons since we recently built one, primarily to serve as a deterrent, and to demonstrate the sheer technical superiority (defensive and offensive capabilities) in the cyber security space that exists today for the protection of the business and national security interests of the United States and its allies.)

[End of Digression]



Of all the major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM etc.), in terms of impact, the recent breaches of the DNC & Mr. Podesta's Gmail account may possibly have been the biggest cyber security breach(es) yet.

Oh and I say yet because today it is entirely possible to develop powerful cyber security payloads/weapons that could possibly automate the compromise/destruction of a specific organization or a vast number thereof, in a specific nation, or many thereof.

We care deeply about cyber security.

Best wishes,
Sanjay

Friday, November 4, 2016

Does Anyone Really Care? (Speaking of Cyber Security, Microsoft & Trust)

Folks,

This is important so if you care about cyber security, you'll want to take a few moments to earnestly read this in its entirety.


Microsoft (, Google, the U.S. Elections, the Russians) and an Unpatched Critical Zero-Day Vulnerability

On Oct 21, 2016, Google's Threat Analysis Group reported 2 critical zero-day (i.e. previously unknown) vulnerabilities, one to Adobe and to Microsoft. Adobe acted swiftly and patched the vulnerability in its Flash software on Oct 26, i.e. within 5 days.


On Oct 28, 2016, after 7 days of having reported it to the appropriate vendors, per its published policy for actively exploited critical vulnerabilities, Google publicly disclosed this vulnerability. As of Oct 28, Microsoft had not yet patched this vulnerability.

Publicly disclosing a critical unpatched vulnerability in Windows (versions 7,8,8.1 and 10*), especially one that is being actively exploited, could potentially impact security globally, and just 10 days before the world's most important election, i.e. the U.S election, also possibly impact the future of mankind. (But wait, don't arrive at any conclusions yet; please read this entire post.)
* Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild.
If there's one thing the world has learnt this year, it is that in today's world, hacking and its impact can undoubtedly influence an election. The second thing the world has learnt this year is the ease with which purportedly Russian hackers have been able to engage in political hacking to compromise the cyber security of various U.S. entities including the DNC and Mr. John Podesta.

With just days left before the election, publicly disclosing a critical unpatched vulnerability in Windows could potentially empower many more malicious entities, including those widely believed to have already done so, to engage in further hacking in their attempt to further influence the election. If by any chance, U.S voting booth machines happen to be running an impacted version of Windows, and hackers are able to compromise them by exploiting this unpatched vulnerability, __ <you can fill in the blanks.>

By the same token, so could Microsoft not doing everything it can to immediately patch this critical vulnerability. In other words, in light of the possibilities shared above, like Adobe did, ideally Microsoft should have patched this without any delay.

It appears Google felt that it should be patched immediately. It appears the $ 500B Microsoft did not. You can be the judge.

(Instead of patching this immediately, what does Microsoft do and say?! Its astonishing, so please keep reading...)




Microsoft, are you Serious ?

Since Google probably took Microsoft by surprise by, per its published policy for actively exploited critical vulnerabilities, publicly disclosing this vulnerability 7 days after reporting it to Microsoft, Microsoft was likely left with no choice but to public defend itself and issue a statement, and instead of patching it immediately, it did a most astonishing thing (; see "But it was.." part below.)


On Nov 01, in a short blog post paradoxically titled Our commitment to our customers’ security, written by an Executive Vice President in the Windows and Devices group, it in effect said that an activity group called STRONTIUM conducted a low-volume spear phishing campaign to target a specific set of customers by leveraging this unpatched vulnerability, and that Microsoft is coordinating with Google and Adobe to investigate the campaign and create a patch, which they plan to release on Nov 08.

Excuse me Microsoft, but by then the election would have been over, and by not releasing a patch immediately, you left a 7-day window (no pun intended) of opportunity that who knows how many malicious entities, including those widely believed to have already done so, could use to engage in further hacking in their attempts to possibly further influence this historic U.S. election.

But it was the very next sentence in the blog post that was unbelievably astonishing and I quote - "To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack."

Microsoft, are you kidding us?

This could potentially further impact the most important election in mankind's history, and instead of the $ 500 Billion Microsoft Corp immediately fixing the critical zero-day vulnerability, which they themselves are saying may have been used by purported Russian hackers in enacting the recent political hacks (, and which they should have ideally found before the STRONTIUMs of the world do/did so in the first place), they're using (even) this to pitch the latest version of Windows!   That's just unbelievable!

Oh, and by the way, in that same blog entry, Microsoft goes on to say, and I quote "Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016." Er, here's a simple question for Microsoft - "How come STRONTIUM is able to find so many 0-day exploits, and if so, how come you, a $ 500 Billion company are not able to find and patch them before STRONTIUM or for that matter anyone else can?" Perhaps Microsoft could take a petty $ Billion from its Cloud marketing budget and use it to assemble a team dedicated to finding and fixing such vulnerabilities in their foundational Windows software.




Speaking of Trust  (Actions Speak Louder Than Words)

Microsoft if you are truly committed to your customers' security and to Trustworthy Computing, and I believe you are, please back your words with appropriate and responsible actions because to your customers your actions speak louder than words.


I believe that not immediately releasing a patch for a serious unpatched vulnerability in Windows that is currently being exploited to inflict great harm, especially days before the world's most important election that has already been influenced by the impact of such hacks, was not responsible. Further, ill-using this situation to pitch your latest version of Windows to customers was not responsible. Neither was not educating customers for 16 years about something so vital to their security (; context in next para.)

Just last week, I had to publicly take Microsoft to Active Directory Security School, because over the last 16 years, across the entirety of security guidance (whitepapers, blogs, videos etc.) they have released on Active Directory Security, they have not once mentioned the most important and cardinal aspect of Active Directory security - Active Directory Effective Permissions.

In my professional opinion, in not having done so, even if unknowingly, they may have left over 85% of the world to deal with a massive cyber security challenge, a prime example of which is the sheer lethal power of Mimikatz DCSync made possible by a certain talented Mr. Benjamin Delpy, and for which Microsoft has no solution to offer to the world today. (None whatsoever.)

In fairness to them, they might say that they don't have to have a solution to every problem, because they have a huge partner ecosystem that helps address many such problems. They may be right, but they don't even seem to know that this problem is so difficult to solve that out of thousands of partners in their ecosystem, not one of them has a solution to this Trillion $ problem (; except one, and that's only because behind it, is one of their own i.e. a passionate former Microsoft cyber security expert.)


Microsoft is spending billions of dollars to become a dominant player in the Cloud, and to persuade IT executives at the world's biggest public and private organizations to move to their Cloud. However, they need to understand that if they want the world to move large parts of their IT infrastructures and IT assets into their cloud, especially the Keys to these Kingdoms (i.e. Domain Controllers), they're going to have to demonstrate trustworthiness and EARN trust, and that's done by actions, not mere words.

By the way, the "mere talk is cheap" saying applies to everyone, including us; behind my talking is decade of industrious action.

I.e., this is coming from someone who loves Microsoft, cares deeply about cyber security and who's persevered for a decade to solve arguably the world's most difficult cyber security problem for Microsoft and the world, and whose work today uniquely helps secure and defend the foundational cyber security of so many prominent organizations across six continents worldwide, including the United States Government.

Along with great power, comes great responsibility.

Best wishes,
Sanjay

PS: Satya, in August I said someday I'll tell you what the most valuable thing in life is. It's Trustfollowed by love, faith & time.

Tuesday, November 1, 2016

Election Influencing Podesta/DNC Email Hacks, Cyber Attacks and Russia

Folks,

There is no doubt that the recent email hacks of John Podesta and the DNC will have influenced the U.S. presidential election.



Given my background, I am often privately asked about my thoughts on the Podesta / DNC Email hacks purportedly carried out by Russia. Due to paucity of time, instead of having to respond to this so many times, I figured I'd publicly share a few thoughts.

But first I do wish to make it unequivocally clear that as (the CEO of) not just America's, but possibly the world's most relevant cyber security company today, we are professional, completely unbiased and objective, and this is only a professional opinion.

Disclaimer: My thoughts below are based on a cursory assessment of how Mr. Podesta's email was hacked. It is believed that at the time the DNC was hacked, they too may have been using Gmail, and thus may have been hacked in a similar fashion.



Simple Hacks, Huge Impact

Brass tacks, the Podesta/DNC email hack is simply a case wherein an entity that was engaging in high-value communications using a relatively low-assurance system (i.e. a free/low-cost email service) and insufficient security controls (i.e. not requiring two-factor authentication for password changes/resets) was compromised using simple social engineering involving very basic technical means by a 2nd entity, who in turn purportedly passed the compromised data to a 3rd entity that disclosed it publicly.

The 1st entity was John Podesta / the DNC, purportedly the 2nd entity was Russian hackers, and the 3rd entity was WikiLeaks.

When I say relatively, I mean that compared to (say) an in-house deployed, managed and controlled Active Directory integrated Microsoft Exchange Server based communications infrastructure that also requires 2-factor authentication (i.e. Smartcards), a free/low-cost email service is a relatively low-assurance system, especially when being used for high-value communications.

For those may not know, Mr. Podesta was using a Gmail account; he apparently received a phished email and clicked on a link.

In fairness to Mr. Podesta, apparently his assistant did ask their IT staff about the legitimacy of that phished email, and was told that it seemed legitimate and was okay to click on. In addition, at that point in time, apparently someone did ask as to whether or not two-factor authentication was enabled on his account, and if not, suggested that it be immediately enabled.

All said and done, apparently Mr. Podesta did end up clicking that link and at that very moment his account was compromised.


The rest i.e. the huge impact of the public disclosure of this sensitive data on the U.S. presidential election, is all over the news.


Now, strictly speaking, the only thing that makes this a huge deal is that in this case the compromised data happened to be vast amounts of high-value sensitive, private email conversations of one of two parties contesting an election in a specific country. The actual technical means involved in compromising security here were basic, a 2.5 on a scale of 1 to 10, 1 being very easy.

You see, usually perpetrators begin by trying to phish a target just to gain a foothold inside the organization's network perimeter. However, in a case where emails may be all they're after, and the target's already using a free/low-cost email service, merely step 1, i.e. being able to successfully phish that free/low-cost email service account will get them to mission-accomplished, because once they have compromised that email account, right then and there they have access to all of the account's emails.

Thus, using relatively easily targetable and compromisable free/low-cost email accounts likely increased their risk exposure.


From a professional cyber security standpoint, one of the most fundamental principles of security, the Principle of Adequate Protection, states that "an asset must be protected to a degree consistent with its value". In line with it, ideally entities engaging in high-value communications should be using sufficiently high-assurance systems and employing adequate security controls.   In light of this, in this case, the use of a free/low-cost email service to engage in high-value communications seems perplexing.

If you have high-value/sensitive communications to engage in, please do not use low-assurance / inadequately-secure systems to engage in them. If you must absolutely have to use a low-assurance/free email service such as Gmail for high-value/sensitive communications, at least do enable 2-factor authentication for password changes/resets to protect against phishing attacks.

At the end of the day, it matters not so much as to who compromised you, as it does that someone was able to compromise you. Once you've been compromised, the impact of that breach is purely a function of the perpetrator's motives and actions.



Speaking of Massive Cyber Attacks

Sorry for a brief digression. As a mature cyber security practioner, what I find more amusing than comical write-ups such as this and this is that the recent DoS attacks to hit the U.S. east coast were being referred to as a massive/huge cyber attack.

Don't get me wrong. Those attacks may have been massive/huge in terms of the number of websites they momentarily DOS'ed out, but if you consider the technical mechanics involved, brass tacks, its still just a (large) bunch of old-fashioned basic TCP/IP SYN flooding, using compromised IoT devices. Its fancy, but its still simple stuff with relatively low moment-in-time impact.


To put things in perspective, a massive cyber security attack would be one wherein a proficient adversary such as an advanced persistent threat could gain control over large parts of a country's power-grid, government, security and financial infrastructures. These are the kinds of cyber attacks we (know of and) worry about. In fairness, most cyber security companies aren't there yet.



Speaking of Russia

It is widely suspected that Russia carried out the DNC and Podesta email hacks. No one likely knows the facts, neither do I, so in regards to Russia, I'll share what I do know.


This so-called "hack" was so simple, that possibly even a smart freshman from anywhere in the world could have carried it out.

That said, speaking of Russia and its purported cyber attacks on U.S entities, what should be more concerning (and we know this based on publicly available info) is that most likely, code that was likely either written in Russia or is still being supported / updated from inside Russia, may likely be running in highly privileged security contexts in various parts of the U.S. Government.

(Responsible disclosure: Strictly speaking, there's nothing to disclose here since this info has been publicly available for years, yet out of an abundance of caution, earlier this year we did bring this to the attention of several top U.S. Government officials.)

The Russians are considered to be adept at hacking, so if it was them, I'm surprised that they would resort to using such basic attack vectors (i.e. phishing a Gmail account); I suppose it must be their starting point, and it appears they got lucky at step 1 itself. Now, if their target was a specific Gmail account to begin with, then of course that is exactly where they would start.



An Important Concluding Point

I'd like to make one very simple and important point - it matters not as to who is trying to hack you, because as long as you have digital assets of value to someone, there could be (and likely already are) many entities wanting to hack you, driven by various motives; what matters is that you need to protect yourself from being hacked by anyone in the first place.

In this specific case, although any logical mind can easily see why Russia might stand to gain a lot from the outcome of the U.S. election, one could similarly reason that many other countries in the world could stand to gain much from its outcome as well. In fact, not just countries, many corporations worldwide could stand to gain or lose much based on the outcome of this election.

The point again being that it matters not as to who is trying to hack you (or why), it matters that you protect yourself from being hacked by anyone. Mature entities consider it a norm to assume that they are always operating in a hostile environment with numerous adversaries trying to hack them 365-24-7. That is the unfortunate reality of engaging in business in a digital world.

By the way, I prefer not to use the word hack, because there's a connotation of casualness to it. It would be nice to see the media use professional terms like breach, compromise, security incident etc. as they rightfully have a serious connotation.

As I conclude, I'd like to request all organizations (including of course, all media companies and all cyber security companies) worldwide to look  within and if required, consider bolstering their cyber security defenses and enhancing their security posture.

Best wishes,
Sanjay

Friday, October 21, 2016

Defending Active Directory Against CyberAttacks

Folks,

One week ago I had announced that I will be respectfully taking Microsoft to Active Directory Security School. I had also posed a Trillion $ question to Microsoft. As promised, today, in this post, I will do so. Sometimes less is more, so today I'll keep it short.

It is my privilege to share with you a presentation on Active Directory Security that I built for Microsoft and the world -

Defending Active Directory Against Active Directory Attacks


Here is a snapshot of a few sections from this 90+ slide deck -

Active Directory Security Presentation


I suggest that Microsoft and organizations worldwide, go through this deck, and absorb it like a sponge absorbs water, because in this deck lies the key to organizational cyber security worldwide and the answer to the Trillion $ question I posed to Microsoft.


If you find yourself wondering "What's the big deal?", please go through the entire deck, then consider the following:

       Here are the top 3 sources of guidance from Microsoft on the paramount subject of Active Directory Security -
1. Microsoft's original 100+ page official Best Practice Guide for Securing Active Directory (Part I) and Part II
2. Microsoft's latest official Best Practices for Securing Active Directory guidance, introduced by Microsoft's CISO
3. Microsoft's latest 5+ hour series of 12+ videos on Defending Active Directory Against Cyber Attacks

       If you can find even one mention of the Trillion $ phrase "Effective Permissions" in any of the above, let me know.


We've found that due to a complete decade+ lack of guidance from Microsoft on the most important technical aspect of Active Directory Security i.e. "Effective Permissions", 99% of the 1000s of IT personnel (Domain Admins, IT Auditors, IT Managers, CISOs etc.) from 1000s of organizations that have knocked at our doors do not even know what "Effective Permissions" are !


I'll let the $ 500 Billion Microsoft, and organizations worldwide, reflect on and absorb a) this fact, b) these questions and c) this deck, for a week, then continue sharing thoughts starting Nov 01, both on this blog and at - www.paramountdefenses.com/blog/.

Best wishes,
Sanjay

Wednesday, October 19, 2016

10 Essential Cyber Security Questions for All Organizations Worldwide

Folks,

Today, I'd like to share 10 elemental, essential and in fact paramount cyber security questions that every organization in the world should have answers to. They are directly related to the Trillion $ question I posed to Microsoft earlier this week.

(Quick Note: As I indicated last week, sometime this week, I will be respectfully taking Microsoft to Active Directory Security School. This post is not the one that takes them to school. Along the lines of yesterday's Trillion $ Q post, this post also helps set the stage for that post. That post will be titled "Defending Active Directory Against Cyberattacks", and will be out this week.)


Here they are -
1. Exactly who has the Replication Get Changes All extended right effectively granted in the domain root's ACL?

2. Exactly who can change the security permissions in the ACL on the domain root object?

3. Exactly who can reset the password* of all default and custom administrative (privileged) user accounts?

4. Exactly who can modify the membership of all default and custom administrative (privileged) security groups?

5. Exactly who can manage the contents of the Systems container and the Configuration and Schema partitions?

6. Exactly who can change the security permissions in the ACL of the AdminSDHolder object?

7. Exactly who can modify the default Domain Controllers Policy or link a GPO to the Domain Controllers OU?

8. Exactly who can establish and/or manage cross forest trusts, or trusts to external domains?

9. Exactly who can reset the password* of all executive accounts (e.g. Chairman, CEO, CIO, CFO, CISO etc.)?

10. Exactly who can create, control (i.e. manage and/or delegate management of) and delete vital Active Directory       content, such as all (valuable) domain user and computer accounts, security groups, organizational units etc.?

      * If Smart cards are in use, exactly who can disable the use of Smart cards on these domain user accounts?

Not only are these 10 elemental cyber security questions directly related to Active Directory security, they directly impact and are imperative to foundational cyber security of 1000s of business and government organizations in 150+ countries worldwide.

They are imperative to foundational cyber security because anyone who can enact these tasks could instantly gain command and control over the entire organization's security. For details, after Nov 01, please visit - www.paramountdefenses.com/blog/

Incidentally, to be able to answer any and each of these 10 elemental and essential cyber security 101 questions, organizations require the ability to perform just one technical process. So, here's another trillion $ question - What is that one process?

The answer to this trillion question is coming soon, right here on this blog, later this week. (Stay tuned.)

Oh, and if any cyber security company on the planet (including but not limited to Microsoft, Amazon, IBM, Google, Cisco, EMC, Dell, Centrify, Palo Alto Networks, FireEye, CyberArk, BeyondTrust, Leiberman Software, Checkpoint Software, CrowdStrike, Palantir Technologies, Kasperky Labs, Tripwire, HP, EY, PwC, DarkTrace, Lockheed Martin, BAE Systems, Tanium, BAH etc. etc.) has a clue as to the answer AND can help the world accurately answer these 10 basic, essential questions, let me know.

Organizations that do NOT have answers to these basic 10 cyber security 101 questions CANNOT be considered secure today.

Best wishes,
Sanjay



Monday, October 17, 2016

A Simple Trillion $ Cyber Security Question for Microsoft (MSFT) regarding Defending Active Directory Against Cyberattacks

Folks,

Ask any good security practioner or hacker and they'll tell you that security is in the details so this is a slightly detailed post.  This blog post is also worth a proverbial Trillion $, so if you're into cyber security, you'll want to read it in its entirety.

First things first - As I indicated last week, sometime this week, I will be respectfully and publicly taking Microsoft to Active Directory Security School. This post is not the one that takes them to school; this post is merely a curtain raiser and sets the stage for that post. That post will be titled "Defending Active Directory Against Cyberattacks", and it will be sometime this week.

Today I respectfully pose a simple trillion $ cyber security question to Microsoft regarding the contents of the following video that Microsoft released in May 2016 -  



(Please click the Play button to view the video. If it does not play, you can see it on Microsoft's website here.)


First, the context -
  • In May 2016, i.e. within 2 months of this, and for the first time in the 16 years that Active Directory has been around, Microsoft developed and released a 7-part series of 12 videos titled "Defending Active Directory against Cyberattacks". The entire series can be found here. They even made a promo for it, which can be found here.

Next, the summary of the video above titled "Defending the Directory", quoted verbatim -
  • "Do you know who your admins are? Learn why maintaining solid access control to sensitive directory objects is important for mitigating stealthy means of persistence and escalation of privilege."

Then, a few quick thoughts -
  • I'd like to publicly commend Microsoft for producing this video series on Active Directory Security. It was high time that Microsoft voiced and stressed the importance and urgency of defending Active Directory deployments.
  • I strongly encourage IT personnel at all organizations to watch the above video. It is a 29 minute video, but its worth your time, because it concerns a lesser known but highly potent attack vector that most organizations are likely not aware about, and wherein the attack surface is the size of the Atlantic ocean, and one that could easily grant an intruder or an insider complete command and control of the organization's foundational Active Directory in minutes.

Finally, before I pose the question, for those who may not have the time to view it, some important quotes from this video -
  1. "The first thing I want to discuss is admins that are a little bit less obvious, or you don't realize they're admins" 
  2. "Lots of customers I work with are laser focused on Domain Admins, Enterprise Admins, Builtin Admins and Schema Admins, and they think that if I know who is a member in any one of those groups, I know who my admins are, which isn't always necessarily the case, because with the way that Active Directory works, you can delegate access to different objects through access control lists"
  3. "If I had permissions to say link a GPO to the Domain Controllers OU, then I could use that to go from what appears to be an unprivileged account to having full control over Active Directory"
  4.  "I am able to do this (i.e. use Mimikatz DCSync to replicate everyone's hashes from Active Directory) using a plain domain user account because this account has been delegated some rights at the Domain level"
  5. "A lot of organizations have been using Active Directory since it was released back in 2000, and then they went to 2003 and then 2008 and now they're on 2012, and over that time period they've probably had a lot of turnover in the organization, so the guy that setup AD 10 years ago isn't with the company anymore, and the guy that's doing this now is inheriting a mess potentially from several previous administrators, and people could have delegated this for what they thought was a legitimate reason, and it leaves another attack vector that is less obvious."
  6. "Absolutely everything inside of Active Directory is an object, protected by ACLs and these things (ACLs) can be manipulated in a great number of ways depending on what permissions you have there"
  7. "You can be an admin through (deeply) nested groups. I have seen that quite a bit. It can get pretty messy. That is why you want to keep a clean directory."
  8. "Contest your delegates. Challenge them. Go and find out who has been delegated what privileges"
  9. "Somebody, either possibly legitimately, or illegitimately, was granted rights that gave them a lot of power. They could grab the hash of any account, and become that account, simply by having been delegated the Get Replication Changes All rights on that object"
  10. "If I have write member permissions on a group, I can add myself to this group, and since this group via group nesting is a member of the Domain Admins group, I could easily and instantly escalate my privilege to that of a Domain Admin"
  11. "So effectively that is a means of escalation!"
  12. "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" (See corrections below.)
  13. "We're getting pretty deep into the inner workings of Active Directory, but based on what you showed us in the demo, its super important. It is, it is VERY IMPORTANT because these are all different ways that I could use to escalate privilege, and they're not obvious because its controlled by the access control lists (ACLs)! "
  14. "We are working to identify which ACLs in Active Directory can lead to command and control of Active Directory"


Oh, and a few relevant (i.e. not all) corrections  -
  • "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" is technically incorrect. It should have been "If a group or account has been granted RESET password on an account, and that account is privileged, I can RESET the password on that account, and now I own it!" It is incorrect because in order to change a user's password, you need to know his/her existing password. Details here or here.
  • "You can use the Get-ACL cmdlet in PowerShell with Active Directory and you can view who has the rights on the object that I am looking at, what rights they have." Who has what rights/permissions granted in the ACL of an Active Directory object is NOT the same as who actually has what rights in Active Directory! There's a world of a difference.
  • "If I have that permission, I can link that GPO" should be "If I effectively have that permission, then I can link that GPO." Having the permission listed in the ACL is by no means sufficient. Similarly, simply viewing the ACL to see who has Get Replication Changes All is neither sufficient nor the accurate way to find out who can actually replicate secrets from Active Directory. (You need to know who effectively has that permission granted.) More on that later this week.


The Trillion $ Question

Finally, the Trillion $ Question is -

  • The Context

    Microsoft, its 2016 and you're (only) a $500 Billion company today because virtually the entire world is your customer. Today, across your global organizational customer base, from the Fortune 1000 to entire federal, state and local governments, there exist billions of Active Directory security permissions (aka access privileges) protecting hundreds of millions of Active Directory objects across thousands of Active Directory deployments worldwide.

    Its 2016, and so it is 16 years after Active Directory shipped (and so interestingly coincidentally, just 2 months after we, Paramount Defenses, declassified the Paramount Brief) that you're just now and finally stressing the paramount importance of Active Directory Security to your customers, and you finally and rightly tell the world (and I quote from the video above titled "Defending the Directory") - "Go and find out who has been delegated what privileges" because "everything in Active Directory is an object" "protected by access control lists" and "this is very, very important"   BUT when you do so, you completely forget to tell them the one most important technical fact about how to correctly assess who has actually been delegated what privileges in Active Directory i.e. the one technical fact that governs the actual resulting access and delegations in Active Directory.

    This, even though it was right in front of the presenter's eyes during one of the methods demonstrated in the video!

    (By the way, in the video, the methods demonstrated by the presenter on how to assess these rights/permissions and delegations are substantially inadequate and incorrect. However, the presenter is not to blame because he is merely presenting what has consistently been (inaccurate) official guidance from Microsoft in its whitepapers etc.)


    The Question

     In light of the context above, my simple question to you is - Can you please tell the world WHAT is the one cardinal (paramount) technical fact that governs the determination of who can actually do what in Active Directory?

    By the way, HOW in the world could you forget to cover it, when you know that in all likelihood, millions of IT folks from 1000s of organizations across 150+ countries worldwide are going to view these videos and based on the guidance presented, enact measures to enhance the foundational cyber security of their organizations?!


Make not mistake about it. In the answer to this question lies the key to organizational cyber security globally. It's that simple.

Here's why - If organizations do not swiftly and correctly identify and eliminate the ocean of unauthorized access privileges that exists in their Active Directory deployments today, it is only a matter of time before intruders or insiders exploit this ocean of vulnerabilities to obtain complete command and control over foundational Active Directory deployments worldwide.

Oh, and, by the way, no cyber security company on the planet (neither the McAfees nor the CyberArks of the world, neither the FireEyes nor the CrowdStrikes of the world, neither the Centrifys nor the BeyondTrusts of the world) seems to have a clue as to the answer, or for that matter seems to know how to help organizations correctly identify the ocean of unauthorized access privileges that exist in 1000s of Active Directory deployments worldwide, just waiting to be found and exploited.



Substantiating the Trillion $

In case you're wondering why I say its a Trillion $ cyber security question, that's because if you were to add up the market cap of the 20,000+ organizations across 150+ countries, not to mention or include the 1000s of local, state and federal/national governments at whose very foundation lies Microsoft Active Directory, you'll find the sum will handily be in the trillions of $.

Also, in case you find yourself wondering as to how this 1 simple question could possibly impact organizational cyber security globally, for now just consider the colossal impact of even a single (i.e. just one) successful execution of mimikatz DCSync in an organization's network, i.e. the colossal damage a proficient adversary could subsequently, swiftly inflict - it'd be Game Over.

Oh, and by the way, mimikatz DCSync is just the Tip of the Iceberg.  (More (i.e. an ocean to be precise) on that later this week.)



Looking Forward to an Answer

So, to my incredibly talented, hard-working and respected colleagues and friends at Microsoft, I (and the world) look forward to your answer. Also, in case you don't really like that this question is being asked publicly, my sincerest apologies. It is 2016 after all, not 2006, and as you too likely know 100% of all major recent cyber security breaches (e.g. Snowden (at NSA), Target, JP Morgan, Sony, Anthem, OPM) have involved the compromise and misuse of just one Active Directory privileged user account.

If for any reason, you can't answer this question, no worries, I'll answer it for you, later this week, right here on this blog.

Best wishes,
Sanjay


PS: This blog is read by 1000s of prominent folks (CEOs, CIOs, CISOs,  IT Directors, Domain Admins, Security Analysts and Pen Testers at Fortune 100 and 1000 companies, institutional and individual shareholders, cyber security personnel and leadership at 3-letter government agencies worldwide, nation states (e.g. UK, the EU, Australia, Russia, China etc.) and it being a public blog, unfortunately even folks on the dark side) from 150+ countries worldwide. In other words, everyone's tuned in.

Friday, October 14, 2016

Time to Respectfully Take Microsoft to Active Directory Security School

Folks,

My apologies for the month-long absence. About a month ago, something was brought to my attention and it made me realize that in the interest of the foundational organizational cyber security of organizations worldwide, we need to help Microsoft better understand Active Directory Security. I've thus been at work building something, and I think its time we share it with the world.


So, in the coming week, i.e. sometime between Monday, Oct 17, 2016 and Friday, Oct 21, 2016 I will be most respectfully and publicly taking Microsoft to Active Directory Security school, right here on this cyber blog, in a blog post befittingly titled "Defending Active Directory against Cyberattacks"


Please know that it is only in the interest of organizational cyber security worldwide that we'll be doing so publicly i.e. so that 20,000+ organizations across 150+ countries worldwide can also instantly have access to valuable, effective and immediately actionable Active Directory security insight and guidance, which is the need of the proverbial hour.

Please also know that as a deeply passionate ex-Microsoftie, I have great respect for Microsoft, and in fact have spent the last 15 years working to help make 1000s of Microsoft's customers across the world more secure, so it is only in Microsoft's best interest and in the best interest of 1000s of the world's biggest organizations that today operate on Microsoft Active Directory, that I have decided to do so.

If you're familiar with my background and some of my previous blog entries, then you'll want to tune in right here on Monday morning.

Best wishes,
Sanjay


PS: October 21, 2016 update - Here's the post Defending Active Directory Against CyberAttacks

Thursday, August 4, 2016

Satya Nadella on the Most Valuable Thing in Life

Folks,

After a few days of sharing thoughts on heavy stuff, such as this, this and this, I though it might be nice to take a break and talk about lighter things too. Today's post is about a headline I came across this morning that made me wonder why it's a headline.

That interesting headline "Microsoft CEO Satya Nadella talks about the most valuable thing in life" can be found here.

He was talking about Time.

Aha! I could see how it could make a headline in a world where most business leaders are focused on valuing and pursuing the creation of Wealth, even if for their shareholders. In fairness to them, it's what their jobs require & what they're incentivized for.

Time

Unfortunately, sometimes when you're at the helm of gigantic financial ships that are headed full-steam in the pursuit of Wealth, you can often end up not having enough Time. Perhaps that's when you realize that Time may be the most valuable thing in life.

Satya, Time is actually the 2nd most valuable thing in life. The 1st one's a little deeper; perhaps I'll tell you about it someday.

You were close though. Well said!

Best,
Sanjay


PS: As someone who profoundly values time, I've spent a decade solving arguably one of the biggest cyber security challenges facing the world & Microsoft today. Interestingly, Microsoft may not yet realize the magnitude of this problem. They may, in time.

PS2: Well said, Satya - keep up the good work! BTW, if I may offer some unsolicited advice - "Its always better for a company to give the world (i.e. their customers) what they (the customers) want, or at least a choice, in contrast to (border-line) imposing a paradigm shift on them just because it might be better for its own bottom-line. And while its great to focus on the promise of Cloud Computing, it might also be worth letting them know about the risks (for your customers that is) associated with it."


Nov 04, 16 Update: Satya, re the most valuable thing in life, see PS section of - Speaking of Cyber Security, Microsoft & Trust.

Monday, August 1, 2016

How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync

Folks,

I'm going to keep this post short, because some brilliant folks feel that my blog posts are longer than their source code.


This is Very Important

On a (very) serious note, today, thanks to the DCSync feature of Mimikatz, the creation of the brilliant Mr. Benjamin Delpy, we have a situation wherein organizational security worldwide boils down to this - if you assume a breached network, then your foundational Active Directory is only as secure as the number of individuals that have the Get Replication Changes All extended right effectively granted in the access control list (ACL) that protects the domain's root object.

A perpetrator using Mimikatz DCSync feature to obtain the credentials of all domain accounts in Active Directory
 
Here's why - if the perpetrator can compromise the account of even a single user who has the Get Replication Changes All extended right effectively granted on the domain root, he/she could login as using that account, request and obtain secrets from Active Directory, and use Mimikatz to in effect determine the credentials of the entirety of your user populace, within minutes!




This is Preventable -  Deny them the Access they Need

As serious as this is, it is easily preventable. You can deny perpetrators the access they need to leverage the DCSync feature.

Thus, in your own best interest, you'll want to immediately minimize (i.e. reduce down to a bare absolute minimum) the number of users who effectively have this right granted, and from that point on not only afford those accounts the highest protection, but also verify and ensure that at all times (365-24-7), not a single individual more than is absolutely required to have this extended right, has this extended right effectively granted to him/her.


The only ability you need to deny perpetrators the access they need to use the DCSync feature of Mimikatz is the ability to accurately determine effective permissions in Active Directory, so that you can accurately assess, audit and verify exactly who has the Get Replication Changes All extended right effectively granted on the domain root object at all times.

Here's how you can lockdown Active Directory in 5 simple steps, to deny perpetrators the opportunity they need to leverage the DCSync feature of Mimikatz -
1. Identify all users who currently have the Get Replication Changes All extended right granted today on the domain root by determining effective permissions on the domain root. 
2. Analyze this list of users to identify all users who should not be on this list.
3. For every user that should not be on this list, identify how he/she is being entitled to this effective permission.
4. For each such user, based on the above identification, proceed to lockdown the identified security permissions, such as by restricting access or modifying a group membership etc.
5. Finally, determine effective permissions on the domain root object again to verify the lockdown, and ensure that only authorized individuals effectively possess this right.

Using these steps, organizations worldwide can quickly lockdown Active Directory to deny perpetrators the opportunity required to leverage the DCSync Feature of Mimikatz to engage in domain-wide credential theft, thus thwarting its use.




Required Tooling

In order to enact the 5 steps outlined above, you can use any Active Directory effective permissions tool that can help you -
1. Accurately determine effective permissions in Active Directory
2. Identify all users that have a specific effective permission granted on an Active Directory object
3. Identify how a specific user has a specific effective permission granted on that Active Directory object

Here's why - Accuracy is essential. We need to identify all such users, and we need to know the how to lockdown their access.

One tool that I know of that meets these criteria is this one. I know so because I architected it. In fact, so many of the world's top business and government organizations worldwide use it to audit privileged access in Active Directory. However, I do NOT want my advice to sound biased so you do NOT have to take my word. Please feel free to do your own research. I will only say this much, and you can validate it yourself - stay away from this tool and scripts on TechNet, as they are dangerously inaccurate.

In the interest of fairness and objectivity, I will repeat this again - you can use any Active Directory effective permissions tool you want that can help you fulfill the above 3 essential needs. I've also provided the reasons as to why these 3 needs are essential.




One

It is critical to ensure that only the absolutely minimum possible number (0/1) of users have this right effectively granted to them.


If even one additional user is effectively granted this critical right, and the perpetrators can identify them and compromise their account(s) (credentials), then they will simply be minutes away from being able to steal the credentials of every user in the Active Directory domain, including all privileged users such as all Domain Admins, Enterprise Admins, Built-in Admins etc.

So, in a way, today, the security of an entire Active Directory domain (and thus forest) depends on exactly who effectively has sufficient enough rights to be able to replicate secrets out of Active Directory!

In other words, to put it simply, if this security grant is not fully locked down at all times, it could be Game Over very quickly.

Finally, to demonstrate just how deeply we care about cyber security globally, any* organization that wishes to find out exactly how many individuals effectively have this right granted today, can now do so completely free (i.e. via the free Try Now option.)




Complete Details

I wanted to keep this post short but perhaps you want more details. Complete details, including an example/illustration of the above 5 steps provided above, as well as the deficiencies in Microsoft's Effective Permissions Tab, and other relevant details can be found on my second blog at - http://www.active-directory-security.com. Here's the url to the post that has the details -
How to Prevent a Perpetrator from Using Mimikatz DCSync feature to perform Credential Theft from Active Directory


In your own organization's best interest, it is imperative to understand just how important this is to Active Directory security.

Best wishes,
Sanjay


PS: Ideally, I could have conveyed this in one sentence - "Simply minimize the number of individuals who effectively possess the Get Replication Changes All on the domain root. Done!"   The keyword here is "effectively" i.e. "effective permissions"

PS2: By the way, detection (see PS3 of this post) isn't sufficient, because by the time you detect and respond to an intruder replicating secrets out, it will have been too late because they will already have been replicated out. As such, when you can easily prevent something bad from happening, why merely rely on being able to detect it, especially when this is so critical?

PS3: By the way, where is Microsoft when it comes to providing some thought-leadership, as well as real-world advice and help on such critical cyber security issues? Also, what if solutions to such fundamental cyber security challenges didn't exist today?

Wednesday, July 27, 2016

A Simple $100B Active Directory Security Question for Alex Simons at Microsoft


Dear Mr. Simons,

I believe you are the Active Directory Czar at Microsoft these days, so I have a simple but very important question for you.


Incidentally, do you know who came up with that ludicrous title, Czar? (By the way, that's not the question I wanted to ask.)


The Question -

With the introduction of the DCSync feature in Mimikatz, the security of an entire Active Directory deployment boils down to this:
Anyone who effectively has the Get Replication Changes All extended right granted to them in the access control list (ACL) protecting the domain root object can now easily compromise the credentials of all Active Directory domain accounts, including those of all Active Directory privileged user accounts!
Although by default, only administrative personnel have this right effectively granted, since most Active Directory deployments have been around for many years, in almost all of them, the ACL protecting the domain root may have been modified several times, and as a consequence the default access may have changed substantially, resulting in a situation wherein no one may really know exactly who effectively has the Get Replication Changes All extended right granted to whom today.

Thus today it is imperative and in fact paramount for every organization in the world to know exactly who effectively has the Get Replication Changes All extended right granted in the ACL of their domain root object, and how they have it. (The need to know how is essential for being able to lock-down access for all those who currently have this critical access, but should not have it.)

So the simple $100B question is -
"Precisely what does Microsoft recommend that customers do to make this paramount determination in their foundational Active Directory deployments?"  i.e. how do they find out exactly who effectively has the Get Replication Changes All extended right granted in the ACL of their domain root object, and how they have it?

Microsoft may or may not realize this but thanks to the technical brilliance of a certain Mr. Benjamin Delpy, this is the 2nd most important Active Directory Security question facing organizations worldwide today. (In a few days, I'll let you know the 1st one.)

I (and the world) look forward to your answer.  (We hope you have one.)

Most respectfully,
Sanjay



PS 1: I imagine it shouldn't be too hard for the $450 Billion Microsoft to answer this simple question.

PS 2: Here's some Q&A that I can envisage happening, between Microsoft and its customers -
Answer: We recommend that organizations use the Effective Permissions Tab provided in our native Active Directory management tools, or our acldiag tool, to find out exactly who effectively has this right granted.

Follow-up Question (from customers): Thank you. We tried that recommendation. These tools don't seem to be very accurate and it appears can only determine effective permissions one user at a time. We have 1000s of users in our Active Directory. Do you expect our IT personnel to enter 1000s of names one-by-one manually?!
Answer: <Silence>

Follow-up Question 2 (from customers) a few weeks later: We (somehow) were able to figure out the identities of everyone who has this right effectively granted in the ACL of the domain root object. Its a long list i.e. much longer than it should be. We need to lock-down it down. Can you recommend how we could go about locking it down?
Answer: We recommend that organizations determine how these individuals have this right effectively granted to them, then use that information to tweak the underlying security permissions or modify involved security groups.

Follow-up Question 2 (from customers): Okay, but how do we determine how these individuals have this right effectively granted to them?
Answer: <Silence>


PS 3:  I sincerely hope your answer isn't one of the following, including why (because there is an easy answer to this question) -
Poor Answer 1: "We recommend that our customers use Microsoft ATA to monitor such activity.
Reason: Microsoft ATA is basically a detection measure. In the list of protection measures, detection comes third. The first is prevention, the second is avoidance. By suggesting detection, you're conceding that you don't have the ability to provide the first two measures. And the world expects better than that from a $450 Billion company. 

Poor Answer 2: "We encourage our customers to transition to Microsoft Azure.
Reason: It seems like Microsoft will do almost anything (including conceding defeat) to get their customers on its Cloud. I hope you realize that the degree to which you can help protect customers that are not in the Cloud, and the thought leadership (or lack thereof) Microsoft may have displayed thus far in cyber security, are a few factors that organizations consider when deciding on whether or not to bet (the security of) their business on your Cloud.  
(Besides, thousands of organizations still run Active Directory on-premises and may not want to get on the Cloud. As such, billions have been spent worldwide integrating so many applications with Active Directory and its ACLs.)



PS 4:  If you're wondering who I am, just ask Microsoft's top cyber security brass. (I'm a former blue-badger who cares deeply about the foundational cyber security of Microsoft's ecosystem.) If you're wondering why I am asking this question publicly, its because its 2016, not 2006, and we the world simply cannot afford to not have adequate solutions to address such fundamental cyber security challenges. Today foundational cyber security is a matter of paramount defenses. Before you respond, kindly also do consider a what-if scenario wherein such critical cyber security challenges, and the threats they pose, would still exist, but adequate solutions to address them did not. (Fortunately, they do exist today, and they are paramount to global security.)


PS 5:  Oct 21, 2016 update: Here's a Trillion $ Question for Microsoft, and here's some valuable security guidance for Microsoft.