Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including the World's Top Cyber Security Risk, Advanced Persistent Threats (APT), Cyber Warfare, Corporate Espionage, Insider Threats and other topics.


Gold Finger The Paramount Brief Gold Finger Mini World Peace

Friday, September 13, 2013

The World's #1 Cyber Security Risk - Active Directory Privilege Escalation

Folks,

The #1 cyber security risk to organizations worldwide i.e. one that today critically impacts 1000s of business and government organizations in almost every country, is Active Directory Privilege Escalation (downloadable Executive Summary below), as evidenced here.


It is SO powerful that one who knows how to exploit it can, with the help of appropriate tooling, use it to instantly take over virtually any Microsoft Windows Server based IT infrastructure in the world.

With sufficient effort, it can also be used to develop an exploit that can then be packaged into a malicious payload that can automate the disruption / destruction of any Active Directory deployment of choice within hours to days, making StuxNet look like child's play, considering the fact that 85% of the world's organizations are powered by Active Directory.



Executive Summary

The following Executive Summary describes this risk. To access it, simply click on the image below -
 
Active Directory Privilege Escalation based on Exploitation of Unauthorized Grants in Active Directory

Why Did We Declassify This?

Strictly speaking, there's nothing to declassify here, because this is common sense. However, in our experience, we have found that hardly any organizations are aware of this. More about that later.

The reason we have declassified it is that we have reason to believe that at least one advanced persistent threat may have figured this out, and given their abundant resources, could potentially, easily build a payload to exploit this threat worldwide.


By the way, the Chinese aren't the only ones who may have potentially figured this out. There are numerous Active Directory and Windows Security Experts in countries like Russia, who are highly capable of figuring this out (, and some of them, of potentially exploiting it as well.)

(If you don't believe that the Russians are good at Active Directory Security, just ask Quest Software (now a part of Dell) how many Project Managers and Software Developers it has in Russia, where I'm told it builds/supports some of its flagship identity and access management solutions, which today are also deployed at departments in the U.S. Government. But I digress.)

One would ordinarily expect organizations to have figured this out on their own, but in our vast experience of having dealt with 1000s of organizations over the last 7 years, we have found that very few organizations in the world actually have any clue about this. (Most of them are still merely looking for how they can enumerate stale accounts in their Active Directory deployments.)

Then, when we saw Microsoft IT release a whopping 328 page white paper on Active Directory Security, and barely even touch upon this subject, it was clear to us that, apparently even Microsoft IT did not understand just how serious this risk was to Active Directory deployments worldwide.

We care deeply about Microsoft's ecosystem, so we decided to shed light on this risk. We decided to share it in the public domain because it would have been too much to try to individually reach out to 20,000+ organizations worldwide.

(By the way, we have been giving hints for a very long time from all the way back in 2006, (here's an example - Who needs WMDs today?) but I suppose these hints were not enough, and until something is said most plainly, it isn't clearly understood.)

That said, I'll now address the technicalities of this risk, and provide some commentary.


Technical Summary

From a pure risk management/assessment standpoint, here is a technical summary of this risk -
  • Asset at Risk – Administrative Delegations, Admin Accounts and Groups
  • Threat Source – Malicious Entity (Could be Outsider or Insider)
  • Attack Surface – Vast (All Active Directory Content)
  • Exploitation Procedure – Detect and exploit unauthorized access grants in Active Directory using freely available tools like dsacls and acldiag. Malicious use of advanced tools like an Active Directory Permissions Analyzer or an Active Directory Password Reset Analysis Tool can speed up the detection process. The free availability of Active Directory management tools like ADUC can be used to enact the exploitations (e.g. perform a password reset to escalate privilege, etc.)
  • Difficulty – Minimal (Authenticated Users have read access by default.)
    Unlike the Pass-The-Hash (PTH) technique, this technique does not require admin access on a server, or the requirement for an admin to logon to that server. It only requires read access to Active Directory (AD) content (which Authenticated Users have by default), the ability to analyze AD ACLs to find excessive rights (which can be easily done using available tools), and the ability to enact administrative tasks (which can be easily done using any Active Directory management tool, such as Microsoft Active Directory Users and Computers.)
  • Impact – Very high (Once gained, administrative access can be used to very quickly cause widespread damage across the IT infrastructure.)

 Risk Overview

There are 3 main components that make this risk critical -





  1. There exist large numbers (1000s) of excessive / unauthorized access grants in most Active Directory deployments worldwide, which effectively grant numerous individuals (that should not technically be provisioned) powerful administrative access.
  1. The identities of these individuals and the excessive access they currently have (, unbeknownst to them, or to the IT groups,) can, be determined by anyone with a domain user account. Once determined, this information can be easily used to perform single/multi step privilege escalations and ultimately gain varying levels of, and usually complete, administrative access within minutes, and performing these privilege escalations only requires enacting simple admin tasks (e.g. Password Resets) for which tooling is freely available.
  1. The attack surface is vast, and the prize is the coveted "keys to the kingdom". The attack surface is vast because it consists of the entirety of all IT resources stored in the Active Directory, and virtually any authenticated user, can with minimal/moderate Active Directory expertise, find these excessive access grants and identify privilege escalation paths which can then be exploited to gain complete administrative control over the Active Directory.

The need for any Active Directory expertise is eliminated if sufficient tooling (e.g. an Active Directory Permissions Analyzer or an Active Directory Password Reset Analysis Tool) exists that makes it possible for someone to make such determinations without requiring any subject matter expertise.


What makes this Risk Possible?

This risk is made possible by the fact that in any Active Directory deployment, at any given moment, there are 1000s of security permissions that specify varying levels of access for various individuals and groups, and that together control who has what effective access to which IT resources in the Active Directory, BUT that are very difficult to correctly assess/verify/audit, because there are numerous factors involved in how the system determines effective access, as a result of which there is no easy way to know who has what effective access at any point in time in Active Directory.


In fact, today, in most organizations worldwide, no one really knows who exactly who can do what in Active Directory.

In regards to these permissions, they control vital administrative actions like who can create user accounts, modify security group memberships, link/unlink GPOs from OUs, delete accounts, groups or entire OUs, as well as perform numerous other administrative tasks on the most vital of IT resources, i.e. user accounts, computer accounts, security groups and GPOs, which are the very building blocks of security in any IT infrastructure.

In regards to the factors that influence effective access, there are numerous factors, such as and not limited to inheritance of permissions, precedence orders, applicability of permissions, individuals and blanket permissions, general and special permissions, group membership evaluations, nested group membership evaluations, circular group membership detection, well-known group memberships, multiple permissions influencing an action, permissions on multiple permissions influencing an action, etc.

As you can imagine, given the complexity involved, and the scale of the problem (i.e. entire Active Directory content), as well as the dynamic (frequently changing) nature of access, it is almost impossible to find out who has what effective access on a single object, let alone an entire OU or domain of objects.

Consequently, without being able to accurately assess who has what effective access, IT personnel have no way of knowing exactly who currently has what effective access, so they continue to provision access (to fulfill dynamic business requirements) based on intentions and approximations, but they have no way to know for sure whether they in fact provisioned access based on the principle of least privilege, or whether they accidentally / inadvertently might have ended up granting access to more individuals than they should have.

As a result, in most Active Directory deployments in the world, there are 1000s of excessive permissions granted, and there is no easy way to find out who really has what effective access in these deployments.


What does it take to Mitigate this Risk?

Objectively speaking, in order to mitigate this risk, 3 abilities are essential -


  1. Minimially, the ability to be able to easily and reliably determine accurate effective access on individual Active Directory objects
  1. Ideally, the ability to do so on a large number of objects in a reasonable amount of time, as well as
  1. The ability to determine HOW someone is getting provisioned specific effective access, so corrective action can be taken.

Finding out Who has what Permissions is NOT the answer

Over the last few years, we have seen 1000s of organizations looking for ways to find out "Who has what permissions in Active Directory" because they believe that in order to solve this problem, they need to find out who has what permissions.

These organizations are not alone. There are also numerous prominent audit organizations (i.e. whose auditors certify companies for compliance of various sorts) that demand that companies furnish reports of who has what permissions in their Active Directory on various objects, such as the CEOs account and that of all Domain Admins.

With all due respect to all of them, knowing who has what permissions in Active Directory is NOT going to help them solve any useful problem, and certainly not help mitigate this risk.

Here's why -

Consider this ACL protecting the CEO's user account. Just because a group such as Help Desk Tier I is granted a specific permission such as Reset Password in the ACL of an object does not mean that all members of that group effectively have that permission on that object.



For instance, just because John Doe is a member of the group Help Desk Tier I and this group has the Allow Reset Password permission on the CEO's user account, does not mean that John Doe can in fact reset the CEO's password.

That's because there could be a Deny permission denying the Outsourced Password Reset Admins group overlapping permissions such as Full Control or Reset Password on the same object, and if John Doe were a member of that group, whether directly, or via a deeply nested group membership, he wouldn't effectively have the ability to reset the CEO's password.

To complicate things, if the Deny permission was inherited and the Allow was Explicit, he would be allowed access. By the same token, there could be numerous other permissions specified in various other ACEs in the ACL of that object that could influence, whether directly or indirectly, what permissions he/she had on the CEO's account.

So you see, finding out Who has what Permissions in Active Directory is not what is needed to solve this problem, or make any meaningful assessment upon which any reliable security action can be taken.

What is needed is the ability to determine who has what Effective Permissions in Active Directory, because that is the only piece of data that would instantly and accurately reveal exactly what access John Doe actually has on a given object, or on any set of objects in the Active Directory.

I'll say this again - the only way to determine who really has what access in Active Directory is to find out who has what (true) effective permissions / effective access in Active Directory.


The Attack Vector

Now getting back to the risk, in case you're wondering what the attack vector is, it is very simple.

All a malicious entity has to do is analyze the ocean of security permissions in Active Directory to find weaknesses that can be exploited, and then exploit them to gain administrative access in Active Directory.

Let me give you an example -

The two easiest ways of becoming a Domain Admin are a) reset a Domain Admin's password and b) modify the membership of the Domain Admins group to add your own account, or that of another user, to the group.




(The PtH attack vector is not the easiest by any means because it REQUIRES that you have Admin level access on a host ON TO WHICH a Domain Admin LOGS ON. If a Domain Admin NEVER logs to your machine, you can sit there and get old, and yet not gain anything (malicious.))

With this attack vector, all a malicious entity has to do is apply some basic knowledge of Active Directory Security to try to determine effective permissions on either a Domain Admin's user account, or the Domain Admins group membership, and figure out a) exactly who can effectively reset the Domain Admin's password, and/or b) figure out who can effectively change the Domain Admins group membership.

Once that's done, you now have a list of lesser protected targets that if compromised can be used to become a Domain Admin.

For example, if the Domain Admins only sit in the Data Centers and never get out of there or logon to any machine other than theirs, the PtH attack vector is completely useless.

However, if John Doe is a delegated admin who sits in a cubicle down the hall from you, and you have been able to figure out that he/she can effecitvely reset a Domain Admin's password, or change the Domain Admin's group membership, all you have to do is compromise the account of the delegated admin John Doe, and you're a minute away from logging on as him and resetting a Domain Admin's password, or adding your own account to the Domain Admin's group membership.

Now, if you have unrestricted physical access to this delegated admin's machine (desktop/laptop), its super easy. There are a gazillion (proverbial) ways to own a machine with unrestricted physical access. In fact you could even use the PtH attack vector in combination to lure this delegated admin to your machine using Social Engineering, and once you have compromised his account, you're a minute away from owning the kingdom.

This approach can also be iterated, meaning you can find who can reset the password of a delegated admin who can reset the password of another delegated admin who can reset the password of a Domain Admin etc. etc..

Please UNDERSTAND that performing the analysis of who has what effective access ONLY involves READ ACCESS to Active Directory, which a) everyone with a Domain user account already has and b) is not/cannot be realistically "audited" because if you started auditing read access to Active Directory, your logs would be rolling over every 30 minutes.

As a consequence, an attacker could take his/her sweet time (hours/weeks/months) to quietly determine effective access on one or more of your Active Directory objects, and eventually determine numerous privilege escalation paths, which could, at a time of his choice, be used within minutes to perform single/multi-step privilege escalations in Active Directory.

Once an attacker has gained Domain Admin access in your environment, he could do whatever he/she wants. Of course the first thing a smart attacker would do is disable all other admin accounts so no one can stop him, then he would disable auditing, and then he could obtain access to, tamper, destroy or divulge whatever IT resource he/she wants. (A devious attacker could also use Group Policy to destroy the entire IT infrastructure within minutes, but I'm not about to talk about that.)

I'll say this again - technically ANYONE with a Domain User account could take HOURS/DAYS/WEEKS to determine effective access in your environment, and find privilege escalation paths, and when he has, at a time of his choice, he could make his move i.e. WITHIN MINUTES, exploit the identified privilege escalation paths to take over the entire IT infrastructure.

(With appropriate tooling, the amount of time involved for the attacker to determine effective access in Active Directory could be reduced down to minutes from hours/days/weeks.)


A Vast Attack Surface

Now let me speak to another very important aspect of this risk; its attack surface is VAST.

By attack surface, we can refer to two things here - one is the set of assets that are at risk, and the second is the set of all entities that can potentially carry out a related attack.

In terms of the assets that are at risk, every user account, every computer account, every security group, every GPO and every OU is at risk. The attacker could select any asset of his choice and determine who has what effective acccess on that object to find weaknesses, then exploit those weaknesses to compromise security.

For example, let's assume that a highly confidential document was residing on a file server, and that a malicious individual wished to gain access to it. The easiest way to access it is not to try to compromise that highly protected file server, but merely examine the ACL of that document to determine which Active Directory domain security group is being used to protect that document. Once you have figured that out, all you need to do is determine effective access on that security group's object in Active Directory, and find out who can change the membership of that group.

That's the weakest link. If you iterate, you can then find out who can reset the password of the individual who can modify the group membership, to find an even easier target to compromise. Once that's done, all you have to do is compromise any one account in the chain, then perform a few password resets (which take 30 seconds) and you can then add your  account to that group. Once you're a member of the group, you can just access that file without compromising any security control on that file server.

Similarly, a malicious user could find out who can delete an entire OU full of resources to instantly cause an internal DOS attack that would take days (and a proverbial $ million) to recover from.

By the same token, if you wanted to disrupt a line-of-business (LOB) application whose clients rely on querying Active Directory for service connection points whose keywords are used to locate specific instances of the service, all you have to do is modify the keyword on the service connection point, and in effect you could DOS that service. In order to modify the keyword, you only need to determine effective permissions on the service connection point to find and exploit weaknesses.

So you see, virtually every IT resource in the Active Directory is a potential target.

Lastly, in regards to the second aspect of the attack surface, virtually anyone with a domain user account has complete and unrestricted read access to the Active Directory, so virtually everyone can examine all the permissions protecting all the IT resources stored in Active Directory.

In other words, literally everyone can examine your Active Directory and look for unauthorized access grants, whenever they want, form whichever computer they want, and on whichever resource they want.


Active Directory Effective Access/Permissions - A Trillion Dollar Phrase

At the heart of this risk lies a single trillion dollar phrase - Active Directory Effective Access/Permissions. If I might add, the correct phrase actually is Accurate Active Directory Effective Access/Permissions.

You see, effective access/permissions are so important to Active Directory Security that along with Auditing, there's an entire Tab for Effective Permissions on the Advanced Security Settings dialog box, which can be accessed by the Active Directory Users and Computers Snap-In as well as Administrative Center -



One unfortunate problem is that this Active Directory Effective Permissions Tab is not accurate and thus is not reliable, and thus is virtually of no practical use.

Furthermore, strictly speaking, even if it were accurate, it's neither user-friendly nor can it assess effective access on more than one object at a time. If your Active Directory has a 1000 objects, even if it were accurate, you'd end up spending months to just determine effective access on those 1000 objects.

What is strictly needed to solve this problem is the ability to determine effective access, not just on a single object, but on entire trees of Active Directory objects at a time, quickly, reliably and ideally in a single shot, as well as having the information delivered in a meaningful way that can be acted upon to identify and lock down unauthorized access grants, and for which, of course, the need to know HOW someone currently has specific effective access is also essential.

For example, something like this.

And by the way, the reason I say this is a TRILLION dollar phrase is because if you take into account the net worth of even the top 1% of organizations that may be exposed to this risk, it'll handily cross a $ Trillion.



So you can imagine my surprise when there was not a SINGLE mention of the phrase "Effective Permissions" in the 300+ page Active Directory Security Guide that Microsoft IT recently released! (Yes, you're welcome to verify this fact; you can download that guide from here.)


IS this Risk Mitigatable?

Absolutely. Like most technical risks, this risk too can be mitigated. The most important thing needed to mitigate this risk, is the will to do so, because the process is (relatively) simple.

Objectively speaking, all that is needed to mitigate this risk is the ability to swiftly and reliably perform an audit of  effective delegated/provisioned access in Active Directory.

Once that is done, organizations should instantly know who currently has what effective access and can review the findings to determine all policy violations i.e. the list of all individuals who should not be able to perform a specific task, but who can today, and HOW.




Then the HOW part can be used to identify the underlying permissions that are causing the excessive / unauthorized access to exist, and this information can be used to determine which security permissions and/or group memberships need to be tweaked to eliminate the unintended access grants from being in the system.

When performed with sufficient diligence, such a process can result in 99% risk reduction in a matter of days to weeks, depending on the resources allocated to the project. The hardest part is to accurately identify the ocean of unauthorized grants across the Active Directory (because fixing them is relatively easy.)

In this regard, the biggest challenge is posed by the effort involved in swiftly and reliably performing an audit of effective delegated / provisioned access in Active Directory. While it is possible to do so manually, doing so could take months. Automation can help reduce the amount of time taken to do this down to hours or days, thereby making the process substantially faster and more economical.

In short, the hardest part to fixing this problem is correctly finding the unauthorized access, not fixing it. Once you know what to fix, fixing it is relatively easy. Its the finding part that's very difficult.


How about a little help from Active Directory Security Solution Vendors?

There are many 3rd party vendors today that offer a host of valuable Active Directory security solutions ranging from valuable professional services to valuable auditing solutions, such as -
  1. Hewlett Packard
  2. Quest Software (now Dell)
  3. Centrify
  4. ManageEngine
  5. Beyond Trust
  6. Netwrix
  7. SolarWinds
  8. Net IQ
  9. Varonis
  10. etc.

Based on my professional opinion as former Microsoft Program Manager for Active Directory Security, I am not aware of any solution from any of the above listed respectable vendors that can solve this specific problem.

(Please don't get me wrong. I'm sure they're all good at what they do, predominantly Auditing (which relatively speaking, is a much simpler problem to solve, because it only (again, relatively speaking) involves collecting and rolling up audit events from DCs into a single database and onward to a dashboard. But I digress again.))

That's because this is a VERY difficult problem to solve.

Let me give you just ONE example -

Let's assume you needed to find out who can effectively delete an OU? (Yes, just a single small OU with a 100 objects in it.)



Here's what it takes to correctly make this effective access determination -

You need to determine who has what effective delete access on the OU which involves considering the influence of the Standard Delete, Delete Child and Delete Tree permissions on the OU, and if the OU is not empty, you further need to determine who all can delete ALL the children in that OU, either by virtue of Standard Delete permissions or Delete Child permissions or Delete Tree permissions, as only he/she who has sufficient effective rights to delete all the children in the OU as well, can delete the OU. (Now, if one had Delete Tree on the OU, it would be sufficient, but if not, then you'd have to evaluate effective access on all the child objects as well.)

If ANYONE in the world, can write a script or make a tool that can accurately determine just this much, on a single non-empty OU (with say just a 100 objects in it,) correctly, taking into account all the factors involved, let alone doing so across an entire Active Directory domain consisting of 100s of 1000s of objects, in a single shot, I'll bow to this individual/entity.

Now, getting back to the risk.


Where's the Proof?

So, if this is so difficult that it virtually impossible to do, why should one worry about this being a threat, and where's the proof that something like this can be automated, such that it could give someone the ability to instantly find out who can reset whose passwords, or for that matter instantly find out who has what effective access across an entire Active Directory?

Here you go -

If you can touch a button, you can use this to instantly find out exactly how many people can reset your password as well as that of any colleague, and of course, of your CEO as well.



(The choices of fictitous names and their fictitous designations in the snapshot above are intentional.)

NOW, we only designed this for use by authorized organizational IT personnel, but the point is that if we can do it (with less than 100 full-time developers, testers and engineers), imagine what a foreign government can do with 1000s of personnel devoted to building something like this, especially if you consider what is at stake, and what can be had.

Besides, there are enough people out there who know enough about Active Directory Security, who can use simplistic tools like this, to figure out a rough approximation of effective access on a single object in about 20 minutes per object. (Keep in mind that all it takes is read access, so you can't detect them doing it.) That particularly tool cannot accurately determine effective permissions, but it can be used to view and analyze AD ACLs instantly.

By the way, if this isn't enough proof, here's some more - if you can touch a button, you can use this to instantly find out who has what effective access across an entire Active Directory, within minutes, at the touch of a button.


Getting to a Bullet Proof State

If you have an Active Directory wherein access grants are always (verifiably and provably) provisioned based on the principle of least privilege, you have no reason to worry.



That's because even if the entire user population were to determine effective access on your Active Directory, all they would find is tightly least-privileged basis provisioned access, wherein only authorized individuals are granted the access they need, so there would be 0 escalation paths for them to exploit.

Is this doable? Absolutely. Our Active Directory deployment is bullet-proof in that regard.

What does it take to do it? More than anything else, it takes the support of executive management (C*Os), and a proficient team of Active Directory Security professionals who are equipped with the resources they need to maintain a solid and secure Active Directory.


How about a Proxy Solution? (Tread with care)

There are some organizations that use a proxy solution to facilitate the delegation of administration in their environments. While there are some benefits to it, generally, there is also an accompanying risk you undertake when you deploy any such solution, because that solution basically has complete and unrestricted access to your Active Directory, and thus a single vulnerability in it, whether accidental or malicious, could instantly jeopardize the security of your entire Active Directory.

The other downside of a proxy solution is that it becomes a very attractive target for malicious entities because if they know that the compromise of that one solution can be used to instantly gain complete and unrestricted administrative access, their efforts to compromise such a solution will substantially increase because there's only one layer to peel there, and a single point of failure.

In contrast, thanks to the multi-mastered nature of Active Directory, i.e. no single point of failure, most attacks can be controlled, if you know how to do so. (Hint: multiple-DCs and replication to the rescue.)

Anyway, AFAIK, there aren't many such solutions, and I'm not sure if they're even built/supported from within the United States. I'm told that at least one (a popular one) is built in/supported from Russia.

I don't know about you, but if I were responsible for leading an IT department in the U.S. Government, or that of a Fortune 500 Company I'm not so sure I'd be inclined to (or even be allowed to) deploy anything built in/supported from Russia, especially in light of the recent Edward Snowden affair. (But that's just me.)

The only other thing I will add is that even if one were to use a proxy solution, the problem still remains, because you'll always have the computer objects representing all the domain-joined machines in the Active Directory, and there will undoubtedly be a need for access to be provisioned on them as well, whether to control aspects like the Trusted for Delegation bit or to allow services running on those computers to modify the service connection points published under the computer objects, etc.

Finally, there are so many Active Directory integrated applications these days, and most of them rely on direct access to the Active Directory, whether it be read access or modify access. In cases where modify access is required, it will still be direct access, and not via the proxy, and so the need to be able to audit and control such direct access will always exist.

In essence, irrespective of whether you're using a proxy solution, the risk described above remains.


About The Chinese

Let me address one penultimate issue.

As you may know, a little company called Mandiant recently because famous because its CEO published a report that essentially showed the extent to which the Chinese were engaging in cyber security compromises.

One of the salient aspects of that report involved a description of HOW the Chinese were doing this, and if you see this Wikipedia page, you'll find, in the APT life cycle section, that the defining act that helped the intruders to gain administrative access was in fact Privilege of Escalation.

Specifically, if you scroll down the Wikipedia page on Advanced Persistent Threats to the APT life cycle section, you'll find the following excerpt: "In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT methodology between 2004 and 2013 that followed similar lifecycle:
  1. Initial compromise — performed by ...
  2. Establish Foothold — plant ...
  3. Escalate Privileges — use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
  4. Internal Reconnaissance — collect ...
  5. Move Laterally — expand ...
  6. Complete Mission — exfiltrate stolen data from victim's network."
The 3rd step, Escalate Privileges is the defining step that gives a perpetrator administrative access in target IT infrastructures, by virtue of which substantial willful damage can be inflicted.

Thus far intruders have been using age-old techniques like password guessing, but our cyber intelligence data indicates that the Chinese have been actively researching Active Directory Privilege Escalation involving password resets, which is why I chose to declassify this today.

So you see, nothing I have stated here is far fetched at all.


Oh, and this too is VERY important.

Do you know what is one of the easiest ways for the Chinese, or the Russians, or others to deliver a malicious payload into an organization?

Allow me to tell you. Craft and offer a malicious payload as a a Free Active Directory Reporting Tool online, and you will be surprised at just how many 1000s of personnel will download it and execute it. We recently conducted an experiment to test this, (and it is still online) and we were shocked to see the results. (Of course the dummy tool was digitally self-signed and harmless, but you get the point.)

It takes just ONE execution of ONE malicious payload, especially when done in the context of an Active Directory Admin, to potentially automate the compromise/disruption/destruction of an entire Active Directory deployment.

Just ONE.

And we have seen SO many organization search for Free Active Directory Reporting Tools, including organizations, whose names, if I was to reveal to you, you would be shocked!

So, in your best interest, PLEASE do NOT download and run anything FREE from the Internet, UNLESS you have sufficient reason to believe that it is TRUSTWORTHY. Not even ONCE.


A Word about Auditing

This discussion would not have been complete without the mention of auditing.

Auditing is helpful, because it can help detect the occurrence of this attack, but its use is largely limited to just that - detection. It is vastly more important to be able to prevent the occurrence of such an attack, than it is to try and detect it, and then try and stop it, because in all likelihood, if you're up against an advanced perpetrator, he will not give you the opportunity to stop him, and by the time you try to react, he may already have disabled all your domain admin accounts.

So, auditing is good to have, but is not going to help you mitigate this risk. Detect, yes, Mitigate no.



Not Just Domain Admin Accounts, All Active Directory Content is At Risk of Compromise

By the way, lest you be under the impression that only Domain Admin accounts are at risk, if you haven't gotten the drift yet, let me state it clearly - every delegated administrative account and group, as well as every domain security group that is being used to protect access anywhere across the forest, every OU, every GPO and every SCP is a potential target and at risk of compromise.


If you haven't figured out the serious impact of this yet (i.e. not just Domain Admin accounts but virtually all Active Directory content is at a potential risk of instant and wsift compromise), I doubt anything else I say will drive home the point any better.

The point about Domain Admins was just made to convey the mechanics of this risk.



Responsibly Declassified this Risk

As you will hopefully agree, it would be highly irresponsible to shed light on any risk without there also being an adequate risk mitigation measure to mitigate this risk. We have known about this for years now (evidence) but it is today, after 7 years of knowing about this, that we have finally shed light on this risk, only because today there are solutions that can adequately mitigate this risk.

So I hope you'll agree that we have responsibly declassified this critical risk to Active Directory deployments. (Also, perhaps in light of this, this old blog post from 2006 will make some sense.)

By the way, if you were expecting that I will be declassifying a bug/code vulnerability in Active Directory, I'm sorry to have disappointed you. You see, if that was the case, I would have reported it to Microsoft, and not blogged about it. This risk does not stem from any such bug/code vulnerability, but in fact it stems from a capability deficiency in a product, and I had already informed Microsoft about this way back in 2007 (; yes, they were the first to know.)


But We don't worry about Insider Threats

This also happens to be the #1 insider threat to organizations worldwide. Here's why.

Organizations that do not worry about insider threats need only be reminded of one name - Edward Snowden, the classic Trusted Insider, who may not only have caused monumental damage, but also great embarrassment, to arguably the world's most powerful and clandestine national security agency, the U.S. NSA.


In Summary

I know I've touched upon quite a few points today, and I hopefully didn't distract you from the core risk here, which is real, imminent and very serious. If addressed in time and properly, it can easily be mitigated and in a reasonable time-frame.

Unaddressed though, it is a ticking time-bomb...  

... because a malicious entity only needs to find and exploit ONE privilege escalation path to potentially completely compromise an organization's entire Active Directory deployment.

Just ONE.

Best wishes,
Sanjay


PS: What I am also almost certain of is that the Symantecs, McAfees, EMCs, RSAs, TripWires, Mandiants and Booz Allen Hamiltons of the world most certainly have neither a clue about this risk, nor the ability to help organizations worldwide mitigate it.