Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.

November 13, 2014

In acquiring Israeli startup Aorato for US $200M, did Microsoft dodge a bullet for chump change?


It’s a very interesting world.

Microsoft, a $400B company, is a name that needs no introduction. Unless you live on another planet, you know that virtually everything in the world runs on Microsoft Windows (client and server).

On the server side, over 85% of the world’s organizations operate on Microsoft’s Windows Server platform, at the foundation of which lies a single technology – Active Directory.

Active Directory is one of the world’s most ubiquitous, entrenched and mission-critical technologies – it is the bedrock of security across the whole wide world.

In fact, at work, from the moment you log on in the morning to the moment you log off in the evening, everything you do is powered and enabled by Active Directory. This is so because, to simplify distributed security, 15 years ago Microsoft integrated its entire distributed authentication and authorization infrastructure with Active Directory.

For the most part, Active Directory is a highly robust, secure and reliable technology, designed by some of the world’s best security engineers and architects. It had better be so, because the entire world's running on it.

(The only deficiency in Active Directory itself is the inability to help IT personnel accurately identify who is effectively delegated/provisioned what level of privileged/administrative access in Active Directory.)

For 15 years, barring and despite this deficiency, the world has been running just fine on Active Directory, and continues to do so today (at least for now, although the Russians and the Chinese have gotten wind of this glaring deficiency).

This is a testament to just how secure, sound, robust and trustworthy Active Directory is as a technology.
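To make the deficiency described above concrete, here is an added example (it is not code from the original post, nor from Microsoft or Aorato) of why "who is effectively delegated what" is hard to answer: effective access on an object depends on every ACE that names the user directly or any group the user belongs to, transitively, with Deny ACEs overriding Allow ACEs. The group membership, ACL and right values below are constructed; the model deliberately ignores ACL inheritance and object-type-specific ACEs, which make the real computation harder still.

```python
"""
Added example (not from the original post): a simplified model of
effective permission resolution over an Active Directory-style ACL.
All group membership, ACEs and right values here are constructed.
Simplifications (assumptions): no ACL inheritance, no object-type
specific ACEs, and any Deny ACE wins over any Allow ACE.
"""
from dataclasses import dataclass

# Rights as bit flags (constructed subset, not the real ADS_RIGHTS values)
RIGHT_READ = 0x1
RIGHT_WRITE_MEMBERS = 0x2
RIGHT_RESET_PASSWORD = 0x4
RIGHT_FULL_CONTROL = RIGHT_READ | RIGHT_WRITE_MEMBERS | RIGHT_RESET_PASSWORD


@dataclass(frozen=True)
class Ace:
    trustee: str   # user or group name the ACE applies to
    allow: bool    # True = Allow ACE, False = Deny ACE
    rights: int    # bitmask of the rights granted or denied


# Constructed group membership: group -> members (users or other groups).
# Note that carol is three levels of nesting away from "Helpdesk".
GROUPS = {
    "Helpdesk": {"alice", "Tier2"},
    "Tier2": {"bob", "ServiceOps"},
    "ServiceOps": {"carol"},
    "Contractors": {"bob"},
}


def expand_principal(name, groups=GROUPS):
    """Return the user plus every group reached transitively through
    nested membership; an ACE naming any of these applies to the user."""
    reached = {name}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in reached and members & reached:
                reached.add(group)
                changed = True
    return reached


def effective_rights(user, acl, groups=GROUPS):
    """Union the Allow ACEs that apply to the user (directly or via any
    group), then strip every right covered by an applicable Deny ACE."""
    principals = expand_principal(user, groups)
    allowed = 0
    denied = 0
    for ace in acl:
        if ace.trustee in principals:
            if ace.allow:
                allowed |= ace.rights
            else:
                denied |= ace.rights
    return allowed & ~denied


def who_can(acl, right, users, groups=GROUPS):
    """List the users that effectively hold `right` on the object."""
    return sorted(u for u in users if effective_rights(u, acl, groups) & right)


# Constructed ACL on a privileged group object (say, Domain Admins).
# No ACE names carol, yet she can modify the membership through nesting;
# bob is a member of a group with that Allow ACE but is explicitly denied.
PRIVILEGED_GROUP_ACL = [
    Ace("Helpdesk", True, RIGHT_READ),
    Ace("ServiceOps", True, RIGHT_WRITE_MEMBERS),
    Ace("Contractors", False, RIGHT_WRITE_MEMBERS | RIGHT_RESET_PASSWORD),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, hex(effective_rights(user, PRIVILEGED_GROUP_ACL)))
    print("can change membership:",
          who_can(PRIVILEGED_GROUP_ACL, RIGHT_WRITE_MEMBERS, ["alice", "bob", "carol"]))
```

Reading only the ACL, an administrator would see three groups and no individual users; only after expanding nested membership and applying the Deny does it become visible that exactly one person (carol) can change the privileged group's membership, which is the kind of effectively delegated access the text says Active Directory itself does not surface.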


15 years into Active Directory’s existence, a fledgling company, Aorato, shows up and proclaims to the world in its MISSION STATEMENT that –

         “At the core of its founding is the acknowledgement that Active Directory is exposed – by default and by design.”

(Generally, only those who know a lot or very little about Active Directory can make such statements.)

If you want to know how much (or perhaps how little) Aorato knows about Active Directory (or knew just a few years ago), you may want to see this video. Quoting: "and then I realized that everyone has access to Active Directory". (If you know the first thing about Active Directory, you know that a leaf doesn't move in Microsoft's ecosystem without Active Directory being involved. You don't have to realize it while conducting a pen test.)

Turns out Aorato is in the business of developing and selling a (beta version of a) directory application firewall (DAF) that can theoretically detect suspicious activities such as PtH attacks. It has a handful of customers, few of which anyone may have heard of.

What Aorato has going for it is that the second most powerful privilege escalation attack vector, called Pass-the-Hash, has now been used multiple times in famous breaches, e.g. the Target breach.

(In case you’re wondering what the world’s most powerful privilege escalation attack vector is, it's called “Active Directory Privilege Escalation” and it is based on the deficiency alluded to above.)

To its credit, perhaps in an effort to demonstrate the value of its firewall, Aorato continues to look for other attack vectors, i.e. above and beyond PtH, and finds a way to demonstrate an attack vector that was until now only theoretical. (I wouldn't expect Aorato to know much about the #1 vector mentioned above.)

Having done so, it decides to make a little noise by proclaiming to have uncovered a CRITICAL Microsoft Active Directory vulnerability. Apparently, Aorato also privately shows the proof-of-concept to Microsoft.

Turns out the vulnerability has nothing to do with Active Directory per se and everything to do with Microsoft’s integration of Kerberos with Active Directory. Nonetheless, journalists who don’t seem to know better run with it.

On the other hand, hackers continue to use the second most powerful privilege escalation attack vector (Pass-the-Hash) to do damage, and in the latest case they apparently seem to have used it at Home Depot too.

Home Depot scrambles to buy a few Macbooks for its execs, supposedly to protect them from the PtH attack vector, and a journalist runs a story titled “Home Depot reportedly drops Microsoft for Apple after data hack.”

Most people don’t read the entire story, but if you read it, all that was reported was “an IT employee bought two dozen new, secure iPhones and MacBooks for senior executives”. That’s a tactical shift-the-blame move and/or a tactical security incident response 101 move.

Nonetheless, such headlines can have the effect of making Microsoft look bad, worry its customers and create a need for Microsoft to provide some reassuring response to its global Windows Server customer base.

With Aorato, in all likelihood, Microsoft’s real worry would have been to prevent Aorato from releasing its proof-of-concept tool into the public domain, because doing so would have worsened the situation.

The most efficient way for Microsoft to have eliminated that worry would have been to buy Aorato out, so it offered US $200M to Aorato, and a deal seems to have been made. $200M is the average expected cost to an organization of a major Active Directory targeted security incident, assuming it survives the incident. With over 85% of the world running on Active Directory, $200M is chump change for what Microsoft acquired, i.e. having prevented Aorato from releasing its proof-of-concept tool into the public domain.

If indeed Domain Admin accounts were compromised in the Target/Home Depot security incidents, then I have to say that the hackers were either really dumb, or very focused on merely getting a bunch of credit card numbers, because if they wanted, they could have shut these organizations down, within minutes. That's what I mean by "if you survive the incident".

Anyway, I digress.

What Microsoft seems to have got as a bonus now is the ability to claim that it is indeed doing something to help its customers defend themselves from Windows-focused, PtH-like escalation attacks.

Not bad. For chump change, not only did Microsoft get the opportunity to show that it is doing something to help, but, more importantly, it dodged a bullet (it prevented Aorato from putting the proof-of-concept tool in the public domain).

All said and done, Congratulations Aorato!

As for the #1 risk to Active Directory deployments worldwide, Active Directory Privilege Escalation (the risk that would let a perpetrator completely 0wn any Active Directory deployment within minutes WITHOUT requiring anyone else to logon to any machine, let alone one 0wned by the perpetrator), we have it covered.


PS: Interestingly, Aorato has discreetly and completely removed the zany claim “At the core of its founding is the acknowledgement that Active Directory is exposed – by default and by design.” from the mission statement on its website. The updated mission statement can be viewed here. If you wish to see the original, check out Google’s cached version here.

PS2: If you liked this, you may also like my 2c on the OPM Data Breach