It’s a very interesting world.
Microsoft, a $400B company is a name that needs no introduction. Unless you live on another planet, you know that virtually everything in the world runs on Microsoft Windows (client and server.)
On the server side, over 85% of the world’s organizations operate on Microsoft’s Windows Server platform, at the foundation of which lies a single technology – Active Directory.
Active Directory is one of the world’s most ubiquitous, entrenched and mission-critical technologies – it is the bedrock of security across the whole wide world.
In fact, at work, from the moment you logon in the morning to the moment you logoff in the evening, everything you do is powered and enabled by Active Directory. This is so because to simplify distributed security, 15 years ago Microsoft integrated its entire distributed authentication and authorization infrastructure with Active Directory.
For the most part, Active Directory is a highly robust, secure and reliable technology, designed by some of the world’s best security engineers and architects. It had better be so, because the entire world’s running on it.
(The only deficiency in Active Directory itself is the inability to help IT personnel accurately identify who is effectively delegated/provisioned what level of privileged/administrative access in Active Directory.)
For 15 years, barring and despite this deficiency, the world has been running just fine on Active Directory, and continues to do so today (at least for now, although the Russians and the Chinese have gotten wind of this glaring deficiency.)
This is a testament to just how secure, sound, robust and trustworthy Active Directory is as a technology.
15 years into Active Directory’s existence, a fledgling company, Aorato, shows up and proclaims to the world in its MISSION STATEMENT that –
“At the core of its founding is the acknowledgement that Active Directory is exposed – by default and by design.”
(Generally, only those who know a lot or very little about Active Directory can make such statements.)
If you want to know how much (or perhaps how little) Aorato knows about Active Directory (or knew just a few years ago), you may want to see this video. Quoting: “and then I realized that everyone has access to Active Directory.” (If you know the first thing about Active Directory, you know that a leaf doesn’t move in Microsoft’s ecosystem without Active Directory being involved. You don’t have to realize it while conducting a pen test.)
Turns out Aorato is in the business of developing and selling a (beta version of a) directory application firewall (DAF) that can theoretically detect suspicious activities such as PtH attacks. It has a handful of customers, few of whom anyone may have heard of.
What Aorato has going for it is that the second most powerful privilege escalation attack vector, called Pass-the-Hash, has now been used multiple times in famous breaches, e.g. the Target breach.
(In case you’re wondering what the world’s most powerful privilege escalation attack vector is, it’s called “Active Directory Privilege Escalation” and it is based on the deficiency alluded to above.)
To its credit, perhaps in an effort to demonstrate the value of its firewall, Aorato continues to look for other attack vectors, i.e. above and beyond PtH, and finds a way to demonstrate an attack vector that was until now only theoretical. (I wouldn’t expect Aorato to know much about the #1 vector mentioned above.)
Having done so, it decides to make a little noise by proclaiming to have uncovered a CRITICAL Microsoft Active Directory Vulnerability. Apparently, Aorato also privately shows the proof-of-concept to Microsoft.
Turns out the vulnerability has nothing to do with Active Directory per se and everything to do with Microsoft’s integration of Kerberos with Active Directory. Nonetheless, journalists who don’t seem to know better run with it.
On the other hand, hackers continue to use the second most powerful privilege escalation attack vector (Pass-the-Hash) to do damage, and in the latest case they apparently seem to have used it at Home Depot too. Home Depot scrambles to buy a few MacBooks for its execs, supposedly to protect them from the PtH attack vector, and a journalist runs a story titled “Home Depot reportedly drops Microsoft for Apple after data hack.”
Most people don’t read the entire story, but if you read it, all that was reported was “an IT employee bought two dozen new, secure iPhones and MacBooks for senior executives”. That’s a tactical shift-the-blame move and/or a tactical security incident response 101 move.
Nonetheless, such headlines can have the effect of making Microsoft look bad, worrying its customers and creating a need for Microsoft to provide some reassuring response to its global Windows Server customer base.
With Aorato, Microsoft’s real worry would in all likelihood have been to prevent Aorato from releasing its proof-of-concept tool into the public domain, because doing so would have worsened the situation.
The most efficient way for Microsoft to have eliminated that worry would have been to buy Aorato out, so it offered US $200M to Aorato, and a deal seems to have been made. $200M is the average expected cost to an organization of a major Active Directory targeted security incident, assuming it survives the incident. With over 85% of the world running on Active Directory, $200M is chump change for what Microsoft acquired, i.e. having prevented Aorato from releasing its proof-of-concept tool in the public domain.
If indeed Domain Admin accounts were compromised in the Target/Home Depot security incidents, then I have to say that the hackers were either really dumb, or very focused on merely getting a bunch of credit card numbers, because if they wanted, they could have shut these organizations down within minutes. That’s what I mean by “if you survive the incident”.
Anyway, I digress.
What Microsoft seems to have got as a bonus now is the ability to claim that it is indeed doing something to help its customers defend themselves from Windows-focused PtH-like escalation attacks.
Here’s the PR - Microsoft acquires Aorato to give enterprise customers better defense against digital intruders in a hybrid cloud world.
Not bad. For chump change, not only did Microsoft get the opportunity to show that it is doing something to help, but more importantly it dodged a bullet (prevented Aorato from putting the proof-of-concept tool in the public domain.)
All said and done, Congratulations Aorato!
As for the #1 risk to Active Directory deployments worldwide, Active Directory Privilege Escalation (the risk that would let a perpetrator completely 0wn any Active Directory deployment within minutes WITHOUT requiring anyone else to logon to any machine, let alone one 0wned by the perpetrator), we have it covered.
Best,
PS: Interestingly, Aorato has discreetly and completely removed the zany claim “At the core of its founding is the acknowledgement that Active Directory is exposed – by default and by design.” from the mission statement on its website. The updated mission statement can be viewed here. If you wish to see the original, check out Google’s cached version here.
PS2: If you liked this, you may also like my 2c on the OPM Data Breach