In the security interest of thousands of organizations that operate on Microsoft Active Directory worldwide, as well as that of their stakeholders (shareholders, customers, employees, partners, etc.) on
January 04, 2016 Update - Paramount Defenses Postpones Declassification of The Paramount Brief by Four Weeks, Appoints Former FBI Cyber Division Unit Chief Liaison to DHS to its Advisory Board.
February 01, 2016 Update - Paramount Defenses Postpones Declassification of The Paramount Brief One Final Time.
The Paramount Brief documents a serious and potentially imminent cyber security risk to most organizations worldwide, one that could potentially be exploited by any insider, and within minutes, potentially result in a massive cyber security breach.
I will elaborate just a bit -
- It is very serious because it could potentially grant the perpetrator complete, unrestricted, system-wide access within minutes, irrespective of whether or not security controls like 2-factor authentication, auditing etc. are in place.
- It is potentially IMMINENT because i) the attack surface is vast, ii) literally anyone in the organization could enact the threat, and iii) the tooling required to identify the weaknesses and easily enact the threat is freely available today.
- Literally any insider, i.e. anyone who has an Active Directory domain user account, or is in possession of a domain-joined computer, already has sufficient access to be able to identify the weaknesses and potentially exploit them.
Professional Courtesy
As a professional courtesy, last week, we shared a copy of the Paramount Brief with the top executives of some of the world's top business organizations across 6 continents worldwide. As cyber security professionals, we also asked them not to take our word for it, but to have the brief substantiated within their own IT environments and arrive at their own conclusions.
(I've received Thank you notes from the CEOs of many of the world's top companies, including that of Fortune 10 companies.)
Substantiation
Organizations that have received an advanced copy of the Paramount Brief should have it internally substantiated and arrive at their own conclusions as to its applicability to them. Please do not take our word for it, but do get it objectively substantiated.
In most organizations, the substantiation part will be passed down from the CEO's office to the CIO's office to the CISO's office, and possibly down to a Director's level, who may eventually end up asking an Active Directory Admin to substantiate its validity.
5 Helpful Pointers -
Since so many Active Directory admins today do not understand the subtle yet profound difference between "Who has what permissions" and "Who has what Effective Permissions", here are a few pointers to help them objectively substantiate the risk -
- The Basics - The Risk, Attack Surface and Attack Vectors at Privileged Access Insight
- The difference between Permissions and Effective Permissions
- What is an Effective Privileged Access Audit?
- Why auditing is insufficient (read #12, "The $ Billion Difference between Audit and Auditing" section here)
- Why 2-factor authentication is insufficient (read #10, the "A Caveat when using Two-Factor Authentication for Active Directory Accounts" section of this blog post on the OPM Breach.)
5 Simple Questions -
To make it really easy for them, they may want to consider whether the answer to even 1 of the 5 questions below is NO -
- Do we know exactly how many privileged (unrestricted and delegated) user accounts there exist in our Active Directory?
- Do we know exactly how many individuals can reset the passwords of all of our accounts?
- Do we know exactly how many individuals can change the membership of all of our security groups?
- Do we know exactly how many individuals can set the "Trusted for Unconstrained Delegation" bit on computer accounts?
- Do we know exactly how many individuals can create, delete and manage user accounts, security groups, Organizational Units (OUs) and computer accounts in our Active Directory, as well as modify critical Active Directory configuration settings (e.g. make a Schema change, make a Replication change, transfer a FSMO role, promote a DC, etc.)?
(By the way, here's the associated impact of compromise.)
If the answer to even 1 of these questions is NO, you will have substantiated the applicability of the brief to your organization.
Since 100% of all major recent cyber security breaches involved the compromise of just 1 Active Directory privileged user account, exactness is paramount and approximations could likely mean the difference between security and compromise.
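To make the gap between "who has what permissions" and "who has what effective permissions" concrete, here is an added PowerShell example (not code from the original post or from Paramount Defenses). For three of the questions above (reset password, change group membership, and write userAccountControl on computer accounts, which is where the Trusted for Unconstrained Delegation flag lives) it reads the DACL of one container, counts the ACEs that grant each right, then expands every trustee group recursively and subtracts denied accounts, so the output shows an ACE count next to a count of individual accounts. It assumes the RSAT ActiveDirectory module is installed, that $TargetOU is a placeholder DN you replace, and it is deliberately only a first approximation: it reads the container's own DACL only, does not evaluate canonical ACE ordering or inheritance flags in full, and ignores rights obtained indirectly through WriteDacl, WriteOwner or AdminSDHolder. The GUIDs are the well-known schema and control-access-right identifiers, which are constant across forests.

```powershell
# Added example (not from the original post): compare raw ACE counts with the number of
# individual accounts that effectively hold a right on one Active Directory container.
# Assumptions: RSAT ActiveDirectory module present; $TargetOU is a placeholder DN.
# Approximation only: single container DACL, simple Deny-over-Allow, no WriteDacl/WriteOwner/AdminSDHolder analysis.

Import-Module ActiveDirectory

$TargetOU = 'OU=Staff,DC=corp,DC=example'   # placeholder, replace with an OU in your own forest

# Well-known rights/attribute GUIDs from the AD schema
$Rights = @(
    @{ Name = 'Reset Password';          Guid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'; Kind = 'ExtendedRight' }
    @{ Name = 'Change group membership'; Guid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'; Kind = 'WriteProperty' }
    @{ Name = 'Write userAccountControl';Guid = [Guid]'bf967a68-0de6-11d0-a285-00aa003049e2'; Kind = 'WriteProperty' }
)
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Expand a trustee (user, group, or well-known principal) into individual user sAMAccountNames
function Expand-Trustee {
    param([string]$IdentityReference)
    $name = $IdentityReference.Split('\')[-1]
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties objectClass -ErrorAction SilentlyContinue
    if ($null -eq $principal) { return @($IdentityReference) }   # NT AUTHORITY\SELF, unresolved SIDs, etc.
    if ($principal.objectClass -eq 'group') {
        return @(Get-ADGroupMember -Identity $principal.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName)
    }
    return @($name)
}

# Does this ACE cover the right? GenericAll, or a matching right with the specific GUID or an empty (all) ObjectType
function Test-AceCoversRight {
    param($Ace, $Right)
    if (($Ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) { return $true }
    $kind = [System.DirectoryServices.ActiveDirectoryRights]($Right.Kind)
    if (($Ace.ActiveDirectoryRights -band $kind) -eq 0) { return $false }
    return ($Ace.ObjectType -eq $Right.Guid -or $Ace.ObjectType -eq [Guid]::Empty)
}

$acl = Get-Acl -Path "AD:\$TargetOU"

foreach ($right in $Rights) {
    $allowAces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-AceCoversRight $_ $right) })
    $denyAces  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny'  -and (Test-AceCoversRight $_ $right) })

    $allowed   = @($allowAces | ForEach-Object { Expand-Trustee $_.IdentityReference.Value } | Sort-Object -Unique)
    $denied    = @($denyAces  | ForEach-Object { Expand-Trustee $_.IdentityReference.Value } | Sort-Object -Unique)
    $effective = @($allowed | Where-Object { $denied -notcontains $_ })

    [PSCustomObject]@{
        Right                = $right.Name
        AcesGranting         = $allowAces.Count      # "who has what permissions"
        IndividualsEffective = $effective.Count      # closer to "who has what effective permissions"
        Accounts             = ($effective -join ', ')
    }
}
```

A handful of ACEs granting a right to groups routinely expands into dozens or hundreds of individual accounts once nested membership is resolved, which is the gap the questions above are asking about; treat the numbers this script prints as a lower bound on what a full effective-permissions analysis would find, not as the answer.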
Sole Objective
Please know that our sole objective in having shared this brief with some organizations, and in declassifying it weeks from now, is to educate organizations worldwide about an esoteric attack vector that today provides perpetrators a vast attack surface and an extremely easy route to potentially very quickly and easily gain unrestricted administrative access within their environments.
I must reiterate that it is imperative that it be unequivocally understood that we are not declassifying this with the intention of furthering business.
(If we have so many customers today, it is only because over the last 7 years, over 7000 organizations from over 150 countries have knocked at our doors, completely unsolicited, to seek our help in addressing a very important cyber security challenge.)
In fact, for any organization that wishes to determine exactly how many individuals have what level of privileged access in their foundational Active Directory deployments today, we will be glad to make our solutions available for them at no cost to them.
Also A Matter of Corporate Governance
This is also almost equally a matter of Corporate Governance today, as it is a matter of IT and cyber security risk management.
If we reached out to the executive leadership of certain organizations, it is only because when the potential of damage from even a single cyber security breach associated with this attack vector is so high that it could impact the entire organization (and in all likelihood, many of its stakeholders), it is imperative that the organization's leadership have first-hand knowledge about it.
Our cyber security intelligence indicates that in most organizations worldwide, this esoteric yet important matter is not even on the radar of their organization's IT and cyber security leadership, let alone on the radar of their executive leadership.
Today, in the event of a cyber security breach, it is the executive leadership that will be held accountable by the organization's stakeholders (shareholders, customers, employees etc.) and thus we felt that this must be brought to their direct attention.
Today, there must be a clear chain of accountability from the very top to the very bottom (e.g.: CEO > CIO > CISO > Director, Directory Services / Identity and Access Management > Enterprise Admins) because without it, security is almost impossible.
This is thus almost equally a matter of Corporate Governance today, as it is a matter of IT and cyber security risk management.
Microsoft was Informed
Please know that as early as 2008, the Paramount Brief was delivered to several senior/important individuals at Microsoft.
It appears that, for whatever reason, Microsoft chose not to act upon it.
Since thousands of organizations continue to be at risk, and continue to be oblivious to this highly potent attack vector, in light of the fact that 100% of all major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of a single Active Directory privileged user account, we felt that we had no choice but to publicly declassify this.
By the way, this is not even rocket science; it is common sense. But I suppose, as they say, common sense is not so common.
Onward to
Best wishes,
Sanjay
PS: You're welcome to contact us, but before you do, please familiarize yourself with this.
December 11, 2015 Update - Paramount Defenses to declassify the Paramount Brief.
February 29, 2016 - The Paramount Brief Declassified