Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


October 21, 2016

Defending Active Directory Against CyberAttacks

Folks,

One week ago I announced that I would be respectfully taking Microsoft to Active Directory Security School. I had also posed a Trillion $ question to Microsoft. As promised, today, in this post, I will do so. Sometimes less is more, so today I'll keep it short.

It is my privilege to share with you a presentation on Active Directory Security that I built for Microsoft and the world -

Defending Active Directory Against Active Directory Attacks


Here is a snapshot of a few sections from this 90+ slide deck -

Active Directory Security Presentation


I suggest that Microsoft and organizations worldwide, go through this deck, and absorb it like a sponge absorbs water, because in this deck lies the key to organizational cyber security worldwide and the answer to the Trillion $ question I posed to Microsoft.


If you find yourself wondering "What's the big deal?", please go through the entire deck, then consider the following:

Here are the top 3 sources of guidance from Microsoft on the paramount subject of Active Directory Security -
1. Microsoft's original 100+ page official Best Practice Guide for Securing Active Directory (Part I) and Part II
2. Microsoft's latest official Best Practices for Securing Active Directory guidance, introduced by Microsoft's CISO
3. Microsoft's latest 5+ hour series of 12+ videos on Defending Active Directory Against Cyber Attacks

If you can find even one mention of the Trillion $ phrase "Effective Permissions" in any of the above, let me know.


We've found that, due to a complete decade+ lack of guidance from Microsoft on the most important technical aspect of Active Directory Security, i.e. "Effective Permissions", 99% of the 1000s of IT personnel (Domain Admins, IT Auditors, IT Managers, CISOs etc.) from 1000s of organizations that have knocked at our doors do not even know what "Effective Permissions" are!


I'll let the $500 Billion Microsoft, and organizations worldwide, reflect on and absorb a) this fact, b) these questions and c) this deck, for a week, then continue sharing thoughts starting Nov 01, both on this blog and at - www.paramountdefenses.com/blog/.

Best wishes,
Sanjay

October 19, 2016

10 Essential Cyber Security Questions for All Organizations Worldwide

Folks,

Today, I'd like to share 10 elemental, essential and in fact paramount cyber security questions that every organization in the world should have answers to. They are directly related to the Trillion $ question I posed to Microsoft earlier this week.

(Quick Note: As I indicated last week, sometime this week, I will be respectfully taking Microsoft to Active Directory Security School. This post is not the one that takes them to school. Along the lines of yesterday's Trillion $ Q post, this post also helps set the stage for that post. That post will be titled "Defending Active Directory Against Cyberattacks", and will be out this week.)


Here they are -
1. Exactly who has the Replication Get Changes All extended right effectively granted in the domain root's ACL?

2. Exactly who can change the security permissions in the ACL on the domain root object?

3. Exactly who can reset the password* of all default and custom administrative (privileged) user accounts?

4. Exactly who can modify the membership of all default and custom administrative (privileged) security groups?

5. Exactly who can manage the contents of the Systems container and the Configuration and Schema partitions?

6. Exactly who can change the security permissions in the ACL of the AdminSDHolder object?

7. Exactly who can modify the default Domain Controllers Policy or link a GPO to the Domain Controllers OU?

8. Exactly who can establish and/or manage cross forest trusts, or trusts to external domains?

9. Exactly who can reset the password* of all executive accounts (e.g. Chairman, CEO, CIO, CFO, CISO etc.)?

10. Exactly who can create, control (i.e. manage and/or delegate management of) and delete vital Active Directory content, such as all (valuable) domain user and computer accounts, security groups, organizational units etc.?

* If Smart cards are in use, exactly who can disable the use of Smart cards on these domain user accounts?
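To make these questions concrete, here is an added PowerShell example (mine, not part of the original post or of Microsoft's guidance) that pulls the ACL of each control point named above and expands group trustees so that nested members become visible. It assumes the RSAT ActiveDirectory module on a domain-joined host, and the extended-right and attribute GUIDs it uses are assumed well-known schema values that should be verified against the CN=Extended-Rights container and the schema of your own forest. A listing like this is the raw material, not the answer: Deny entries, inheritance flags and ownership still have to be evaluated before anyone can say who effectively holds a right.

```powershell
# Added example, not from the original post: audit the ACLs on the control
# points behind the 10 questions. Requires the RSAT ActiveDirectory module and
# a domain-joined session. GUIDs below are assumed well-known schema values.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Extended rights and attributes that matter for the questions above.
# Keys are lowercase GUID strings, which is what Guid.ToString() returns.
$RightNames = @{
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'   # Q1
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'      # Q3, Q9 (reset)
}
$AttrNames = @{
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'   # Q4
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'   # Q7
}

# Objects whose ACLs answer Q1, Q2, Q4, Q5, Q6 and Q7.
$targets = @(
    $domain.DistinguishedName                          # domain root: Q1, Q2
    $domain.SystemsContainer                           # Q5
    $rootDse.configurationNamingContext                # Q5
    $rootDse.schemaNamingContext                       # Q5
    "CN=AdminSDHolder,$($domain.SystemsContainer)"     # Q6
    $domain.DomainControllersContainer                 # Q7
)
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $grp = $null
    try { $grp = Get-ADGroup -Identity $g } catch { }  # forest-level groups exist only in the root domain
    if ($grp) { $targets += $grp.DistinguishedName }   # Q4
}

function Get-RightName {
    # Return a label for ACEs that can lead to control of the object, $null for the rest.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $r   = $Ace.ActiveDirectoryRights
    $t   = $Ace.ObjectType.ToString()
    $all = [Guid]::Empty.ToString()   # empty ObjectType = applies to all rights/properties
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))  { return 'GenericAll' }
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl))   { return 'WriteDacl' }   # Q2, Q6
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner))  { return 'WriteOwner' }
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
        if ($t -eq $all) { return 'AllExtendedRights' }
        if ($RightNames.ContainsKey($t)) { return $RightNames[$t] }
    }
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) {
        if ($t -eq $all) { return 'WriteAllProperties' }
        if ($AttrNames.ContainsKey($t)) { return "Write-$($AttrNames[$t])" }
    }
    return $null
}

function Expand-Trustee {
    # Expand a group trustee into its transitive members so nested membership
    # shows up; non-group trustees (users, well-known SIDs) are returned unchanged.
    param([string]$Identity)
    $sam   = ($Identity -split '\\')[-1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
    if (-not $group) { return ,$Identity }
    $members = @()
    try { $members = @(Get-ADGroupMember -Identity $group -Recursive) } catch { }
    if ($members.Count -eq 0) { return ,"$Identity (no members returned)" }
    return @($members | ForEach-Object { "$Identity -> $($_.objectClass) $($_.SamAccountName)" })
}

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $right = Get-RightName $ace
        if (-not $right) { continue }
        foreach ($who in (Expand-Trustee $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Object    = $dn
                Right     = $right
                Type      = $ace.AccessControlType   # Deny entries override Allow entries
                Inherited = $ace.IsInherited
                Trustee   = $who
            }
        }
    }
}
$report | Sort-Object Object, Right, Trustee | Format-Table -AutoSize
```

Every trustee that shows up under DS-Replication-Get-Changes-All on the domain root, or under Write-member on a privileged group, is a candidate answer to the corresponding question; whether that candidate actually holds the right is the separate effective-permissions determination the questions are really about.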

Not only are these 10 elemental cyber security questions directly related to Active Directory security, they directly impact and are imperative to foundational cyber security of 1000s of business and government organizations in 150+ countries worldwide.

They are imperative to foundational cyber security because anyone who can enact these tasks could instantly gain command and control over the entire organization's security. For details, after Nov 01, please visit - www.paramountdefenses.com/blog/

Incidentally, to be able to answer each of these 10 elemental and essential cyber security 101 questions, organizations require the ability to perform just one technical process. So, here's another trillion $ question - What is that one process?

The answer to this trillion $ question is coming soon, right here on this blog, later this week. (Stay tuned.)

Oh, and if any cyber security company on the planet (including but not limited to Microsoft, Amazon, IBM, Google, Cisco, EMC, Dell, Centrify, Palo Alto Networks, FireEye, CyberArk, BeyondTrust, Lieberman Software, Check Point Software, CrowdStrike, Palantir Technologies, Kaspersky Labs, Tripwire, HP, EY, PwC, DarkTrace, Lockheed Martin, BAE Systems, Tanium, BAH etc. etc.) has a clue as to the answer AND can help the world accurately answer these 10 basic, essential questions, let me know.

Organizations that do NOT have answers to these basic 10 cyber security 101 questions CANNOT be considered secure today.

Best wishes,
Sanjay



October 17, 2016

A Simple Trillion $ Cyber Security Question for Microsoft (MSFT) regarding Defending Active Directory Against Cyberattacks

Folks,

Ask any good security practitioner or hacker and they'll tell you that security is in the details, so this is a slightly detailed post. This blog post is also worth a proverbial Trillion $, so if you're into cyber security, you'll want to read it in its entirety.

First things first - As I indicated last week, sometime this week, I will be respectfully and publicly taking Microsoft to Active Directory Security School. This post is not the one that takes them to school; this post is merely a curtain raiser and sets the stage for that post. That post will be titled "Defending Active Directory Against Cyberattacks", and it will be sometime this week.

Today I respectfully pose a simple trillion $ cyber security question to Microsoft regarding the contents of the following video that Microsoft released in May 2016 -



(Please click the Play button to view the video. If it does not play, you can see it on Microsoft's website here.)


First, the context -
  • In May 2016, i.e. within 2 months of this, and for the first time in the 16 years that Active Directory has been around, Microsoft developed and released a 7-part series of 12 videos titled "Defending Active Directory against Cyberattacks". The entire series can be found here. They even made a promo for it, which can be found here.

Next, the summary of the video above titled "Defending the Directory", quoted verbatim -
  • "Do you know who your admins are? Learn why maintaining solid access control to sensitive directory objects is important for mitigating stealthy means of persistence and escalation of privilege."

Then, a few quick thoughts -
  • I'd like to publicly commend Microsoft for producing this video series on Active Directory Security. It was high time that Microsoft voiced and stressed the importance and urgency of defending Active Directory deployments.
  • I strongly encourage IT personnel at all organizations to watch the above video. It is a 29 minute video, but it's worth your time, because it concerns a lesser known but highly potent attack vector that most organizations are likely not aware of, and wherein the attack surface is the size of the Atlantic ocean, and one that could easily grant an intruder or an insider complete command and control of the organization's foundational Active Directory in minutes.

Finally, before I pose the question, for those who may not have the time to view it, some important quotes from this video -
  1. "The first thing I want to discuss is admins that are a little bit less obvious, or you don't realize they're admins" 
  2. "Lots of customers I work with are laser focused on Domain Admins, Enterprise Admins, Builtin Admins and Schema Admins, and they think that if I know who is a member in any one of those groups, I know who my admins are, which isn't always necessarily the case, because with the way that Active Directory works, you can delegate access to different objects through access control lists"
  3. "If I had permissions to say link a GPO to the Domain Controllers OU, then I could use that to go from what appears to be an unprivileged account to having full control over Active Directory"
  4. "I am able to do this (i.e. use Mimikatz DCSync to replicate everyone's hashes from Active Directory) using a plain domain user account because this account has been delegated some rights at the Domain level"
  5. "A lot of organizations have been using Active Directory since it was released back in 2000, and then they went to 2003 and then 2008 and now they're on 2012, and over that time period they've probably had a lot of turnover in the organization, so the guy that set up AD 10 years ago isn't with the company anymore, and the guy that's doing this now is inheriting a mess potentially from several previous administrators, and people could have delegated this for what they thought was a legitimate reason, and it leaves another attack vector that is less obvious."
  6. "Absolutely everything inside of Active Directory is an object, protected by ACLs and these things (ACLs) can be manipulated in a great number of ways depending on what permissions you have there"
  7. "You can be an admin through (deeply) nested groups. I have seen that quite a bit. It can get pretty messy. That is why you want to keep a clean directory."
  8. "Contest your delegates. Challenge them. Go and find out who has been delegated what privileges"
  9. "Somebody, either possibly legitimately, or illegitimately, was granted rights that gave them a lot of power. They could grab the hash of any account, and become that account, simply by having been delegated the Get Replication Changes All rights on that object"
  10. "If I have write member permissions on a group, I can add myself to this group, and since this group via group nesting is a member of the Domain Admins group, I could easily and instantly escalate my privilege to that of a Domain Admin"
  11. "So effectively that is a means of escalation!"
  12. "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" (See corrections below.)
  13. "We're getting pretty deep into the inner workings of Active Directory, but based on what you showed us in the demo, it's super important. It is, it is VERY IMPORTANT because these are all different ways that I could use to escalate privilege, and they're not obvious because it's controlled by the access control lists (ACLs)!"
  14. "We are working to identify which ACLs in Active Directory can lead to command and control of Active Directory"


Oh, and a few relevant (i.e. not all) corrections -
  • "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" is technically incorrect. It should have been "If a group or account has been granted RESET password on an account, and that account is privileged, I can RESET the password on that account, and now I own it!" It is incorrect because in order to change a user's password, you need to know his/her existing password. Details here or here.
  • "You can use the Get-ACL cmdlet in PowerShell with Active Directory and you can view who has the rights on the object that I am looking at, what rights they have." Who has what rights/permissions granted in the ACL of an Active Directory object is NOT the same as who actually has what rights in Active Directory! There's a world of difference.
  • "If I have that permission, I can link that GPO" should be "If I effectively have that permission, then I can link that GPO." Having the permission listed in the ACL is by no means sufficient. Similarly, simply viewing the ACL to see who has Get Replication Changes All is neither sufficient nor the accurate way to find out who can actually replicate secrets from Active Directory. (You need to know who effectively has that permission granted.) More on that later this week.
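As an added illustration of the corrections above (example code of mine, not from the post or from Microsoft's video), the following PowerShell evaluates one principal against one object for one extended right, as a first approximation of what the domain controller does: it builds the account's token from tokenGroups (so nested groups are already expanded), walks the DACL in evaluation order (explicit before inherited, Deny before Allow), and checks both the reset-password right and the change-password right so that the difference drawn in the first correction is visible. It assumes the RSAT ActiveDirectory module on a domain-joined host; the two extended-right GUIDs are assumed well-known values, and jdoe and svc-backup are hypothetical account names.

```powershell
# Added example, not from the original post: first-order effective-permission
# check for one principal, one object and one extended right. Requires the RSAT
# ActiveDirectory module. GUIDs are assumed well-known values; account names
# are hypothetical.
Import-Module ActiveDirectory

$ResetPassword  = '00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password (reset)
$ChangePassword = 'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password (needs old password)

function Get-TokenSids {
    # All SIDs the DC would put in this account's token: its own SID, every
    # transitive security group (tokenGroups is computed server-side, so deep
    # nesting is already expanded), plus Everyone and Authenticated Users.
    param([string]$SamAccountName)
    $acct = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($acct.SID.Value)
    foreach ($g in $acct.tokenGroups) {
        if ($g -is [byte[]]) { $g = New-Object System.Security.Principal.SecurityIdentifier($g, 0) }
        $sids += $g.Value
    }
    $sids += 'S-1-1-0', 'S-1-5-11'
    return $sids
}

function Test-EffectiveRight {
    param([string]$SamAccountName, [string]$ObjectDn, [string]$RightGuid)
    $sids      = Get-TokenSids $SamAccountName
    $acl       = Get-Acl -Path "AD:\$ObjectDn"
    $allRights = [Guid]::Empty.ToString()
    # AD evaluates explicit ACEs before inherited ones and, within each group,
    # Deny before Allow; the first ACE matching both the token and the right decides.
    $ordered = $acl.Access | Sort-Object @{ e = { $_.IsInherited } }, @{ e = { $_.AccessControlType -ne 'Deny' } }
    foreach ($ace in $ordered) {
        $aceSid = $null
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        if (-not $aceSid -or $sids -notcontains $aceSid) { continue }
        # InheritOnly entries exist to propagate to children and grant nothing on this object
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        $t = $ace.ObjectType.ToString()
        $coversRight = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                       ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                        ($t -eq $allRights -or $t -eq $RightGuid))
        if (-not $coversRight) { continue }
        return [pscustomobject]@{
            Principal = $SamAccountName; Object = $ObjectDn; Right = $RightGuid
            Result    = [string]$ace.AccessControlType; Via = $ace.IdentityReference.Value; Inherited = $ace.IsInherited
        }
    }
    # No ACE matched at all: access is denied by default
    return [pscustomobject]@{
        Principal = $SamAccountName; Object = $ObjectDn; Right = $RightGuid
        Result    = 'Deny (no matching ACE)'; Via = $null; Inherited = $null
    }
}

# Usage (hypothetical accounts): is jdoe able to reset svc-backup's password, and
# does jdoe merely hold the change-password right that everyone has?
$target = (Get-ADUser -Identity 'svc-backup').DistinguishedName
Test-EffectiveRight -SamAccountName 'jdoe' -ObjectDn $target -RightGuid $ResetPassword
Test-EffectiveRight -SamAccountName 'jdoe' -ObjectDn $target -RightGuid $ChangePassword
```

Expect the change-password check to come back Allow via Everyone on most user objects, which is harmless because exercising it still requires the current password; the reset-password result is the one that matters. This is a first-order check: it does not model object ownership (an owner can always rewrite the DACL and so obtain any right), and it evaluates a single right in isolation rather than a combined access mask, which is why the page's point stands that reading the ACL is only the beginning of an effective-permissions determination.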


The Trillion $ Question

Finally, the Trillion $ Question is -

  • The Context

    Microsoft, it's 2016 and you're (only) a $500 Billion company today because virtually the entire world is your customer. Today, across your global organizational customer base, from the Fortune 1000 to entire federal, state and local governments, there exist billions of Active Directory security permissions (aka access privileges) protecting hundreds of millions of Active Directory objects across thousands of Active Directory deployments worldwide.

    It's 2016, and so it is 16 years after Active Directory shipped (and so interestingly coincidentally, just 2 months after we, Paramount Defenses, declassified the Paramount Brief) that you're just now and finally stressing the paramount importance of Active Directory Security to your customers, and you finally and rightly tell the world (and I quote from the video above titled "Defending the Directory") - "Go and find out who has been delegated what privileges" because "everything in Active Directory is an object" "protected by access control lists" and "this is very, very important" BUT when you do so, you completely forget to tell them the one most important technical fact about how to correctly assess who has actually been delegated what privileges in Active Directory, i.e. the one technical fact that governs the actual resulting access and delegations in Active Directory.

    This, even though it was right in front of the presenter's eyes during one of the methods demonstrated in the video!

    (By the way, in the video, the methods demonstrated by the presenter on how to assess these rights/permissions and delegations are substantially inadequate and incorrect. However, the presenter is not to blame because he is merely presenting what has consistently been (inaccurate) official guidance from Microsoft in its whitepapers etc.)


    The Question

    In light of the context above, my simple question to you is - Can you please tell the world WHAT is the one cardinal (paramount) technical fact that governs the determination of who can actually do what in Active Directory?

    By the way, HOW in the world could you have forgotten to cover it, when you know that in all likelihood, millions of IT folks from 1000s of organizations across 150+ countries worldwide are going to view these videos and based on the guidance presented, enact measures to enhance the foundational cyber security of their organizations?!


Make no mistake about it. In the answer to this question lies the key to organizational cyber security globally. It's that simple.

Here's why - If organizations do not swiftly and correctly identify and eliminate the ocean of unauthorized access privileges that exists in their Active Directory deployments today, it is only a matter of time before intruders or insiders exploit this ocean of vulnerabilities to obtain complete command and control over foundational Active Directory deployments worldwide.

Oh, and, by the way, no cyber security company on the planet (neither the McAfees nor the CyberArks of the world, neither the FireEyes nor the CrowdStrikes of the world, neither the Centrifys nor the BeyondTrusts of the world) seems to have a clue as to the answer, or for that matter seems to know how to help organizations correctly identify the ocean of unauthorized access privileges that exist in 1000s of Active Directory deployments worldwide, just waiting to be found and exploited.



Substantiating the Trillion $

In case you're wondering why I say it's a Trillion $ cyber security question, that's because if you were to add up the market cap of the 20,000+ organizations across 150+ countries, not to mention or include the 1000s of local, state and federal/national governments at whose very foundation lies Microsoft Active Directory, you'll find the sum will handily be in the trillions of $.

Also, in case you find yourself wondering as to how this 1 simple question could possibly impact organizational cyber security globally, for now just consider the colossal impact of even a single (i.e. just one) successful execution of mimikatz DCSync in an organization's network, i.e. the colossal damage a proficient adversary could subsequently, swiftly inflict - it'd be Game Over.

Oh, and by the way, mimikatz DCSync is just the Tip of the Iceberg. (More (i.e. an ocean to be precise) on that later this week.)



Looking Forward to an Answer

So, to my incredibly talented, hard-working and respected colleagues and friends at Microsoft, I (and the world) look forward to your answer. Also, in case you don't really like that this question is being asked publicly, my sincerest apologies. It is 2016 after all, not 2006, and as you too likely know 100% of all major recent cyber security breaches (e.g. Snowden (at NSA), Target, JP Morgan, Sony, Anthem, OPM) have involved the compromise and misuse of just one Active Directory privileged user account.

If for any reason, you can't answer this question, no worries, I'll answer it for you, later this week, right here on this blog.

Best wishes,
Sanjay


PS: This blog is read by 1000s of prominent folks (CEOs, CIOs, CISOs, IT Directors, Domain Admins, Security Analysts and Pen Testers at Fortune 100 and 1000 companies, institutional and individual shareholders, cyber security personnel and leadership at 3-letter government agencies worldwide, nation states (e.g. UK, the EU, Australia, Russia, China etc.) and it being a public blog, unfortunately even folks on the dark side) from 150+ countries worldwide. In other words, everyone's tuned in.


PS2: July 25, 2017 Update. I just answered this question for Microsoft. The answer to this Trillion $ question is right HERE.

October 14, 2016

Time to Respectfully Take Microsoft to Active Directory Security School

Folks,

My apologies for the month-long absence. About a month ago, something was brought to my attention and it made me realize that in the interest of the foundational organizational cyber security of organizations worldwide, we need to help Microsoft better understand Active Directory Security. I've thus been at work building something, and I think it's time we share it with the world.


So, in the coming week, i.e. sometime between Monday, Oct 17, 2016 and Friday, Oct 21, 2016, I will be most respectfully and publicly taking Microsoft to Active Directory Security school, right here on this cyber blog, in a blog post befittingly titled "Defending Active Directory against Cyberattacks".


Please know that it is only in the interest of organizational cyber security worldwide that we'll be doing so publicly i.e. so that 20,000+ organizations across 150+ countries worldwide can also instantly have access to valuable, effective and immediately actionable Active Directory security insight and guidance, which is the need of the proverbial hour.

Please also know that as a deeply passionate ex-Microsoftie, I have great respect for Microsoft, and in fact have spent the last 15 years working to help make 1000s of Microsoft's customers across the world more secure, so it is only in Microsoft's best interest and in the best interest of 1000s of the world's biggest organizations that today operate on Microsoft Active Directory, that I have decided to do so.

If you're familiar with my background and some of my previous blog entries, then you'll want to tune in right here on Monday morning.

Best wishes,
Sanjay


PS: October 21, 2016 update - Here's the post Defending Active Directory Against CyberAttacks