Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


December 31, 2017

2017 - The Year The World Realized the Value of Active Directory Security

Folks,

As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!


I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.



Active Directory Security Goes Mainstream Cyber Security

Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -


  1. Since the beginning on the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

  2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?"  From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

  3. On June 08, 2017, CyberArk a Billion+ $ cyber-security company, and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

  4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

  5. On July 11, 2017, Preempt, a Cyber Security announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access. 

  6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

  7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.

  8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

  9. On December 12, 2017, Preempt, a Cyber Security announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

  10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1- 9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9  above, lies in Active Directory Effective Permissions and Active Directory Effective Access.





Helping Defend Microsoft's Global Customer Base
( i.e. 85% of  Organizations Worldwide )

Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...


...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1- 9 above.

This year, I ( / we) ...

  1. conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation

  2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

  3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

  4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

  5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

  6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

  7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

  8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

  9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

  10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security


In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.





Summary

All in all, its been quite an eventful year for Active Directory Security (, and one that I saw coming over ten years ago.)

In 2017, the mainstream cyber security community finally seem to have realized the importance of Active Directory Security.


Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

Best wishes,
Sanjay.

PS: Why I do, What I Do.

December 29, 2017

Why I Do, What I Do

Folks,

I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.


Here are the answers to the Top-5 questions I am frequently asked -

  1. You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?

    Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.

    In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.

    As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.




  2. Speaking of which, how big is Paramount Defenses?

    At Paramount Defenses, we believe that less is more, so our entire global team is less than a 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to-date, the entirety of our R&D team are former Microsoft employees.

    If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.




  3. Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?

    The simple answer to this question - For Security Reasons.

    At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.

    As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.

    Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.




  4. What do you intend to accomplish by blogging?

    The intention is to help organizations worldwide understand just how profoundly important Active Directory Security is to organizational cyber security, and how paramount Active Directory Effective Permissions are to Active Directory Security.

    That's because this impacts global security today, and here's why -




    You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, its Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.

    It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.

    Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR many more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.

    This isn't a secret; its something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.

    In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security expert and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.

    What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"

    On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.

    To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.

    Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.

    Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.




  5. Why have you been a little hard on Microsoft lately?

    Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.

    In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.

    You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know about what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this a highly concerning fact, because this means that most organizations worldwide are operating in the proverbial dark today.

    It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer based about Active Directory Effective Permissions at all - Proof.

    Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.

    As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.

    Fortunately for them and the world, we've had our eye on this problem for a decade know and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.

    Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.


Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.

Best wishes,

December 12, 2017

Paramount Privileged Account Security Guidance (101) for CyberArk

Shadow Admins - The Stealthy Accounts That You Should Fear The Most, but Needn't Anymore


Folks,

Today's post concerns CyberArk's guidance on Privileged Account Security, a subject that is paramount to cyber security today, and it likely impacts Trillions of $, as it impacts the foundational cyber security of 85% of all organizations worldwide. I pen this as former Microsoft Program Manager for Active Directory Security, and thus as the world's top expert in privileged access.



An Intro to CyberArk

I shouldn't have to provide an intro to CyberArk (CYBR), a $ Billion+ cyber security company, because according to its website, CyberArk is the (self-proclaimed) leader in Privileged Account Security, with more than 3450 global companies, including more than 50% of the Fortune 100 companies, relying on its solutions to protect their most critical and high-value assets.

Image Attribution: CyberArk's Website
According to CyberArk's website - HALF OF FORTUNE 100 CISOs RELY ON CYBERARK.

If that is the case, then recent guidance provided by CyberArk's experts on a very important topic is a bit concerning.

Specifically, on June 08, 2017 CyberArk's researchers penned a blog post on their Threat Research Blog, which is presumably read by thousands, titled Shadow Admins - The Stealthy Accounts that You Should Fear The Most. In it, they've shed light on a category of privileged accounts they called Shadow Admin accounts, and introduced and recommended tooling that they have developed, and that according to them, could help organizations discover these Shadow Accounts in their networks.

It is concerning because as a subject matter expert, i.e. as former Microsoft Program Manager for Active Directory Security, it is my professional opinion that though its premise is accurate, the guidance and tooling provided in that post are inaccurate, and consequently any reliance upon it by organizations could result in a false sense of security, and leave them vulnerable.

Note: The specific details of the various inaccuracies are provided below in the section titled The Inaccuracy and a link to two demos that illustrate these inaccuracies is also provided in the section titled Accurate Guidance.

The remainder of this well-intentioned blog post is meant to help CyberArk and organizations worldwide understand this esoteric yet paramount aspect of organizational cyber security i.e. the so-called "Shadow Admins" and how to correctly discover them.





Privileged Account Security

Before I share why CyberArk's guidance may be inaccurate, its important to say a few words on Privileged Account Security.




The importance and value of Privileged Accounts is perhaps best summarized in line #1 of CyberArk's data-sheet -
"Privileged accounts represent the largest security vulnerability an organization faces today. These powerful accounts are used in nearly every cyber-attack, and they allow anyone who gains possession of them to control organization(al) resources, disable security systems, and access vast amounts of sensitive data."
CyberArk is 100% right. The compromise of even just 1 (i.e. ONE) such privileged account could easily grant perpetrators complete command and control over the entire IT infrastructure and empower them to swiftly enact a devastating cyber attack.

In fact, 100% of all major recent high-impact cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and subsequent misuse of a single, i.e. just ONE Active Directory Privileged User Account.

In that regard, CyberArk's focus on helping organizations adequately protect privileged accounts is spot-on and appreciated.


That said, and as you'll hopefully agree, "one can't protect what one can't identify" which is why the accurate discovery of all privileged accounts in an organization's network, especially of all Active Directory Privileged Access Accounts, is paramount.

In fact, it is exactly these privileged access accounts in Active Directory that CyberArk's well-intentioned blog sought to shed light on. Further, they likely felt this was very important (and they're right), which is why they even proceeded to develop tooling to help organizations identify all such accounts. Its just that perhaps CyberArk's experts too may not yet understand the intricate details of Active Directory Security well enough, and thus their well-intentioned guidance may have turned out to be inaccurate.

Speaking of which, this makes for a perfect segue, so please allow me to shed light on where CyberArk's well-intentioned guidance is inaccurate, and how organizations can correctly discover all such "Shadow Accounts" in Active Directory.




The so-called Shadow Admin Accounts

CyberArk's famous post on Shadow Admins, titled Shadow Admins - The Stealthy Accounts that You Should Fear The Most begins by describing what these so-called "Shadow Admin Accounts" are, and I quote -
"Shadow Admin accounts are accounts in your network that have sensitive privileges and are typically overlooked because they are not members of a privileged Active Directory (AD) group. Instead, Shadow Admin accounts were granted their privileges through the direct assignment of permissions (using ACLs on AD Objects)"

I've been working on Active Directory Security for almost two-decades know and may have personally clocked over 30,000 hours on the subject, and yet the first time I came across the term "Shadow Admins" was when I read CyberArk's blog post.

If you Google/Bing "Shadow Admins" you're likely not going to find many references to it, other than to CyberArk's post on their blog, and then all the places wherein numerous people who may have read their blog have shared this across the Web.

Ah! What CyberArk's researchers are referring to as "Shadow Admin" accounts are actually Active Directory user accounts that may not belong to any privileged Active Directory groups, yet may have been directly granted various security permissions at various locations (i.e. on various Active Directory objects) within Active Directory, SUCH THAT the permissions they've been granted effectively provide them with access that is tantamount to possessing privileged access in Active Directory.

The rest of us, who have been doing Active Directory Security for years, and by that I also mean and include thousands of Active Directory admins at organizations worldwide, typically refer to such accounts as "Delegated Admins" in Active Directory.

By the way, I only know this because while at Microsoft, I wrote the Bible on Privileged Account Security in Windows - i.e. back in 2004, I authored Microsoft's official 400-page whitepaper titled "Best Practices for Delegating Active Directory Administration."

For instance, here are 3 quick examples -
  1. James has Write-Property Member permissions specified in the ACL of the Domain Admins group.
  2. Emily has Reset Password permissions specified in the ACL of a Domain Admin's user account.
  3. John has Get-Replication Changes All permissions granted in the ACL of the domain root.
In each case above, even though Emily, James and John may not be a member of any one of the many default Active Directory admins groups, their access is*  tantamount to Domain-Admin equivalent access; this discovery might be startling for novices.

Like other accomplished cyber security folks who may have recently taken a keen interest in Active Directory Security (e.g. one, two, three, etc.), CyberArk's experts too may be new to Active Directory Security, and may have come to realize that indeed there likely possibly exist hundreds of such "Delegated Admin" accounts in Active Directory, many of whom may have what is tantamount to unrestricted privileged access in Active Directory, yet neither these account holders nor the organization's privileged users may know about them, BECAUSE it is very difficult to accurately identify/discover/audit these accounts.

Speaking of which, therein lies the inaccuracy in CyberArk's guidance and tooling, as explained below.




The Inaccuracy

Let me first acknowledge that CyberArk's general recommendation on Privileged Account Security are correct, and I quote -
"To maintain a strong security posture, CyberArk Labs highly recommends that organizations get to know all of the privileged accounts in the network, including those Shadow Admins.
That said, if you read their entire blog post, which I highly recommend every IT and Cyber Security professional and CISO to do, you'll find that CyberArk's experts seem to be making the same classic mistake that so many other have been making for years.


Specifically, here's that classic mistake, and again I quote from their post -
"Searching and analyzing the ACL permissions granted to each account is a more comprehensive method."
You see, searching and analyzing the permissions granted to each account in Active Directory ACLs is NOT the right way to find out exactly what level of access that account holder may actually (i.e. effectively) have in Active Directory.

Here's why - the ONLY CORRECT WAY to find out exactly who actually has what access in Active Directory, including of course any/all privileged access, is by determining "Active Directory Effective Permissions / Active Directory Effective Access."

This cardinal technical fact may be confirmed by contacting Microsoft .

Not only is there a HUGE difference between merely "searching and analyzing the ACL permissions granted to each account" and "determining effective permissions in Active Directory," more importantly the latter is a thousand times more difficult.

Incidentally, for reasons best known to Microsoft, for an entire decade, Microsoft apparently forgot to educate the world about the paramount importance of effective permissions/access in (and to the security of) Active Directory, which is also likely why even the authors of An ACE Up the Sleeve - Designing Active Directory ACL Backdoors, which likely was what prompted CyberArk's experts to look into and pen this post, also seem to have made the same mistake in their approach and tooling.

I find it amazing that based on this limited (and inaccurate) knowledge, CyberArk's experts even procceded to develop tooling, and I say so because unlike the developers of (the inaccurate) Bloodhound, CyberArk is a respected Billion $ company -
"...we have developed a special tool that scans and discovers privileged accounts based on account permissions. The tool, ACLight, is available for free on GitHub and can be used to discover these Shadow Admin acocunts on your network today...

We tested their ACLight tooling and unfortunately it failed even the most basic of tests that one could put such a tool through.

Consequently, it is in light of the above (i.e. their guidance seems to be based on incorrect technical facts and relies upon the use of tooling which too may be based on the same incorrect technical facts, and thus may likely be vastly inaccurate) that my professional opinion leads me to believe that the following guidance from CyberArk's experts is most likely inaccurate -
"...We encourage you to use our Shadow Admins scanning tool, ACLight, to start uncovering these accounts."

To help everyone clearly understand this, I've illustrated this in 2 DEMOS which can be accessed here.




Accurate Guidance

To help CyberArk's experts and the entire world better understand why the naïve approach of "searching and analyzing the ACL permissions granted to each account" is fundamentally flawed, and why it is effective permissions that matter, as well as how to CORRECTLY identify all such Shadow Admins in Active Directory, I've penned a separate blog post on my technical blog, and here's the URL -



I highly recommend that every IT and Cyber Security professional and every CISO, including the CISOs of half of the Fortune 100 that rely on CyberArk today as well as the half that don't rely on CyberArk yet, READ that insightful technical blog post.




Fear, No More

Those who truly understand Active Directory Security, and thus those who truly understand Privileged Account Security in Windows networks know that the ONLY CORRECT WAY to accurately identify all such Delegated Admins (or as CyberArk calls them, "Shadow Admins") in Active Directory is by determining effective permissions / effective access in Active Directory.

As former Microsoft Program Manager for Active Directory Security, let me be the first to tell you that accurately determining effective permissions in Active Directory, on even a single Active Directory object, is very difficult. To then be able to do so on thousands of objects in an Active Directory is almost a herculean task on par with scaling Mount Everest.

That said, if you can click a button, you needn't fear "Shadow Accounts" anymore because this tool can uniquely, instantly and accurately identify all such "Delegated Admins" (or if you prefer to call them "Shadow Admins") accounts in Active Directory -


It is the only tool in the world that can accomplish the herculean feat of being able to accurately identify all such "Delegated Admin" / "Shadow Admin" accounts in Active Directory, and it took over half a decade to build, thoroughly test and deliver.

Today, the world's most powerful government and business organizations across 6 continents worldwide rely on it.

We care deeply about all organizations, including all cyber security companies so I'll also be the first to tell you that it does NOT obviate the need for various privileged account security solutions that respectable companies like CyberArk and others provide.

It ONLY helps accurately discover/identify/audit all such accounts, but as CyberArk too has emphasized in their blog, that in itself is PARAMOUNT because "you cannot protect what you cannot identify" and just ONE such privileged account (of which at most organizations, there likely are hundreds today) is all that perpetrators need to discover and compromise to then be able to easily 0wn the Kingdom.



Summary

Ladies and Gentlemen, in closing, Privileged Account Security is paramount to organizational cyber security, and please don't just take my word for it, for here's CyberArk communicating in effect the same fact -
"Privileged accounts represent the largest security vulnerability an organization faces today. These powerful accounts are used in nearly every cyber-attack, and they allow anyone who gains possession of them to control organization(al) resources, disable security systems, and access vast amounts of sensitive data."
As I've said above, CyberArk is 100% right. The compromise of even just 1 (i.e. ONE) such privileged account could easily grant perpetrators complete command and control over your entire network and empower them to swiftly take over everything.

In fact, 100% of all major recent high-impact cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and subsequent misuse of a single, i.e. just ONE Active Directory Privileged User Account.


CyberArk is also 100% right that in most Active Directory deployments worldwide, today there likely exist a dangerously and excessively large number of such "Shadow Admin" accounts, that for all practical reasons possess the same level of privileged access as do members of default Active Directory administrative / privileged access groups, yet because they're not members of these default privileged access groups, these accounts are in fact very difficult to accurately identify.

Consequently, their presence may possibly post a FAR greater risk to organizational cyber security, which is why it is so very important for organizations to be able to accurately discover/identify all such accounts i.e. each and every single one of them.

We also appreciate CyberArk's well-intentioned efforts to offer guidance that could help organizations identify all such accounts. Unfortunately, because this is a rather esoteric subject, and Microsoft has apparently not provided any guidance on how to correctly identify such accounts, CyberArk's experts may not have known how to correctly identify all such accounts.

Thus, we were happy to have shed light on this paramount subject to help them and organizations worldwide better understand how to accurately identify all such "Shadow Admin" accounts. Towards the same, I also shared a pointer to a technical blog wherein we're illustrated the inaccuracy and classic mistake that most organizations make, as well as the correct approach.

Finally, for all such organizations that wish to be able to efficiently and accurately identify all such "Shadow Admin" accounts, I've also shared with you above how the world's most powerful government and business organizations easily do so today.

I hope you've found this to be helpful, and I wish you all, including CyberArk, all the very best.

We're all in this together.

Best wishes,
Sanjay


PS: (Highly) Recommended Reading -
  1. The Entire World runs on Active Directory
  2. Defending Active Directory Against CyberAttacks (Slide 88 alludes to CyberArk)
  3. Active Directory Effective Permissions
  4. Active Directory Privilege Escalation - A Trillion Dollar Example
  5. How to Thwart Sneaky Persistence in Active Directory
  6. How to Discover Stealthy Admins in Active Directory
  7. A Letter to Benjamin Delpy, a Letter to Microsoft, and a Letter to President Donald Trump

December 8, 2017

Time to DEMONSTRATE Thought Leadership in the Cyber Security Space

Folks,

Hope you're all well. Last year I had said that it was time for us to provide Thought Leadership to the Cyber Security space.


Since then, I've penned over 50 blog posts, on numerous important topics,
and helped 1000s of organizations worldwide better understand -

  1. The Importance of Active Directory Security

  2. Insight into Active Directory ACLs - Attack and Defense

  3. How to Defend Active Directory Against Cyber Attacks

  4. How to Mitigate the Risk Posed by Mimikatz DCSync

  5. How to Thwart Sneaky Persistence in Active Directory

  1. How to Identify Stealthy Admins in Active Directory

  2. Understand Windows Elevation of Privilege Vulnerability

  3. Illustrate Active Directory Privilege Escalation

  4. Correctly Identify Privileged Users in Active Directory

  5. Importance of Active Directory Effective Permissions
There's so much more to share, and I will continue to do so.





A Paramount Global Cyber Security Need

Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of all business and government organizations worldwide, including most cyber security companies.

Folks, I am talking about empowering organizations worldwide identify exactly who holds the proverbial "Keys to the Kingdom" i.e. helping them accurately identify exactly who actually possesses what privileged access in Active Directory deployments.


The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just ONE Active Directory Privileged User Account.

Since we've been silently working on this 2006, we've a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance to this subject.

Unfortunately, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate.





Thought Leadership

There's an old saying - "Actions Speak Louder Than Words." While there's no dearth of talk by so many big names out there on how to improve cyber security, identify privileged users etc., the key to actually (demonstrably and provably) enhancing cyber security lies in actually helping organizations do so, and we've been silently at work for a decade to help organizations do so.

So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their foundational Active Directory deployments worldwide.


In doing so, we will yet again demonstrate Thought Leadership in the Cyber Security space. By the way, this is neither about us, nor about pride. I've already said I'm just a nobody (, whose work possibly impacts everybody.) This is about a desire to help.

So, that post should be out right here on this blog next week, possibly as early as Monday morning.

Best wishes,
Sanjay