Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.



January 20, 2017

Trillion-Dollar Cyber Security Insight for President Donald Trump

Dear Mr. Trump,

Hello. I'm Sanjay, President of Paramount Defenses. I just wanted to congratulate you on your historic win, wish you success, as did President Obama, and share VALUABLE cyber security insight that could be VITAL to your administration's success.

Before I get to it, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic U.S. citizen and a cyber security professional, and that my desire to do so publicly has been inspired by how much you, Sir, share publicly. Given the sheer impact of our important work across America and the world today, we are a 100% non-partisan organization.

One quick vital point regarding all the talk of Russian hacking to influence the U.S. election: while Russia and possibly others may certainly have tried to influence it, professionally speaking, i.e. as a cyber security practitioner, in the grand scheme of things it matters less who is trying to hack us than that we protect ourselves from being hacked, so from that angle you're likely right that the DNC should have adequately defended itself. You see, once an entity is hacked, at that very moment the damage is done, because its data is now in someone else's hands, and the entity no longer has any control over what the perpetrators do with it. In fairness, one should also add that if indeed Russia did hack the RNC as well, but chose not to divulge its data, then reasonably speaking, that would have amounted to what is being called "an attempt to influence an election."


That said, Mr. Trump, hopefully you'll agree that given our sheer reliance and dependence on computers and technology, the success of your Presidency and your administration will GREATLY depend on the cyber security of our government agencies.

Attribution: Mr. Trump's photo: Michael Vadon

In that regard, I thought you should know that at the very foundation of cyber security of our entire U.S. Government (i.e. 600+ federal agencies) lies a single technology, Microsoft Active Directory, the cyber defense of which is paramount to our security.

You may or may not know this yet, but the White House, the U.S. Capitol, all our intelligence agencies, and virtually all our departments (e.g. Defense, State, Justice, Energy, Labor, Interior, Veterans Affairs etc.) all operate on Active Directory.

By the way, I must mention that none of this is classified information. This is all public knowledge. I just happen to know it first hand because I'm a former Microsoft Program Manager for Active Directory Security, i.e. a "deep in the trenches" technical guy who possibly knows more about Active Directory security than most people on the planet. (I also happen to be an innovative American entrepreneur who built possibly the world's most relevant and important cyber security company, from the ground up.)

In fact, Active Directory is at the very foundation of cyber security of 85+% of all government and business organizations world-wide (The Americas, Europe, Asia, etc.) including at the foundation of virtually all of the tech companies whose CEOs recently visited you i.e. Microsoft, Amazon, Alphabet, IBM, Intel, Facebook, Tesla etc., as well as a little cyber company called Palantir.

It is very likely that thousands of business and government organizations in Russia too might be operating on Active Directory.

Sir, in all likelihood, the Trump Organization may also be operating on Active Directory. (Your IT folks could verify that for you.)


Mr. Trump, our cyber intelligence indicates that the foundational Active Directory deployments of most organizations worldwide may currently be exposed to an alarmingly vast attack surface, and thus may possibly be rather easily compromisable today.

The specific cyber security risk that most of them are all likely exposed to today is succinctly described in The Paramount Brief -


Password (case-sensitive): AreWeReallySecure?


If you're short on time, here's a very brief summary -
In every network powered by Active Directory, all administrative accounts i.e. the accounts of the individuals that possess the "Keys to the Kingdom" lie within Active Directory. It is a well known fact that if a perpetrator can compromise ANY one of these accounts, he/she could easily access and control everything. Thus, in every organization, ideally the number of such powerful accounts must be at an absolute bare minimum.
Unfortunately, in most organizations today, not only are there a HUGE number of privileged user accounts in Active Directory, but NO ONE really knows exactly who they are and what power they possess. In other words, most organizations seem to be operating in the proverbial dark, and if breached, could likely be compromised in minutes.
In essence, a huge, unknown number of highly prized privileged accounts in Active Directory constitute a vast attack surface, and the compromise of any one of them would be tantamount to a system-wide compromise.

In our professional opinion, this poses a major cyber security risk globally, especially considering the statistics, i.e. 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account.

From our side, we can certainly (and uniquely) help organizations worldwide precisely identify and reduce their attack surface, as well as empower them to mitigate this serious risk, swiftly and cost-efficiently, but we do need them to understand it first.


I must also mention with due respect to the likes of Peter Thiel, Alex Karp, Ted Schlein & others, I doubt they're familiar with this specific risk or understand the depth of its magnitude, because this is one of those you have to be "deep in the trenches" to get.

Speaking of which, in 2016, we had directly informed the CEOs of most of the world's Top 200 companies (including most of the tech CEOs that came and met you at the Trump Tower), as well as all appropriate officials at most federal and state agencies about this risk to the foundational Active Directory deployments of their organizations; they all received The Paramount Brief.

Our intelligence further indicates that as a result, many of these organizations started to look at the security of their foundational Active Directory deployments for the first time ever. While some may have started bolstering their cyber defenses, sadly, many of these organizations likely continue to remain vulnerable, especially considering how easy it is to compromise them today.

For instance, if an intruder could breach their network (and Microsoft suggests that organizations assume breach), in many cases he/she could just deploy Mimikatz DCSync to instantly 0wn them. (Alex/Peter should be able to explain this to you.)

Fortunately the solutions required to swiftly, effectively and cost-effectively help all impacted organizations mitigate this critical risk exist today (e.g. 1,2). However, we're finding that many organizations do not even seem to know about this risk.

We worry that unless certain basic and fundamental cyber security measures are enacted quickly, many of our government and business organizations, as well as those of our allies worldwide, will likely remain vulnerable to cyber attacks in the near future.

From our side, we're doing what we can to educate and safeguard organizations worldwide, but much more needs to be done, and quickly so. It's in that regard that your intentions give many of us in cyber security, as well as the American people, hope...



Making America Great(er and Safer) Again

In addition to making America greater, we must also make America, and our allies, safer, not only from physical threats but also from cyber threats. In fact, given our HUGE reliance on technology, and considering how easy it is to launch a cyber attack, the cyber threat may pose a far greater threat to our national security and prosperity than physical threats do.

I've read that it is your intention to appoint a team to combat cyber attacks within 90 days of taking office. That (in your parlance) sounds WONDERFUL. I commend you for this initiative. Indeed, it is imperative and in fact paramount that we do everything we can to safeguard and adequately defend our government and business organizations from being taken out by cyber attacks.


If I had to offer some unsolicited advice, I'd suggest that one of the most important measures one could enact is Attack Surface Reduction. Simply put, the smaller one's attack surface is, the better one's chances of being able to adequately defend it.

For instance, it is so much easier to protect a building that only has one entrance than it is to protect one that has 20 entrances, and where only a few security guards have the master keys to the building, than one wherein who knows how many have them.

That's why, considering the statistics i.e. the fact that 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account, reducing the number of users that have privileged access within Active Directory to a bare minimum, then adequately protecting them, must be one of the top priorities for all organizations.

Sir, in short, provably secure (least-privileged access adherent) foundational Active Directory deployments at all our federal government agencies and at all business organizations they rely on, are likely going to be vital to your administration's success.

(As you'll likely agree, this isn't rocket science; it's common sense. If a government agency is compromised (e.g. OPM Breach), assets or initiatives it might be working on could be in jeopardy. Similarly, if a business organization (e.g. a Defense Contractor, a Builder etc.) that the government relies on for its various initiatives is compromised, those initiatives could be in jeopardy.)


Thank you, and Best Wishes

In closing, thank you for your time, congrats on your bigly win and good luck as you get ready to serve the American people.

The American people have entrusted you with the great responsibility of leading our great nation, as well as the might of American power, and they're looking to you to make their lives better and to make America greater and safer again.

In God We Trust, so wish you God Speed in your efforts to fulfill your promises to make America great(er and safer) again.

Most Respectfully,
Sanjay


PS: At Paramount Defenses, because we understand the paramount importance of cyber security to the business and national security interests of the United States and those of our allies, we care deeply about cyber security and we take it very seriously.

January 10, 2017

Who Needs WMDs Today?

Folks,

Today, I would like to share with you another Trillion $ question, one that I had originally asked more than 10 years ago. Today it is exponentially more relevant, given the paramount role that Cyber Security plays in national and business security.

So without further ado, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?


Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.

Why would an entity bother trying to acquire or use a WMD when (if you're really smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which the organizations of the world operate?

Today, all you need is two WDs in the same (pl)ACE and it's Game Over.

Puzzled? Allow me to give you a HINT:

Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute and knowledgeable mind more than a minute to figure it out, given that I’ve actually already provided the answer above.

Some of you will have figured it out. For the others, I'll shed light on the answer soon. Stay tuned...

Best wishes,
Sanjay


PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help, tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root within seconds.)
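An added example, my code rather than anything from the post: a Python decoder for DACL strings like the one quoted above. It splits the SDDL into ACEs, expands the two-letter right codes and SID aliases, and flags any allow ACE that hands WriteDacl, WriteOwner, generic or unrestricted rights to a broad principal (Everyone, Authenticated Users, Domain Users and the like), or a replication extended right to a principal outside the default holders. The replication GUID names and the set of default replication holders are my assumptions from the Active Directory schema, not something the post states.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL right codes used on Active Directory objects.
RIGHTS = {"RP": "ReadProperty", "WP": "WriteProperty", "CR": "ControlAccess",
          "CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "Self",
          "LO": "ListObject", "DT": "DeleteTree", "RC": "ReadControl", "WD": "WriteDacl",
          "WO": "WriteOwner", "SD": "Delete", "GA": "GenericAll", "GR": "GenericRead",
          "GW": "GenericWrite", "GX": "GenericExecute"}
# Well-known SID aliases as SDDL abbreviates them.
TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BA": "Builtin Administrators",
            "DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "Local System",
            "ED": "Enterprise Domain Controllers", "RU": "Pre-Windows 2000 Compatible Access",
            "BU": "Builtin Users", "DU": "Domain Users", "AN": "Anonymous"}
# Extended rights that govern replication (rightsGuid values assumed from the AD schema).
REPL_RIGHTS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
               "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
               "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
               "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All"}
BROAD = {"WD", "AU", "BU", "DU", "AN"}                 # "nearly every account" principals
EXPECTED_REPLICATORS = {"ED", "BA", "DA", "EA", "SY"}  # assumed default holders on a domain root
TAKEOVER = {"WD", "WO", "GA", "GW"}                    # rights that let the holder rewrite the ACL

ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str      # A/OA allow, D/OD deny, AU/OU audit
    flags: str         # e.g. CI container-inherit, IO inherit-only, ID inherited
    rights: tuple      # decoded two-letter codes
    object_guid: str   # OA/OD: property, property set or extended right
    inherit_guid: str  # OA/OD: object class the ACE applies to
    trustee: str       # SID alias or literal S-1-... SID
    raw: str


def parse_dacl(sddl: str) -> list:
    """Split an SDDL DACL string into ACEs; hex masks and unknown codes are rejected."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {m.group(0)}")
        ace_type, flags, rights, obj, inh, sid = fields
        if rights.startswith("0x") or len(rights) % 2:
            raise ValueError(f"unsupported access mask in {m.group(0)}")
        codes = tuple(rights[i:i + 2] for i in range(0, len(rights), 2))
        if any(c not in RIGHTS for c in codes):
            raise ValueError(f"unknown right code in {m.group(0)}")
        aces.append(Ace(ace_type, flags, codes, obj.lower(), inh.lower(), sid, m.group(0)))
    return aces


def risky_aces(aces: list) -> list:
    """Allow ACEs that give control of the object (or of replication) to the wrong principals."""
    findings = []
    for a in aces:
        if a.ace_type not in ("A", "OA"):
            continue                                  # deny and audit ACEs are not grants
        reasons = [RIGHTS[c] for c in a.rights if c in TAKEOVER]
        if "WP" in a.rights and not a.object_guid:
            reasons.append("WriteProperty (all attributes)")
        if "CR" in a.rights and not a.object_guid:
            reasons.append("ControlAccess (all extended rights)")
        repl = REPL_RIGHTS.get(a.object_guid) if "CR" in a.rights else None
        broad_grant = a.trustee in BROAD and (reasons or repl)
        stray_replicator = repl and a.trustee not in EXPECTED_REPLICATORS
        if not (broad_grant or stray_replicator):
            continue
        if repl:
            reasons.append(repl)
        findings.append({"trustee": TRUSTEES.get(a.trustee, a.trustee), "reasons": reasons,
                         "inherits": "CI" in a.flags, "ace": a.raw})
    return findings


# The DACL string quoted in the post, reproduced verbatim.
PAGE_SDDL = (
    "(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)"
    "(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)"
    "(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)"
    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(A;CI;RPWDLCLO;;;WD)"
    "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)"
    "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
)

if __name__ == "__main__":
    for f in risky_aces(parse_dacl(PAGE_SDDL)):
        scope = " (container-inherit: propagates to every child container)" if f["inherits"] else ""
        print(f"{f['trustee']}: {', '.join(f['reasons'])}{scope}\n  {f['ace']}")
```

Run against the string in the post, the decoder reports exactly one ACE; the same check is worth running over the exported DACLs of the domain root, AdminSDHolder and the Domain Controllers OU.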

PS2: If this intrigues you, you may want to check out - Defending Active Directory Against CyberAttacks

PS3: On a more serious note, WMDs are possibly the most horrific creation of humans. Only those who have no respect or regard for the most precious thing in the world, life, would even think about acquiring or using them. If in 2 millennia of history, humans haven't learnt this, and don't understand that all 7,000,000,000 of us on this precious planet we call home should strive to peacefully co-exist, then I'm afraid humans haven't learnt much. As such, given the rate at which mankind is exploiting this unique, beautiful and precious planet we call home, it may likely not last another millennium or even a few hundred years. We ALL owe it to our planet to take utmost care of it.

October 21, 2016

Defending Active Directory Against CyberAttacks

Folks,

One week ago I had announced that I will be respectfully taking Microsoft to Active Directory Security School. I had also posed a Trillion $ question to Microsoft. As promised, today, in this post, I will do so. Sometimes less is more, so today I'll keep it short.

It is my privilege to share with you a presentation on Active Directory Security that I built for Microsoft and the world -

Defending Active Directory Against Active Directory Attacks


Here is a snapshot of a few sections from this 90+ slide deck -

Active Directory Security Presentation


I suggest that Microsoft and organizations worldwide, go through this deck, and absorb it like a sponge absorbs water, because in this deck lies the key to organizational cyber security worldwide and the answer to the Trillion $ question I posed to Microsoft.


If you find yourself wondering "What's the big deal?", please go through the entire deck, then consider the following:

Here are the top 3 sources of guidance from Microsoft on the paramount subject of Active Directory Security -
1. Microsoft's original 100+ page official Best Practice Guide for Securing Active Directory (Part I) and Part II
2. Microsoft's latest official Best Practices for Securing Active Directory guidance, introduced by Microsoft's CISO
3. Microsoft's latest 5+ hour series of 12+ videos on Defending Active Directory Against Cyber Attacks

If you can find even one mention of the Trillion $ phrase "Effective Permissions" in any of the above, let me know.


We've found that due to a complete decade+ lack of guidance from Microsoft on the most important technical aspect of Active Directory Security, i.e. "Effective Permissions", 99% of the 1000s of IT personnel (Domain Admins, IT Auditors, IT Managers, CISOs etc.) from 1000s of organizations that have knocked at our doors do not even know what "Effective Permissions" are!


I'll let the $ 500 Billion Microsoft, and organizations worldwide, reflect on and absorb a) this fact, b) these questions and c) this deck, for a week, then continue sharing thoughts starting Nov 01, both on this blog and at - www.paramountdefenses.com/blog/.

Best wishes,
Sanjay

October 17, 2016

A Simple Trillion $ Cyber Security Question for Microsoft (MSFT) regarding Defending Active Directory Against Cyberattacks

Folks,

Ask any good security practitioner or hacker and they'll tell you that security is in the details, so this is a slightly detailed post. This blog post is also worth a proverbial Trillion $, so if you're into cyber security, you'll want to read it in its entirety.

First things first - As I indicated last week, sometime this week, I will be respectfully and publicly taking Microsoft to Active Directory Security School. This post is not the one that takes them to school; this post is merely a curtain raiser and sets the stage for that post. That post will be titled "Defending Active Directory Against Cyberattacks", and it will be sometime this week.

Today I respectfully pose a simple trillion $ cyber security question to Microsoft regarding the contents of the following video that Microsoft released in May 2016 -  



(Please click the Play button to view the video. If it does not play, you can see it on Microsoft's website here.)


First, the context -
  • In May 2016, i.e. within 2 months of this, and for the first time in the 16 years that Active Directory has been around, Microsoft developed and released a 7-part series of 12 videos titled "Defending Active Directory against Cyberattacks". The entire series can be found here. They even made a promo for it, which can be found here.

Next, the summary of the video above titled "Defending the Directory", quoted verbatim -
  • "Do you know who your admins are? Learn why maintaining solid access control to sensitive directory objects is important for mitigating stealthy means of persistence and escalation of privilege."

Then, a few quick thoughts -
  • I'd like to publicly commend Microsoft for producing this video series on Active Directory Security. It was high time that Microsoft voiced and stressed the importance and urgency of defending Active Directory deployments.
  • I strongly encourage IT personnel at all organizations to watch the above video. It is a 29 minute video, but it's worth your time, because it concerns a lesser known but highly potent attack vector that most organizations are likely not aware of, and wherein the attack surface is the size of the Atlantic ocean, and one that could easily grant an intruder or an insider complete command and control of the organization's foundational Active Directory in minutes.

Finally, before I pose the question, for those who may not have the time to view it, some important quotes from this video -
  1. "The first thing I want to discuss is admins that are a little bit less obvious, or you don't realize they're admins" 
  2. "Lots of customers I work with are laser focused on Domain Admins, Enterprise Admins, Builtin Admins and Schema Admins, and they think that if I know who is a member in any one of those groups, I know who my admins are, which isn't always necessarily the case, because with the way that Active Directory works, you can delegate access to different objects through access control lists"
  3. "If I had permissions to say link a GPO to the Domain Controllers OU, then I could use that to go from what appears to be an unprivileged account to having full control over Active Directory"
  4. "I am able to do this (i.e. use Mimikatz DCSync to replicate everyone's hashes from Active Directory) using a plain domain user account because this account has been delegated some rights at the Domain level"
  5. "A lot of organizations have been using Active Directory since it was released back in 2000, and then they went to 2003 and then 2008 and now they're on 2012, and over that time period they've probably had a lot of turnover in the organization, so the guy that setup AD 10 years ago isn't with the company anymore, and the guy that's doing this now is inheriting a mess potentially from several previous administrators, and people could have delegated this for what they thought was a legitimate reason, and it leaves another attack vector that is less obvious."
  6. "Absolutely everything inside of Active Directory is an object, protected by ACLs and these things (ACLs) can be manipulated in a great number of ways depending on what permissions you have there"
  7. "You can be an admin through (deeply) nested groups. I have seen that quite a bit. It can get pretty messy. That is why you want to keep a clean directory."
  8. "Contest your delegates. Challenge them. Go and find out who has been delegated what privileges"
  9. "Somebody, either possibly legitimately, or illegitimately, was granted rights that gave them a lot of power. They could grab the hash of any account, and become that account, simply by having been delegated the Get Replication Changes All rights on that object"
  10. "If I have write member permissions on a group, I can add myself to this group, and since this group via group nesting is a member of the Domain Admins group, I could easily and instantly escalate my privilege to that of a Domain Admin"
  11. "So effectively that is a means of escalation!"
  12. "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" (See corrections below.)
  13. "We're getting pretty deep into the inner workings of Active Directory, but based on what you showed us in the demo, it's super important. It is, it is VERY IMPORTANT because these are all different ways that I could use to escalate privilege, and they're not obvious because it's controlled by the access control lists (ACLs)!"
  14. "We are working to identify which ACLs in Active Directory can lead to command and control of Active Directory"


Oh, and a few relevant (i.e. not all) corrections -
  • "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" is technically incorrect. It should have been "If a group or account has been granted RESET password on an account, and that account is privileged, I can RESET the password on that account, and now I own it!" It is incorrect because in order to change a user's password, you need to know his/her existing password. Details here or here.
  • "You can use the Get-ACL cmdlet in PowerShell with Active Directory and you can view who has the rights on the object that I am looking at, what rights they have." Who has what rights/permissions granted in the ACL of an Active Directory object is NOT the same as who actually has what rights in Active Directory! There's a world of a difference.
  • "If I have that permission, I can link that GPO" should be "If I effectively have that permission, then I can link that GPO." Having the permission listed in the ACL is by no means sufficient. Similarly, simply viewing the ACL to see who has Get Replication Changes All is neither sufficient nor the accurate way to find out who can actually replicate secrets from Active Directory. (You need to know who effectively has that permission granted.) More on that later this week.
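An added example (my code, not Microsoft's and not from the post) that makes the listed-versus-effective distinction in the corrections above concrete: a small model of the Windows access check, with transitive group expansion, deny precedence, inherited ACEs and the owner's implicit ReadControl/WriteDacl, run over a constructed group object whose ACL names only "HelpDesk" for member writes. The user names, group nesting and DACL are constructed for the example and model a real directory only in shape.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group name (stands in for a SID)
    kind: str             # "allow" or "deny"
    rights: frozenset     # e.g. {"WriteProperty:member", "WriteDacl"}
    inherited: bool = False


@dataclass
class ADObject:
    name: str
    owner: str
    dacl: list            # ACEs as stored on the object


# Constructed membership graph: principal -> groups it belongs to directly.
MEMBER_OF = {
    "bob": {"Tier2Support"},
    "Tier2Support": {"HelpDesk"},
    "alice": {"HelpDesk", "Contractors"},
    "carol": set(),
}
IMPLICIT = {"Everyone", "Authenticated Users"}   # present in every logon token


def token_groups(principal: str) -> set:
    """Transitive group expansion, as a logon token would contain it."""
    seen, stack = {principal} | IMPLICIT, [principal]
    while stack:
        p = stack.pop()
        for g in MEMBER_OF.get(p, ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen


def canonical(dacl: list) -> list:
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    Windows walks the DACL as stored; the ACL editors write it in this order."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def effective_rights(obj: ADObject, principal: str) -> frozenset:
    """MAXIMUM_ALLOWED-style walk: a deny met first blocks a right, an allow met first keeps it."""
    token = token_groups(principal)
    granted, denied = set(), set()
    if obj.owner in token:                        # the owner implicitly holds RC and WD
        granted |= {"ReadControl", "WriteDacl"}
    for ace in canonical(obj.dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            denied |= ace.rights - granted
        else:
            granted |= ace.rights - denied
    return frozenset(granted)


def listed_holders(obj: ADObject, right: str) -> set:
    """What a plain ACL viewer (Get-ACL and friends) shows: trustees named in allow ACEs."""
    return {a.trustee for a in obj.dacl if a.kind == "allow" and right in a.rights}


def effective_holders(obj: ADObject, right: str, principals) -> set:
    """Who can actually exercise the right once nesting, denies and ownership are applied."""
    return {p for p in principals if right in effective_rights(obj, p)}


# Constructed sample: a group object whose DACL names only HelpDesk for member writes.
TIER0_GROUP = ADObject(
    name="CN=Tier0-Ops,OU=Groups,DC=example,DC=local",
    owner="carol",
    dacl=[
        Ace("Contractors", "deny", frozenset({"WriteProperty:member"})),
        Ace("HelpDesk", "allow", frozenset({"WriteProperty:member", "ReadProperty"})),
        Ace("Authenticated Users", "allow", frozenset({"ReadProperty", "ReadControl"}), inherited=True),
    ],
)
USERS = ["bob", "alice", "carol"]

if __name__ == "__main__":
    print("listed for WriteProperty:member   :", listed_holders(TIER0_GROUP, "WriteProperty:member"))
    print("effective WriteProperty:member    :", effective_holders(TIER0_GROUP, "WriteProperty:member", USERS))
    print("effective WriteDacl (owner, unlisted):", effective_holders(TIER0_GROUP, "WriteDacl", USERS))
```

The ACL names HelpDesk; the people who can actually add a member are bob (through nesting) but not alice (denied through another group), and carol, who appears nowhere in the ACL, can rewrite it outright as owner.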


The Trillion $ Question

Finally, the Trillion $ Question is -

  • The Context

    Microsoft, it's 2016 and you're (only) a $500 Billion company today because virtually the entire world is your customer. Today, across your global organizational customer base, from the Fortune 1000 to entire federal, state and local governments, there exist billions of Active Directory security permissions (aka access privileges) protecting hundreds of millions of Active Directory objects across thousands of Active Directory deployments worldwide.

    It's 2016, and so it is 16 years after Active Directory shipped (and, interestingly coincidentally, just 2 months after we, Paramount Defenses, declassified the Paramount Brief) that you're just now and finally stressing the paramount importance of Active Directory Security to your customers, and you finally and rightly tell the world (and I quote from the video above titled "Defending the Directory") - "Go and find out who has been delegated what privileges" because "everything in Active Directory is an object" "protected by access control lists" and "this is very, very important" BUT when you do so, you completely forget to tell them the one most important technical fact about how to correctly assess who has actually been delegated what privileges in Active Directory, i.e. the one technical fact that governs the actual resulting access and delegations in Active Directory.

    This, even though it was right in front of the presenter's eyes during one of the methods demonstrated in the video!

    (By the way, in the video, the methods demonstrated by the presenter on how to assess these rights/permissions and delegations are substantially inadequate and incorrect. However, the presenter is not to blame because he is merely presenting what has consistently been (inaccurate) official guidance from Microsoft in its whitepapers etc.)


    The Question

     In light of the context above, my simple question to you is - Can you please tell the world WHAT is the one cardinal (paramount) technical fact that governs the determination of who can actually do what in Active Directory?

    By the way, HOW in the world could you have forgotten to cover it, when you know that in all likelihood, millions of IT folks from 1000s of organizations across 150+ countries worldwide are going to view these videos and based on the guidance presented, enact measures to enhance the foundational cyber security of their organizations?!


Make no mistake about it. In the answer to this question lies the key to organizational cyber security globally. It's that simple.

Here's why - If organizations do not swiftly and correctly identify and eliminate the ocean of unauthorized access privileges that exists in their Active Directory deployments today, it is only a matter of time before intruders or insiders exploit this ocean of vulnerabilities to obtain complete command and control over foundational Active Directory deployments worldwide.

Oh, and, by the way, no cyber security company on the planet (neither the McAfees nor the CyberArks of the world, neither the FireEyes nor the CrowdStrikes of the world, neither the Centrifys nor the BeyondTrusts of the world) seems to have a clue as to the answer, or for that matter seems to know how to help organizations correctly identify the ocean of unauthorized access privileges that exist in 1000s of Active Directory deployments worldwide, just waiting to be found and exploited.



Substantiating the Trillion $

In case you're wondering why I say it's a Trillion $ cyber security question, that's because if you were to add up the market cap of the 20,000+ organizations across 150+ countries, not to mention or include the 1000s of local, state and federal/national governments at whose very foundation lies Microsoft Active Directory, you'll find the sum will handily be in the trillions of $.

Also, in case you find yourself wondering as to how this 1 simple question could possibly impact organizational cyber security globally, for now just consider the colossal impact of even a single (i.e. just one) successful execution of mimikatz DCSync in an organization's network, i.e. the colossal damage a proficient adversary could subsequently, swiftly inflict - it'd be Game Over.

Oh, and by the way, mimikatz DCSync is just the Tip of the Iceberg. (More (i.e. an ocean to be precise) on that later this week.)



Looking Forward to an Answer

So, to my incredibly talented, hard-working and respected colleagues and friends at Microsoft, I (and the world) look forward to your answer. Also, in case you don't really like that this question is being asked publicly, my sincerest apologies. It is 2016 after all, not 2006, and as you too likely know 100% of all major recent cyber security breaches (e.g. Snowden (at NSA), Target, JP Morgan, Sony, Anthem, OPM) have involved the compromise and misuse of just one Active Directory privileged user account.

If for any reason, you can't answer this question, no worries, I'll answer it for you, later this week, right here on this blog.

Best wishes,
Sanjay


PS: This blog is read by 1000s of prominent folks (CEOs, CIOs, CISOs, IT Directors, Domain Admins, Security Analysts and Pen Testers at Fortune 100 and 1000 companies, institutional and individual shareholders, cyber security personnel and leadership at 3-letter government agencies worldwide, nation states (e.g. UK, the EU, Australia, Russia, China etc.) and it being a public blog, unfortunately even folks on the dark side) from 150+ countries worldwide. In other words, everyone's tuned in.


PS2: July 25, 2017 Update. I just answered this question for Microsoft. The answer to this Trillion $ question is right HERE.

July 26, 2016

The Importance of Active Directory Security: It Impacts Global Security

Folks,

Today, as the very foundation of identity, security and access management at 90% of business and government organizations worldwide, Microsoft Active Directory is the very foundation of cyber security worldwide. Today, it helps protect Trillions.


To understand how this relates to all of us, perhaps it may help to internalize that at the very foundation of cyber security of virtually every organization that directly impacts billions of people worldwide, from our employers to our financial institutions, from the companies we invest in to our governments, from our educational institutions to our hospitals, from companies that build and sell all that the world needs to companies that provide the world's utilities (energy, transportation, security etc.) lies Microsoft Active Directory.

The security of Active Directory deployments worldwide is thus critical to global security and a matter of paramount defenses.

Unfortunately, the executive and IT leadership of most organizations do not seem to clearly understand this profound fact yet, so a few weeks ago we directly brought this fact to the attention of the executive leaders of the world's Top-100 companies. In weeks to follow, we learnt just how little organizations worldwide know about the top cyber security risks to Active Directory.

It appears that in part, at the root of global lack of gravitas on this most important subject, and the lack of adequate awareness, guidance and solutions on/for Active Directory security, may lie the lack of gravitas of one particular organization, so, starting tomorrow, July 27, 2016, and in days to follow, we will ask a few questions and share a few insights right here on this blog.

Best wishes,
Sanjay

PS: I'll ask a $100B question tomorrow. Technically, given the above, it could be a Trillion $ question, but we'll leave it at 100B.

March 1, 2016

The Paramount Brief - Declassified and Substantiated


Folks,

Earlier today, at Paramount Defenses we declassified The Paramount Brief.



All along, the password to the brief has been: AreWeReallySecure? (A question organizations need to ask themselves.)

To some the brief may appear to be a fairly simple document. Its simplicity is intentional, because it was primarily written for a non-technical audience, i.e. C-Level Executives worldwide who lead the world's top business and government organizations.

It was written for C-Level executives because we found that in most organizations, not only is there a substantial lack of understanding regarding the importance of protecting their foundational Active Directory, but also there is no accountability chain, and almost no one at the top realizes the consequences that an Active Directory Security breach could have on business.

The risk described in the brief is, in our opinion, the world's #1 cyber security risk, because it provides possibly the easiest avenue for professional perpetrators to start at a single, easily compromisable, domain-joined organizational machine or account and gain all-powerful privileged access (the "Keys to the Kingdom") in minutes, by enacting just a few simple tasks.

It is also imperative to understand that none of 1) multi-factor authentication, 2) auditing, or 3) user-activity/network logging/profiling can prevent a proficient perpetrator from being successful. (Details available upon request.)

Today, I'll share just a few high-level technical details involved. The low-level technical details can be boring, so I'll save them for another day, or you can have your best IT folks try and explain them to you.




Active Directory - The Core of Privileged Access

Unless you live on another planet, you know that Active Directory is the core of privileged access in Microsoft Windows Server based IT infrastructures (and that's over 85% of the world) because all privileged power resides in Active Directory.


In fact, Active Directory is not just the core of privileged access, it is the very foundation of cyber security worldwide, because the IT infrastructures of most business and government organizations are powered by Microsoft Active Directory, and in these IT infrastructures, the entirety of the organization's user accounts, computer accounts and security groups are stored, protected and managed in the organization's Active Directory.

By the way, Active Directory is not only foundational to Microsoft's native authentication protocol in Windows, Kerberos (without which no one can logon to engage in any secure network activity in a Microsoft Windows Server based network), it is also foundational to Microsoft's entire cloud computing platform, Microsoft Azure.





An Ocean of Active Directory Permissions

Within Active Directory, each of these foundational building blocks of cyber security, i.e. domain user and computer accounts, security groups, etc., is stored as an Active Directory object, and each is protected by an access control list (ACL) that specifies the security permissions (e.g. Create Child, Reset Password etc.) granted (allowed/denied) to a security principal (user, group, well-known SID etc.) on the object.


In most Active Directory deployments, there exist thousands of objects (accounts, groups, OUs etc.), each one of which needs to be securely managed. Since it is not feasible for a small number of individuals to manage such a large number of accounts and groups, Active Directory provides a valuable capability called delegation of administration, which enables organizations to delegate various aspects of identity and access management amongst their IT teams based on the principle of least privilege.

This administrative delegation capability leverages Active Directory's security model, and in essence, for each administrative delegation made in Active Directory, corresponding security permissions are specified in the ACLs of all objects that fall in the scope of the administrative delegation, for the security principals (users, groups etc.) to whom the tasks are being delegated.

In addition, IT personnel also often specify access directly/manually in the ACLs of Active Directory objects to directly delegate administrative tasks or provision access to fulfill specific business requirements.


Consequently, today, in thousands of organizations worldwide, it is these very Active Directory security permissions that protect all privileged user accounts and group memberships, and in fact all Active Directory content, and that ultimately control/govern who has what privileged access across the network.

In fact, in most Active Directory deployments, since IT personnel have been delegating administration and provisioning access in the Active Directory for years now, there exist hundreds of thousands, if not millions of Active Directory security permissions that are collectively protecting the organization's foundational building blocks of cyber security.


In essence, underlying the foundational cyber security of most organizations worldwide, is an ocean of Active Directory security permissions collectively protecting the very building blocks of cyber security in their Active Directory.





How Secure are our Building Blocks of Security in Active Directory?

If the very foundational building blocks of cyber security are what help an organization facilitate secure access to the entirety of its IT assets, it is worth asking the question as to how secure these very building blocks themselves are within the Active Directory.



For instance, since all of the most powerful administrative security groups in a Microsoft Windows Server IT infrastructure (e.g. Enterprise Admins, Domain Admins, Builtin Admins, etc.) are stored in Active Directory, it's worth asking the question - Exactly how many individuals today have sufficient access to be able to change/control/manage the membership of these groups?

After all, if an unauthorized individual could control the membership of any one of these powerful privileged access groups, he could instantly elevate himself or anyone of his choice to be an all-powerful admin and obtain the "Keys to the Kingdom".

Similarly, for each privileged access user that is a member of these powerful privileged groups, it's worth asking the question - Exactly how many individuals can reset the password of the domain user account of these privileged access users?

After all, if a single unauthorized individual could reset the password of even one of these privileged accounts, he/she could instantly become a privileged user and obtain the "Keys to the Kingdom". Similarly, if Smart Cards are in use, it's absolutely worth knowing, at all times, exactly how many individuals can disable the use of Smart Cards on Active Directory accounts.

In fact, the same questions must be asked for all Executive accounts, such as that of the CEO, CIO, CISO, CFO etc. Actually they hold true for all accounts, such as that of a Software Engineer that might have access to the source-code of an operating system at a major software company, or a financial analyst who might have access to confidential financial data, so ideally organizations must know exactly who can reset the password of / disable the Smart Card of every employee in the organization.

By the same token, isn't it worth asking the question as to exactly how many people can change the membership of any domain security group that is being used to control access to a small or large set of IT resources across the network? After all, the easiest way to gain access to a large number of IT resources across the network is simply to add your account to a security group that already has access to these IT resources. That way, you don't even have to try to compromise a server; you'll automatically be granted access to all IT assets across the network to which that group is granted access!

In summary, organizations have a mission-critical need to know, at all times, exactly who can control the very foundational building blocks of their cyber security, because without this knowledge, they are operating in the (dangerous) proverbial dark.




100%

In case you're wondering how relevant this might be to cyber security today, allow me to share a simple fact with you - 100% of all major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of a single Active Directory privileged access user account.


As evidenced by these breaches, today Active Directory privileged user accounts are the #1 target for malicious perpetrators.

Thus far, perpetrators have been using difficult ways to compromise Active Directory accounts. I'm referring to passing hashes, reusing tickets etc. Unfortunately, there are far easier ways to compromise Active Directory privileged user accounts today.

For instance, all you need to do is to find out who can reset a privileged user's password, iterate that process a few times, and find a single vulnerable starting point, which once compromised, will allow you to escalate your privilege to that privileged user within seconds, without having to go through such archaic and painful ways (i.e. pass-the-hash etc.)

For that matter, simply determine who controls the membership of a privileged user group, then find out who can reset their password, and iterate the process a couple of times, and you'll likely find that some local IT admin whose account or computer is insufficiently protected is in that chain. That's your starting point. Once you've got his account, the rest takes a few seconds.

The astute mind will get the drift.





But we use Smart Cards!

Organizations that have Smart Cards or other multi-factor authentication measures in place may be operating under a false sense of security by assuming that since they have multi-factor authentication in place, they're immune from password reset based attack vectors. (Besides there's much more to this than mere password resets.)

For such organizations, it might help to know that the weakest link in the use of smart cards (or other multi-factor authentication measures) is that anyone who has administrative control over the smart-card protected account can, with a single mouse-click, uncheck the "Smart card is required for interactive logon" setting on the account.



As soon as that happens, authentication on the account will fall back to being password based, and one can set any password of choice on the account and log in with it. So at the very least, it's worth knowing at all times - Exactly how many individuals have Modify Permissions or Write-Property to the relevant attribute on smart-card enabled accounts?

The astute mind will note that in addition to the above, you'll also want to know exactly who has Modify Permissions on a Smart Card enabled account, because anyone who has that permission can grant him/herself any permission on the account, including the permission required to uncheck the "Smart card is required for interactive logon" setting.




Cyber Security 101

Folks, this is Cyber Security 101. After all, if cyber security is fundamentally about ensuring that all access to an organization's digital assets is authenticated and authorized based on the principle of least-privilege, how can an organization accomplish that without knowing exactly who effectively has what access on the very foundational building blocks of cyber security that enable it to provision and maintain least-privileged access across its IT infrastructure?


Today, at the very least, all organizations must have answers to the following basic questions -
  1. How many individuals possess unrestricted privileged access in Active Directory?
  2. How many individuals possess restricted (delegated) privileged access in Active Directory?
  3. Exactly who can manage the accounts of these unrestricted and restricted privileged access users?
  4. Exactly who can reset the passwords of these unrestricted and restricted privileged access users?
  5. Exactly who can change the membership of our privileged security groups in Active Directory?
  6. Exactly who can control security permissions on privileged accounts, groups and OUs in Active Directory?
(The astute mind will observe that one should at the very least also know exactly who can modify the Trusted for Unconstrained Delegation bit on domain computer accounts, because if you can do that, then ...   (... I'll let you complete the sentence.))

After all, if we don't even know who possesses and controls privileged access in our foundational Active Directory environments, i.e. who possesses and controls the Keys to the Kingdom, what's the point of deploying a plethora of cyber security measures?

Ideally, at a minimum, the same questions should be answered for all executive accounts (CEO, CFO, CIO, CISO, Board Members, VPs etc.) and groups, as well as all high-value accounts, groups and IT assets stored in the Active Directory.

Speaking of which, shouldn't organizations know exactly who can create user accounts and security groups in their Active Directory, or for that matter, join machines to the domain, and of course who can delete domain user and computer accounts, security groups and OUs?

(The astute mind will observe that in fact there is a lot more that all organizations must know about at all times, such as, for instance, something as simple as who can change the logon hours of domain user accounts, because if just ONE perpetrator (e.g. a disgruntled insider) who had sufficient effective access to be able to do so were to write a simple script to change the logon hours of all domain user accounts, you could easily have a situation wherein, come Monday morning at 9:00 am, no one would be able to log on, and of course if no one can log on, business comes to a proverbial halt!)




So, how do we answer these fundamental yet important cyber-security questions?

As mentioned above, today, in most organizations worldwide, the entirety of an organization's foundational cyber security building blocks are being collectively protected by hundreds of thousands (and in most cases, millions) of Active Directory security permissions specified in Active Directory ACLs.


How is an organization to determine exactly who has what level of privileged access across these hundreds of thousands (or millions) of security permissions spanning thousands of their Active Directory objects?

Those who know very little about Active Directory Security will tell you that's easy. They'll suggest doing a simple ACL dump and then looking at what permissions are granted to which users/groups. In fact, I wouldn't be surprised if most IT personnel at most organizations will suggest this route. (One could of course follow that suggestion, but then one would end up with substantially inaccurate data, reliance upon which could be very dangerous, to say the least.)

You see, unfortunately, it's not that easy. In fact, it's difficult, very difficult.

Here's why...




Active Directory Effective Permissions/Access

For the sake of simplicity, consider the security permissions specified in the ACL of a single Active Directory object.


Each of these Active Directory security permissions allows or denies some user or group some access. However, they do not individually determine access, because, as you may know, permissions can be allowed or denied, and be explicit or inherited, so in fact it is the complete set of all security permissions specified in the ACL of an Active Directory object, considered as a whole, in light of the governing precedence orders (e.g. explicitly specified permissions override inherited permissions, but not always; denies override allows, but not always; etc.) that ultimately determines the true, i.e. actual or effective, permissions/access granted on the object.

In other words, it is the effective permissions on an Active Directory object that matter and that govern who really has what access on an Active Directory object. This one fundamental fact of Active Directory security potentially impacts global security today, yet very few folks understand it.



Any individual or organization that is relying on a simple enumeration/analysis of who has what permissions, as opposed to who has what effective permissions, is doing it completely wrong, and operating on dangerously inaccurate data.
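To make the difference between an ACL dump and effective permissions concrete, here is an added example (not code from this post or from Paramount Defenses' tooling): a small Python model that evaluates one object's DACL in Windows canonical order, with nested group expansion, for two of the rights discussed above, Reset Password and write access to the attribute that carries the smart-card requirement, and then folds in Modify Permissions (WriteDacl) holders, since they can grant themselves anything. All users, groups and ACEs are constructed; real ACEs also carry object-type GUIDs, inheritance flags and depth ordering, which this model leaves out.

```python
"""Effective permissions on one Active Directory object (added toy model).

Each ACE names a trustee (user or group), a right, Allow/Deny and
explicit/inherited. Group membership is expanded transitively and the
DACL is read in Windows canonical order: explicit deny, explicit allow,
inherited deny, inherited allow. The first ACE matching the right and one
of the caller's identities decides; no match means implicit deny.
Names stand in for SIDs and inheritance depth is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

RESET_PASSWORD = "ResetPassword"                 # "Reset Password" control right
WRITE_UAC = "WriteProperty:userAccountControl"   # attribute carrying the smart-card flag
WRITE_DACL = "WriteDacl"                         # "Modify Permissions" in the GUI


@dataclass(frozen=True)
class Ace:
    trustee: str
    right: str
    allow: bool      # True = Allow ACE, False = Deny ACE
    inherited: bool  # True = inherited from a parent OU, False = explicit

# Constructed sample directory (not real accounts): group -> direct members.
GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"alice"},
    "Helpdesk": {"bob", "Tier1"},   # nested group
    "Tier1": {"carol", "dave"},
    "Contractors": {"dave"},
    "ServerOps": {"frank"},
}
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]

# Constructed DACL of one privileged account (say the CFO's user object).
CFO_ACL: List[Ace] = [
    Ace("Helpdesk", RESET_PASSWORD, allow=True, inherited=True),        # OU-level delegation
    Ace("carol", RESET_PASSWORD, allow=False, inherited=True),          # inherited deny
    Ace("Contractors", RESET_PASSWORD, allow=False, inherited=False),   # explicit deny
    Ace("Domain Admins", RESET_PASSWORD, allow=False, inherited=True),  # inherited deny ...
    Ace("alice", RESET_PASSWORD, allow=True, inherited=False),          # ... beaten by explicit allow
    Ace("bob", RESET_PASSWORD, allow=True, inherited=False),
    Ace("Tier1", WRITE_UAC, allow=True, inherited=True),                # can clear "smart card required"
    Ace("ServerOps", WRITE_DACL, allow=True, inherited=True),           # can rewrite the ACL itself
]


def identities(principal: str, groups: Dict[str, Set[str]] = GROUPS) -> Set[str]:
    """The principal plus every group it belongs to, following nesting."""
    ids = {principal}
    grew = True
    while grew:
        grew = False
        for group, members in groups.items():
            if group not in ids and members & ids:
                ids.add(group)
                grew = True
    return ids


def effective(user: str, right: str, acl: List[Ace]) -> bool:
    """True if `user` effectively holds `right` after canonical-order evaluation."""
    ids = identities(user)
    # (inherited, allow) sorts explicit before inherited and, within each, deny before allow.
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.right == right and ace.trustee in ids:
            return ace.allow
    return False


def naive_view(right: str, acl: List[Ace]) -> Set[str]:
    """The 'ACL dump' answer: everyone named in an Allow ACE, groups flattened to users."""
    trustees = {a.trustee for a in acl if a.right == right and a.allow}
    return {u for u in USERS if identities(u) & trustees}


def effective_view(right: str, acl: List[Ace]) -> Set[str]:
    """Who really holds `right` once denies and precedence are applied."""
    return {u for u in USERS if effective(u, right, acl)}


def who_can_control(right: str, acl: List[Ace]) -> Set[str]:
    """Effective holders of `right`, plus anyone who could grant it to themselves via WriteDacl."""
    return effective_view(right, acl) | effective_view(WRITE_DACL, acl)


if __name__ == "__main__":
    for right in (RESET_PASSWORD, WRITE_UAC):
        print(f"{right}: ACL dump -> {sorted(naive_view(right, CFO_ACL))}; "
              f"effective -> {sorted(effective_view(right, CFO_ACL))}; "
              f"effective control -> {sorted(who_can_control(right, CFO_ACL))}")
```

For Reset Password the dump names alice, bob, carol and dave, while the effective holders are only alice and bob, and frank, who appears in no Reset Password ACE at all, controls the account through WriteDacl.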


In fact, Effective Permissions are so important that Microsoft's native tooling has an entire tab dedicated to them -


Unfortunately, Microsoft's Effective Permissions Tab has three major deficiencies which almost render it practically useless.

The first is that it may not always take all factors involved in the accurate determination of effective permissions into account.

(I'm not about to publicly mention the inaccuracies of the native Effective Permissions calculator in Active Directory, because the last time I mentioned one publicly, Microsoft picked up on it, and fixed it. (That one had to do with determining and displaying who can modify back-links in Active Directory. Strictly speaking, no one can modify back-links, because they are constructed / read-only. However, prior to my having mentioned that publicly, the Effective Permissions Tab/calculator would happily (and errantly) display a list of individuals who could modify back-links.))

The second and major one is that (as seen in the picture above) it can at best compute an approximation of the effective permissions for a specific user that you have to specify. The astute mind will note that this very quickly renders it almost unusable, because if you had 10,000 domain user accounts in your Active Directory, you would have to enter the identity of each one of these 10,000 users, ONE by ONE, and then make a note of their effective permissions to ultimately and hopefully arrive at the list of all individuals that may have a specific effective permission granted on a given Active Directory object.


I don't know about you, but if my manager asked me to sit in front of a computer, and enter 10,000 names one after the other, then make a note of all the effective permissions granted to each user, (you know, a process that could take weeks), I would probably find more suitable employment elsewhere.


The third one and the biggest one is that Microsoft's native Effective Permissions Tab can at best determine effective permissions for a single user on a single object. In other words, if an organization had thousands of objects in its Active Directory, organizational IT personnel would have to use the tab one object at a time, specifying one user at a time, and that process could take years to do, not to mention that since the state of access in Active Directory is constantly changing, in all likelihood, any such attempts to make such determinations would be futile to begin with.

For instance, consider this - let's say you wanted to answer the simple, fundamental question - Who can create user accounts in our Active Directory?

That seems like a question most organizations should want to know the answer to, because if someone could create a user account, they could engage in malicious activities that could not be linked to them.

It turns out that to answer this one single question, the organization would have to determine effective permissions on every object in Active Directory under which someone could create a user account, e.g. Organizational Units, Containers etc.

We recently had a very prominent government organization come to us with this exact need. For reasons known best to them, they had 20,000 organizational units in their Active Directory domain, so to answer that one simple fundamental question, they would have to determine effective permissions on at least 20,000 OUs in their Active Directory!


There are very few people in the world who know how to accurately determine effective permissions in Active Directory. Even if they could, and it took them 30 minutes to do so per object, it would take them 600,000 minutes to determine effective permissions across 20,000 objects, and that's assuming no one changed a single permission during that time.

I think you'll get the drift.

(Incidentally, with our innovative cyber security tooling that embodies our unique, patented and globally recognized effective access assessment technology, this organization was able to make this determination within minutes, at a button's touch.)


You see, in order to answer these elemental and fundamental cyber security questions concerning who has what privileged access in Active Directory, organizations require the ability to accurately and efficiently determine effective access across an entire tree of Active Directory objects. (Simply put, the ability to efficiently perform an accurate effective privileged access audit.)


You know, something like this.

Unfortunately, Active Directory completely lacks this elemental and fundamental capability, and as a result, organizations have no way of knowing exactly who effectively has what privileged access on their foundational building blocks of cyber security. (They never have!)

In fact, because they have never had this capability, considering that most Active Directory deployments have been around for years, and that a substantial amount of access provisioning and delegation has been done over the years, we have a situation wherein an excessive and unknown number of users have all kinds of effective privileged access in the Active Directory, yet no one knows exactly who has what effective privileged access.





Beware of Inaccurate Tooling

I'll digress for a minute to share something important with you. As goes the old saying, the only thing more dangerous than no knowledge is inaccurate knowledge. In all of the ten years that we've been around, not a single organization has attempted to address the problem, perhaps because they're mature enough to understand just how difficult it is to solve this problem.


However, recently, one company had a brilliant(ly dumb) marketing idea for their auditing solution, so amidst some fanfare, it released freeware tooling that claims to make some of this easy. Having written the book on the subject, we tested this tooling, and were shocked to find that it is not only woefully inadequate, it is so substantially inaccurate that it's almost dangerous.

Interestingly, this company seems to have no clue as to just how substantially inaccurate their tooling is. Sadly, neither do most IT pros, who may happily proceed to rely on it, in effect endangering the very foundational security for their organizations.

To metaphorically give you an idea of just how inaccurate it is, if it were being used as a metal/weapon detector at an airport, let alone boarding the flight, we would not just run out of the terminal, we would get out of the airport as fast as we could!

In our opinion, the only folks who could possibly benefit from such substantially inaccurate freeware tooling are malicious perpetrators, because even if it's only 20% accurate, that's sufficient for them to identify a few privilege escalation paths.





Organizations Worldwide are likely at High Risk

In the foundational Active Directory deployments of most organizations worldwide today, there likely exist 1000s of arcane privilege escalation paths, leading from regular domain user/computer accounts to highly privileged user accounts and security groups, that are hard to identify with the naked eye.



However, with sufficient tooling, in the wrong hands, they could be very quickly identified and potentially exploited by malicious perpetrators to inflict substantial damage within minutes.


Sadly, a malicious perpetrator need only compromise a single domain user/computer account to deploy and use such tooling to identify these privilege escalation paths. The entire discovery process would be read-only and given the sheer amount of read access that takes place in Active Directory deployments, it would in all likelihood not show up on any radar.

Once the perpetrator has identified a kill-chain, he/she could make a move at an opportune time (e.g. Saturday morning 3:00 am) and in less than 5 minutes, simply by using basic Active Directory management tools provided by Microsoft, escalate his/her privilege to that of an all-powerful privileged access user.

Once that's done, it's game over.


[Fortunately, with similar tooling, designed for and only made available to the good guys (i.e. organizational IT personnel), organizations could quickly and accurately determine effective privileged access in their Active Directory, as well as their source, and eliminate all excessive access before it can be exploited by malicious perpetrators.]





The Attack Surface

The attack surface is unfortunately vast - it is the entire Active Directory.


The attack surface is vast because virtually every domain user account, computer account, security group and other vital content stored in Active Directory is a potential target of compromise.

Attack surface details are over at - http://www.paramountdefenses.com/cyber-security/attack-surface.html





Active Directory Effective Privileged Access Audit

As a mature and professional cyber security company, we do not shed light on cyber security risks that cannot be mitigated, because we understand that doing so can potentially endanger organizations.

Folks, this profoundly elemental, high-impact cyber security risk is actually virtually 100% mitigatable, and in fact any organization that wishes to mitigate it can do so in a very short amount of time.

To mitigate this risk, what organizations worldwide require is the ability to accurately and efficiently determine effective privileged access across entire Active Directory trees (OUs, domains etc.) so that they can quickly and reliably identify all individuals who currently possess, but are not entitled/authorized to possess, effective privileged access in their foundational Active Directory, as well as identify the source of all such identified excessive access, so that they can then quickly revoke all such excessive access before malicious perpetrators are able to identify and potentially exploit it.


Today, organizations also have several options to do so, as outlined at - http://www.paramountdefenses.com/effective-privileged-access-audit.html

Subsequently, having attained least-privileged access state in their Active Directory, they can and must continue to maintain this least-privileged access state in their foundational Active Directory at all times, because it only takes the compromise of one privileged access user account to cause substantial damage.

My 10 minutes are almost up, so I will conclude this by adding that although this is a high-impact esoteric cyber security risk that potentially threatens the foundational cyber security of most organizations worldwide today, it is virtually 100% mitigatable, and all it really takes for an organization to mitigate this risk is to have the will to mitigate it.


Finally, as you will hopefully agree, there can be no security without accountability, and accountability must start at the very top, because should there be a cyber security incident, ultimately, it is the organization's leadership that will be held accountable by its stakeholders, which is why the Paramount Brief was written for executives.

Over the last decade, IT administrators and IT professionals from 8,000+ organizations across 150+ countries worldwide have knocked at our door (completely unsolicited), and we found that most of these organizations had one thing in common - the troops in the trenches know about the problem, but middle and senior management seem clueless, as a result of which, the troops are powerless, and afraid to escalate the problem, and as a result, we have a dangerous situation wherein most organizations worldwide are still defenseless and in the proverbial dark.

It is high time the Generals (CEOs) and their Colonels (CIOs, CISOs, IT Directors etc.) understood that their troops need their help, and that should an adversary be successful in taking them down, entire Kingdoms could be lost very, very quickly.

(Any organization in the world that would like to see a demo of just how easy this is to do may feel free to request one.)

The CEOs of the world's Top-200 business organizations have also been directly informed about this cyber security risk.

Best wishes,
Sanjay


PS1: Note to the folks at Microsoft - If you need help understanding this stuff, let me know.

PS2: If you found this interesting, you may like - OPM Data Breach Cyber Security Hack: Trillion $ Privileged Access Insight