Perspectives on Cyber Security by the CEO of Paramount Defenses
Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.
Showing posts with label Global Security. Show all posts
Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more than 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.
In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.
So without further ado, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?
Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.
Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?
Today, all you need is two WDs in the same (pl)ACE and it's Game Over.
Puzzled? Allow me to give you a HINT:
Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.
If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.
Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.
They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.
If they don't, (in my opinion) they likely shouldn't be the organization's CISO, because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)
Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.
PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)
PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)
I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some perspective, getting 007G ready for launch, and dealing with a certain nuisance.
Having successfully accomplished all three objectives, it is TIME to help defend organizations worldwide from the SPECTRE of potentially colossal compromise, which is a real cyber security risk that looms over 85% of organizations worldwide.
When you know as much as I do, care as much as I do, and possess as much capability as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.
So, even though I barely have any time to do this, in the interest of foundational cyber security worldwide, I'm going to start sharing a few valuable perspectives again, and do so on this blog, that blog and the official PD blog (see below.)
Stay tuned for some valuable cyber security insights right here from January 06, 2020
and let me take your leave with a befitting (and one of my favorite) song(s) -
Best wishes,
Sanjay.
PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right here.
In days to come, I'm going to answer both the most important, and the second most important, question in all of Cyber Security.
Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.
Consequently, it logically follows that all organizations that operate on Microsoft Active Directory are only as secure as are their foundational Active Directory deployments. After all, no matter how tall, every skyscraper is only as strong as its foundation.
In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right here.
Hello again. I trust this finds you all doing well. It has been a few weeks since I last blogged. I hope you'll pardon my absence.
Yes I was supposed to answer a rather important question, in fact, possibly the world's most important cyber security question, for the whole world, back in July, but I had to postpone doing so, for a few good reasons, which I may reveal in days to come.
Let's just say that amongst other things (e.g. a rather interesting trip across the Atlantic), I was working on finalising a project that directly impacts cyber security worldwide today, you know, the kind of stuff that even James Bond doesn't have yet!
By the way, speaking of Mr. Bond, as you probably know, I'm a huge fan, so thought I'd share a catchy tune with you -
Oh, that project I was working on is almost over (i.e. RC1), so it's time for me to get back to blogging, and... well, get ready!
Today, to give a hint for the answer to this question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -
What's the World's Most Important Active Directory Security Capability?
A few days ago I asked a (seemingly) very simple question ; no I'm not referring to this one, I'm referring to this one here -
Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?
Here's why I did so - While there's a lot of info out there on the WWW about how to use Mimikatz DCSync, and/or how to detect its use, there isn't one other* single correct piece of guidance out there on how to mitigate the risk posed by Mimikatz DCSync.
So, as promised, today I am (literally) going to show you exactly how thousands of organizations worldwide can now easily and demonstrably actually mitigate the very serious cyber security risk posed to their foundational security by Mimikatz DCSync.
In light of what I've shared below, organizations worldwide can now easily mitigate the serious risk posed by Mimikatz DCSync.
First, A Quick Overview
For those who may not know, and there are millions who don't, there are three quick things to know about Mimikatz DCSync.
Mimikatz DCSync, a Windows security tool, is the creation of the brilliant technical expertise of Mr. Benjamin Delpy, whose work over the years has very likely (caused Microsoft a lot of pain ;-) but/and) helped substantially enhance Windows Security.
Mimikatz DCSync targets an organization's foundational Active Directory domains, and instantly gives any attacker who has sufficient privileges to be able to replicate sensitive content from Active Directory, access to literally everyone's credentials!
Thus far, the only guidance out there is on how to DETECT its use, but this is one of those situations wherein if you're having to rely on detection as a security measure, then it's unfortunately already TOO late, because the damage has already been done.
Detection Is Hardly Sufficient
They say a picture's worth a thousand words, so perhaps I'll paint a picture for you. Relying on detection as a security measure against Mimikatz DCSync is akin to this -
Let's say a nuclear weapon just detonated in a city, and the moment it did, detection sensors alerted the city officials about the detonation. Well, within the few seconds in which they received the alert, the whole city would've already been obliterated, i.e. by the time you get the alert, literally everyone's credentials (including those of all privileged users) would've already been compromised!
Make no mistake about it - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory domain is tantamount to a complete forest-wide compromise, and should be considered a massive organizational cyber security breach, the only way to recover from which is to completely rebuild the entire Active Directory forest from the ground up!
This is why detection is grossly insufficient as a security measure. What organizations need is the ability to prevent the use of Mimikatz DCSync against their foundational Active Directory domains, and thus the ability to mitigate this risk is paramount.
How to Mitigate Mimikatz DCSync
The key to mitigating this risk lies in identifying what it technically takes to be able to successfully use Mimikatz DCSync.
Specifically, if you know exactly what privileges an attacker needs to be able to successfully use Mimikatz DCSync against your Active Directory domain, then by ensuring that only highly-trustworthy, authorized individuals (and not a single other individual) actually currently possess those required privileges in your IT infrastructure, you can easily mitigate this risk.
Technically speaking, all that an attacker needs to successfully use Mimikatz DCSync is sufficient Get Replication Changes All effective permissions on the domain root object of an Active Directory domain, so all that organizations need to do is accurately identify exactly who has these effective permissions on the domain root object of each of their Active Directory domains.
By default, only the default administrative Active Directory security groups are granted this permission. However, since most Active Directory deployments have been around for years and have likely gone through a substantial amount of access provisioning, in most Active Directory deployments many more individuals than merely the members of the default AD admin groups may have this highly sensitive effective permission granted to them, either directly or via group membership, some of which may be direct, whilst others may be via nested group memberships, resulting in a potentially large and unknown attack surface today.
Now, it is paramount to understand ONE subtle but profound difference here - it is NOT who has what permissions on the domain root that matters, but who has what effective permissions on the domain root that matters, and this difference could be the difference between a $100 B organization being completely compromised or being completely protected from compromise.
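As an added example (not the blog author's or Paramount Defenses' tooling), the PowerShell below performs the first step described above: it walks the domain root DACL for ACEs carrying the replication extended rights that DCSync relies on (or rights that imply them), and flattens nested group membership so that indirect holders are listed too. It assumes the RSAT ActiveDirectory module and read access to the domain root's security descriptor; the GUIDs are the schema's well-known extended-right identifiers, and the extended right the post calls "Get Replication Changes All" appears in the ACL editor as "Replicating Directory Changes All". This is a permissions walk, not an effective-permissions computation: it does not resolve Deny precedence, ownership, or implicit token groups, which is exactly the gap the post goes on to describe.

```powershell
# Added example: list trustees granted DCSync-relevant rights on the domain root
# and expand group trustees through nested membership. Not an effective
# permissions calculation; treat the output as a review list, not a verdict.
using namespace System.DirectoryServices
Import-Module ActiveDirectory

# Well-known extended-right GUIDs (controlAccessRight objects in the AD schema).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$NullGuid = '00000000-0000-0000-0000-000000000000'

function Get-DomainRootReplicationAces {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dn  = (Get-ADDomain -Identity $Domain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"          # the AD: drive is created by the module

    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()
        $hit    = $null

        if ($rights.HasFlag([ActiveDirectoryRights]::ExtendedRight) -and $ReplRights.ContainsKey($guid)) {
            $hit = $ReplRights[$guid]
        } elseif ($rights.HasFlag([ActiveDirectoryRights]::GenericAll)) {
            $hit = 'GenericAll (includes every extended right)'
        } elseif ($rights.HasFlag([ActiveDirectoryRights]::ExtendedRight) -and $guid -eq $NullGuid) {
            $hit = 'ExtendedRight with no object type (every extended right)'
        } elseif ($rights.HasFlag([ActiveDirectoryRights]::WriteDacl) -or
                  $rights.HasFlag([ActiveDirectoryRights]::WriteOwner)) {
            # Not a replication right itself, but the holder could grant one to
            # themselves, so it belongs on the same review list.
            $hit = 'WriteDacl/WriteOwner (could self-grant replication rights)'
        }

        if ($hit) {
            [pscustomobject]@{
                Domain      = $Domain
                Trustee     = $ace.IdentityReference.Value
                AccessType  = $ace.AccessControlType     # Allow or Deny
                Right       = $hit
                IsInherited = $ace.IsInherited
            }
        }
    }
}

function Expand-Trustee {
    # Users and computers are returned as-is; groups are flattened through nested
    # membership; well-known SIDs that are not directory objects (e.g. SELF) stay as-is.
    param([string]$Trustee)

    $sam = $Trustee.Split('\')[-1]
    $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if (-not $obj) { return $Trustee }

    if ($obj.ObjectClass -eq 'group') {
        # -Recursive follows nested groups down to the leaf accounts
        $members = Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive
        if (-not $members) { return @() }    # empty group: nobody holds the right via it
        return @($members | ForEach-Object { "$($_.ObjectClass):$($_.SamAccountName)" })
    }
    return $Trustee
}

function Get-DomainRootReplicationHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($ace in Get-DomainRootReplicationAces -Domain $Domain) {
        foreach ($holder in Expand-Trustee -Trustee $ace.Trustee) {
            [pscustomobject]@{
                Holder     = $holder
                Via        = $ace.Trustee     # the ACE's trustee, direct or a (nested) group
                AccessType = $ace.AccessType
                Right      = $ace.Right
            }
        }
    }
}

Get-DomainRootReplicationHolders | Sort-Object Holder, Right | Format-Table -AutoSize
```

Every account in the output that is not an authorized administrator is a candidate for remediation; an empty Allow list beyond the default administrative groups and domain controllers is the target state.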
The Key - Active Directory Effective Permissions
If you've followed what I've shared above, then you'll agree and understand that the key to being able to successfully mitigate the serious risk posed by Mimikatz DCSync lies in being able to accurately determine effective permissions in Active Directory.
In fact Effective Permissions are so important, essential and fundamental to Windows and Active Directory Security, that of the four tabs in all of Microsoft's Active Directory Management Tooling, one entire tab is dedicated to Effective Permissions.
Unfortunately, it turns out that not only is Microsoft's native Effective Permissions Tab not always accurate, it is substantially inadequate. While I could elaborate on that, I'd rather let you come to the same conclusion yourself: this ONE glaring inadequacy will be self-evident the moment you attempt to use it to try and find out exactly who amongst the thousands of domain user account holders in your Active Directory domain(s) actually has the required effective permissions. In fact, the same is true of all tools/scripts that involve the use of Microsoft's APIs to do so, such as this dangerously inaccurate free tool.
Fortunately, in a world whose population is 7,000,000,000+ today, thanks to one (1) inconsequential individual, there's hope...
Finally, How to Easily and Reliably Mitigate the Risk Posed by Mimikatz DCSync
Here's a very short (and perhaps boring but insightful) video on how organizations worldwide can reliably mitigate this risk -
Note: This is NOT intended to demonstrate our unique tooling. It is solely intended to show what it takes to mitigate this serious risk. We have no particular interest in licensing our unique tooling to anyone. As such, over the years, we have NEVER, not once pitched our tooling to anyone; we've had almost 10,000 organizations worldwide knock at our doors completely unsolicited, so I hope that makes this point unequivocally.
Thus, as seen in the short video above, with the right guidance (knowledge) and capability (tooling), organizations worldwide can now easily and reliably mitigate the serious cyber security risk posed by Mimikatz DCSync to their foundational security.
Complete, illustrated, step-by-step details on how to easily and correctly mitigate Mimikatz DCSync can now be found here.
I'll say this one last time - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory is tantamount to a forest-wide compromise and constitutes a massive cyber security breach, which is why mitigation is paramount.
Hello again. Today onwards, as I had promised, it is finally TIME for us to help SAFEGUARD Microsoft's Global Ecosystem.
Before I share how we uniquely do so, or answer this paramount question, or ask more such ones, I thought I'd ask likely the most important question that today DIRECTLY impacts the foundational cyber security of 1000s of organizations worldwide.
Here It Is -
What Is the 1 Essential Cyber Security Capability Without Which NOT a single Active Directory object, domain, forest or deployment can be adequately secured?
A Hint
I'll give you a hint. It controls exactly who is denied and who is granted access to literally everything within Active Directory.
In fact, it comes into play every time anyone accesses anything in any Active Directory domain in any organization worldwide.
Make No Mistake
Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.
Only 2 Kinds of Organizations
Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, and those that don't. Those that don't possess this essential capability do not have the means to, and thus cannot adequately protect, their foundational Active Directory deployments, and thus by logic are provably and demonstrably insecure.
If you know the answer, feel free to leave a comment below.
I'll answer this question right here, likely on July 04, 2018.
As some of you may know, over the past few weeks, I have been publicly taking the $ 550 Billion Microsoft (Nasdaq: MSFT) to Active Directory Security School (see PS3 below) because today global security literally depends on Active Directory Security.
In case you're wondering why, here's why -
The Importance of Active Directory Security
From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.
In other words, the foundational security of thousands of government and business organizations depends on Active Directory.
To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Active Directory.
Operating in the Dark
Given my background, experience and whatever little I know about the subject, I have reason to believe that most organizations worldwide that operate on Active Directory are operating in the dark today, and have absolutely no idea as to exactly who has what level of privileged access in their foundational Active Directory!
Further, because over the last decade, almost 10,000 organizations from across 150+ countries worldwide have knocked at our doors unsolicited, we know exactly how much these organizations know about Active Directory Security, and we're shocked to know that 99% of them don't even know what "Active Directory Effective Permissions" are, and upon giving this due thought, we have arrived at the conclusion that the world's complete ignorance on this most paramount aspect of organizational cyber security can be attributed to the fact that Microsoft has likely not even once educated its customers about its importance!
Let There Be Light
So, I made an executive decision that we need to educate the $ 550 Billion Microsoft Corp about the paramount importance of "Active Directory Effective Permissions", so that they can in turn educate the thousands of vital business and government organizations at whose very foundation lies Active Directory about its sheer and cardinal importance.
Make no mistake about it - no organization that operates on Microsoft Active Directory today can be adequately secured without possessing the ability to determine effective permissions on the thousands of building blocks of cyber security (i.e. thousands of domain user accounts, computer accounts, security groups and policies) that reside in its Active Directory. It's really that simple.
A 1000 Cyber Security Companies!
Speaking of which, although there are supposedly over a 1000 cyber security companies in the world (and incidentally at their very foundation too lies Microsoft Active Directory), not a single one of them has the ability, the expertise or even a single solution to help the world accurately determine "effective permissions" in Active Directory. Not a single one of them!
Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our United States.
Sir, almost all reasonable people would agree that a bellicose and now nuclear North Korea likely poses a threat not just to the United States but to the whole world, and that this threat must be dealt with. While there are several options, including military options, that you may be considering, I just wanted to say that you may want to give a peaceful resolution to this situation a reasonable chance (because wars are gruesomely destructive), and perhaps there may be still something that could be done.
Of course, North Korea must make no mistake about one fact - it must unequivocally understand that if it attacks the U.S. or its territories or allies, the U.S. will have no choice but to act to defend itself, and if it does, it will likely be the end of North Korea.
Speaking of Nuclear Weapons and North Korea
I likely speak on behalf of not just millions of American citizens, but billions of people worldwide when I say that this dangerous "sabre rattling" needs to please stop; we just cannot have a(ny) country threatening the world with the use of Nuclear Weapons.
Nuclear Weapons
We should also make NO mistake about this - This must please stop, and yet we must try and do all we can do to resolve this PEACEFULLY, because wars are gruesomely destructive. It is estimated that should this situation result in a war on the Korean peninsula, millions of people in numerous countries may lose their lives and/or be severely impacted.
If I might add, in today's civilized world, no one person in the world, whether it be the leader of any country (whether it be North Korea, Iran, China, Russia, USA, etc.) or entity should be able to endanger the lives of all 7,000,000,000+ people on Earth.
Speaking of peaceful efforts, allow me to voice one unsolicited suggestion, which involves a country that may likely have, over the years, whether unintentionally or otherwise, played^ a (not so small) role in helping North Korea get where it is today, and they now ought to do everything they can to help resolve this situation peacefully, and that one country is China.
[ ^ Watch this 6 min video - "China is North Korea's largest trading partner and has pushed hard for the livelihood exemptions" , "Sanctions will only be as effective as Beijing wants them to be" , "Regime survival is exactly what China actually wants to see"]
Where Does China Stand on This?
Sir, as of Aug 11, 17, you've certainly tried to have China resolve this problem. However, it does not seem to (yet) have worked.
As of this morning, according to the Global Times newspaper, which although is not an official mouthpiece of the Communist Party, does according to experts most likely reflect government policy, China is likely okay with an armed conflict in the region.
"Beijing is not able to persuade Washington or Pyongyang to back down at this time. It needs to make clear its stance to all sides and make them understand that when their actions jeopardize China's interests, China will respond with a firm hand."
"China should also make clear that if North Korea launches missiles that threaten U.S. soil first and the U.S. retaliates, China will stay neutral. If the U.S. and South Korea carry out strikes and try to overthrow the North Korean regime and change the political pattern of the Korean peninsula, China will prevent them from doing so."
In other words, by not being against it, China is apparently tacitly okay with an armed conflict in the region. That's concerning.
Today, no country in the world should be okay with any such conflict, especially one involving countries with Nuclear Weapons.
China needs to realize that now is the time to respond to North Korea with a firm hand (lest it be too late and cost 100x.)
China may need to unequivocally understand that this isn't just about a regional conflict or stability in one specific region of the world, but that this could result in the use of Nuclear Weapons and that could potentially dangerously impact the entire world.
The Suggestion - Having China Do More
In reality, as its largest trading partner, China does likely have a substantial amount of influence on North Korea, which is also why most sanctions imposed on North Korea by the U.N. thus far may have only been as effective as China wanted them to be.
Thus, perhaps, all countries in the world that desire peace, led by the U.S., should earnestly communicate to China that unless China does more to help, the world may have no choice left but to begin to look into potentially unfair Chinese trade practices and consider* (even if temporarily) substantially reducing their imports from China (i.e. the import of goods Made in China).
Perhaps, as a consequence, if China realizes that the world may seriously no longer be interested in importing its inexpensive goods, and that it may stand to lose up to a Trillion $ in trade each year, unless it "reins in" North Korea, perhaps it will do more.
(As such, China should be quite concerned about the possibility of any armed conflict in its region as it could impact its people. If concern for the safety of its billion+ people doesn't motivate China, perhaps the potential of a Trillion $ a year of loss, may.)
China may very well understand this today, so they need to flex some serious muscle to help resolve this dangerous situation.
[ A small digression... An Unintended Impact
Incidentally, this could help kick-start your Made in USA initiative, and perhaps help reduce the trade imbalance with China, and although products for the U.S. consumer may no longer be dirt cheap, it could start bringing back American manufacturing jobs, thus helping your #MAGA slogan.
Speaking of #MAGA, while America is already a great country, its greatness may likely indeed have diminished a bit in light of globalization, and speaking of jobs, perhaps it may help to let the American people know that it is our own companies, i.e. the major companies whose products the American populace consumes, that whether driven by fierce competition and/or a desire to "maximize shareholder value", may have over the years substantially outsourced manufacturing, so and it may be up to the people to consider having (and if they decide, could have) these companies put country/security ahead of maximizing profits.
(It is difficult to walk into a Walmart or a Home Depot anywhere in the U.S. and find any products that are not "Made in China." Obviously, since you Sir, are (supposedly) a Billionaire, I do not expect you to have personally walked into a Walmart or a Home Depot, but in all likelihood a majority of all hard-working people living in the U.S. may likely know what I'm talking about.)
Lastly, perhaps we, the American people may also need to realize that it may not likely be possible to simultaneously have both "dirt-cheap (i.e. super inexpensive) products" and "American manufacturing jobs." Perhaps, if there is a strong desire to bring back manufacturing jobs to the U.S., it may require, even if for a bit, some adjustments as consumers - perhaps consume a little less, but buy quality products that are Made in USA as well as made in all such countries that adhere to fair trade practices.
Here, I should mention that it is also certainly possible for (a more responsible and fairly competing) China to continue to be a major exporter of goods to the U.S., just as long as the Chinese too engage in manufacturing under fair trade practices, fair employment, regard for the environment, and for human rights, thus making the manufacturing playing-field level for all nations.
Alternatively, in lieu of having thousands of companies bring back manufacturing jobs to America, perhaps we could make solid results-driven investments towards helping our workforce acquire skills in those fields and industries that play a substantial role in contributing to America's exports, in effect helping millions of our people find suitable, respectable and gainful employment, as well as contributing to an increase in American exports, which too will have the effect of improving uneven trade deficits.
Speaking of Made in USA, perhaps the best way for you Sir, to demonstrate your commitment and seriousness of purpose to #MAGA, may likely be to lead by example and have all products made by the Trump Organization be made here in USA.
... end of digression.]
In Summary
The World should stand united on one front - regarding threats involving use of Nuclear Weapons, there must be zero tolerance.
As for North Korea, it must make no mistake about one fact - it must unequivocally understand that if it attacks the U.S. or its territories or allies, the U.S. will have no choice but to act to defend itself, and if it does, it will likely be the end of North Korea.
The Chinese too must understand that any military conflict in their region, especially one potentially involving the use of even a single nuclear weapon, and its fallout, could endanger not just all the countries in the Korean Peninsula, but also likely threaten and perhaps possibly jeopardize the very existence of Earth, and the last I checked, a billion Chinese people too, live on Earth.
If millennia of history haven't taught us about the horrors and savagery that military conflicts and wars entail, and if millennia of progress haven't made us all realize that we all need to peacefully co-exist, then while we may have made material progress, what have we truly learnt?
Instead of predominantly pursuing profits, world-domination and egos, we should (all) instead be first pursuing peace, love and harmony, improving life for everyone, and cherishing and saving our precious planet (because in the Universe, it's all we have.)
PS: I write neither as a Republican nor a Democrat, merely as a caring citizen, and not just as a U.S. citizen, but as a peace-loving global citizen, i.e. just one of 7,000,000,000+ people that live in 150+ countries worldwide who believe in living in Peace.
*A Note to China: We respect almost everyone, including your great nation, we mean no disrespect whatsoever, and like you we believe in fair trade, including with your nation, but far more importantly, we also value and believe in peaceful co-existence (as should you), so if the suggestion made above seems a tad extreme, please consider that it is only made in light of far more extreme circumstances i.e. a belligerent North Korea threatening (in effect, not only) the U.S. (but global security) with WMDs. You ought to ask yourselves if you're really doing everything you can to defuse this incredibly reckless and dangerous situation; should this result in an armed conflict in your region, your great country and its people may very likely be substantially impacted. This is not the time for any party to play "Chess." This is the time for all countries to help prevent a potentially nuclear conflict.
Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our Great United States.
First off, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic American citizen and a cyber security specialist, because I care, and that my desire to do so publicly is inspired by how much you Sir share publicly, and that this most respectful letter is in light of your tweet about discussing the creation of a Cyber Security Unit with Russia.
I'll do my best to keep this VERY simple.
Top-5 Global Security Risks
As President of the United States, you're likely aware of the Top-5 risks to not just America, but to the entire world today -
1. The Risk of the Use of a WMD / Nuclear War
2. The Risk of Earth's Demise, posed by Climate Change
3. The Risk of Terrorism, posed by Terror Groups Worldwide
4. The Risk of the Decline of American Leadership in the World
5. The Risk of Swift and Colossal Damage, posed by Cyber Threats
I am by no means an expert on global security, but common sense suggests that risks 1 and 2 above would be catastrophic to all of mankind, risk 3 could pose a serious threat to life and property, and that risk 4 could increase the likelihood of risks 1, 2 & 3.
As for risk 5, I do happen to know one vital area of cyber security decently well, so I'll share just a few thoughts about it, but first, I did want to take a moment to talk about risk 4 because it potentially impacts the lives of 7,000,000,000+ people worldwide.
The Importance of American Leadership
Mr. Trump, as President of the United States, you are the most powerful and influential person in the world, and most people would take such GREAT responsibility VERY seriously, since their actions and decisions could save or destroy the world.
Sir, the elections are over. You won. You are the President of the United States, and it is time to let the talking be, and start working to make America great again. This isn't reality TV, this is real life, and it's a billion times more significant and serious.
If I were the President of the United States, and I deeply cared about making America great again, I likely wouldn't have a moment to watch TV, Tweet or Golf. I'd be working harder than the hardest American to make America greater and safer.
(If I may momentarily digress: speaking of making America great again, while there may certainly be much to be done to restore its greatness, we owe it to our future generations to do so without polluting or endangering our precious environment.)
Today more than ever, we live in a precarious, highly-connected and inter-dependent world, and the world needs strong, mature and steady American leadership to amicably address so many important and complicated issues, such as those listed above.
Speaking of which, I'd like to share a few thoughts on risk 5, the risk of swift and colossal damage posed by Cyber Threats, but before I do so, again, I'd request you to please take a few moments to comprehend the profound importance, seriousness and significance of both the position bestowed upon you by the American people, as well as the challenges that you, Sir, today have the unique privilege and responsibility of addressing for both America and the world that America is inextricably a part of.
[ Hopefully you see that the reality is that since America is inextricably a part of the world, what happens out in the world could impact us substantially, so to make America great(er and safer) again, we must maintain American leadership in the world. ]
The Cyber Risk
Mr. President, to put it most simply, Cyber Security is the Achilles' Heel of developed nations today, because over the last few decades, our reliance on computer systems and networks has increased substantially (exponentially), and sadly within them exist many systemic and component specific deficiencies (vulnerabilities) which can be exploited to inflict colossal harm.
(This risk is actually addressable, and what the world needs is a White Knight so we have a trustworthy foundation to operate on, but until we get there i.e. until the world has such a defensive shield in place to rely on, we all have reality to deal with.)
Consequently, today from our governments to our energy grids, from our defense systems to our transportation systems, and from our banks to our industries (i.e. a nation's business organizations), literally everything is exposed to varying levels of risk.
It is thus hardly surprising that today cyber security is one of the most important challenges the world faces, an assertion best evidenced by the fact that Russia's purported cyber interference in the 2016 American elections, remains a contentious issue.
Speaking of which, while the U.S. and in fact all countries and, ideally all business organizations, should certainly bolster their cyber defenses, establishing a Cyber Security Unit with the Russians might NOT be such a good idea, as also voiced by 1, 2, 3.
By the way, those who truly understand cyber security know that there is no such thing as an "impenetrable cyber security unit".
A quick digression. Yes, indeed the Russians are very good at cyber security and likely at hacking, and they're persistent, but they're not the only ones out there trying to hack our agencies and companies, and they don't always succeed. But, I digress.
Mr. President, as I put my pen down, I'll only add that of the risks listed above, in the near-term, the Cyber Risk may be 2nd only to the Nuclear Risk, because its realistic probability of occurrence is substantially higher, and its potential for damage, colossal.
Mr. Trump, you have a historic opportunity to SERVE the American People, and define your legacy - it's yours to embrace or squander.
Today, as the very foundation of identity, security and access management at 90% of business and government organizations worldwide, Microsoft Active Directory is the very foundation of cyber security worldwide. Today, it helps protect Trillions.
To understand how this relates to all of us, perhaps it may help to internalize that at the very foundation of cyber security of virtually every organization that directly impacts billions of people worldwide, from our employers to our financial institutions, from the companies we invest in to our governments, from our educational institutions to our hospitals, from companies that build and sell all that the world needs to companies that provide the world's utilities (energy, transportation, security etc.) lies Microsoft Active Directory.
The security of Active Directory deployments worldwide is thus critical to global security and a matter of paramount defenses.
Unfortunately, the executive and IT leadership of most organizations do not seem to clearly understand this profound fact yet, so a few weeks ago we directly brought this fact to the attention of the executive leaders of the world's Top-100 companies. In weeks to follow, we learnt just how little organizations worldwide know about the top cyber security risks to Active Directory.
It appears that in part, at the root of global lack of gravitas on this most important subject, and the lack of adequate awareness, guidance and solutions on/for Active Directory security, may lie the lack of gravitas of one particular organization, so, starting tomorrow, July 27, 2016, and in days to follow, we will ask a few questions and share a few insights right here on this blog.
Best wishes,
Sanjay
PS: I'll ask a $100B question tomorrow. Technically, given the above, it could be a Trillion $ question, but we'll leave it at 100B.
By now, you must have heard about the Sony Hack. Thought I'd share a few thoughts (possibly worth a US $ Trillion) on it.
The Sony Hack has to be possibly the worst cyber security attack the world has witnessed thus far. I say thus far, because if you understand Active Directory Security, you know, that with just a little bit of effort, one can easily automate the destruction of virtually any (number of) organization(s) in the world. (To the FireEyes, TripWires, Mandiants, Kasperskys and Symantecs of the world - if you need a primer/demo, let us know.)
Essence
A few weeks ago malicious perpetrators completely compromised Sony's IT infrastructure and stole vast amounts of Sony's confidential information. They then threatened Sony to engage in a specific action, and when Sony refused, they made good on their threat by releasing part of this information in the public domain. The release of such confidential information into the public domain caused Sony significant tangible and intangible damage, the true cost of which won't be known for years.
Remarkably Easy
Based on what is known thus far, and based on what U.S. officials have shared, in all likelihood, what happened here is that malicious perpetrators gained administrative access within Sony's network, and used it to obtain access to (and make a copy of) whatever they wished to obtain access to within Sony's internal network i.e. files, databases, emails, etc.
As described below, such an attack is remarkably easy to carry out. In fact, with just a little effort, today it can be carried out in the IT infrastructures of 85% of all organizations worldwide. (Should you need a demo, we'll be happy to arrange one for you.)
A word on Motive
The Sony Hack was so remarkably simple to carry out that when you think about it, you'd wonder why the hackers that carried out the attacks at Target, Home Depot, EBay, etc. did not inflict as much damage as the hackers who carried out the Sony Hack. I believe that the answer lies in one word - Motive.
In all likelihood, the motive of the hackers of the previous attacks was simply to obtain (steal) information for financial gain. In Sony's case, the motive seems to have been to proverbially take Sony hostage and force it to act in a specific manner (i.e. have them pull a movie.) It seems that certain demands may have initially been put forth and when Sony's executives didn't comply, the perpetrators started releasing the stolen information to demonstrate that threats were real. It is the release of this information in the public domain that caused substantial damage to Sony. In other words, the perpetrators succeeded in holding a $20+B company hostage and during the process inflicted colossal damage to the company.
As damaging as it was, this was a remarkably simple hack.
So, what makes this a remarkably simple and easily enactable hack to carry out?
Well, the answer is simple. It was very easy to carry out, as described below.
The Sony Hack is the perfect example of what is described in "The Paramount Brief."
In the best interest of organizations worldwide (so as not to tip the bad guys off), we have not declassified it yet. There are some (at the highest offices in Microsoft and elsewhere) who have read it and who will tell you that we predicted the occurrence of such an attack over 5 years ago.
In light of what happened, we are inclined to declassify this brief in early 2015. Stay tuned.
What Really Seems to have Happened at Sony
What happened at Sony was remarkably simple. Like over 85% of the world's organizations, the IT infrastructure of Sony too is powered by Microsoft Windows Server platform, and at the very foundation of their cyber security was their Active Directory deployment.
You can think of Active Directory as the heart of an organization's IT infrastructure. Not only does Active Directory store and protect all of the organization's administrative accounts and their passwords, it stores and protects the user accounts of all the employees and contractors, as well as the computer accounts of all the computers that make up the IT infrastructure as well as all the security groups that are used to protect the entirety of all the IT resources in the IT infrastructure. And more.
In order to help organizations establish and manage their IT infrastructure, there exist a few default administrative groups in Active Directory. These administrative groups have unrestricted access to Active Directory and to virtually every machine (laptop, desktop, server) that is joined to the Active Directory and is thus a part of the organization's IT infrastructure. Examples of such administrative groups include the Enterprise Admins group, the Domain Admins group etc.
Every individual that is a member of one of these default administrative groups has virtually unrestricted access across the entire IT infrastructure. He/she can obtain and control access to virtually every IT resource in the organization's IT infrastructure, whether it be a file, a folder, a SharePoint site, a server, a database, a line-of-business app etc. ... everything.
In other words, anyone with administrative access in Active Directory proverbially has God-like powers, and practically speaking, he/she any day is about 100,000 times more powerful than the organization's CEO.
Should a SINGLE account that has administrative access in Active Directory be compromised, theoretically every IT resource in the organization could be at risk of compromise, and in the worst case scenario, the entirety of the organization's IT resources could be compromised.
In other words, proverbially speaking, he/she who is able to obtain Active Directory administrative access will have the "keys to the kingdom" i.e. once you have Active Directory administrative access, you can obtain access to, copy, tamper, divulge and destroy virtually any IT resource in the IT infrastructure.
THAT is EXACTLY what seemed to have happened at Sony.
Quoting U.S. officials that were briefed on the investigation - "U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony's computer system, allowing them broad access."
In a Microsoft Windows Server based IT infrastructure, a system administrator is layman's speak for an Active Directory administrator, because in a Microsoft Windows Server based IT infrastructure, Active Directory is the heart of the "system".
The same U.S. officials also said that "The hackers' ability to gain access to the passwords of a top-level information technology employee allowed them to have 'keys to the entire building.'"
In all likelihood, someone compromised the account of an Active Directory administrator and once that was done, the rest was just a matter of time... taking one's sweet time to obtain read access to and copy vast parts of organization's IT resources.
It was really as simple as that.
Not Surprising at All
In light of the fact that someone with Active Directory administrative access has God-like powers, you might find yourself asking two questions -
Shouldn't organizations minimize the number of such highly privileged administrative accounts?
Shouldn't organizations offer the highest protection for these highly privileged administrative accounts?
The obvious answer to both the questions is YES.
Sadly, in reality, based on what we have seen thus far, in most organizations, not only are there an unacceptably and unbelievably large number of these highly privileged administrative accounts, but these accounts also continue to remain substantially vulnerable to compromise. In fact, in most organizations, the IT groups have no idea as to exactly who has what administrative access provisioned in their Active Directory deployments.
By the way, by what we have seen thus far, I'm referring to over 7,000 organizations from across 150 countries that have knocked at our doors thus far, and many of these organizations are some of the world's most prominent and powerful business and government organizations.
So, it is not surprising at all to us that someone was able to pull off this attack at Sony.
It helps to keep in mind that once a malicious perpetrator has Active Directory administrative access, and their primary intent is to obtain access to and copy information (files, folders, databases, mail etc.), all they're really doing is engaging in "read access" to vast amounts of information, and "read" access is almost never audited, so it would be very difficult to catch someone who has Active Directory administrative access in the act of engaging in rampant information theft.
How to Enact the Sony Hack in 4 Steps
At its core, a perpetrator seems to have obtained administrative access and used it to obtain access to (and copy) large amounts of confidential information, all done in 4 simple steps -
Step 1 - Become an Authenticated User - This step involves obtaining the credentials of any ONE of the thousands of Active Directory accounts that exist for Sony's employees, vendors and contractors. With just a little creativity (social engineering), this is fairly easy to do from the outside. It is easier still if you can officially get an account by virtue of say being a temporary contractor to Sony, not just in the U.S. but say in another country that Sony does business in/has operations in.
Step 2 - Identify Administrative Accounts - Once you're an Authenticated User, you now have READ access to vast amounts of information, including valuable information, such as the list of all administrative accounts in the organization i.e. the list of the accounts of all individuals who have administrative access in the organization's Active Directory. For instance, the list of all Enterprise Admins and Domain Admins. By the way, this is as easy as issuing the following LDAP query: (&(objectClass=user)(objectCategory=person)(admincount=1))
Step 3 - Escalate Privilege to Administrator Level - This is the defining step in which you escalate your privilege from that of a regular non-administrative account holder to that of an administrative account i.e. one of the many administrative accounts you identified in Step 2. This is the most difficult step in the entire attack-vector. However, what is "difficult" for some, is "easy" for others, and depending on your expertise and tool-set, this can take days or minutes. (With the right tooling it only takes a few minutes.) Most amateurs use the PtH attack vector to enact this step. Unfortunately for them, as organizations establish and enforce stricter admin account use policies, this attack vector is becoming harder to use. The second vector, called Active Directory Privilege Escalation, which these amateurs don't know much about yet, still remains the easiest way to enact this step.
Step 4 - Own The Building/Kingdom - Once you've obtained Enterprise/Domain Admin credentials, you're proverbially God within the network, because you can now obtain access to, copy, tamper, destroy and divulge virtually any IT resource that is stored on a computer that is joined to the Active Directory domain and/or protected by an Active Directory security group (and that by the way is virtually the entire IT infrastructure.) Once you've obtained Enterprise/Domain Admin credentials, you can take your sweet time (weeks, even months) accessing and copying large amounts of information from virtually any server (file server, mail server etc.), database, laptop etc. and because all of it is read access, it is hardly ever audited, so you're going to go unnoticed for a very long time.
(Strictly speaking, each time you obtain a Kerberos ticket to a separate machine, an event is logged in the audit log, but based on our experience in dealing with the thousands of organizations that have knocked at our doors seeking assistance, less than 1% of organizations even know how many administrative personnel they really have, let alone paying attention to audit entries related to Domain Admin network logons on to various machines. Besides, for the most part, it's not your identity that shows up in the audit log, but that of the account of the Enterprise/Domain Admin you compromised, and he/she could very well have a legitimate need for all these logins, making these audit log entries seem unsuspicious.)
Once you've taken your sweet time (days, weeks or months, your choice) to obtain access to virtually whatever you wanted (documents, emails, confidential data), you simply walk out, and once you're out, you're now in possession of a treasure trove of data. What you do with it, is driven by your motive.
In Sony's case, the attackers used it to coerce Sony into not releasing a movie. (It appears that in order to prove to Sony that their threats were credible, they released vast amounts of stolen information into the public domain, causing substantial tangible and intangible harm to Sony for years to come.)
It's (really) that simple.
Step 3 Above - Privilege Escalation
As you'll hopefully agree, steps 1, 2 and 4 above are pretty darn easy to enact, for anyone who knows the littlest thing about cyber security. It is step 3, the one that empowers a non-administrative individual to escalate his/her privilege to that of an all-powerful administrative account, that is the defining step here.
In fact, in most of the famous cyber security breaches thus far, privilege escalation has been the defining step that gave the perpetrators powerful administrative access, which could then be misused to fulfill virtually any malicious objective.
When it comes to privilege escalation in Windows / Active Directory, there are fundamentally two ways to escalate privilege - privilege escalation based on the capture and replay of hashes, and privilege escalation based on performing (a few) password resets (i.e. based on identification and exploitation of excessive permissions granted on Active Directory content such as admin accounts and groups.)
The first way i.e. privilege escalation based on the capture and replay of hashes (PtH) is well-known and commonly-used, and thankfully is steadily becoming harder to use, as organizations understand how to avoid being victimized i.e. essentially, prevent their admins from logging on to untrustworthy machines.
The second way i.e. Active Directory privilege escalation based on performing (a few) password resets, is steadily increasing as hackers become savvier about Active Directory security, and are able to identify and exploit privilege escalation paths with moderate effort. (With the right tools, this too is child's play.)
The cardinal difference between these two ways is that whereas the former absolutely requires that an administrator logs on to a machine owned by the attacker, the latter has no such requirement, and in fact can be enacted from any machine. NOW, if an administrator NEVER logs on to the computer owned by the attacker, the attacker can sit and wait and grow old and will not be successful. However, with the latter, the attacker can use any computer/account to identify and exploit these privilege escalation paths, and once identified escalate his/her privilege within minutes.
Amongst these two ways, privilege escalation based on password resets poses a far greater threat to organizations worldwide than privilege escalation based on the capture and replay of hashes, because it doesn't require the victim to logon to any specific machine, and because virtually any insider (i.e. anyone with a simple Active Directory account) could with some basic knowledge and tooling engage in it to obtain all-powerful administrative access within minutes.
Microsoft's recent acquisition of a little start-up called Aorato may be a step in the right direction towards helping organizations detect the occurrence of privilege escalation based on the capture and replay of hashes, but it still leaves organizations vulnerable to privilege escalation attacks based on (i.e. involving the identification and exploitation of excessive permissions in Active Directory that can be enacted by performing) password resets. Fortunately, our patented technology is helping organizations worldwide minimize the possibility of successful privilege escalation attacks involving password resets.
Why is Administrative Access Such a Big Deal?
Obtaining administrative access is a HUGE deal because once you have administrative access, you not only have virtually unrestricted access to just about every resource in the system, you are also a part of what is commonly referred to as the Trusted Computing Base (TCB) of the system, and once you're a part of the TCB, you can not only control the security of the entire system, you can also circumvent any additional control that might have been put in place to stop you.
In addition, in every system, default security specifications grant the administrators complete and unrestricted access. This is done so as to be able to provide the administrators the ability to control that system at all times.
For instance, in an Active Directory deployment, the default security on every domain-joined machine grants Domain Admins full control across all resource managers on that machine, as well as virtually all the privileges required to obtain access to and control the entire domain-joined machine.
So for instance, once you're a Domain Admin in an Active Directory deployment, you can obtain access to virtually every IT resource (file, folder, database, process, service etc.) on any domain-joined machine in that Active Directory forest. So, of course, by default you'd also have access to any and every server that is domain-joined, such as and not limited to Exchange Servers, File servers, Database servers, Application servers, LOB servers, PKI Servers etc., and of course all files and folders on any domain-joined client machine, e.g. the laptop or desktop of virtually every employee in the organization, including the CEO, CFO, CIO, CISO etc. In other words, you have access to virtually everything.
This is why administrative access is a HUGE deal, and this is why organizations must leave no stone unturned in minimizing the number of administrative personnel to a bare minimum. Fortunately, all mature commercial operating systems (e.g. Microsoft Windows Server) provide the means to delegate a majority of all administrative responsibilities to lesser privileged administrators, and organizations should leverage the ability to delegate administrative functions to the extent they can.
At the end of the day, once you're an administrator, you have sufficient power to be able to control the security of the entire system. When you consider a system like the IT infrastructure of a $20B company, you could potentially (positively or negatively) impact more than $20B, if one includes the cost of intangible losses one could inflict.
Unaudited Delegated Administrative Access Grants - Low-hanging Fruit for Hackers
One often overlooked area of cyber security is that of delegated administrative access in Active Directory deployments. By delegated administrative access, I am referring to administrative access delegations that are provisioned in Active Directory deployments for the purpose of separating and/or distributing responsibilities for vital areas of IT management. Examples of such areas include account management, group management and access management.
Active Directory makes it very easy to delegate access, and thus most organizations leverage this capability to ease IT management. In most organizations, IT departments have delegated varying levels of access to numerous IT personnel, whether directly, or via group memberships. Delegation of administration is a very useful and powerful capability that if correctly used, could substantially help organizations minimize the number of highly privileged administrators in Active Directory, and thus help them reduce the risk associated with the compromise of a highly privileged Active Directory administrative account.
There is one challenge associated with delegation though which is that although it is easy to delegate access precisely, it is very difficult to assess delegated access precisely, and over time, the state of effective delegated access can change, resulting in a situation wherein many more individuals than should ideally have been delegated specific types of access end up having such access.
This results in a situation wherein many individuals end up being entitled to and having powerful, delegated unauthorized access, which can then be easily misused to compromise organizational security.
For example, a group called Privileged Account Managers could have been delegated the ability to manage administrative accounts, and thus be able to carry out sensitive tasks like being able to reset the password of all Domain Admins. Over time, someone could directly or indirectly, and intentionally or inadvertently modify the membership of this group resulting in a situation wherein more individuals than were initially assigned to this group are now able to carry out these management tasks on these privileged accounts as well.
For instance, someone could accidentally or intentionally make another group called HQ Local Admins a member of this Privileged Account Managers group, resulting in a situation wherein all members of the former group would now also have the same rights as the latter group, and thus also be able to manage the organization's privileged accounts. These changes, and their impact, can sometimes be hard to detect, assess and visualize, resulting in a situation wherein many more individuals than expected end up having escalated levels of privilege which could be accidentally or intentionally misused to inflict damage. In this case, the damage could be the compromise of one of the organization's privileged Domain Admin accounts, and the impact of such a compromise could be, well... we all know what happened at Sony.
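To make the two audit problems above concrete, here is an added example (my own constructed model, not code from this blog or from any product) that serves both Step 2's adminCount LDAP filter and the Privileged Account Managers / HQ Local Admins delegation scenario. It builds a small toy directory, resolves nested group membership transitively (including a membership cycle, which real directories do contain), reconciles the adminCount=1 list against actual membership of the protected groups, and expands the trustees of a few constructed ACEs into the individuals who can effectively reset admin passwords. All names, group members and ACEs are assumptions chosen to mirror the post's examples.

```python
"""Model of Active Directory group nesting and delegated rights.

Constructed toy directory (added example, not the blog's or any product's
code). Group names, members and ACEs are assumptions that mirror the
examples in the post (Privileged Account Managers, HQ Local Admins).
"""
from collections import deque

# Constructed directory: "member" lists direct members (users or groups);
# "adminCount" mirrors the AD attribute that SDProp stamps on protected accounts.
DIRECTORY = {
    "Domain Admins":     {"type": "group", "member": ["alice", "Tier0 Ops"]},
    "Enterprise Admins": {"type": "group", "member": ["alice"]},
    "Tier0 Ops":         {"type": "group", "member": ["bob"]},
    "Privileged Account Managers": {"type": "group",
                                    "member": ["carol", "HQ Local Admins"]},
    "HQ Local Admins":   {"type": "group", "member": ["dave", "erin", "Helpdesk"]},
    "Helpdesk":          {"type": "group", "member": ["frank", "HQ Local Admins"]},  # cycle
    "alice": {"type": "user", "adminCount": 1},
    "bob":   {"type": "user", "adminCount": 1},
    "carol": {"type": "user", "adminCount": 0},
    "dave":  {"type": "user", "adminCount": 0},
    "erin":  {"type": "user", "adminCount": 0},
    "frank": {"type": "user", "adminCount": 0},
    "gina":  {"type": "user", "adminCount": 1},  # left Domain Admins; flag never cleared
}

PROTECTED_GROUPS = ("Domain Admins", "Enterprise Admins")

def effective_members(directory, group):
    """Users that are transitively members of `group`.
    A visited set makes nested-group cycles terminate."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for m in directory[queue.popleft()].get("member", []):
            if directory[m]["type"] == "user":
                users.add(m)
            elif m not in seen:
                seen.add(m)
                queue.append(m)
    return users

def protected_accounts(directory):
    """Union of the effective members of the protected admin groups."""
    out = set()
    for g in PROTECTED_GROUPS:
        out |= effective_members(directory, g)
    return out

def admincount_filter(directory):
    """What (&(objectClass=user)(objectCategory=person)(admincount=1))
    returns: every user object currently stamped adminCount=1."""
    return {n for n, a in directory.items()
            if a["type"] == "user" and a.get("adminCount") == 1}

def stale_admincount(directory):
    """adminCount=1 users no longer in any protected group. SDProp sets the
    flag but does not clear it, so the LDAP filter alone over-reports and
    a defender should reconcile it against real group membership."""
    return admincount_filter(directory) - protected_accounts(directory)

# Constructed ACEs on the OU that holds the admin accounts: (trustee, right).
ADMIN_OU_ACES = [
    ("Domain Admins", "FullControl"),
    ("Privileged Account Managers", "ResetPassword"),
]

def who_holds(directory, aces, right):
    """Every individual who effectively holds `right`, expanding group
    trustees through nesting. FullControl implies every right."""
    holders = set()
    for trustee, r in aces:
        if r in (right, "FullControl"):
            if directory[trustee]["type"] == "group":
                holders |= effective_members(directory, trustee)
            else:
                holders.add(trustee)
    return holders

if __name__ == "__main__":
    print("protected accounts:", sorted(protected_accounts(DIRECTORY)))
    print("stale adminCount:  ", sorted(stale_admincount(DIRECTORY)))
    print("can reset admin passwords:",
          sorted(who_holds(DIRECTORY, ADMIN_OU_ACES, "ResetPassword")))
```

Once HQ Local Admins is nested into Privileged Account Managers, the reset-password holders expand from carol alone to dave, erin and frank as well, which is exactly the silent widening the post describes; and gina shows why an adminCount-based inventory needs to be reconciled rather than trusted.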
This is why delegated administrative access rights are also very important to keep an eye on, because left as is, they could potentially be the weakest link in an organization's cyber security defenses. Fortunately, today solving the delegation audit challenge too has become as easy as touching a button, so organizations can safely use delegation to minimize the number of highly privileged administrative accounts in their Active Directory.
Could This Have Been Prevented?
Cyber security is fundamentally about risk management in computer systems, and any cyber security expert worth his salt will tell you that you can never mitigate 100% of the risk; you can mitigate much of it but not all of it, and you have to manage the part you can't mitigate.
In other words, no one can say with absolute certainty that such a security incident could have been completely prevented.
What I will say, is that with adequate security measures in place, i.e. a combination of adequate security policies, procedures and controls, the likelihood of Sony witnessing a security incident of this magnitude could have been highly minimized.
Organizations around the world can learn from what happened at Sony, and enact adequate risk mitigation measures in a timely manner to minimize the likelihood of hackers being able to pull off an attack of such a devastating magnitude in their IT environments.
5 Risk Mitigation Measures Sony Could have Taken to Reduce their Exposure
Here are 5 risk mitigation measures that Sony could have taken, and that other organizations can take today, to prevent the occurrence of a security incident of this magnitude -
1. Reduce the number of Active Directory administrative personnel to a bare minimum, by separating, distributing and delegating all non-administrative responsibilities amongst and to a large number of relatively less-privileged administrators. For more information on how to do so, please refer to Microsoft's official best-practice guide on Delegation of Administration.
2. Ensure that all administrative delegations in Active Directory adhere to the principle of least privilege. This is very important because unless this is done, perpetrators could compromise a delegated administrator's account and use it to elevate their privilege to that of a Domain Admin. For more information on how to do so, please click here.
3. Afford the highest protection to all Active Directory administrative personnel and groups. This involves protecting these accounts from all avenues of credential compromise (some of them are listed below) as well as assigning dedicated computers for each of these administrative personnel.
4. Ensure that only equally trustworthy individuals can manage these Active Directory administrative personnel and groups. For example, ensure that only equally trustworthy individuals and no delegated administrators have the ability to reset the passwords of these accounts, change critical settings on these accounts (e.g. the userAccountControl attribute), unlock these accounts should they become locked, as well as change/modify the group memberships of any administrative groups (e.g. the Domain Admins group), create and link a GPO to the OU in which the computer account of these admins is stored, as well as manage the OUs in which these user & computer accounts/groups are stored.
5. Use auditing to audit the enactment of management tasks on Active Directory administrative personnel accounts, their computer accounts and Active Directory administrative groups, as well as audit changes in security permissions on any of these objects and on the OUs in which they reside.
Also, any time an Active Directory administrative account holder finds that his/her password is not working, before simply getting it reset, investigate and find out whether or not someone reset his/her password, because if someone did so, chances are that they were in the midst of engaging in Active Directory Privilege Escalation.
In addition to the above, organizations can and should certainly invest in deploying additional security controls to add additional layers of security for their IT resources. However, it must be noted and understood that no matter how many layers you deploy, you CANNOT prevent the administrator of a system from being able to circumvent/disable any such deployed control, because he/she is by definition an administrator of the system, and is thus a part of the system's Trusted Computing Base (TCB).
Further Simplified - 5 Simple Risk Reduction Steps
In case the above risk mitigation measures seem too much to enact immediately, here are 5 simple steps that organizations can take today to reduce their exposure and mitigate this risk:
1. Identify every single administrative account and group in your Active Directory (AD).
2. Identify every single individual who can manage each AD admin account and group.
3. Reduce the number of individuals on these two lists to a bare minimum.
4. Ensure that only the most trustworthy individuals remain on these two lists.
5. Designate a unique, specific computer for logon/use by each of these individuals.
Having done so, establish a schedule (weekly, fortnightly or monthly) to audit both the list of admin accounts and groups and the list of all individuals who can manage them.
Examples of such groups include Enterprise Admins, Domain Admins, etc., and examples of management tasks include resetting their passwords, unlocking these accounts, modifying these groups' memberships, and modifying permissions on these accounts and groups.
For more details and specific risk-mitigation guidance, click here.
Tip 1: Design and use a simple in-house script that shows each administrator the last time a Kerberos ticket was issued for him/her, and the target computer for which it was issued, helping him/her determine whether his/her account has been compromised and may currently be in simultaneous use.
Note: As stated above, organizations should additionally implement other controls, but the steps above are essential because, no matter what additional controls are in place, a system's administrators are by definition part of the system's Trusted Computing Base (TCB) and can thus almost always circumvent and/or disable any additional controls.
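The following is an added example of the kind of in-house script Tip 1 describes, written for this edit and not taken from the original post or from Paramount Defenses. It also covers the earlier advice to find out whether someone else reset an administrator's password before simply asking for a new one. It queries every domain controller's Security log for Microsoft's documented event IDs 4768 (TGT issued, i.e. a domain logon), 4769 (service ticket issued for a specific computer or service account) and 4724 (password reset), and reports when, from which client address and for which target each ticket was issued. It assumes the RSAT ActiveDirectory module, that the DCs audit Kerberos Authentication Service, Kerberos Service Ticket Operations and User Account Management, and that the caller can read the Security log remotely; the function and parameter names are this example's own.

```powershell
# Added example, not from the original post. Shows an administrator the recent Kerberos
# tickets issued for his/her account (when, from where, for which target) and any password
# resets performed on it by someone else, by querying every DC's Security log.
Import-Module ActiveDirectory

function ConvertFrom-EventData {
    # Flattens an event's <EventData><Data Name="..."> elements into a hashtable keyed by Name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    $data
}

function Get-AdminKerberosActivity {
    # 4768 = TGT issued (domain logon), 4769 = service ticket issued (access to a computer/service),
    # 4724 = password reset attempt. Each is logged only on the DC that handled the request,
    # so every DC has to be queried.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEventsPerDc = 20000
    )
    # The events name the account as 'user' (4768, 4724) or 'user@REALM' (4769)
    $userPattern = '^' + [regex]::Escape($SamAccountName) + '(@|$)'
    $filter = @{ LogName = 'Security'; Id = 4768, 4769, 4724; StartTime = $Since }

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -MaxEvents $MaxEventsPerDc -ErrorAction Stop
        } catch {
            Write-Warning "$dc : $($_.Exception.Message)"   # typically 'no events found' or access denied
            continue
        }
        foreach ($e in $events) {
            $d = ConvertFrom-EventData $e
            if ($d.TargetUserName -notmatch $userPattern) { continue }
            $isReset = ($e.Id -eq 4724)
            # Failed ticket requests carry a non-zero result code; only issued tickets matter here
            if (-not $isReset -and $d.Status -ne '0x0') { continue }
            $kind     = if ($isReset) { 'PASSWORD RESET' } elseif ($e.Id -eq 4768) { 'TGT (domain logon)' } else { 'Service ticket' }
            $target   = if ($isReset) { '' } else { $d.ServiceName }   # 'krbtgt' for a TGT; the service/computer account for 4769
            $clientIp = if ($isReset) { '' } else { $d.IpAddress -replace '^::ffff:', '' }
            $resetBy  = if ($isReset) { "$($d.SubjectDomainName)\$($d.SubjectUserName)" } else { '' }
            [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Event = $kind; Target = $target; ClientIP = $clientIp; ResetBy = $resetBy }
        }
    }
}

# Usage (run as the administrator being checked). TGTs requested from more than one client
# address in the window, or a reset not performed by the account holder, is exactly what the
# post says to investigate before simply asking for a new password.
$me = $env:USERNAME
$activity = @(Get-AdminKerberosActivity -SamAccountName $me)
$activity | Sort-Object Time -Descending | Select-Object -First 25 | Format-Table -AutoSize
"Client addresses that obtained a TGT for $me in the window:"
$activity | Where-Object { $_.Event -eq 'TGT (domain logon)' } | Group-Object ClientIP |
    Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count,
                  @{ n = 'Last'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } | Format-Table -AutoSize
"Password resets of $me performed by someone else:"
$activity | Where-Object { $_.Event -eq 'PASSWORD RESET' -and $_.ResetBy -notmatch ('\\' + [regex]::Escape($me) + '$') } |
    Format-Table Time, DC, ResetBy -AutoSize
```

Two TGT client addresses for one account inside a few hours is not proof of compromise (an administrator may legitimately have two sessions), but for accounts that are supposed to be used from exactly one designated computer, as the steps above require, it is the signal to act on. The -MaxEvents cap keeps the query bounded on busy DCs; widen it, or narrow -Since, as the volume of your Security log dictates.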
Common Account Compromise Avenues
Here are some common ways in which someone could attempt to compromise an administrative account -
Guess the user's password
Brute-force the user's password
Obtain the account's password hash and crack it offline to recover his password
Deploy key-stroke logging software on the user's computer to capture his password
Social engineer the user into entering his password on a fake website, and capture that entry
Social engineer the user into logging on to a compromised computer, and capture his hash
Reset the user's password
Coerce the user into giving you his password
Interestingly, of all the ways listed, the easiest way to compromise an administrator's account is to reset his password.
Here's why -
Most organizations have account lockout policies in place, making password guessing and brute-forcing difficult. Obtaining the password hashes requires physical or system-level access to a domain controller (or to a copy of its database), which is not easy to obtain. Deploying a keystroke logger requires system access to the admin's computer (since you need the privilege to install a driver), and that may or may not be easy. Social engineering a user into entering his password on a fake site and/or logging on to a compromised computer requires some social engineering skill. Coercing the user will most likely involve physical intimidation and thus requires physical access to the user.
In contrast, a password reset can be performed from halfway around the world in about 30 seconds, as long as you have sufficient effective permissions to reset the user's password. With a little creativity and the right tools, such permissions can usually be obtained rather quickly. (It turns out that it is very difficult to accurately assess who can reset whose passwords, so organizations are seldom able to accurately assess, and thus precisely control, who can reset whose passwords; as a result, many more individuals than should be able to can actually reset someone's password.)
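An added example, written for this edit and not taken from the original post or from Paramount Defenses, that does the first two of the "5 simple steps" above and answers the question just raised, who can reset whose passwords, for every administrative account and group at once. It takes the accounts and groups Active Directory itself marks as administrative (adminCount = 1, the flag SDProp stamps on members of protected groups), then lists, for each of them and for the OU that contains it, every trustee holding a right that amounts to control: reset password, write to member or userAccountControl, GenericAll, WriteDacl, WriteOwner and, on the OU, write to gPLink or create/delete child objects. Trustees that are groups are expanded recursively so the second list is a list of individuals. It assumes the RSAT ActiveDirectory module and a domain-joined session; the GUIDs are Microsoft's published schema and extended-right GUIDs, and the $Expected allow-list is an assumption to tune to your forest. Note the limitation the post itself points at: this reads raw ACEs and does not expand property sets, weigh deny ACEs or follow trusts, so the output is an upper bound to review, not a computed effective-access verdict.

```powershell
# Added example, not from the original post. List 1: every administrative account and group.
# List 2: every individual who can manage one of them (or its containing OU).
Import-Module ActiveDirectory

# Microsoft's schema/extended-right GUIDs; Guid.Empty in an ACE means "all properties"/"all rights".
$Guid = @{
    Any                = [guid]'00000000-0000-0000-0000-000000000000'
    ResetPassword      = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
    Member             = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    UserAccountControl = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'
    GpLink             = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
}
# Trustees you expect to hold control rights over admin objects. Assumption: tune this to your forest.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

function Get-ControlAces {
    # One row per allow ACE on the object whose right lets the trustee take the object over.
    param([Parameter(Mandatory)][string]$DistinguishedName, [switch]$IsContainer)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        # Deny ACEs grant nothing; inherit-only ACEs apply to children, not to this object itself
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $rights = $ace.ActiveDirectoryRights
        $type   = $ace.ObjectType
        $why = $null
        if     ($rights.HasFlag($R::GenericAll)) { $why = 'GenericAll' }
        elseif ($rights.HasFlag($R::WriteDacl))  { $why = 'WriteDacl (can grant itself anything)' }
        elseif ($rights.HasFlag($R::WriteOwner)) { $why = 'WriteOwner (can take ownership, then WriteDacl)' }
        elseif ($rights.HasFlag($R::ExtendedRight) -and ($type -in @($Guid.Any, $Guid.ResetPassword))) { $why = 'Reset password' }
        elseif ($rights.HasFlag($R::WriteProperty) -and ($type -in @($Guid.Any, $Guid.Member, $Guid.UserAccountControl, $Guid.GpLink))) {
            $name = if ($type -eq $Guid.Any) { 'all properties' } else { ($Guid.GetEnumerator() | Where-Object { $_.Value -eq $type }).Key }
            $why = "Write $name"
        }
        elseif ($IsContainer -and ($rights.HasFlag($R::CreateChild) -or $rights.HasFlag($R::DeleteChild))) { $why = 'Create/delete child objects' }
        if ($why) {
            [pscustomobject]@{ Object = $DistinguishedName; Trustee = $ace.IdentityReference.Value; Right = $why; Inherited = $ace.IsInherited }
        }
    }
}

function Expand-Trustee {
    # Resolves 'DOMAIN\Name' to individual accounts; groups are expanded recursively.
    param([Parameter(Mandatory)][string]$Name)
    $sam = $Name.Split('\')[-1]
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)"
    if (-not $obj) { return $Name }   # well-known principals such as NT AUTHORITY\SYSTEM have no AD object
    if ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive -ErrorAction SilentlyContinue | ForEach-Object { $_.SamAccountName }
    } else { $sam }
}

# List 1: everything AD marks as administrative. adminCount=1 can linger on objects removed from
# protected groups, so stale entries here are themselves worth a look.
$adminObjects = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectCategory=person)(objectCategory=group)))'
$containers   = $adminObjects.DistinguishedName -replace '^.*?(?<!\\),', '' | Sort-Object -Unique   # parent OU, honouring escaped commas

$findings = @(foreach ($dn in $adminObjects.DistinguishedName) { Get-ControlAces -DistinguishedName $dn }) +
            @(foreach ($dn in $containers) { Get-ControlAces -DistinguishedName $dn -IsContainer })
$unexpected = $findings | Where-Object { $_.Trustee -notin $Expected } | Sort-Object Object, Trustee, Right -Unique

"List 1: $($adminObjects.Count) administrative accounts/groups in $($containers.Count) containing OUs"
$unexpected | Format-Table Object, Trustee, Right, Inherited -AutoSize
"List 2: individuals who can manage an administrative account or group (expected trustees excluded):"
$unexpected.Trustee | Sort-Object -Unique | ForEach-Object { Expand-Trustee $_ } | Sort-Object -Unique
```

Run it on the schedule the steps above call for and diff the two lists against the previous run; a new trustee on an admin object, a new member of a group that is a trustee, or a newly delegated OU is exactly the change that precedes a password reset by someone who should not be able to perform one.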
Penetration Testing - Overrated
Folks, whether you turn on your television set or look at the online media coverage of the Sony hack, you'll find many self-proclaimed cyber-security experts opining on the subject. You'll also find some cyber-security companies, particularly those in the penetration testing space, claiming that penetration testing could have helped Sony prevent this. That's lame.
You see, a penetration test is merely a tactical security measure designed to assess an organization's security defenses at a given point in time. While the findings of a penetration test can certainly help identify specific areas for improvement, it is not the "fix" itself, and it gives you only a moment-in-time assessment. (Besides, a cyber-security company's or professional's penetration testing capabilities depend on their skill-set and tool-set, and even the world's leading penetration testing companies are novices at best when it comes to assessing the myriad advanced ways in which a malicious insider could gain administrative access in Active Directory.)
In essence, penetration testing can at best help you identify your security worthiness at a given point in time, and given how rapidly the state of access changes in an environment, the value of a pen test is rather limited in contrast to your ability to actually "fix" the problem, i.e. in this case, to minimize the number of highly privileged administrative personnel in your Active Directory deployment.
Colossal Impact
What happened at Sony was tantamount to a complete and system-wide compromise of an organization's IT infrastructure.
Trying to put a price on the cost of this security incident is very difficult. Suffice it to say that in the long run it could potentially exceed the net worth of the organization, if you take into account not just the lawsuits that they are now going to face but, more so, the intangible losses, i.e. the loss of trust, damage to reputation, etc.
In addition, if their IP was stolen as well, it could really impact their ability to stay competitive, and because the products they develop and sell operate largely in commoditized spaces, the loss of IP could have profound implications for their business in the long run.
If this is not enough to be a wake-up call for the rest of the world, I don't know what else can drive home the point any better.
Reiterated This A Year Ago
This isn't rocket science; it's common sense. But perhaps, as they say, common sense is not so common. At Paramount Defenses, we saw this coming years ago, and in addition to documenting this in The Paramount Brief, I reiterated this in this blog entry last year. (The quoted passages below are from that old blog post.)
"It is SO powerful that one who knows how to exploit it can use it to instantly take over virtually any Microsoft Windows Server based IT infrastructure in the world." In this case, the IT infrastructure was Sony's, and the perpetrators did take it over.
"With sufficient effort, it can also be used to develop an exploit that can then be packaged into a malicious payload that can automate the disruption / destruction of any Active Directory deployment of choice within hours to days." As you may know, at Sony, the hackers deployed malware to disrupt virtually all of Sony's computers.
"Once determined, this information can be easily used to perform single/multi step privilege escalations and ultimately gain varying levels of, and usually complete, administrative access...Once an attacker has gained Domain Admin access in your environment, he could do whatever he/she wants." U.S. officials that were briefed on the investigation told CNN that "U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony's computer system, allowing them broad access"
"...once you have compromised his account, you're a minute away from owning the kingdom...The attack surface is vast, and the prize is the coveted "keys to the kingdom"." The same U.S. officials also said that "The hackers ability to gain access to the passwords of a top-level information technology employee allowed them to have "keys to the entire building"."
I could share many more quotes from that blog entry, but out of respect for your time (and mine), I'll share just these two pertinent ones...
"So you see, virtually every IT resource in the Active Directory is a potential target. I'll say this again - technically ANYONE with a Domain User account could take HOURS/DAYS/WEEKS to determine effective access in your environment, and find privilege escalation paths, and when he has, at a time of his choice, he could make his move i.e. WITHIN MINUTES, exploit the identified privilege escalation paths to take over the entire IT infrastructure."
and, finally...
"...imagine what a foreign government can do with 1000s of personnel devoted to building something like this, especially if you consider what is at stake, and what can be had."
Well, my 10 minute timer just rang, so this will have to end right here. But, just one more thing...
Who's Next? (Every Organization is Vulnerable - The Whole World Sitting on a Ticking Bomb?)
As I mentioned above, what (most likely) happened at Sony was rather simple: hackers compromised a single administrative account, used that access to obtain virtually unrestricted access to and steal a colossal amount of corporate data, and finally used the stolen data to wreak havoc on the organization. To rub it in, they went a mile further and developed and deployed malware that destroyed a majority of Sony's computers.
Sadly, ONE Active Directory administrative account is all one needs to carry this out. Just ONE.
Speaking of which, since over 85% of the world operates on Active Directory, and in 99% of these IT infrastructures the organizations not only have absolutely no idea exactly how many administrative accounts and groups they have in Active Directory but also seem to have no idea exactly who is delegated what access on those administrative accounts and groups, a song featured in the movie November Man comes to mind...
From the world's most powerful governments to the world's top business organizations, over 85% of the world is vulnerable today, and as hackers become more sophisticated, unless organizations start to take this SERIOUSLY, anyone could be next.
Incidentally, a year ago, I ended that blog post with the following words... "Unaddressed though, it is a ticking time-bomb..."