Andy Robbins
Product Architect of BloodHound Enterprise. Co-creator of BloodHound. Please donate to MDA: https://t.co/wtLm1eFzRc. He/him. @SpecterOps. Mstdn: @wald0@infosec.exchange

Feb 20, 2019, 7 tweets

1/n Domain trust boundaries are not, of course, security boundaries; however, many organizations effectively treat them as such. #BloodHound's attack graph tells the real story of how isolated our domains are from each other. Take this simple 3-domain forest for example.

2/n The domain trust map is pretty simple. Domain 1 is trusted by Domain 2, and Domain 2 is trusted by Domain 3. (This is real, anonymized data). So principals in Domain 1 can query Domain 2 or 3 for information, but no privileges are implied by default.

3/n With #BloodHound we can easily find the shortest attack paths from "Domain Users" in Domain 1 to "Domain Admins" in Domain 3. Pretty easy attack path, and very common situation in the real world:

4/n With some Cypher, we can find every "bridge" between each domain. Here, I'm seeing how many users in "Domain 1" have admin rights on computers in "Domain 2".

5/n We can increase our scope and build a matrix of all these cross-domain "bridges" to see where our biggest issues are. We have [n,m], where "n" is the number of users from the domain column, and "m" is the number of computers in the domain row those users have admin rights on.

6/n To make this data a little easier to digest, we can visualize it as a Sankey diagram (a Chord diagram would also be cool to see).

7/7 Don't treat domain trust boundaries as security boundaries? Good! But if you must (re-architecting a decade-old forest is very expensive work), you can use this methodology to find those hidden doors between your domains. We will show you how in March.
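The [n,m] bridge matrix from tweets 4 and 5, as an added example that is not code from the thread: it resolves nested group membership and counts, for each pair of domains, the users with admin rights across the boundary and the computers they reach. The node names, domains and edges are constructed sample data; only the edge names MemberOf and AdminTo follow BloodHound's relationship types.

```python
from collections import defaultdict

# Constructed sample graph (not data from the thread): node -> (kind, domain).
NODES = {
    "alice": ("User", "D1"), "bob": ("User", "D1"), "carol": ("User", "D2"),
    "helpdesk": ("Group", "D1"), "server-ops": ("Group", "D2"),
    "tier1": ("Group", "D2"), "ws01": ("Computer", "D1"),
    "srv01": ("Computer", "D2"), "srv02": ("Computer", "D2"),
    "app01": ("Computer", "D3"),
}
# Directed edges named after BloodHound's MemberOf and AdminTo relationships.
MEMBER_OF = [("alice", "helpdesk"), ("bob", "helpdesk"),
             ("helpdesk", "server-ops"),  # group nested across the trust
             ("server-ops", "tier1"), ("tier1", "server-ops"),  # nesting loop
             ("carol", "server-ops")]
ADMIN_TO = [("server-ops", "srv01"), ("tier1", "srv02"),
            ("carol", "app01"), ("alice", "ws01")]


def admin_targets(user, member_of, admin_to):
    """Computers a user administers directly or through nested groups."""
    seen, stack = {user}, [user]
    while stack:  # depth-first walk; `seen` stops nesting loops
        for parent in member_of.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return {c for p in seen for c in admin_to.get(p, ())}


def bridge_matrix(nodes, member_edges, admin_edges):
    """Map (user_domain, computer_domain) -> [n users, m computers]."""
    member_of, admin_to = defaultdict(set), defaultdict(set)
    for src, dst in member_edges:
        member_of[src].add(dst)
    for src, dst in admin_edges:
        admin_to[src].add(dst)
    users, computers = defaultdict(set), defaultdict(set)
    for name, (kind, domain) in nodes.items():
        if kind != "User":
            continue
        for comp in admin_targets(name, member_of, admin_to):
            pair = (domain, nodes[comp][1])
            if pair[0] != pair[1]:  # keep only cross-domain bridges
                users[pair].add(name)
                computers[pair].add(comp)
    return {p: [len(users[p]), len(computers[p])] for p in users}
```

Same-domain admin rights (alice on ws01, carol on srv01 and srv02) are dropped, so every cell left in the result is a bridge to review and remove.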
