It's time to stop ignoring prevention. A thread:
Point #1: Red teamers know how, year after year, the same tools and methodologies can be used to take over almost any organization running Active Directory. Sometimes even the same exact attack path steps find their way into reports year after year.
We shouldn't be satisfied with doing the same attacks against our clients for years (even decades) and collecting paychecks - what exactly is the point of all this tail-chasing if things aren't getting better?
The reliability of tools like Mimikatz, Responder, and BloodHound is a huge problem. I love Responder. Responder came out in October of 2012. If we are still reliably using Responder in October of 2022, a full decade after its initial release, that's a failure that we all own.
Point #2: No control is a panacea, including detection. Investing heavily into detection is an attractive proposition because detection almost never means needing to change the status quo: users keep privileges, networks remain flat, and dangerous configurations go ignored.
Investment in detection becomes dangerous when it comes at the cost of other critical security controls, like prevention. You don't expect detection to protect you from EternalBlue, Heartbleed, and $exploitoftheday. Why do you expect it to protect you from PsExec, WMI, and RDP?
Point #3: Vulnerability Management has given us the tools, methodologies, and vocabularies to effectively mitigate and manage the risks brought on by vulnerabilities. But historically, the same tools, methodologies, and vocabularies haven't existed for identity-based prevention.
Graph-based tools like FOSS #BloodHound, Stormspotter by @mcohmi, and Microburst by @kfosaaen have finally made it possible to easily understand outbound, inbound, and effective permissions against any securable object.
As those tools, their commercial counterparts, and associated methodologies and vocabularies mature, I believe we will finally see a fundamental shift in post-exploitation tactics. This will be a good thing for everyone involved: defenders, red teams, detection vendors, etc.
Will this happen overnight? No.
But will it be easy? Also no.
But I believe we're on the right track with things like BloodHound Enterprise, Attack Path Management, and others we compete with and complement who are loudly saying the same thing we are saying: it's time to get serious about prevention. /thread
Keep Current with Andrew Robbins