One year ago this week I published The Attack Path Management Manifesto, which you can read here: medium.com/p/3a3b117f5e5
It's a long read, so in this thread I'm going to give you the most succinct version of the manifesto I can:
It's a long read, so in this thread I'm going to give you the most succinct version of the manifesto I can:
Adversaries have been abusing identity-based attack paths -- in particular those that emerge in Active Directory environments -- for over 20 years. Why? There are three major reasons:
1. Active Directory is the FOUNDATION upon which all identity and access in the enterprise is built. Your workstation? AD auth. Your CI/CD pipeline? AD via ADFS. Your network devices? AD via RADIUS.
Control the foundation and you control the enterprise.
Control the foundation and you control the enterprise.
2. Active Directory is the UBIQUITOUS directory service used by the vast majority of businesses of all size. AD is ubiquitous, and so are the issues that pop up in almost all AD environments.
Ubiquity means adversaries master attacking AD once and use those skills anywhere.
Ubiquity means adversaries master attacking AD once and use those skills anywhere.
3. What can Active Directory admins do? Anything. If you can imagine it, a Domain Admin can do it. Active Directory is immensely POWERFUL.
Adversaries use that power for their own purposes, accessing any data or system they want.
Adversaries use that power for their own purposes, accessing any data or system they want.
AD remains an attractive target for those three reasons, but also because:
1. Controlling AD offers unmatched payoff compared to controlling anything else.
2. Common weaknesses exist across most AD environments.
3. Effective detection remains out of reach for most orgs.
1. Controlling AD offers unmatched payoff compared to controlling anything else.
2. Common weaknesses exist across most AD environments.
3. Effective detection remains out of reach for most orgs.
4. Controlling AD means the adversary can embed very deep persistence that is very hard to find.
5. Adversaries get unlimited retries when attacking AD. That's not unique to AD, but the more an adversary learns about the environment, the more effectively they can attack it.
5. Adversaries get unlimited retries when attacking AD. That's not unique to AD, but the more an adversary learns about the environment, the more effectively they can attack it.
Ok. So why aren't current solutions solving the problem of attack paths in Active Directory? Put simply: they aren't designed or intended to.
Vulnerability Management doesn't solve the problem of attack paths because vuln mgmt is focused on the impact that bugs or misconfigurations have to one computer, not the impact they have to the entire organization.
Red Team assessments don't solve the problem of attack paths because while they may surface one or two fully fledged attack paths, the unfortunate reality is that millions (even billions) of attack paths remain unseen.
Detection doesn't solve the problem of attack paths because most attack path steps abuse configurations using legitimate administrative protocols and tools. Telling the difference between legit and malicious behavior remains mostly academic.
Ok. So what does Attack Path Management actually DO to solve the problem of attack paths? APM solves the problem of attack paths by leaning heavily into the organizational barriers that prevent most orgs from solving attack paths themselves.
We have *always* had the tools to prevent the emergence of attack paths, but they have *never* been practical to actually implement.
In particular, those two tools are the Principle of Least Privilege and Tiered Administration.
In particular, those two tools are the Principle of Least Privilege and Tiered Administration.
APM is designed to make Least Privilege and Tiered Administration EASY to implement and maintain.
Here's how it works:
Here's how it works:
First we create a comprehensive map of all users, computers, and other abusable objects and the abusable connections between them. You can think of this as being analogous to a map of the United States: 
With this map, we know how the adversary can get from any asset to any other asset. APM creates a sort of "Google Maps" for Active Directory.
Let's talk about how APM makes Tiered Administration easy. In our analogy, our Tier Zero is the island of Manhattan:
Let's talk about how APM makes Tiered Administration easy. In our analogy, our Tier Zero is the island of Manhattan:
Anything INSIDE of Tier Zero is allowed to control anything ELSE inside of Tier Zero. Your Domain Admins can reset each others' passwords. Your Domain Controllers store your Domain Admins' credentials. That's ok!
But anything OUTSIDE of Tier Zero with a connection INTO Tier Zero is a violation of Tiered Administration. In our analogy this would be all of the bridges and tunnels into Manhattan:
In real life the number of tiering violations can number in the hundreds or thousands, and so we must give these violations some risk-based priority. We do this by ranking the connections in descending order of how much of the environment can get to Tier Zero via that path.
In our analogy, consider the Brooklyn Bridge. This bridge connects the whole of Long Island to Manhattan (let's pretend the Whitestone and Throgs Neck bridges don't exist):
But what about the Lincoln Tunnel? That tunnel directly connects New Jersey into Manhattan, but then it also connects *the rest of the country* as well:
In this analogy we'd say the Lincoln Tunnel has a score of 99% and the Brooklyn Bridge has a score of 1%.
In Active Directory we're looking at abusable configurations and user behaviors and ordering the risk those individual issues present to the entire organization.
In Active Directory we're looking at abusable configurations and user behaviors and ordering the risk those individual issues present to the entire organization.
For Least Privilege we do the same thing but in reverse: we find and rank order privileges held that present the greatest risk to the organization.
What is the impact APM has on organizations? We have a commercial product that does APM called BloodHound Enterprise. What we are *typically* seeing is that most customers start off with around 85% or more composite risk rating, meaning 85% of the org can compromise Tier Zero.
Most of our customers are able to reduce that figure to below 15% in their first 30 days.
You can learn more about #BloodHoundEnterprise at bloodhoundenterprise.io
You can learn more about #BloodHoundEnterprise at bloodhoundenterprise.io
• • •
Missing some Tweet in this thread? You can try to
force a refresh
