One year ago this week I published The Attack Path Management Manifesto, which you can read here: medium.com/p/3a3b117f5e5
It's a long read, so in this thread I'm going to give you the most succinct version of the manifesto I can:
Adversaries have been abusing identity-based attack paths -- in particular those that emerge in Active Directory environments -- for over 20 years. Why? There are three major reasons:
1. Active Directory is the FOUNDATION upon which all identity and access in the enterprise is built. Your workstation? AD auth. Your CI/CD pipeline? AD via ADFS. Your network devices? AD via RADIUS.
Control the foundation and you control the enterprise.
2. Active Directory is the UBIQUITOUS directory service used by the vast majority of businesses of all size. AD is ubiquitous, and so are the issues that pop up in almost all AD environments.
Ubiquity means adversaries master attacking AD once and use those skills anywhere.
3. What can Active Directory admins do? Anything. If you can imagine it, a Domain Admin can do it. Active Directory is immensely POWERFUL.
Adversaries use that power for their own purposes, accessing any data or system they want.
AD remains an attractive target for those three reasons, but also because:
1. Controlling AD offers unmatched payoff compared to controlling anything else. 2. Common weaknesses exist across most AD environments. 3. Effective detection remains out of reach for most orgs.
4. Controlling AD means the adversary can embed very deep persistence that is very hard to find. 5. Adversaries get unlimited retries when attacking AD. That's not unique to AD, but the more an adversary learns about the environment, the more effectively they can attack it.
Ok. So why aren't current solutions solving the problem of attack paths in Active Directory? Put simply: they aren't designed or intended to.
Vulnerability Management doesn't solve the problem of attack paths because vuln mgmt is focused on the impact that bugs or misconfigurations have to one computer, not the impact they have to the entire organization.
Red Team assessments don't solve the problem of attack paths because while they may surface one or two fully fledged attack paths, the unfortunate reality is that millions (even billions) of attack paths remain unseen.
Detection doesn't solve the problem of attack paths because most attack path steps abuse configurations using legitimate administrative protocols and tools. Telling the difference between legit and malicious behavior remains mostly academic.
Ok. So what does Attack Path Management actually DO to solve the problem of attack paths? APM solves the problem of attack paths by leaning heavily into the organizational barriers that prevent most orgs from solving attack paths themselves.
We have *always* had the tools to prevent the emergence of attack paths, but they have *never* been practical to actually implement.
In particular, those two tools are the Principle of Least Privilege and Tiered Administration.
APM is designed to make Least Privilege and Tiered Administration EASY to implement and maintain.
Here's how it works:
First we create a comprehensive map of all users, computers, and other abusable objects and the abusable connections between them. You can think of this as being analogous to a map of the United States:
With this map, we know how the adversary can get from any asset to any other asset. APM creates a sort of "Google Maps" for Active Directory.
Let's talk about how APM makes Tiered Administration easy. In our analogy, our Tier Zero is the island of Manhattan:
Anything INSIDE of Tier Zero is allowed to control anything ELSE inside of Tier Zero. Your Domain Admins can reset each others' passwords. Your Domain Controllers store your Domain Admins' credentials. That's ok!
But anything OUTSIDE of Tier Zero with a connection INTO Tier Zero is a violation of Tiered Administration. In our analogy this would be all of the bridges and tunnels into Manhattan:
In real life the number of tiering violations can number in the hundreds or thousands, and so we must give these violations some risk-based priority. We do this by ranking the connections in descending order of how much of the environment can get to Tier Zero via that path.
In our analogy, consider the Brooklyn Bridge. This bridge connects the whole of Long Island to Manhattan (let's pretend the Whitestone and Throgs Neck bridges don't exist):
But what about the Lincoln Tunnel? That tunnel directly connects New Jersey into Manhattan, but then it also connects *the rest of the country* as well:
In this analogy we'd say the Lincoln Tunnel has a score of 99% and the Brooklyn Bridge has a score of 1%.
In Active Directory we're looking at abusable configurations and user behaviors and ordering the risk those individual issues present to the entire organization.
For Least Privilege we do the same thing but in reverse: we find and rank order privileges held that present the greatest risk to the organization.
What is the impact APM has on organizations? We have a commercial product that does APM called BloodHound Enterprise. What we are *typically* seeing is that most customers start off with around 85% or more composite risk rating, meaning 85% of the org can compromise Tier Zero.
Most of our customers are able to reduce that figure to below 15% in their first 30 days.
"...this case does not meet the bar for servicing by MSRC and we will be closing this case..."
and:
"...This is considered by-design..."
A quick thread on what the "issue" is and why MSRC is right 🧵
While preparing for my @WWHackinFest talk, I was creating demo videos showing Managed Identity abuse primitives in various Azure services. For example, you can remotely extract the JWT for a VM's managed identity like this:
My abuse primitive demo for Logic Apps was a little different: I was using the Logic App to add a secret to another Service Principal, then capturing the output in the Logic App, showing the other Service Principal's new key credential in plain text:
Yesterday in my webinar on ACR Task abuse, I shared this slide with the question, "What privileges are needed to bridge this trust boundary?"
A thread about the differences between Explicit and Emergent IDP Trusts: 🧵
In its default state, an Azure tenant enforces a trust boundary around itself. The Azure Security Token Service (STS) for this tenant will only authenticate principals within this tenant. In other words: only users in your tenant can access anything in your tenant.
"Global Admins" and "External Identity Provider Administrators" can configure various types of Explicit Trusts with other Identity Providers (IDPs), and then allow foreign users to access resources in the tenant:
Users in Azure deserve attention from attackers and defenders. But Service Principals deserve as much attention, and actually maybe deserve much more attention than users. A quick thread on why, and resources for attackers and defenders:
First, the password reset system in Azure has tiered administration baked into it. Only your T0 users can reset T0 users' passwords:
The #BloodHoundEnterprise team's working culture, as explained by Marcus Aurelius, a short thread: 🧵
“The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane.”
We are not afraid of challenging the status quo and doing things radically different than what came before.
“If someone is able to show me that what I think or do is not right, I will happily change, for I seek the truth, by which no one was ever truly harmed. It is the person who continues in his self-deception and ignorance who is harmed.”
There are 3 major reasons I see why we should not be blaming the people behind these dangerous configurations:
First: It doesn't help. Honestly, what evidence do we have that screeching at admins to do "the basics" has created positive outcomes?
Second: Don't forget where you came from. No one is born with all the knowledge needed to avoid these mistakes. What you see as "basic", someone else sees as secret arcane knowledge. A little empathy goes a long way here.