Why Active Directory is the Prime Cyber attack Target - and what to do about it!

Thank you very much. Pleasure to being here and just the size of the room and how it's filling up shows that this topic is still of much more interest than you would've maybe thought about 20 years ago when, 23 years ago when Active Directory came to market, my name Guru Grill Meyer, I work as principal technologist for St. Paris and we obviously have commercial products to help secure active directory, et cetera. I'm not gonna talk about those though. I'm gonna talk about why is it a topic that you should care about. Yeah, so I mean we're, we've, this is actually really cool about this conference, this that covers new technologies of how to secure new application, new frameworks, new ways to actually secure your environment for the applications of the future. Now how many still have applications of the past? Yeah, basically legacy applications that are 80 integrated that still authenticate against that.
If you still want legacy infrastructure identity system. Yeah. That's what Active Directory is about. And how many have connected to it one way or another through synchronization, through syncing their idea accounts into the cloud. Often of course Microsoft Azure, but not only, yeah. And which one is the leading directory in your environment? There are efforts of course to get away from the on-prem active directory, but plenty of businesses still rely for many years against the on-prem active directory because that is where the business runs. That's often where manufacturing requires connectivity to their systems, et cetera. So active directory, if that's not secure for many organizations, that means your whole organization is not secure. And I'm not gonna go through these different attack scenarios here. Interesting though, just one probably to highlight here, SolarWinds, we all know or should be aware that that was one of those, let's say, very well known attacks at the end of 2020, where what we do recall is Orion code was updated solar from SolarWinds there.
Their platform to actually protect other customers is the Orion software. And that code was updated, the code was kept in the cloud, Azure DevOps, but the intruders initially to get into that company and then attack the cloud needed to crack the on-prem environment first because that's where they got in. And that's when they breached active directory stole the certificates from their ADFS environment for, from their federation systems that were used to actually connect to the cloud and authenticate you against that. So, you know, there is often that bridge when you're on-prem ad is broken or at least attack that then your cloud applications are also at risk at least. And this lovely slide is basically only there to show you how old is this what we're talking about? We're talking about on-prem active directory that only made, came to market in with Windows 2000 in the year 2000.
Lots of changes have happened over time, but they stopped in 2016. Yeah, 2016 is the latest operating system version and functional level that we have with active directory. And that means since, well seven years you were on your own. Yeah, Microsoft does continue to do patching of course, but no new features. All the development is against the cloud and of course everybody wants to get there with all the apps, but that's a long term transformation for many companies and many are not necessarily on that step to actually move to the cloud so that Microsoft will of course continue to support active directory for years to come at the same time where there's, you know, no new features coming with active directed at the same time you have the bring your own device, sorry, the, the, the whole story of, of Ransomwares that go into your environment and also it's actually not bring your own device here with your bring your own vulnerable driver.
Totally different type of attack phases these days that are actively being used in your environment. It's, it's not just a Microsoft Patches who's doing really good driver patches of your graphic cards, of your network infrastructure cards, the Nicks, whatever the, the interfaces that you have. A lot of them require system level drivers that are not well upkept at the same time when the guy gets in and is able to use any of your system for running command and control system through some of your user clicking on those damn phishing links. Yeah. That are still the phishing males that are still providing a lot of attacks or are used and a lot of those attacks to actually succeed to get inside. The next step for most of those, those attacks is always to perform recon reconnaissance in Neuroactive directory to find out how can I elevate my privileges?
And Microsoft, Microsoft has made that very easy and that's what we're gonna have a look at. Why is that so easy? Because of course for the intruders, they don't really care about your ad. They care about your data, your apps that they can attack with privileges that you brought through Active directory ad is just a mechanism for them, be it on-prem or be it in the cloud. Just think about how you sync accounts into the cloud. That system often Azure AD Connect of course has permissions in both directions and you can attack that also to get to the cloud. And what our company takes care of is of course to monitor that whole system, the whole environment of active directory with its different vulnerabilities pointing out what are the things that you need to take care of. There were plenty of talks now that talked about the vulnerabilities of the relevant technology and active directory is just one of them.
It's not just at the operating system layer, it's obviously inside active directory, how you have configured it and how Microsoft has configured many of the default permissions in it. That's what we're gonna have a look at next. Now, you might not be able to read the slide, especially from the back, but what I'm showing here is from a brand new deployed active directory domain, you know, newly deployed force with a newly promoted domain on a server 2022, the newest release from Microsoft, you still have a particular object as a member in the so-called pre Windows 2000 compatible access group. Just think about that name, pre Windows 2000 and then understand that authenticated user means everybody in your force. Not just people but also machines. Every machine account is a user in active directory. And so is of course all of your users in any part of your force, they're part of the authenticated users and by default they are if you haven't ripped them out, which I recommend anybody to do, but it's a bit tough to do it just now on a Monday morning.
Yeah. Because it, it takes a little bit of a preparation to get there. If you haven't done it, it's, it's, it's work. But if you don't find that in your environment anymore, you're already one step further than many of your competitors because that permission basically brings you back into NT compatibility. Pre Windows 2000 means Windows NT compatible. And one huge advantage of active directories capabilities is of course attribute level permissions, which ENT didn't have. And here this thing gives object level permissions, read permissions for everybody so that everybody can see who's in which groups, who has the must set password flag said, who has kist delegations set all those tentatively sensitive attributes you make available to an intruder to find who to go after. But it gets more fun. And by the way, this is, you know, more details you can find on our blog on that topic.
But it gets more fun because your most privileged users are not part of those, you know, they're protected in a way that they don't get the default permissions synchronized or actually inherited right from the top of the root of the domain. They are protected and inheritance is disabled because they're protected by this so-called admin SD holder object. And the admin SD holder is sort of the template for permissions to give to your most privileged users, domain admins, domain admin group, enterprise admin group, and any members of that. But guess what, by default you again have that pre minus 2000 compatible access group and just in case it's empty in your case, even authenticated users in there. And it's like why? Again, that's part of what makes active directory so easily attackable in that one is really easy to change. None of your users, your normal users and none of your applications truly need to know who are your domain admins.
They don't need to, they don't need to know the, a lot of that sensitive data. And so you can also disable that and basically replace it with a different group to, to add machines and users that you do want to enumerate those accounts. But not every user needs that. I'll show you later what it means if you take that out, that permission and what it really means for an attacker, how it influences them or impacts them in the attack phase. Now again, I'm not gonna talk about our commercial products, but it is actually quite interesting for you to know that we have quite powerful free products for you to use. All of the products that see on this slide are free products. And every second one here is a product from St. Paris Bloodhound, fairly well known, especially also on the hacker side to, to interrogate and do recon reconnaissance in your environment to see how do I get the easiest to the privileged users and how do I, which path of an attack do I need to take?
And Samper has a free tool called Forest Stewart. Been released roughly half a year ago. Very successful. Makes it even easier for the defenders. It's meant for the defenders, not so much for the intruders because this one is UI driven and but you don't need to install anything. You basically download it and run it and have a visualization of the attack path and know what objects are able to get to your tier zero systems. And Pink Castle is fairly well known to scan vulnerabilities in active directory and our product to do the same, just even easier and very, very, let's say explicit about what it finds and explains to you what you should change in your environment is purple night. So again, not gonna, don't have the time to talk much about forest through it, but that is the tool that you'd want to use to understand your privilege defined perimeter.
Basically the perimeter that are objects that need to be protected. If somebody does something to them, you'd want to have a warning bell ring or undo such changes to your privilege accounts or groups just to give you a quick sample of what Purple Night finds in your environment. It's a whole list of things that, that has been nicely shown in a report, didn't show you how the system runs, but easily again, no installation, you just run it, you get a report and then it finds things like this where there are permissions on accounts that, for example, have DC sync permissions and DC sync is one of those permissions that some apps need. You'll find it if you are syncing your accounts to the cloud. Azure Deconnect needs that also. But you should be aware that, and we, we explained that nicely on those pages, that that also means that these accounts can sync out, read out the password hash of each of your accounts, even the very critical one, K B T G T two tech technical, but basically means the account that signs KBU tickets that allows an attacker to create golden tickets.
Yeah. So intruders are gonna be after that. So you need to think about where is that account running? Where is even my Azure AD Connect system running? Yeah. Because that needs to be very well protected even for updates. Don't have some lower level admin manage that system belongs in the hands of your administrator. And here another one that's easily found again by default, even by the intruder. This is all found with no privileges with with just a normal user who can impersonate users in your active directory, for example, through unconstrained delegation, easily found by a normal user and of course an intruder to then go after that machine and have any code then forward tokens from any user that authenticates that environment. And you basically give the intruder the target that he needs to go after. And it doesn't look so difficult in the UI and so dangerous in the ui.
So it's easily something that people do. So when the bloodhound is run by an intruder as a normal user, they don't have any problems gathering fairly powerful intelligence in your environment right from the get-go. Like who's in the domain admin groups and even that attack path, it's right there, right in the system. Well if you take out some of those default permissions, like I mentioned, not allowing every normal user to read the privileged accounts and the privileged groups, those guys are blocked from very important intelligence that they need to gather on how to attack your active directory. It simply isn't readable for the users, for the normal user of course, have they been able to progress somewhere else often when they don't have those permissions. They need to be more visible in your environment and your monitoring tools would hopefully pick that up. And one recommendation.
Last thing that I basically want to mention here in this talk is that it's never too late to invest in proper tier. It's not too late. Even if you want to migrate to the cloud and everything, even if you use the the cloud-based pin management systems, it's not too late because that is how your intruders get in. By having two highly privileged users running, you know, just even for help desk purposes, logged on to lower level systems other than your domain controllers. That is the way that they get easily in that is how they can forward tokens and basically attack you. And that was basically the main thing that I wanted to announce here and I hope this was useful for you today. Thank you.
Thank you Guido, for this very nice and informative presentation. Are there any questions from the audience? Maybe one for one, we have time. Yes,
Yes. Hello? from the Netherland. What's the solution? Cause active direct service will remain there. You can harder and protect them. So what should you do as an organization?
The question is basically how can you protect yourself as an organization? Well if you do vulnerability scans, you of course are seeing what are the things that maybe in your applications or open holes that you must close to basically make your active directory more secure. Partially the reconnaissance part that I showed you. Not only, there's plenty of other things that you can actively do and scan your active directory for any suspicious changes that occur that you can actually act. But let's be, let's be very clear what you also must prepare for, because there is no a hundred percent security. Nobody has that. Nobody can promise that I'll never do that. Prepare for the worst and prepare for that. If somebody does get in and wipe you out that you have a plan for recovery.
Zero trust help in that sense that you get, don't get close to your active directories. So put them outside your organization
If you have, if you have the chance, if you have the chance to basically put your applications in a different network that you then control with some other elements, with some other control for zero trust. Absolutely. That is helpful. Many don't have that option. Yeah. Thanks very much.
Thank you for the question and for this very nice answer for it.