Why choke point analysis is essential in Active Directory security



Attackers who wish to steal data, deploy ransomware, or conduct espionage must go through a series of stages, from initial access through establishing persistence and lateral movement to exfiltration of data. Abusing identity attack paths in Microsoft Active Directory (AD) is a popular way for attackers to accomplish many of these steps, including persistence, privilege escalation, defense evasion, credential access, discovery and lateral movement.

But securing Active Directory is difficult, especially at the enterprise level, because AD environments are so large that they offer attackers a huge number of potential avenues to their goals. Based on my work as a penetration tester and red teamer, I think one of the most practical ways to secure AD is to map and prioritize the "choke points" through which a large number of attack paths must pass. Defensive teams should focus on these high-value choke points first to ensure their most critical assets are protected, before moving on to the other avenues of attack in the environment.

Here’s why I think it’s a useful approach.

Attackers use attack paths because they are easy to use and difficult to detect. Attack paths are created by poor user behavior, such as domain admins interactively logging in to desktops, and by configuration errors in AD, such as granting the Domain Users group "Full Control" over the domain object itself (yes, we have seen that!). Unlike exploitation of a software vulnerability, abuse of an attack path usually looks like normal user behavior to defenders (resetting a user's password, for example, or using administrative tools to run privileged commands on remote systems). Since almost all Fortune 1000 companies use AD, attackers can reuse the same techniques against many targets with virtually guaranteed success.

The average enterprise will have tens or hundreds of thousands of users and millions or even billions of attack paths, constantly changing as new users are added and new attack techniques are developed, which is far too many for defenders to secure one by one. Removing a single attack path accomplishes very little because there is almost always an alternate route. Imagine someone driving from Los Angeles to Manhattan: closing a specific city or a specific stretch of freeway won't stop them from getting there.

The size of most corporate AD environments means defenders are typically overwhelmed if they try to secure everything. There are tools that generate lists of AD misconfigurations, but they typically produce hundreds or even thousands of "critical" findings. A busy AD admin or identity and access management team doesn't have time to work through all of them, and in my experience most won't even try.

Focusing on choke points addresses this problem by identifying the attack paths and misconfigurations whose remediation will have the greatest impact on the organization's overall security posture. To do this, the team must think like an attacker. First, identify the priority targets in the environment: the systems most attackers will want to reach. These should include Tier 0 assets such as domain controllers, as well as other high-value systems specific to the company. Then map the AD environment to determine how attack paths reach those high-value targets.

There are always choke points: users, groups or systems through which most or all attack paths pass on the way to those high-value targets. Imagine someone driving from LA to Manhattan again. There are only a few tunnels and bridges onto Manhattan Island, so whichever route the driver takes, eventually they have to cross one of them. In AD, these choke points are often accounts or groups with direct or indirect administrative control over Active Directory.

A prioritized list of attack paths and misconfigurations is much less intimidating for AD administrators to deal with, and knowing how many attack paths run through a choke point helps justify remediation to a reluctant CIO. Going through this mapping process also lets security teams measure their overall AD exposure and quantify how much a given change will reduce it, which helps bring other IT managers on board with the changes. Overall, the choke point approach enables security and AD teams to improve AD security more effectively, with fewer changes and less overall risk.
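The mapping described above (identify the Tier 0 target, enumerate the paths that reach it, and find the nodes most of those paths share) and the exposure measurement in the previous paragraph can both be shown on a toy graph. The following is an added example written for this page, not code from the article or from BloodHound; the relationship names (MemberOf, AdminTo, HasSession, GenericAll) follow BloodHound's vocabulary, but the accounts, hosts and edges are constructed sample data, and the counting method (full enumeration of simple paths) is a simplification chosen to keep the example readable.

```python
"""Choke point analysis over a small, constructed AD attack graph.

Each edge is (source, relationship, destination) in the direction an attacker
traverses it: a group member inherits the group's rights (MemberOf), a local
admin can reach a computer (AdminTo), a computer exposes the credentials of a
user logged in to it (HasSession), and GenericAll over a user lets the holder
take it over (e.g. reset its password).
"""
from collections import defaultdict

TARGET = "DOMAIN ADMINS@CORP.LOCAL"   # the Tier 0 group we care about

# Constructed sample edges (not real data). Three helpdesk users are local
# admins on two workstations where a Domain Admin logs in interactively;
# one user has GenericAll over a service account that is itself a DA.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS02.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "DA_JANE@CORP.LOCAL"),
    ("WS02.CORP.LOCAL", "HasSession", "DA_JANE@CORP.LOCAL"),
    ("DA_JANE@CORP.LOCAL", "MemberOf", TARGET),
    ("DAVE@CORP.LOCAL", "GenericAll", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", TARGET),
    ("ERIN@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),  # no path to Tier 0
]

# The population whose exposure we measure: every ordinary (non-Tier-0) user.
STARTING_USERS = [
    "ALICE@CORP.LOCAL", "BOB@CORP.LOCAL", "CAROL@CORP.LOCAL",
    "DAVE@CORP.LOCAL", "ERIN@CORP.LOCAL",
]


def build_graph(edges):
    """Adjacency list keyed by source node."""
    graph = defaultdict(list)
    for src, _rel, dst in edges:
        graph[src].append(dst)
    return graph


def all_paths(graph, start, target):
    """Enumerate every simple path from start to target (DFS, no node repeats)."""
    found = []

    def dfs(node, path):
        if node == target:
            found.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only, so cycles terminate
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return found


def choke_points(edges, sources, target):
    """Rank intermediate nodes by how many paths, and how many users, depend on them.

    'paths' is the number of attack paths crossing the node; 'sources_cut' is
    the number of starting users who would have NO remaining path if the node
    were removed, i.e. the users for whom this node is a true choke point.
    """
    graph = build_graph(edges)
    paths = [p for s in sources for p in all_paths(graph, s, target)]
    per_node = {}
    for p in paths:
        for node in p[1:-1]:             # exclude the start user and the target
            entry = per_node.setdefault(node, {"paths": 0, "sources": set()})
            entry["paths"] += 1
            entry["sources"].add(p[0])

    ranked = []
    for node, entry in per_node.items():
        cut = {s for s in entry["sources"]
               if all(node in p for p in paths if p[0] == s)}
        ranked.append({
            "node": node,
            "paths": entry["paths"],
            "paths_pct": round(100.0 * entry["paths"] / len(paths), 1),
            "sources_cut": len(cut),
        })
    ranked.sort(key=lambda c: (-c["sources_cut"], -c["paths"], c["node"]))
    return {
        "total_paths": len(paths),
        "exposed_sources": len({p[0] for p in paths}),
        "choke_points": ranked,
    }


def exposure_after_fix(edges, sources, target, fixed_edges):
    """How many starting users still reach the target once some edges are removed."""
    remaining = [e for e in edges if e not in fixed_edges]
    return choke_points(remaining, sources, target)["exposed_sources"]


if __name__ == "__main__":
    report = choke_points(EDGES, STARTING_USERS, TARGET)
    print(f"{report['total_paths']} attack paths from "
          f"{report['exposed_sources']}/{len(STARTING_USERS)} users reach {TARGET}")
    for c in report["choke_points"]:
        print(f"  {c['node']:<26} paths={c['paths']} ({c['paths_pct']}%) "
              f"users cut off if removed={c['sources_cut']}")
    # The realistic fix is behavioural: stop the DA logging in to workstations,
    # which deletes the two HasSession edges rather than the account.
    fix = [e for e in EDGES if e[1] == "HasSession"]
    print("Users still exposed after removing DA workstation logons:",
          exposure_after_fix(EDGES, STARTING_USERS, TARGET, fix))
```

On this graph HELPDESK and DA_JANE each sit on six of the seven paths and cutting either strands three of the four exposed users, while WS01 and WS02 are on three paths each but cut nobody off, because the other workstation is always an alternate route; that is exactly the distinction between a node that is merely busy and a genuine choke point. Full enumeration of simple paths is fine for a toy graph but is exponential on a real domain, so production tooling works from shortest paths or a betweenness-style measure instead; the ranking logic is the same.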

The free and open source tools BloodHound (of which I am a co-creator) and PingCastle can help with both mapping and investigating AD. AD security is starting to receive more attention in the industry, and I expect more development and more tools to emerge in the coming months. Overall, stopping attack paths is a major enterprise-level challenge because of the size and complexity of AD environments, but focusing on high-value targets and choke points can reduce that complexity to a manageable level.

