Cyber Defense eMagazine December Edition for 2021

More documents

Recommendations

Info

Getting Started with Active Directory Security Evaluating, Benchmarking and Creating a Strategy By Justin Kohler, Director of BloodHound Enterprise, SpecterOps Over 90% of the Fortune 1000 use Microsoft Active Directory (AD) for identity and access management. This ubiquity makes AD a prime target for attackers because compromising it almost always gives them the access they need to achieve their goals. Additionally, attackers can compromise AD easily by manipulating common errors in user identity and privilege. Consider this scenario: An attacker gets an employee’s credentials through a phishing attack. That user is a member of the “Help Desk” security group in AD with a low level of privilege. But the Help Desk group has been nested inside another group that has privileges over a PCI server. Our hypothetical employee is not supposed to have control over that server, but the group nesting has given them privilege over it accidentally. That server also has a service account logged in, and it’s simple for an attacker to steal those credentials now that they have control over the server. That service account happens to have the “Add Member” privilege to the Domain Administrators group, so now the attackers can make themselves a domain admin. This chain of steps that allows an adversary to escalate privilege and move laterally through Active Directory is an example of an Identify Attack Path (referred to as “Attack Path” for the rest of this article). Multiple Attack Paths just like this exist in nearly every environment my colleagues and I examine. Improving AD security to prevent these attacks requires IT Operations, Security Operations, and Identity and Access Management (IAM) teams to work together since each owns a portion of securing AD. A successful strategy must 1) be understandable and defensible to management, 2) give practical solutions that can realistically be implemented by AD administrators, 3) be measurable so that the organization can track progress over time, and 4) cannot require changes that greatly interfere with normal business operations. Cyber Defense eMagazine – December 2021 Edition 130 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
How can this strategy be implemented? Let’s look at a practical, actionable approach to securing AD security with these four steps: Step One: Define High-Value Assets First, think like an adversary and focus on what they’ll focus on. Define the high-value assets in Active Directory that most attackers will target. A great place to start is the objects in Active Directory that enable full control over the domain. Commonly referred to as “Tier Zero” or “Control Plane” in Microsoft’s new Enterprise Access Model, these include the Domain, Enterprise, and Schema Admins, and Domain Controllers groups, plus the domain head object, and applicable group policies. Adversaries want to get privilege on these assets because they enable additional access required to accomplish their objectives. IT may also consider including other critical systems that would have a significant payoff for attackers, such as privileged access management (PAM) solutions. Step Two: Map Attack Paths Next, map out all of the ways an adversary could compromise those high-value assets. Unfortunately, AD’s interface and built-in tooling do not provide the necessary visibility to audit privilege effectively. This lack of visibility makes it very difficult to see users’ privileges, which groups they are members of, etc., which causes Attack Paths to build up over time. Surfacing these paths will require specialized tools like BloodHound (an open-source Attack Path mapping tool), which gives visibility into AD to map out how attackers can use misconfigurations to control high-value assets. Step Three: Start with Critical Paths An enterprise AD environment can easily have tens of thousands of potential Attack Paths. For an AD security plan to be practical, it must prioritize which ones to fix first. Without the ability to measure the exact risk of each path in your environment, two manageable areas present a significant risk to any environment. 1) attack paths from large groups in the environment to critical assets and 2) Kerberoastable critical assets. Here is a full explanation of how to find and fix these specific issues. These two areas represent a significant risk because each may be executed by effectively any member of the organization through the use or abuse of AD configurations. Another area the security or IAM team may consider reviewing is any permissions granted to the large default groups such as Domain Users, Authenticated Users, or Everyone. These permissions can create large beachheads for attackers to move laterally within the environment, even if they don’t grant full access through a critical asset. Cyber Defense eMagazine – December 2021 Edition 131 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2:
9 Ways Social Media Sabotages Your
Page 3 and 4:
How Do You Secure the Modern Supply
Page 5 and 6:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 7 and 8:
Cyber Defense eMagazine - December
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
With over 4 billion users, social m
Page 41 and 42:
Unsecure Mobile Networks When using
Page 43 and 44:
However, as concerning as these pra
Page 45 and 46:
Danny Lopez, CEO, Glasswall “Duri
Page 47 and 48:
estoring data. Modern organizations
Page 49 and 50:
When Diplomacy, Finance and Tech Co
Page 51 and 52:
Another way leaders can take initia
Page 53 and 54:
How Covid-19 Changed Advertising Fo
Page 55 and 56:
However, this shift might not be su
Page 57 and 58:
Why MFA Alone Isn’t Enough for Tr
Page 59 and 60:
just highlights how vulnerable most
Page 61 and 62:
on channels like email. This starts
Page 63 and 64:
3 Best Practices to Avoid Inevitabl
Page 65 and 66:
For example, an employee may become
Page 67 and 68:
and outcomes is essential for proje
Page 69 and 70:
Electric Vehicle Charging: The Next
Page 71 and 72:
Going forward, EV dealers, charging
Page 73 and 74:
How does this relate to MFA? Well,
Page 75 and 76:
constant exposure of countries to a
Page 77 and 78:
Why do you need a malware sandbox?
Page 79 and 80: Multi-Cloud Security and Compliance
Page 81 and 82: If security controls are not consol
Page 83 and 84: How Do You Secure the Modern Supply
Page 85 and 86: The case for isolation Supply chain
Page 87 and 88: Don’t Take Yourself Out of The Ga
Page 89 and 90: The U.S. Government Accountability
Page 91 and 92: assessment criteria for the tasks f
Page 93 and 94: the file. This was a great techniqu
Page 95 and 96: the wake of the pandemic where the
Page 97 and 98: Certain communications are protecte
Page 99 and 100: At Salt Communications we work with
Page 101 and 102: And it’s only getting worse. If y
Page 103 and 104: The benefits are great When HDOs ha
Page 105 and 106: 4 Pillars of Privacy-Preserving AI
Page 107 and 108: concern and a desire to be cautious
Page 109 and 110: and stay safe online. That’s why
Page 111 and 112: 2. Enabling over-the-horizon threat
Page 113 and 114: Techniques Used by Hackers to Bypas
Page 115 and 116: Phishing scams avoid email security
Page 117 and 118: ATO Detection Account takeover bene
Page 119 and 120: How To Protect Your Digital Legacy
Page 121 and 122: I worked with cybersecurity experts
Page 123 and 124: Sextortion Email Scams What to Do a
Page 125 and 126: Sextortion attacks are a type of cy
Page 127 and 128: How to respond to a sextortion emai
Page 129: Example 2:'You've been hacked' emai
Page 133 and 134: Surviving The New Era of Terabit-Cl
Page 135 and 136: accompanying shift toward more digi
Page 137 and 138: Survey results show businesses are
Page 139 and 140: Enterprises Cannot Achieve Zero Tru
Page 141 and 142: Capital One breach back in 2019. Ad
Page 143 and 144: Cyber Defense eMagazine - December
Page 161 and 162: CyberDefense.TV now has 200 hotseat
Page 163 and 164: Books by our Publisher: https://www
show all

Cyber Defense eMagazine December Edition for 2021

Create successful ePaper yourself

Delete template?

Save as template?