
A
Hello everyone, this is Tom Uren. I'm here with another Risky Business News sponsor interview. Today I have with me Justin Kohler from SpecterOps. G'day, Justin, how are you?
B
Hey. Very good. Happy to be here.
A
Great. Today we're going to talk about how to set up your identity architecture, your Azure or your Active Directory or what have you, and kind of in a defense in depth way is roughly my way of thinking about it. So, Justin, I guess let's start from the beginning. You have a product called BloodHound Enterprise. What does it do in a nutshell?
B
Sure. Yeah. So BloodHound Enterprise continuously identifies attack paths in your hybrid identity environment, the ones we or adversaries use to take over your environment. So people may be familiar with the free and open source version, the BloodHound Community Edition, where you scan an environment, find an attack path, and use that to reach your objective if you're a penetration tester. That's why we created BloodHound Enterprise: to give that power back to defenders, to squash those attack paths at scale.
A
Yeah, so the way I think about attack paths is that if you're a bad person and you lob up on a network, you get access to a particular box. How do I get from where I am to the keys to the kingdom? And it turns out that it's very difficult to manage your directory and the permissions in there to make that very, very difficult in practice. Is that sort of 100%?
B
Yeah. So which privileges are abusable? What I mean by that is which ones can I take advantage of to move from my current identity context to a different identity context? That's really hard for people to understand, and they're very complex. Whether it's Microsoft or any identity directory, there's a lot of complexity which creates misconfigurations and allows us, as adversaries, to use those to get to our objective. And there's, quite frankly, millions of them.
A
Yeah, yeah, I remember we spoke before and you said that basically it's just a property of trying to manage an organization once it gets to a certain size. It's not a problem with Azure per se or Active Directory. It's just like you've got lots of people doing stuff. And so I guess today we're here to talk about what's a strategy to manage that. Like, I guess in the past when we've spoken, my idea was, you know, just be perfect and you'll be fine, which is, like, obviously not very practical. But you've come up with some sort of way of thinking about it that makes it more manageable.
B
Yeah, absolutely. So today BloodHound Enterprise is focused on isolating those attack paths from reaching what we call tier zero. So that is the super privileged admins, or identities and resources that, basically, if we get there, it's game over. But that's not really what companies, CEOs, you name it, leaders care about. Nobody cares about the domain admin. They only care about it because that domain admin, or that global admin on the Azure side, if I get there, I can do whatever I want. And what I want to do is take your data or ransomware the environment. But attack paths are a method that we use to break your architecture, or how you think you set up your architecture. So whether you are a subscriber to the tiered administration model in Active Directory, tiers 0, 1, 2, or just have this concept of crown jewels and VIPs and these privileged enclaves, like with HIPAA or PCI or you name it, protected data, you have this concept in your head that you've separated those, and maybe you have deployed, let's say, network controls. Right. There's micro-segmentation. Right. You've deployed micro-segmentation to try to isolate the network. But the thing outside of that is the identity. Right. So what does the identity have access to, which can actually, honestly, route around some of those network controls? So attack paths are really just a visibility layer that shows you that you have not done what you think you have done, if that makes any sense.
A
Right. You think you've set up your armor well, but in fact you've got these maybe small or maybe large holes, correct?
B
Yeah. I mean the whole tiered administration model, going back to the early 2010s, was created because people were taking advantage of identities and then escalating privilege or elevating privilege. Right. So that's where this model came from, this best practice that you should administer an environment this way to thwart that. But you never knew if you did it.
A
Right?
B
Right. It was like, okay, well, we'll separate these admins, they'll create new accounts, we'll try to do this. But who knew if you could do it? And the frustrating thing is everybody says implement least privilege. If you look at any breach report or the 2025 year in review, I guarantee you it will show up. It will say, to thwart these types of attacks, you should implement the principle of least privilege. And everybody will say, how? And that's what we're so excited about. We're working on this, and it's going to be live this summer: this concept of privileged zones. So we didn't want to use the term tier, because maybe not everybody understands what a tier is. So you don't have to subscribe to a tiered model, but you have segmented privilege. And we have created the ability to map that out, create those custom groups, and then show you where attack paths are thwarting your kind of defense in depth strategy.
A
Okay, so everyone says to implement least privilege. I guess I've got two questions. Do people actually do it, in your experience, or do they try to do it and fail? I guess that's what you're trying to solve: people who are trying but failing?
B
It's the latter. So yes, absolutely. I mean, if people properly implemented least privilege... 90% of breaches use an attack path of some sort. This problem would not exist if people implemented least privilege. So no, nobody does it, but people try.
A
Yeah. Is that a lot of people try in different ways?
B
Right. So a lot of people have said we separate our admins from users and that's probably the basic context. You know, a lot of people, they understand that their daily driver account that they should use every day to browse the web shouldn't be their global admin account on the Azure side.
A
Yeah.
B
So we've made some progress at least. But do people really understand the different layers of this? Like in the new Microsoft Enterprise access model, there's the data plane, the management plane, the user plane, all of that stuff. And that sounds great, but how do you understand if you're doing that? So people are trying, but they have no way of verifying that they're doing it correctly. It's kind of like building a house and trying to design the interior in the dark. It's like, well, I think I've put up walls. But then you turn the lights on and it's like, whoa, well, I missed a spot.
A
Right, right, right. That's a nice analogy, actually. I like that one. So how would that actually work? Is it just a sort of magic box where you press a button?
B
No, no, no, no, no, no, no, no. So we have a starter set of zones that we can create for you. So that would be like the stereotypical... So zero is already set. That's the super administrative tier, like crown jewel assets. Right. The ones that, if you reach there, you have full administrative access: call it a privileged access tier, the control plane, however you refer to it. It's those top owners of the identity. The second layer is those administrators of systems. So in an Active Directory context, that'd be like a server administrator. In an Azure context, that'd be a cloud app admin, for example. So those are kind of basic building blocks, but then you can segment those further. So let's say that you have an enclave that's just designed to hold PCI data and an enclave that holds HIPAA data. Or maybe you want to see how people can reach your executives, your VIPs. You can create custom zones for those and understand the attack paths that traverse them. And more importantly, where from. So is this a user that can assume an exec identity, or is this a user that can assume a tier one server, for example? You'll understand all that context and understand how to shut it down.
A
Right. Okay. Now shutting it down, does that necessarily mean just removing permissions, or are there other things that people would do?
B
Yeah, so it's twofold. It'd be either permissions or user behaviors. So I'll give you two examples. If you have, let's say, a very basic example where Jane is a normal user and Jane has the add member privilege on a domain admin group, that is a privilege that she probably should not have. That is the removal of a privilege. Now, a user behavior might be a domain admin logs into their daily driver Windows host, and that creates a session which I as an attacker can use. So there's two different versions of that. I'll give you one final one. You can also cross privileged zones across identity providers. So this gets a little complicated, but try to go with me. Let's say you have an on-prem user ID and an Azure user ID, but they're the same human. So my account: I have an on-prem user ID and I have an Azure user. In an on-prem context I'm a low privilege user, but in an Azure context I'm a high privilege user because I'm an Intune admin. Now, if you sync these roles, if you sync that user, that's actually... you're not supposed to do that. Microsoft will tell you that you're not supposed to sync on-prem user objects with high privileged Azure roles. However, everybody does it. Literally everybody does it. When we released Hybrid Attack Paths last year, one of my curiosities was how many people are doing that, because Microsoft says you shouldn't do it. 100% of our accounts were doing it. The cool thing is once we showed them, they were quick to shut it off. But that's what I mean. In that context, I'm low privilege in one, I'm high privilege in the other one, but I would never know that. And even if I was only analyzing one or the other, I might think that I've done it correctly. Do you know what I mean? Like, if I only understood the Azure context or only understood the Active Directory context, then I might think that I'm good, but I'm actually violating that privilege zone because of that sync relationship.
A
Yeah. And pulling on that thread of how you know that you're doing it wrong. Your customers, you said, when you tell them that they've set it up wrong, go, oh goodness, I'll fix it. But I guess it's just you, small startup enterprise, coming along, essentially, not randomly, but just turning up and saying, hey, I've noticed that you've got this problem. And it's not like there's any kind of broader process that's actually fixing that as a problem. How often do you notice that kind of dynamic?
B
I think that gets back to who solves this problem for the organization. Right. So this problem of attack paths, I mean, people have been dealing with attack paths for, again, the better part of a decade. Right. Any outbrief in an incident scenario or any outbrief from a penetration test, there's going to be findings that come from that, and then they're actioned. But it's ad hoc and reactive. There's a repeatable process on the vulnerability management side to scan and understand the vulnerable systems and to patch those, but there really isn't on the identity side, despite the fact that, again, we've been saying you should implement and verify least privilege. But how would you do that? So that's what we're trying to provide: that technical verification that you've put in place what you think you've put in place.
A
Right. So I am taking from what you just said that what'll happen is that there'll be a red team test or a pen test and they'll say, we got to domain admin through this path, and if they're a good client organization, they'll go, okay, well, let's cut off that path. But of course, the red team didn't go through every single possible path. So they've just pruned the tree a little bit. Whereas the idea with BloodHound is that you can see the whole tree and figure out where, I guess not where the branches are, but where you've architecturally gone wrong.
B
Yep. I shared this in a recent presentation that I did, but we have data on this now across all of our customers. And so we know how big each customer is and how many attack paths they have. So think of those as the individual routes to get to something juicy. Now, for a 1,000 employee environment, which might have 5,000 identities, so you think non-human service accounts, you name it, right, there's more than just the human person, they'll have 5 million attack paths. And I feel a little Dr. Evil pinky raised up when I say that, but I'm serious. And it scales like crazy. So when you get to 40,000 identities, which, you know, let's say 5,000 to 10,000 employees, you're at 752 million on average. So, like, fixing a single attack path and thinking you did anything to this problem is probably, honestly, a disservice. So that's why you need to understand the whole picture and focus on those zones and make sure that you've implemented that separation where you think you have.
A
Yeah. So I think it makes sense that it scales, like, it's got to scale at least exponentially or something like that. Right. Because it's a network rather than a linear thing. But like, is it still possible just to think of it as an architectural solution, in the sense that here I set up these different, what did you call them? Privilege zones. Privilege zones, yeah. Or are there... I'm not really fond of the term AI, because I don't... But does that play into the solution, or smart algorithms or something like that?
B
Yeah. So certainly AI can help, like, identify things that should fit into those zones. And yes, we are working down those paths. But I want to say that, like, AI is going to change the importance of this, or just exacerbate the issue here. What I mean by that is, like, let's say you have 5 million attack paths and that's a problem. And adversaries can do what they want. And skilled adversaries, like, you know, the penetration testing company that you might contract with, like us, we try to act like nation state attackers. And so we might have advanced capabilities, like unhooking EDR and getting our way around different controls. The problem is AI is going to make it... no longer are the adversaries limited by skill, they're only limited by creativity. And I'll give you an example. We were going up against a very, very mature client and they had all the bells and whistles, and we worked with them for quite some time, but we knew the tools that they had in place and we knew what they weren't looking for. And so think, like, very old code, like maybe Perl. What is an EDR not looking for? Maybe a Perl based C2. Now, who knows how to write Perl? Not a lot of people in our company, but, you know, who does know how to write Perl? AI. So, on the fly, we were able to create this C2 framework and execute an attack path that just went completely unnoticed. So that's what I mean. Like, AI is going to make this detection and response game just get harder and harder and harder. So preventing is key. Not that detection is not necessary or not still critical, but you're going to get a lot of adversaries that have just leveled up in terms of capability.
A
Right, right. Yeah. That's fascinating. Justin Kohler, Chief Product Officer of SpecterOps. Thank you.
B
Thank you.
Title: Sponsored: Securing Identity is Like Building a House While Blindfolded
Host: Tom Uren
Guest: Justin Kohler, Chief Product Officer, SpecterOps
Release Date: May 18, 2025
In the latest episode of Risky Bulletin, host Tom Uren engages in an insightful discussion with Justin Kohler from SpecterOps. The conversation delves into the complexities of identity architecture in cybersecurity, emphasizing the challenges and strategies associated with implementing a robust defense-in-depth approach. Central to their discussion is SpecterOps' flagship product, BloodHound Enterprise, which plays a pivotal role in identifying and mitigating attack paths within hybrid identity environments.
Justin Kohler begins by explaining the essence of BloodHound Enterprise:
Justin (00:37): "BloodHound Enterprise continuously identifies attack paths in your hybrid identity environment, the ones we or adversaries use to take over your environment."
BloodHound Enterprise builds upon the open-source BloodHound Community Edition by shifting the power from penetration testers to defenders. It systematically uncovers potential pathways adversaries might exploit to gain unauthorized access, allowing organizations to proactively secure their environments.
Tom Uren highlights the difficulty organizations face in managing directory permissions:
Tom (01:07): "If you're a bad person and you lob up on a network, you get access to a particular box. How do I get from where I am to the keys to the kingdom?"
Justin echoes this sentiment, emphasizing the inherent complexity in directories like Azure or Active Directory:
Justin (01:33): "There's a lot of complexity which creates misconfigurations and allows us as adversaries to use those to get to our objective... there are just millions of them."
Key Points:
A recurring theme is the principle of least privilege and its elusive implementation:
Justin (04:34): "Nobody does it, but people try."
Despite widespread acknowledgment of its importance, actual implementation remains challenging. Most organizations fall short, leaving their environments vulnerable to breaches that exploit these very weaknesses.
To address these challenges, SpecterOps introduces the concept of privileged zones, eschewing the traditional tiered model for a more flexible approach:
Justin (05:08): "We're working on the concept of privileged zones... you have segmented privilege. We have created the ability to map that out, create those custom groups and then show you where attack paths are thwarting your kind of defense-in-depth strategy."
Key Points:
Justin provides practical examples of how BloodHound Enterprise aids in enforcing least privilege:
Justin (08:31): "There'd be the removal of a privilege... or a user behavior that could create a session which I as an attacker can use."
By identifying unnecessary privileges and monitoring user behaviors, organizations can eliminate potential shortcuts that adversaries might exploit.
A notable discussion point is the synchronization of user identities across different platforms and its implications:
Justin (09:15): "... if you sync those roles, that's actually... you're not supposed to do that. Microsoft will tell you that you're not supposed to sync on-prem user objects with high privileged Azure roles. However, everybody does it."
This example underscores how seemingly minor misconfigurations can create significant security vulnerabilities, emphasizing the need for comprehensive visibility and control.
As organizations grow, so does the complexity of their identity environments:
Justin (12:21): "For a 1,000 employee environment... there's 5 million attack paths. And it scales like crazy."
Managing these attack paths manually is impractical, necessitating automated solutions like BloodHound Enterprise to provide actionable insights at scale.
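The three remediation cases above (removing Jane's add-member privilege, stopping a domain admin's session on a daily-driver host, and un-syncing an on-prem user into a high-privileged cloud role) and the scaling point all follow from treating identity as a graph. The script below is an added example, not BloodHound code and not SpecterOps' algorithm: it builds a small constructed graph of principals and abusable relationships, declares a privileged zone, enumerates every simple path from outside the zone into it, and then groups those paths by the single edge on which each one crosses the zone boundary. All principal names, edge kinds and zone assignments are invented for illustration. The lesson it makes concrete is the one in the quote: many paths funnel through a few boundary edges, so fixing one path at a time is a poor use of effort, while cutting the boundary edges removes whole families of paths.

```python
"""Toy identity-graph model of attack paths into a privileged zone.

Added example (not BloodHound Enterprise code, not SpecterOps' method).
Everything below, principals, edge kinds and zone membership, is constructed.
"""
from collections import defaultdict

# Constructed sample graph.  Edge kinds loosely mirror the interview's examples:
#   MemberOf   - principal is a member of a group
#   AddMember  - principal can add members to a group (the "Jane" case)
#   AdminTo    - group/principal is a local administrator on a host
#   HasSession - a privileged account is logged on to the host (session reuse)
#   SyncedTo   - on-prem user is synchronised to a cloud identity (hybrid case)
#   HasRole    - cloud identity holds a directory role
EDGES = [
    ("jane@corp.local", "AddMember", "Domain Admins@corp.local"),
    ("bob@corp.local", "MemberOf", "Helpdesk@corp.local"),
    ("dave@corp.local", "MemberOf", "Helpdesk@corp.local"),
    ("Helpdesk@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "da-alice@corp.local"),
    ("da-alice@corp.local", "MemberOf", "Domain Admins@corp.local"),
    ("carol@corp.local", "SyncedTo", "carol@corp.onmicrosoft.com"),
    ("carol@corp.onmicrosoft.com", "HasRole", "Intune Administrator"),
]

# Constructed privileged zones.  "tier0" is the control plane: a path is cut
# as soon as it enters this zone, because from there it is game over anyway.
ZONES = {
    "tier0": {"Domain Admins@corp.local", "da-alice@corp.local",
              "Intune Administrator"},
    "tier1": {"Helpdesk@corp.local", "WS01.corp.local"},
}


def build_graph(edges):
    """Adjacency list: source -> [(edge_kind, target), ...]."""
    graph = defaultdict(list)
    for src, kind, dst in edges:
        graph[src].append((kind, dst))
    return graph


def nodes_of(edges):
    return {n for src, _, dst in edges for n in (src, dst)}


def attack_paths(edges, zones, target_zone, max_depth=8):
    """Enumerate simple paths from every node outside target_zone into it.

    A path is a list of (src, kind, dst) triples.  The walk stops the moment a
    path enters the zone, so the last triple of every path is the edge that
    crosses the zone boundary.
    """
    graph = build_graph(edges)
    target = zones[target_zone]
    found = []

    def walk(node, path, seen):
        if len(path) >= max_depth:
            return
        for kind, nxt in graph.get(node, []):
            if nxt in seen:
                continue  # keep paths simple (no cycles)
            step = path + [(node, kind, nxt)]
            if nxt in target:
                found.append(step)
            else:
                walk(nxt, step, seen | {nxt})

    for start in sorted(nodes_of(edges) - target):
        walk(start, [], {start})
    return found


def boundary_cuts(paths):
    """Count paths per zone-crossing edge (the final triple of each path).

    Removing one crossing edge removes every path that relies on it, which is
    why a few boundary fixes can retire far more paths than one-at-a-time work.
    """
    cuts = defaultdict(int)
    for path in paths:
        cuts[path[-1]] += 1
    return dict(cuts)


def remove_edges(edges, to_remove):
    """Return the graph with the given (src, kind, dst) triples removed."""
    return [e for e in edges if e not in to_remove]


if __name__ == "__main__":
    paths = attack_paths(EDGES, ZONES, "tier0")
    print(f"{len(paths)} attack paths into tier0")
    for (src, kind, dst), n in sorted(boundary_cuts(paths).items(),
                                      key=lambda kv: -kv[1]):
        print(f"  cut {src} -{kind}-> {dst}: removes {n} path(s)")
    fixed = remove_edges(EDGES, set(boundary_cuts(paths)))
    print(f"{len(attack_paths(fixed, ZONES, 'tier0'))} paths after remediation")
```

On the constructed graph, seven paths reach tier0 but only three boundary edges carry them: Jane's AddMember right (a privilege to remove), the HasSession edge from the workstation to the domain admin (a logon habit to change), and the HasRole edge on Carol's synced cloud identity (break the sync or strip the role). Cutting those three leaves zero paths, which is the "fix the boundary, not the branch" point the interview makes. The same enumeration run against the tier1 zone shows who can reach server-administrator level, which is how custom zones for PCI, HIPAA or VIP enclaves would be checked.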
While AI can aid in identifying and categorizing attack paths, Justin warns of its dual-edged nature:
Justin (13:53): "AI is going to make this detection and response game just get harder and harder... adversaries are no longer limited by skill, they're only limited by creativity."
AI can enhance both defensive and offensive capabilities in cybersecurity, making prevention more critical than ever.
Justin emphasizes the importance of moving from reactive to proactive defense strategies:
Justin (11:45): "... we've been saying you should implement and verify least privilege, but how would you do that? That's what we're trying to provide is that technical verification that you've put in place what you think you've put in place."
By continuously identifying and addressing attack paths, organizations can fortify their defenses before vulnerabilities are exploited.
Ultimately, the conversation highlights that visibility into identity architectures is paramount. Without comprehensive insight into how privileges are structured and how they interconnect, organizations remain blind to potential threats.
The episode underscores the intricate challenges of securing identity architectures in modern hybrid environments. Through tools like BloodHound Enterprise and strategic concepts like privileged zones, SpecterOps provides actionable solutions to bolster defenses against increasingly sophisticated adversaries. As organizations grapple with scalability and the evolving threat landscape, proactive visibility and comprehensive privilege management emerge as critical pillars of effective cybersecurity.
Note: The timestamps correspond to the points in the transcript where each topic was discussed.