Risky Bulletin Podcast: "SpecterOps on Identities at Rest and Identities in Transit"
Host: Catalina Campano (Risky Business)
Guest: Jared Atkinson, CEO of SpecterOps
Date: September 21, 2025
Overview
In this sponsored interview, host Catalina Campano speaks with Jared Atkinson of SpecterOps, the company behind Bloodhound, about their latest advances in attack path mapping—including the rollout of the Open Graph feature. The discussion covers how Bloodhound is expanding to accommodate hybrid cloud environments, the novel concepts of "identities at rest" vs "identities in transit," and practical advice for organizations to prioritize remediation based on Bloodhound’s actionable insights.
Key Discussion Points & Insights
1. Bloodhound's Open Graph: Expanding Beyond Microsoft
- Origin & Purpose:
Bloodhound initially focused on Active Directory, then expanded to Entra ID. The challenge was the engineering effort required to keep expanding the graph. Open Graph allows any user (not just SpecterOps developers) to integrate new platforms and attack paths via a standard JSON definition.
- "Bloodhound Open Graph... allows people to add new information into the graph... you can expand the graph to anything." — Jared Atkinson [01:50]
- Community Impact:
Within 24 hours of release, community members contributed extensions for Ansible Tower and vCenter.
- New Insights on Interconnection:
Mapping these diverse systems reveals intricate security dependencies—gaining control of one platform (e.g., vCenter) could compromise Active Directory, or vice versa.
2. Security Dependencies and the "Clean Source Principle"
- Integrations’ Security Implications:
Using federated identity (e.g., Entra as SSO for GitHub) means that compromising one platform could grant an attacker access to many others through these dependency chains.
- "If a dependency is on an Entra user, then control over your Entra tenant... is now representing a new attack surface for your GitHub repository." — Jared Atkinson [04:34]
3. Identities at Rest vs Identities in Transit
- Concept Origin:
Inspired by the well-known "data at rest / data in transit" paradigm—applied to identities instead of just data.
- Identities at Rest:
Static, established user accounts (e.g., in AD, Entra, Snowflake) that are not currently active or logged in.
- Identities in Transit:
Active sessions or access tokens—what attackers increasingly target (Kerberos tickets, browser cookies, SSO tokens)—which can be stolen without needing a password.
- "You have identities at rest... it's potential energy almost... but it's not being used. When a user logs in... you establish a session... attackers can target those sessions differently." — Jared Atkinson [06:38 – 07:53]
4. Visualizing Sessions in Bloodhound Graphs
- HasSession Edges:
Bloodhound uses specific edges to represent "user has a session on this computer" relationships, which opens avenues for impersonation or session hijack.
- Types of Attacks Mapped:
Includes token impersonation, process injection, and future plans to generically represent browser cookie-based sessions for cloud systems.
5. Hybrid Attacks and Limitations of Bloodhound’s View
- Visibility Gaps:
Bloodhound might not see all details—some things require logs/context from the target application (e.g., GitHub)—so organizations need to correlate data from the identity provider (e.g., Entra) and the service provider (e.g., GitHub).
- "It's beneficial to collect both sides of the relationship. But... you're constantly in this fog of war... It's kind of like an educated guess and check process." — Jared Atkinson [12:17 – 13:46]
6. Prioritization and Remediation Guidance
- Community vs Enterprise:
  - Community Edition: Users ask questions of the graph but get no prescriptive findings.
  - Enterprise Edition: Highlights Tier 0 “keys to the kingdom” accounts/resources and the paths attackers could use to reach them.
- Exposure Metric:
Measures how many principals (users, groups) are exposed to an attack path. Paths with 100% exposure should take top priority.
- Privilege Zones:
Enterprises can define their own high-value assets or functional zones to analyze attack paths specifically targeting them.
- "We generally tell people we should prioritize those attack paths that have 100% exposure, because that's kind of the biggest attack surface that you can start to control." — Jared Atkinson [16:31]
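The exposure metric and the HasSession edges described above, as an added worked example that is not BloodHound's own code or data model: a small constructed graph (users, groups, hosts, one logged-on session and one assumed SSO dependency edge named FederatedTo) over which a simplified exposure score is computed for each target in a privilege zone, then ranked so that 100%-exposure paths come first.

```python
# Added example, not BloodHound code: a simplified "exposure" calculation
# over a constructed graph. Node/edge kinds are assumed for illustration.
from collections import deque

# Constructed tenant. Edge (start, kind, end) means "start can reach end".
# HasSession models an identity in transit; FederatedTo is an assumed edge
# for an SSO dependency (Entra user -> GitHub org).
NODES = {
    "alice@corp": "User", "bob@corp": "User", "carol@corp": "User",
    "dave@corp": "User", "Helpdesk": "Group", "Domain Admins": "Group",
    "WS01": "Computer", "DC01": "Computer", "github:corp-org": "GitHubOrg",
}
EDGES = [
    ("alice@corp", "MemberOf", "Helpdesk"),
    ("bob@corp", "MemberOf", "Helpdesk"),
    ("carol@corp", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("WS01", "HasSession", "dave@corp"),  # dave is logged on to WS01
    ("dave@corp", "MemberOf", "Domain Admins"),
    ("Domain Admins", "AdminTo", "DC01"),
    ("dave@corp", "FederatedTo", "github:corp-org"),
]

def build_adjacency(edges):
    adj = {}
    for start, _kind, end in edges:
        adj.setdefault(start, set()).add(end)
    return adj

def reachable(adj, start):
    # Breadth-first set of nodes reachable from start (includes start).
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure(nodes, edges, target, principal_kinds=("User", "Group")):
    """Fraction of principals that can reach target, plus who they are."""
    adj = build_adjacency(edges)
    principals = [n for n, k in nodes.items() if k in principal_kinds]
    exposed = sorted(p for p in principals if target in reachable(adj, p))
    return len(exposed) / len(principals), exposed

def prioritize(nodes, edges, zone):
    """Rank a privilege zone's targets by exposure, highest first."""
    return sorted(((t, *exposure(nodes, edges, t)) for t in zone),
                  key=lambda r: -r[1])
```

Here DC01 ranks first at 100% exposure because the Helpdesk group's admin rights on WS01 lead through dave's live session into Domain Admins, while the GitHub org sits at 5 of 6 principals because only Domain Admins has no route to it.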
Notable Quotes & Memorable Moments
- On Bloodhound Open Graph’s Flexibility:
"We were able to develop... the graph into Bloodhound in two and a half hours. So that's the speed at which Bloodhound Open Graph kind of allows people to add new information..." — Jared Atkinson [01:56]
- On Security Dependencies:
"You have to understand what the downstream kind of dependencies are. And if a dependency is on an Entra user, then control over your Entra tenant is now representing a new attack surface for your GitHub repository." — Jared Atkinson [04:27]
- Identities at Rest vs In Transit:
"It's potential energy almost... when a user logs in... you establish a session... attackers can target those sessions differently, right? So it's a matter of figuring out where this session is established, what computer is that session established on, and then you can target that session..." — Jared Atkinson [06:55–07:53]
- On Hybrid Attack Paths and Mapping Limitations:
"It's kind of like the fog of war in these strategy games to where... I don't know what Justin has access to on the GitHub end, but... now that I have control of that user, I can go and enumerate and say what do I have access to?" — Jared Atkinson [13:08]
- On Practical Remediation:
"We generally tell people we should prioritize those attack paths that have 100% exposure, because that's kind of like the biggest attack surface that you can start to control." — Jared Atkinson [16:31]
"Privilege zones... give you the ability to kind of identify what those... resources are... and then you can start to map out the attack paths that target that as kind of like the endpoint." — Jared Atkinson [18:13]
Timestamps for Key Segments
- 00:31 — Introduction to Bloodhound Open Graph and new integrations
- 02:36 — Community and third-party Open Graph contributions, implications for attack paths
- 04:27 — The “clean source principle” and cross-platform attack scenarios
- 05:36 — Explaining "identities at rest" and "identities in transit"
- 08:56 — How identities in transit (sessions) change the attack landscape and Bloodhound’s representation of session edges
- 10:49 — Limits of Bloodhound visibility in complex, hybrid environments (identity provider vs service provider logs)
- 14:54 — Community vs Enterprise Edition – how Bloodhound presents findings and prioritizes remediation, including new exposure metric and privilege zones
- 18:13 — Real-world example of attacking a loyalty system and the value of privilege zones
Conclusion
This episode provides a practical and insightful exploration of how attack path mapping is evolving to match modern, hybrid-cloud enterprise environments. The new Open Graph feature democratizes the expansion of Bloodhound’s abilities, while refined attack path analysis and the concepts of “identities at rest” and “identities in transit” reflect a more nuanced reality of contemporary threats. The advice on prioritization using exposure and privilege zones is directly actionable for organizations seeking to reduce their risk.
