A
And welcome to another soapbox edition of the Risky Business podcast. My name's Patrick Gray. For those who are not familiar, all of these soapbox editions of the show are wholly sponsored. And that means everyone you hear in one of these editions of the show paid to be here. And today we are chatting with the fine folks over at SpecterOps, and they, of course, make BloodHound. So joining me now is Jared Atkinson, who is the CTO and one of the founding team members of BloodHound, which was spun out of SpecterOps, which is a professional services company doing a lot of offensive security testing, things like that. BloodHound started as a tool that they developed for their own use, and then of course, you know, they spun it all out so that everybody else could enjoy it as well. So for those who are not familiar, Jared, today we're going to be talking about OpenGraph, right? Which is a big change for BloodHound. But why don't we just start off by talking about, you know, the origins of BloodHound, the brief history of BloodHound, and how we got to the point where OpenGraph is now a thing.
B
Sure, yeah. So as you mentioned, we started off as kind of a red team, right? So consulting. And one of the things that you run into as a red teamer is when you're in a network environment, particularly like a gigantic AD domain or maybe AD forest with tons of different domains, you might have an objective and you have an arbitrary starting point. So you phish some user and you get access to their computer. Very rarely is that the place where you want to be. Right. You want to go somewhere else. And so there's, there's almost this kind of. Traditionally there's been this guess and check kind of approach, trial and error to where you get access to the one computer. Maybe you escalate to become system or have root level permissions. And then you would ask who's logged into the computer and what permissions do those users have. Right. And so like, what computers can they administer and that type of thing. And so then you start to laterally move. The problem is that you might have several options at your disposal. And you're going to pick one or two of them and you're going to go down that path. And you're just kind of hoping that five hops down the road, you're getting to the. You're getting closer and closer to where you want to go. In sufficiently large environments, sometimes that doesn't work out the way that you hope. And then you have this kind of conundrum of, do I go all the way back to the beginning, do I go back one hop and try a different option? And there's kind of this enormous selection problem to where you have all these different options and you don't know which one to take. And so BloodHound came about almost as like Google Maps, the Google Maps equivalent for navigating your way through a domain environment to where you would say, let's get initial access. We can gather a bunch of information about what computers, groups, users are in the domain. All of that any user in the domain can gather.
And you can start to build out relationships and understand which path you want to take before you even start moving. Right? So you would understand, okay, the interstate, so to speak, to get from where I'm at to where I'm going is this one. And so I'm going to take that path and kind of follow that direction. And it kind of simplified that problem quite a bit. Now that's, that's kind of like the offensive use case. What we realized is that if attackers are using that and they know kind of where they're starting and where they're going, the defenders can, can do like kind of the inverse, which is, I know the resources that I want to protect. How do I flip that over and say, what are all the different routes that attackers can take from anywhere in the environment to get to this thing that I consider to be really important, right? And then, and then what you would do is you start remediating those permissions, right? So there's a lot of times you would have something like the Authenticated Users group would have admin over a domain controller, like all kinds of crazy configurations like that. Those configurations may survive in an environment for 15 years, nobody knows about it, and then a red teamer finds it, right? What if we can just find that from the get go automatically in one, one quick step? Basically, it's kind of the general idea behind BloodHound and then BloodHound Enterprise.
A
Now, of course, when you're talking about moving towards your target, you might say, okay, well we want domain admin, right? You land on a box and it's Sally or Rob in HR or in a call center or whatever, you pop up on that machine, you have a look around. As you point out, you're a long way from that domain admin. So when you talk about actually moving towards them, I'm guessing that means, hey, you might need a shell on this box where there's going to be some juicy stuff or you need to compromise that user account or one of the user accounts is part of this group, which gets you this next thing, which gets you the next thing, which gets you the next thing. I mean, that's basically what you're talking about when you're talking about moving through the graph, right?
B
That's right. That's right, yep. And. And what we think about is a lot of times we list out, kind of like what we're doing is we're graphing relationships between resources. So imagine you have a user as a resource, a computer as a resource, a group, as you mentioned, there's going to be permission. So, for instance, a user might have the ability to add another user or themselves to a group. Right. They're not a member of the group, but they might have the ability to add themselves to the group. Maybe a user has admin control over a computer. The way that we are able to make inference from that is that if I have admin control to a computer, I can compromise any user that's logged onto that computer. And so if I understand what users are logged on, I now have like, kind of a target list of who I can. Who I can attack and why I might want to move to that computer in the first place. And so you start to build up those relationships of what permissions are, facilitate, we call them, like primitives, escalation primitives. So what, what permissions facilitate my ability to take over additional identities, for instance.
A
Now, of course, BloodHound, I think it came around about, what, 10 years ago? It's been around for about 10 years.
B
Probably the worst person to ask this, but I think it was probably 2017, 2018 maybe.
A
Yeah. So somewhere, I mean, you know, crazily enough, that's like, it's 2026. So from there, though, I mean, obviously one of the big changes these days is like, okay, there's AD everywhere, right? We all know that AD is everywhere, and it's probably not going anywhere for quite a long time. So it's always going to be useful there. But we are seeing more and more basically every enterprise worth its salt. Now. It's kind of what you would call a hybrid environment where you've got either Entra or Okta plus AD and, you know, connected together with duct tape and bubble gum and like, you know, ice cream sticks, you know, like the whole thing. So at some point you go, guys, realize that you needed to make this about more than just. More than just Active Directory, right?
B
Yeah. So just kind of a little background. I run the research team at SpecterOps. So they're the team that is kind of building out these different attack paths that kind of like understanding these permissions and that kind of thing. And we started to move into mapping or graphing Azure environments. Right. And so we had AD, moved into Azure, and one of the problems was that you would, you would do the research and then you would try to integrate it into the product. And the product wasn't built originally to be super extensible and so it would take quite an effort to actually like add new attack paths or this new environment.
A
And so like, honestly, I'm going to, I'm going to shade you a little bit here and say you guys were a little bit slow with the, with the Azure slash Entra stuff like.
B
Oh, for sure, for sure. Yeah. And like we, we had done a.
A
Research project, but that's because it's hard.
B
Yeah, it's hard. And I don't know that like when we built the original BloodHound, we, we had the idea of Active Directory in mind. I don't think that we thought that it would go beyond that initially. And so, you know, we didn't plan for it, which.
A
Yeah, it was a tool. It was a tool to use on pen tests. It wasn't like an enterprise like Google Maps for, for, you know, user accounts and entities, kind of for everything.
B
And like.
A
Yeah.
B
And it was also before this whole idea of identity really took off. Like, I, it's interesting because red teamers really have always kind of like targeted identities, so to speak. The idea is always, how can I take control of user accounts or computers, which are also identities, to then gain access to more and more resources. Right. So you're. They like, you want to accumulate access throughout the course of your, your operation, right. So that you could then have access to whatever your target is. But at the time, like, there was no idea of identity security in the, in the context of the overarching kind of infosec arena, 100%, because the way.
A
You would have done it often was you would get access into. Okay, you know, so that first place of access you were talking about with phishing or whatever, you might try to get, you know, remote code execution, get the user to run something like use your access to their computer to get that computer to run a piece of code on next startup or whatever. And then from there you weren't really necessarily. You wouldn't necessarily have to even touch identities. Right? Because it was all about, it was all about, you know, where, where else you could execute code and sometimes you would use identities, but not always. Right. Whereas now like these, these identity based attacks, they are, they are pretty exotic these days.
B
Yeah, there's there's maybe, maybe like an argument. So imagine that you have some vulnerability on a system that gets you a system shell. Imagine that a system shell is operating as the computer identity. So like there's maybe an argument that you are always operating as a. In the context of one identity or the other. Or maybe you were just accumulating control over mult. Nobody thought about it that way. Like that's just a fact. Right. And so that wasn't the conception of how everybody approached this problem.
A
Well, because I'm even sitting there like, as you're saying that, going, yeah, kinda, you know what I mean? Like, it's just not the way people thought of it.
B
Right, for sure, for sure. Yeah. So then we looked into GitHub. So we had, let's say we had Active Directory, we had Azure, and we took personal interest in GitHub. We had some red teams that we had conducted where that was a, that was a target. These CI/CD workflows were really interesting to people. Code repositories are where a lot of sensitive information is maintained, especially for these kind of like software companies. And so we decided that we were going to start mapping out the relationships of GitHub and we tried to implement that, Will Schroeder and myself, and it, it took us like three months just to try to get everything integrated. And we're like, this is not a sustainable plan. And so we had long had this idea that we should try to change this to be more extensible. And that's kind of where this OpenGraph idea came from, which is, what if we create a schema that's kind of like an open schema that everybody understands and then you just output data, you build a collector to query whatever platform you want, you output your data in this specified format and you're able to build arbitrary edges, arbitrary nodes in the graph. And now you could represent permissions or even we've had people that have built OpenGraph extensions that go outside of kind of like this identity security use case. Right. They're just leveraging the overarching system to represent relationships between things. And I could get into that if, if we're interested. But it's a, it's kind of a fun, well, fun experiment of where it could go.
A
Let's just take a step back, right, because you're talking about GitHub. And I guess one of the reasons you want to, you know, extend out to there is because, you know, once upon a time you wouldn't have had unified authentication or a unified directory covering developers logging into a platform like GitHub. Like it would have been a standalone thing that the dev team would manage themselves. And these days it's like there is an Entra group or there is a, you know, there's a directory group for those users. Which means that, yeah, I mean, it's great having that centralized kind of control over permissions and authentications and whatnot, right? So like SSO is really cool like that, but it also puts them in, they become nodes on a graph at that point, right? They become targets on a graph, which in many ways, I mean, you're still ahead, right, by using unified SSO for something like GitHub. But that's really why this came about, right, is the success of SSO extending the directory out into places where it traditionally hadn't been.
B
That's right. And we just ran into this at SpecterOps. So there's a lifecycle management problem, right, which is when somebody leaves the company, for instance, you have to offboard them from access to all these different systems. And how do you do that if you don't have a centralized place to keep track of it? Right. And so SSO is not just useful in like maintaining somebody's, you know, you have one password and you could access everything. It's how do we make sure that when, when we have turnover for whatever reason, we're able to revoke access to these systems that somebody doesn't need, or maybe somebody changes within the company to a different position, they don't need access to these, to these different resources. Maybe we can manage that in one place. And so yeah, as we kind of look into it, what we started to realize, especially like in something like GitHub, is you have the identity management is actually fairly spread out across different teams. So imagine you have a GitHub administrative team, right? And that GitHub administrative team is different than your Active Directory administrative team. And what happens is when you stand up your GitHub organization, typically organizations will set up SSO of some kind. Maybe they even use SCIM, which is the System for Cross Identity Management, which is how do you automatically provision, let's say you have a user in Entra and you want to automatically give them access into GitHub. You would use a SCIM provider to be able to generate that user account on the GitHub side, right. And so now I'm able to say, okay, I'm going to have a whole set of groups as you mentioned in Entra, and as I add users to those groups, it's going to (a) create a user in my GitHub organization, but (b) it's going to assign them to certain groups within GitHub as well. There's this like kind of relationship across that and that becomes this. It expands exponentially. What the attack surface is here right now, now you have to worry about.
Anybody that can get, get control over your Azure environment now has control over your GitHub environment. But where this really gets crazy is, you know, when BloodHound first came out, we had this problem of like nested group memberships, right? And so there's this whole idea of like you have to unroll the groups to understand who has access to what or who has what permissions. And there was this, there was this big problem that we tried to unroll. There's almost like this one level up, there's the same problem, which is I have a GitHub organization, I've set up SSO from Entra into GitHub, but then I've also federated my Entra into Active Directory. So now there's an Active Directory account that's tied to an Entra account which is tied to a GitHub account. And the GitHub administrator may not even know about that federation between Active Directory and Entra. And so now there's, there's this attack surface that they're not even managing. And it, there's almost.
A
I mean what you're saying is that that GitHub account, which might only be used for logging into GitHub, is now also an Active Directory account on the local network. So if someone gets that GitHub account, they can phish it or whatever. Happy days, onwards and upwards through that customer's AD.
B
That's right, yeah. And the inverse direction as well. Right. So that becomes a massive problem. And what we find is that those gaps between systems are. Almost nobody's responsible for it. And so it's this problem that exists to where nobody's really paying attention. You might have somebody who's responsible for Active Directory and they're trying to reduce the attack paths to Tier 0 in Active Directory. Then you have somebody that's in charge of Entra and they're worried about attack paths to Tier 0 in Entra. But what they're not paying attention to are what are the attack paths from Active Directory into Entra to where, for instance, you might have a non-privileged user in Active Directory that is tied to a privileged user in Entra, and then that privileged user now has the ability to compromise any Entra account that's tied to GitHub, and now they can access your GitHub repositories as a result of that. So it's just this big mess.
A
Well, it is. And it's funny, just as you were talking about that, and, you know, there's that whole, the, you know, identity is the new perimeter thing, which I actually, you know, I think about like maybe 12 months ago, I actually turned around and said, you know what? That's actually probably right at this point. That, that probably feels right. But you just think how we used to say unmanaged machines were the thing that would get you owned, right? And that's been, you know, a mantra for like 20, 25 years, right? Like an unmanaged, an unpatched, unmanaged machine is what will get you, you know, and from what you're saying, you know, it seems like now an unmanaged identity is what's going to get you, right? It seems like a very similar sort of like an improperly managed identity that no one's really responsible for. It's just kind of fallen through the cracks. It can be used in all sorts of ways that it was never intended to be used. And, you know, that's what's going to burn you.
B
You know, we talk about this idea of least privilege. I was doing some research probably six months ago now, but trying to figure out when was least privilege first uttered by somebody in any meaningful context. And I found the first white paper in the academic literature that talked about least privilege. It was from 19. What was it, 1975? So 50 years ago was the first time somebody talked about least privilege. But what ends up happening is least privilege is a negative testing philosophy where you have to validate that you have the privilege to do the thing that you need to do. But then you have to also validate that you don't have any additional privilege beyond that. And so that's a. You have to negatively test that, right? But what we find is that most people are doing enough privilege, which is. And I think people don't appreciate this enough. I think intellectually we all understand this once you start talking about it, but you start off with a certain set of privilege just naturally, right? Like every user is going to have some amount of privilege to begin with, and then you are adding additional privileges so that they can accomplish whatever their job role requires them to accomplish. But then you never go back and say, okay, we finally got them to the point to where they can do what they need to do. Now let's go back and take away everything that they don't actually need. Right. And that's.
A
Yeah. So. So you know Travis McPeak used to work at Netflix a long time ago. He wrote a thing, he open sourced. It was called Repokid.
B
Okay.
A
And the whole point of Repokid was it was monitor all of like the AWS stuff that they were using at Netflix. I think it was AWS. And if, if there were permissions that those accounts weren't using, it would just remove them.
B
Oh, okay. So that was like it's kind of monitoring.
A
Yeah, yeah. Just over time it would chop it back. Right. So it was called. It was called Repo, as in like it repossesses the permissions. But it was very cool. So look, let me just ask you another question on that GitHub thing. Right? So we've talked about how you've gone from AD to now Entra. You keep calling it Azure, which is really funny because you're thinking Azure AD, which is why I still call X Twitter. Same thing. So then you've gone off to Azure AD, Entra, and then you're like, well, hang on, we got some cool stuff with GitHub here. And then pretty quickly you could start seeing, oh, well, you know, there's other things I would like to bring into this graph. Like one thing that I'm thinking here, and it's a. It's. I don't know if anyone's done this because I imagine it would be really difficult. But. Okay, say you are looking at a GitHub user. Have a look at the repos they've got access to.
B
Yep.
A
Throw TruffleHog at that.
B
Yep.
A
And see if you can find out what secrets they have access to and where those secrets get that person. Now that might be a little bit difficult because sometimes you're going to be finding secrets and you don't know where they belong. However, is this the sort of thing that you can do now with OpenGraph, which is the part of BloodHound that lets people sort of build their own integrations into BloodHound?
B
Yeah. Okay. So we built the GitHub OpenGraph extension. So we call each of these new platforms, we call them extensions. So we built that. And then we had one of our research or one of our consultants, JD Crandall, and he started looking into what he calls Secret Hound. And so this is more of like a generic approach, but he used GitHub as the first example to where he. He used GitHub has a secret scanning interface. So they're looking for kind of secrets that are in plain text in the contents of your repositories. He also used TruffleHog and there's a few other examples, Nemesis, which is one of the platforms that we built from SpecterOps to be able to process and look for files that have passwords in them. And so what he's doing is he's integrating that and then he's drawing nodes and edges as a real. As a result. Right. And so one of the problems that comes about with that, that makes it a little bit difficult is you often, it's one thing to figure out that there's a secret, it's another thing to figure out what user or what organization or what tenant that secret is associated with.
A
That's literally what I just said then, which is like, I imagine it would be difficult to actually. Okay, well, it's a secret. Great. Where does it go? What does it unlock? And that's going to make it a little bit difficult to put on a graph. But some of them, I'm guessing you could.
B
Yeah. His solution so far, and I think it kind of depends on how you find the secret and what secret it is. But like, for instance, if you find a GitHub PAT, for instance, personal access token, you usually can hit the GitHub API and there's like a who am I type aspect. So then it will just return the context that that PAT belongs to. So you can do stuff like that. He's also found that what he does is he just draws an arbitrary node. So imagine that each of these graphs, there's, there's the gigantic graph, which is the whole world, right? And then there's like what we call subgraphs or like there's a GitHub subgraph. It's almost like a continent, or like an AD subgraph, which is another continent. And so what he's doing is he's just dropping a node from the Git. When he scans GitHub with TruffleHog, for instance, he'll drop a node in the, in the AD subgraph that's. Or AD doesn't make that much sense. But in the Entra subgraph that says, hey, in this GitHub organization, I found a secret. That secret is related to this Entra tenant. So like, yeah, I don't know what it does. I don't know what permissions it has. It's not necessarily.
A
You could just call it its own. You can make it its own entity, I guess, which is, you know, path from. And you know, when you're calculating a path, it could be path from where I am now to secret.
B
Yeah. Of some, this is more, I would say on the Enterprise side there's. That lacks the specificity or like kind of the control that we really want to be able to point people in the right direction. But on the red teamer side that's useful, right? Because it's kind of like a. That's a thread I'm going to go pull at some point if I feel that I need to get over into Entra. I can, I at least have something that I can start looking into and then I could, I could discern what's.
A
Going on kind of something, something funny occurred to me too there, which is once you start auto validating secrets that you find through this stuff, I imagine you got to set off a few canary alarm bells, right? Because some of these secrets are going to be canary tokens.
B
Yeah, yeah, yeah. It's a good, it's a good, good idea from the kind of the OPSEC perspective of being, being really careful there.
A
Yeah, yeah. So onwards. Right. So what we've talked about is we've talked AD to Entra. Oh my God. To GitHub.
B
Oh.
A
Now to secrets. So by the time you've done this, like just what we've talked about, you're not going to have gotten that far without developing a method, right, for actually building these extensions, as you call them, right. So then the question becomes, well, can you now make a toolkit? And this is OpenGraph, right? Can you now make a toolkit that makes it easy for other people to write their own extensions? And that's essentially what OpenGraph is. And now you've thrown that out there to the world and said, have at it, have at it. Now I think that was only a few months ago we had one of your people on talking about OpenGraph and saying like, go on everybody, go have a play. People have been actually working, working with it, right. So I spoke with HD Moore. I think he's got like, what is it, you know, runZero hound or. Yeah, runZero hound and whatnot. But I'm guessing, you know, he ain't the, he ain't the only one. What's interesting when you release a tool like this is the creativity on display when people actually start using it is usually something to behold. What have people been building for? What extensions have people been building themselves?
B
The very first extension was within 24 hours of us releasing it. So the first extension was GitHub, because that was the one that we built as like kind of a test case. But the first kind of community extension was built in 24 hours. We kind of like issued a little challenge for somebody to build it within 24 hours. We gave them some swag or something as a, as a prize for doing that. And some guys from Canada built Ansible Tower Hound, I think it's called. And so it allows you to kind of see your Ansible deployments and how things. Granting permissions and management over those different Ansible deployments. So that was, that was pretty cool. Some other ones that are, that we built internally are like SCCM Hound. We also have MSSQL Hound. We have 1Password Hound. So that's. You can see that we have really great naming creativity, but very creative. Yeah, but 1Password Hound was, was pretty fun because we built it in two hours. So that's like, obviously 1Password is going to be much simpler than say AWS, right? So there's, there's different levels of complexity for the different permission structures and all that kind of stuff. But 1Password Hound was pretty simple and we were able to.
A
Where are you getting, where are you getting the data from 1Password? Right? Because isn't that just like, isn't 1Password like on everybody's desktop or is it centrally managed?
B
I don't, I don't y. Yeah, so there's, there's different versions of 1Password. And 1Password for Business is a cloud, cloud hosted capability. And so everybody has like a secret key that they have on their, on their laptop which gives them access, but then there's kind of like a central management plane that, that you can hit. And so you grant, you grant permissions. We, we built a collector based on 1Password has op CLI, which is their, their CLI program that allows you to query vaults and users and groups and all that kind of stuff. And so we were able to evaluate that, build out all the relationships to where we could say this user is a member of this group which has access to this vault which has these, you know, items. Items are kind of like the colloquial term for passwords, logins, SSH keys, all that kind of stuff. And just imagine, we talked about that Secret Hound. Just imagine what that looks like. That thing will explode. Right.
A
Well, and what's really interesting there is you're going to be seeing stuff that is not SSO at that point, like at all. You might see. I mean, first of all, you're going to get some. Well, I guess 1Password is the thing doing that part. I mean, you're going to get some interesting inventory using something like 1Password in terms of like where accounts are being created. Push Security, you know, they offer a browser extension as well. It's going to give you that sort of information. But what is really interesting is you can say, well say somebody gets this GitHub account, what's the path from that GitHub account over to this person's consumer grade account with this service where they're obviously putting company data. That's crazy.
B
Yeah, yeah. Oh yeah. There's all kinds of craziness. I mean you talked about the identity as the new perimeter and I think there's some truth to that. I worry that that causes people to take their eye off the ball as far as like on-prem attacks kind of. Right. Like and don't get me wrong, like a lot of attackers have an incentive to target these cloud based platforms because we don't have as good of security controls there. And so if I can get what I want without ever going on-prem, that's probably advantageous to me as an attacker. However, the idea is that identities are in use in your on-prem environment all the time. Right. So imagine you log into GitHub. There's now a browser cookie or a session token there that I can steal as an attacker once I have control of your computer. Right. So it's not just about control of a computer indicates the ability to take control of a user that's logged into that computer from an AD perspective. But also imagine that every system, like if you were to dump your cookies on your laptop, the amount of systems that you have cookies for right now probably would shock you. Right. So like you're logged into all kinds of things and they could be personal or they could be business related. There's, there's all kinds of different, different relationships there. So that I think there's like an identity is the new perimeter and that's going to cause us to really try to lock down things like just like raw Internet access to your Snowflake tenant. Right. You probably shouldn't have that. But once you, once you get that locked down sufficiently, now that's going to drive attackers back on-prem, which is probably a good thing to some degree because you have those security controls there. But they're going to then kind of try to route back through that to get access to these resources as well.
A
Yeah, yeah. I mean identity is the new perimeter. Unless you're like a Fortinet customer. Yeah, right. And then it's like no, Fortinet is your perimeter and it's, it's a bad one. I can't believe it, man. I was out at dinner. Like I go to a pub once a week with a group of friends, have a steak, right. Usually on Wednesdays after the show. And I'm sitting there and there's golf on a screen like over, by the way, right, while we're having dinner. And it just kept distracting me because apparently this tournament is sponsored by Fortinet. So I'm sitting, sitting there trying to enjoy my steak after a show, after putting down an episode of Risky Biz. And there is Fortinet, Fortinet, Fortinet signage. So yeah, thank God to them.
B
Did you know why you were being distracted immediately or was it like in retrospect you realized it was Fortinet that was, that was causing you the angst?
A
Oh no, I knew. It's like I cannot see that logo without becoming annoyed, basically. But I mean, I guess even, even in those cases now, like when a non-identity attack becomes one, when you could just trivially pop a shell on a domain-joined appliance and then. Yeah, you know, then you've got the identities.
B
That's right, that's right, Yeah. I mean once you, once you get through now you have, now you have this whole problem. I mean there are, there are so many different routes that this like whole open graph thing can take. Like I was at the CISO summit at Black Hat and they had the CISO of one of the telcos in Canada that was talking about that. I forget, I forget which threat group did it, but.
A
Salt Typhoon.
B
Yeah, Salt Typhoon breach of all the TACACS+ and the routers and all that kind of stuff. And it's like, imagine that you could have a TACACS+ hound that would represent the, the permission structure within the like critical infrastructure and routers of these, these telcos. Like that, that's a real thing and like nobody, nobody understands what that looks like. I'm sure it's just this gigantic mess of. And I'm not even sure like one of the hard things would be does one organization sufficiently control those resources to be able to actually put together a coherent, cohesive map? Right. Because would we have to get everybody on board to actually understand. I don't even know how the router infrastructure is laid out enough to know what the questions that should be asked are for that.
A
Well, I mean, I think anyone who attempts to understand those relationships is sort of going to wind up with the mental state of Jack Nicholson at the end of, what was that movie, The Pledge, where he winds up sort of a crazy alcoholic wandering around the streets near a gas station. At the end of the. At the end of the film, for sure. Bit of a deep cut, that one. Sorry. Sorry, everybody. So look, okay, so we've talked now about all sorts of integrations, but these are the ones that you've sort of worked on as well, right? Like, what have customers done? That. That sort of been like, well, that's. That surprised you, right? Because everything that we've spoken about, it's like, yeah, that makes sense. But there must have been some stuff where it's like, you're using it to do what?
B
Yeah, okay, so let me. Let me hit a few that are, like, really, really cool. So one was runZero Hound, where we. We thought that, like, another vendor trying to visualize their stuff in Bloodhound was super interesting to us. Like, obviously that's advantageous from our perspective. Another one was PingOne or Ping Identity reached out to us to build a graphic for them. And so that was like, they took an interest in trying to help their customers realize where they had made configuration issues. And so that.
A
I mean, every single. Every single identity provider should be doing this.
B
Yes, yes. I mean, we love it because they gave us access to a tenant that we could do the research in. And then they would respond to us when we had questions about, hey, this is what we're seeing. Is this what you actually intended to happen? Some. Some cases it was intentional. Some. Some cases it wasn't. And so that. That was really, really useful. And like, getting access to these platforms is actually quite difficult for SpecterOps because we, a, are known as a red team. And so a lot of organizations don't want to sell their tool to a red team. And then the alternative is that we're also a small business, and so sometimes it's hard to get salespeople to care enough to sell you a license for like, you know, 10 users or 200 users even. And then we had, like, some really interesting ones. We had a customer that did CyberArk. And so imagine that. Imagine that CyberArk has all these passwords in them for. Especially for privileged users. And these privileged users are accessible from Active Directory users. So imagine that you now can start to map out, I have control of this Active Directory user. What privileged accounts do I have access to in CyberArk? So that's pretty interesting. And then a community one that is really cool is vCenter Hound. So understanding, like your virtualization infrastructure, one of the. One of the things that we find is that the same, like, physical computer, or it might. Might not be physical, but the same literal computer might actually be a node across several different subgraphs. And so imagine that you can have a computer that is an Active Directory computer. It's an Entra device, it's an Intune device, it's an SCCM client, it's a vCenter VM, right? And so now what you're doing is you're tying these together because if I get control of that AD computer, I also have control of all these other systems as well.
Or you know, if I get control of vCenter, I have the ability to have physical access, so to speak, to a, to an Active Directory computer. And like a lot of organizations will run their domain controllers in VMware, in ESX.
A
I mean, I'm sort of mildly horrified by, you know, a lot of the stuff that you're saying because you're talking about SCCM and vCenter and I'm just like, oh, unclean, unclean. But you know, people are still running this stuff, you got to meet them where they are, right?
B
All over the place. Yep, yep, it's all over the place. And it's been really. We think of the graph as being representation of entropy. So imagine that a, a clean environment that has very few attack paths is not the natural state of being, right? So like it takes a, takes a lot of work to get there. And then over time what happens is you're making configuration changes and those configuration changes. A lot of times there's this phenomenon to where when you think about a single configuration change, it's very easy for us to conceptualize what the impact of that single configuration change will be. So it's like I add this user to the group, to this group, I now know what, what's going on there. But then you think about the fact that over time you're having millions and millions of these configuration changes and it's very difficult for you to understand what the net effect of that is going to be. And what it is is entropy. So you end up causing all kinds of problems. And that's where these attack paths come from is like imagine that you've been doing that for 30 years and nobody's ever tried to get a, like, get a grasp of what's going on. And so then you clean it up. But then once it's cleaned up, it's not just a one and done thing, it's that you have to maintain it over time.
A
It's like gardening, you know, like it's going to get woolly, it's going to get overgrown, you know, depending on what season it is as well. It's sunny, it's been raining, a lot of grass. So look, we're heading towards the end of this now. Right. But one of the things that we were going to talk about is red team wins that you've had, particularly since you've extended the graph, since you've opened it up, and I mean you've alluded to some of them there with like, you know, the 1Password stuff and whatever, but I'm guessing you've got, because you know SpecterOps still does offsec and well, might I add if you are looking for top tier pen testers, I've sent a few your way, you know, and these, the top tier shops are like sort of thinning out a little bit these days. They keep getting acquired, you know.
B
Yep, that's, that's the danger of the, of the life I guess that's the.
A
Danger of the game. So you know, if you are looking for a top tier pen test crew, SpecterOps are very, very good. So what are some of the wins that your teams have been able to chalk up with Open Graph?
B
Yeah, so imagine that as we build out the graph, the graph is like kind of our, our map, right? So we're trying to map out what, what's going on in your environment. And a lot of times the red teams are able to live within the confines of the map. Right. So like Active Directory. There's a lot of, a lot of time spent in Active Directory and it's pretty well mapped out. Right. Like it's pretty well understood. But occasionally the red team has some target that takes them into uncharted territory, so to speak. They're bushwhacking their way through. On the research team, we're trying to be as comprehensive as possible when we're building out these extensions because that's going to go into the actual product that, that we sell. But the cool thing about Open Graph from a red team use case is that it's utilitarian. Right. And so you can map only as much as you need to accomplish your goal.
A
Right.
B
You don't have to be comprehensive, you don't have to understand every nook and cranny of the, of the territory to, to really map this out. And so probably the coolest one is we, we were engaged by a company to understand their CI/CD pipeline and we found that there was a relationship between GitHub and the way that they had configured OIDC into AWS. And we found that we were able to use the GitHub graph to represent what users in their GitHub organization, and it actually extended into Okta, had access to GitHub repositories. But then the thing that the red teamers found was that if you have the ability based on AWS policies, you were able to. That access to those GitHub repositories would allow you to assume roles in the context of AWS. And so we're able to draw those relationships and say these, you know, 20 users have the ability to take over, to be. To, to gain these roles in AWS across like four or five different AWS accounts. And it was like, it was extensive the amount of access that you can get as a result of that. So it's, it's all about kind of that utilitarian. It's like I have this target. Let me, I try to figure it out manually of how I would get there and then it's like, let me go back because I only found one example, but there's almost always more than one example. And so it's like, let me go back and actually build that out and see what it looks like when I do a comprehensive look at what's going on. And so this is. And then that kind of allows us to extend those extensions, I guess, based on real life experience. Like when I built out the GitHub extension, I had no idea that you could even do this configuration with AWS. And I would have never figured it out because I was looking at GitHub kind of in a silo.
A
Well, that's the thing and that's what I was just about to butt in there and say, which is that, you know, you can't just surface these types of configuration issues without a graph because they don't. There's no way to see them.
B
That's right.
A
You know, which is 100% but it's, you know, I mean, it's. You do sort of rub your temples a little bit when you realize that these sort of problems can exist.
B
That's right. Yeah, it's, it's one of those things to where we now I think we have like more than 20 extensions. And as you start to see these things kind of like come together, we're really interested in the hybrid aspect. So it's like how, how are these things tied together? And it's a little terrifying. It makes me definitely, you, you talked about SSO. It makes me second guess whether SSO is a, a good thing for security because once you start seeing how everything is tied in, you're like, oh boy, that's not, that's a little scary.
A
But well, don't forget the problems that we, we've solved. Right. With orphaned accounts and like it was, it was, it's just a new type of horrible, Right?
B
That's right.
A
But I mean my question too is like, you know, there must be cases where you've seen an attacker land on a box and they've had these amazing paths and they just haven't been able to figure them out because maybe they're not using Bloodhound, but like this, this happens all the time. It's a story I tell like basically every single time I talk to you guys, which is I know someone who was ofa with an incident response on a major organization where they discovered that every single entry user had Intune admin rights.
B
Oh boy.
A
Across the whole org. And that wasn't actually what got a moment? It was something.
B
Yeah. And there, you know, there's, there's certain primitives I guess that are more familiar to people. Right. And so people are going to tend to use those well-trodden paths. So like I made, I made a comment about the interstate, right. Imagine that there's dirt roads as well. And yeah, and so like the interstate is the thing that most, most attackers are probably going to use because they built it in their toolkit. It's, it's, it's, it's wide open. Right. And then there's, there's going to be certain targets that attackers or red teamers are going after that cause them to change their, their tradecraft or maybe as you start to eliminate those interstates, they're going to have to find new tradecraft as a result of that. But, but yeah, it's, there's, there's almost always like we're never going to be comprehensive. That's just the nature of the beast. Right. We're trying to show as much as many of these attack paths as we possibly can and hopefully people will remediate those. We give them instructions on what they can do to, to remediate them. We show them where the biggest bang for your buck is as far as like that effort that you can spend. But yeah, over time, like when an attacker has access to a computer, there's probably, there are almost 100% ways for them to gain access to systems that they don't know about, we don't know about, that are just sitting there staring them in the face and they're yet to be discovered.
A
Yeah, but they can use Bloodhound. And speaking of, that's the last thing I just wanted to ask. Right, so you've got, you know, your open source version of Bloodhound, which a lot of red teamers and whatnot use. Then you've got the sort of more enterprise platform type of Bloodhound, which is the more commercial product. Open Graph, I'm guessing it's in both, is that right?
B
Yep. Yeah. So currently kind of like the minimum viable product of Open Graph is really targeted at the open source version, although it works in both. The distinction there is that it gives you the ability to put data into the graph and then run Cypher queries across, across that data. Right. So you can start to ask questions like I have control of this user account in GitHub. What repositories do I have write access to? So you could ask that question. One of the problems is that Cypher tends to be more of like an expert kind of tool. Right. So a lot of people don't have expertise with Cypher and so asking those questions becomes a little bit difficult if you're not familiar with it. There is an effort currently to expand Open Graph to support things like findings, which are an enterprise-only feature. The ability to expand it to do pathfinding, which is like the point A to point B, show me the shortest path type approach. So right now it's, it's limited to that Cypher query capability which is mainly a feature of the open source product, but it also is present in the enterprise product, although it's not the focus of the enterprise product. But over time, and then probably about the next six months or so, we expect to have like a full complement to where you could do the enterprise level remediation of GitHub, for instance, via Open Graph without using, while using the enterprise product.
A
Yeah, excellent. All right, Jared Atkinson, fantastic conversation about Open Graph. I have a feeling that, yeah, a lot of people are going to wind up using this. I should also point out too that, you know, it's something I've said before when we've had SpecterOps people on the show, this stuff is actually reasonably priced, right. Considering the bang for buck you get going through some bloodhounding. If you are an organization of any sort of scale, you're kind of nuts if you're not doing this because it will help tighten things up in a way that could save your bacon. So Jared Atkinson, thank you very much for joining me to talk through all of that. It was very, very interesting. Cheers.
B
Thank you, Pat. Great talking with you as well.
A
Thank you everybody.
This episode dives deep into Bloodhound’s evolution from an Active Directory (AD) attack and defense tool to a platform supporting Open Graph, aimed at mapping complex identity and permissions relationships across modern, hybrid environments. Patrick Gray and Jared Atkinson discuss challenges with privilege management, the explosion of identity systems, SSO's double-edged sword, community contributions to Open Graph, and real-world red team insights from mapping attack paths across diverse enterprise systems.
Red Team Roots:
“Bloodhound came about almost as like Google Maps, the Google Maps equivalent for navigating your way through a domain environment.” — Jared Atkinson [02:27]
Transition to Defense:
“Defenders can do like kind of the inverse... What are all the different routes that attackers can take from anywhere in the environment to get to this thing that I consider to be really important?” — Jared Atkinson [02:55]
The Problem with Hybrid Environments:
“Every enterprise worth its salt now... is kind of what you would call a hybrid environment.” — Patrick Gray [05:42]
Unmanaged Identities as the New Attack Surface:
“It seems like now an unmanaged identity is what's going to get you... It can be used in all sorts of ways that it was never intended to be used.” — Patrick Gray [15:19]
Least Privilege Remains Elusive:
“Most people are doing enough privilege... you never go back... Now let's go back and take away everything that they don't actually need.” — Jared Atkinson [16:37]
The Extensibility Problem:
“Product wasn’t built originally to be super extensible... It would take quite an effort to actually like add new attack paths…” — Jared Atkinson [06:47]
Open Graph Solution:
“What if we create a schema that’s kind of like an open schema... You output your data in this specified format and you’re able to build arbitrary edges, arbitrary nodes in the graph.” — Jared Atkinson [09:48]
The Lifecycle Challenge:
“Anyone that can get control over your Azure environment now has control over your GitHub environment.” — Jared Atkinson [13:25]
Federations Can Introduce Unnoticed Risk:
“Those gaps between systems—almost nobody's responsible for it... It's just this big mess.” — Jared Atkinson [14:32]
Immediate Community Engagement:
“The very first extension was within 24 hours of us releasing it… Ansible Tower Hound.” — Jared Atkinson [23:13]
Diverse Extension Ecosystem:
Secret Scanning with TruffleHog:
“What he's doing is integrating that and then he's drawing nodes and edges as a result.” — Jared Atkinson [19:18]
“We think of the graph as being representation of entropy... Making configuration changes over time, it's very difficult to understand what the net effect of that is going to be.” — Jared Atkinson [33:08]
Case Studies:
“If you have the ability based on AWS policies... access to those GitHub repositories would allow you to assume roles in the context of AWS... It was extensive.” — Jared Atkinson [36:05]
Discovering Unseen Paths:
“You can't just surface these types of configuration issues without a graph because... there's no way to see them.” — Patrick Gray [37:39]
“Currently... Open Graph is really targeted at the open source version, although it works in both.” — Jared Atkinson [40:40]
On Bloodhound’s Inception:
“Bloodhound came about almost as like Google Maps... to where you would say, let's get initial access... and you can start to build out relationships and understand which path you want to take before you even start moving.”
— Jared Atkinson [02:27]
The SSO Tradeoff:
“Nobody's really responsible. You might have somebody who's responsible for Active Directory... another for Entra... what they're not paying attention to are the attack paths from Active Directory into Entra...”
— Jared Atkinson [14:36]
Identity as the New Perimeter:
“It seems like now an unmanaged identity is what's going to get you... It's just kind of fallen through the cracks. It can be used in all sorts of ways that it was never intended to be used.”
— Patrick Gray [15:19]
On Least Privilege (from 1975!):
“Most people are doing enough privilege... you never go back and take away everything that they don't actually need.”
— Jared Atkinson [16:37]
Open Graph Philosophy:
“We had long had this idea that we should try to change this to be more extensible. And that's kind of where this open graph idea came from...”
— Jared Atkinson [09:48]
Mapping Entropy:
“We think of the graph as being a representation of entropy... Over time what happens is you're making configuration changes... and it's very difficult for you to understand what the net effect of that is going to be.”
— Jared Atkinson [33:08]
On Real-World Red Teaming:
“Occasionally the red team has some target that takes them into uncharted territory, so to speak, they're bushwhacking their way through...”
— Jared Atkinson [35:07]
The Danger of SSO, in Practice:
“Once you start seeing how everything is tied in, you're like, oh boy... It makes me second guess whether SSO is a good thing for security.”
— Jared Atkinson [37:54]
Bloodhound’s Open Graph marks a pivotal evolution, enabling both defenders and red teamers to keep pace with the growing complexity of hybrid, federated environments. The Open Graph schema and extension ecosystem have unlocked creativity by the security community, helping illuminate formerly invisible attack paths. In today’s world, where hybrid identity is the new perimeter and configuration entropy is the enemy, tools that let you “graph the planet” are not just useful—they’re essential.