The Soft Underbelly of IT Security
Last Thursday CEO Sanjay Tandon “declassified” the “#1 cyber security risk to Active Directory.” When Sanjay contacted me, I wondered if he’d found a new code vulnerability in Windows and whether this was going to be a responsible disclosure so Microsoft would have a chance to fix the problem and give customers time to apply patches.
It’s “Just” Privilege Escalation
Unfortunately, there’s no patch for “privilege escalation,” which turns out to be “#1 cyber security risk to Active Directory.” This is hardly “classified” information! (I’d actually been warning customers about this kind of thing for 15 years and wrote about Sanjay’s Active Directory ACL audit product called Goldfinger in 2008). But the fact that security pros and organizations should have known about this already doesn’t take away from its seriousness. Virtually every Active Directory deployment is exposed to the risk of privilege escalation, or unauthorized access grants.
Nonetheless, Sanjay Tandon’s recent series of posts are very useful for IT user awareness in the industry. The fact is that privilege management is the soft underbelly of IT security in general. In the case of Active Directory, Sanjay maps out the problem in the following figure from his Active Directory Security Blog, which also explains how exploits can occur and why they are so difficult to detect or prevent.
Source: Active Directory Security Blog
Some Kill Chain Analysis
Read this figure from the lower right corner on up. In IT kill chain terminology, the Perpetrator
- Gains access to an insider’s computer (perhaps already being an insider, or perhaps via a phishing exploit)
- Conducts reconnaissance using unauditable read requests on Active Directory
- Gains access to a domain administrator’s account via password reset
- Again through password reset, gains access to a delegated admin’s account with access to the desired resource
- Compromises the desired resource
The figure also notes on the left side that Active Directory controls almost the entire IT infrastructure, or at least the part of it that’s Windows-based, or can be access through users with Active Directory accounts. That’s what makes the domain administrator account all-powerful.
Active Directory has probably been Frequently Exploited
The Active Directory Security blog provides a number of other useful articles or links:
Sanjay’s article about Microsoft’s security guides ominously notes: “Much of the content of [Microsoft’s documents are] derived from the ADSA (Active Directory Security Assessment) and other ACE (Assessment, Consulting and Engineering) Team assessments performed for compromised customers and customers who have not experienced significant compromise…this clearly indicates that there have been enough Active Directory security incidents (compromises) to warrant the issuance of such guidance from Microsoft IT and to provide sufficient content for an entire whitepaper on Active Directory Security.”
I agree with Sanjay’s assessment that not only is privilege escalation a widespread and grave risk that’s difficult to defend against, but also that it’s been frequently exploited. The kill chain, in other words, always leads to the keys to the kingdom (Active Directory or others) in the end. So many infamous breaches – such as those against the New York Times, RSA Security or even the NSA – may in the end come down to weaknesses in the soft underbellies of IT security.
Security pros and pundits often call attackers advanced persistent threats (APTs) as if they had some great skill or ominous capabilities, but in fact attackers don’t have to be APTs to conduct privilege escalation attacks. Edward Snowden was not an APT, for example, just an insider. But in some manner, which to my knowledge hasn’t yet been published, he worked his way through what we could call a real APT’s own soft underbelly to make away with major secrets he wasn’t supposed to have.
If Even NSA and RSA Aren’t Safe, What Should Mere Mortal Enterprises Do?
I’ve got to this point and I almost want to tear up the second half of this post and start over. We must not promote defeatism! But it’s important to recognize that any organization, or business, is going to have vulnerability levels that cannot be reduced to zero. In other words, if you have a belly, you’re vulnerable. You’re probably already compromised, or at least in a compromising situation.
Here are some general recommendations:
- Follow a Systematic, Comprehensive Approach to Security. This is the catch-all recommendation to armor the whole belly and body of the enterprise with a minimum of weak links.
- Separate the most sensitive IT resources from the rest of the body, as I recommended in Restricted Zones Redux.
- Vigorously protect privileged accounts, whether for people such as domain administrators, or network service and management interfaces. In some cases, organizations deploy privileged identity management solutions such as Lieberman Software, or password vaulting solutions for maximum hardening of these accounts.
- For Active Directory specifically, take a good look through the links in this post and Sanjay Tandon’s blog. After you’ve tightened up security policies, reduced the number of domain administrators to the bare minimum and locked down the domain controller environment, Sanjay’s Active Directory auditing products could help you monitor on a continuous basis whether those tightened policies remain in effect, or have lapsed in the face of normal human and organizational activity.