The Soft Underbelly of IT Security
- Gains access to an insider’s computer (perhaps already being an insider, or perhaps via a phishing exploit)
- Conducts reconnaissance using unauditable read requests on Active Directory
- Gains access to a domain administrator’s account via password reset
- Again through password reset, gains access to a delegated admin’s account with access to the desired resource
- Compromises the desired resource
Sanjay’s article about Microsoft’s security guides ominously notes: “Much of the content of [Microsoft’s documents] is derived from the ADSA (Active Directory Security Assessment) and other ACE (Assessment, Consulting and Engineering) Team assessments performed for compromised customers and customers who have not experienced significant compromise…this clearly indicates that there have been enough Active Directory security incidents (compromises) to warrant the issuance of such guidance from Microsoft IT and to provide sufficient content for an entire whitepaper on Active Directory Security.”
I agree with Sanjay’s assessment that not only is privilege escalation a widespread and grave risk that’s difficult to defend against, but also that it’s been frequently exploited. The kill chain, in other words, always leads to the keys to the kingdom (Active Directory or others) in the end. So many infamous breaches – such as those against the New York Times, RSA Security or even the NSA – may in the end come down to weaknesses in the soft underbellies of IT security.
Security pros and pundits often call attackers advanced persistent threats (APTs) as if they had some great skill or ominous capabilities, but in fact attackers don’t have to be APTs to conduct privilege escalation attacks. Edward Snowden was not an APT, for example, just an insider. But in some manner, which to my knowledge hasn’t yet been published, he worked his way through what we could call a real APT’s own soft underbelly to make away with major secrets he wasn’t supposed to have.
If Even NSA and RSA Aren’t Safe, What Should Mere Mortal Enterprises Do?
I’ve got to this point and I almost want to tear up the second half of this post and start over. We must not promote defeatism! But it’s important to recognize that any organization, or business, is going to have vulnerability levels that cannot be reduced to zero. In other words, if you have a belly, you’re vulnerable. You’re probably already compromised, or at least in a compromising situation.
Here are some general recommendations:
- Follow a Systematic, Comprehensive Approach to Security. This is the catch-all recommendation to armor the whole belly and body of the enterprise with a minimum of weak links.
- Separate the most sensitive IT resources from the rest of the body, as I recommended in Restricted Zones Redux.
- Vigorously protect privileged accounts, whether they belong to people, such as domain administrators, or to network services and management interfaces. In some cases, organizations deploy privileged identity management solutions such as Lieberman Software, or password vaulting solutions, for maximum hardening of these accounts.
- For Active Directory specifically, take a good look through the links in this post and Sanjay Tandon’s blog. After you’ve tightened up security policies, reduced the number of domain administrators to the bare minimum and locked down the domain controller environment, Sanjay’s Active Directory auditing products could help you monitor on a continuous basis whether those tightened policies remain in effect, or have lapsed in the face of normal human and organizational activity.
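To make the last recommendation concrete, here is an added example (my own illustration, not code from the post, from Microsoft or from Sanjay’s products) of a scheduled check that reports drift in privileged group membership against a reviewed baseline and flags password resets that targeted those accounts, the takeover step in the kill chain above. It assumes the ActiveDirectory PowerShell module, a domain controller’s Security log, and a baseline file path of my choosing.

```powershell
# Added example: privileged-membership drift and privileged password-reset check.
# Assumes the ActiveDirectory module is installed and the script runs on (or reads the
# Security log of) a domain controller. The baseline path below is an assumed location.
#Requires -Modules ActiveDirectory
param(
    [string]$BaselinePath = 'C:\SecOps\privileged-baseline.json',
    [int]$LookbackHours = 24,
    [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
)

# Resolve nested membership so a user added through an intermediate group is still seen.
$current = @(foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
})

if (-not (Test-Path $BaselinePath)) {
    # First run: record the reduced, reviewed set as the baseline and stop.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) privileged members)."
    return
}

$baseline = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)

# Any difference from the baseline means the tightened policy has lapsed (or was changed on purpose).
$drift = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Group, Account
foreach ($d in $drift) {
    $change = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Warning "$change $($d.Account) in '$($d.Group)' (differs from baseline)"
}

# Security event 4724 = "An attempt was made to reset an account's password".
# A reset of a privileged account is the takeover step described in the post.
$privileged = @($current.Account) + @($baseline.Account) | Sort-Object -Unique
$since = (Get-Date).AddHours(-$LookbackHours)
$resets = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } `
    -ErrorAction SilentlyContinue
foreach ($ev in $resets) {
    $data    = ([xml]$ev.ToXml()).Event.EventData.Data
    $target  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    $subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    if ($privileged -contains $target) {
        Write-Warning "Password reset of privileged account '$target' by '$subject' at $($ev.TimeCreated)"
    }
}
```

Run it from a scheduled task after the admin set has been reduced and reviewed; the first run records the baseline, and later runs warn only when membership drifts or a privileged account’s password is reset.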