The TAG Cyber team had a lively meeting last week with Paris-based Alsid. Founded by Emmanuel Gras and Luc Delsalle, the company’s tools optimize Active Directory configurations using the graph-theoretic methods that underlie BloodHound. I can tell you that when it comes to AD, the Alsid team really knows its stuff – and they straightened out many of my misconceptions about AD in the context of APT. Here is what I learned:
First of all, our tour guide was Derek Melber, who is generally recognized as one of the world’s leading experts in this area. Derek joined Alsid recently as a technical director for North America. In addition to his ability to communicate high-level concepts with analysts like me, Derek also has the hands-on chops to demonstrate and explain the lowest-level details of AD configuration and administration – which was evident during his Alsid demo.
After the meeting, I pored through the materials recommended – and I can report that things can be somewhat daunting. If you are not an AD expert, then you can get lost quickly. And this is a point worth reflecting on briefly: The responsibility for AD is increasingly being placed within security teams, but it has been my observation that the expertise for AD generally resides within the IT operations group. Derek offered insight on this point:
“When I run a training session,” he explained, “I find that of the couple hundred attendees who might participate, almost every one of them is an Active Directory administrator.” And this made perfect sense to me. But Derek added an important point: “That said, the discussions always include reference to security, and an increasing number of AD teams report to an executive working in the enterprise security team.”
Covering the details of AD security using Alsid is beyond the scope of this note, but I can summarize the main benefits that I see, and they all stem from one core issue – namely, that AD configurations are usually sub-optimal in the enterprise. For example, I asked Derek if Alsid was saving AD administrators valuable time and he chuckled: “Actually, we’re not saving them much time, because they’re usually not optimizing their AD in this manner.”
Let’s go through a couple of the enterprise security configuration issues that Derek shared. First, there is the problem of a server running an enterprise service which has unconstrained Kerberos delegation. (Kerberos is an authentication protocol used frequently to support enterprise single sign-on (SSO). This delegation situation, Derek explained, could be easily hacked – and thus requires preventive administration using tools such as Alsid.
Second, I learned that most AD misconfigurations are created by sloppy administrators for the purpose of keeping things running, which is why the most common use-cases do not include outages stemming from AD administrators. Alsid is thus needed to ensure that loosening of enterprise security constraints to keep processes, services, and applications running does not lead to security compromise.
During the discussion, I questioned whether configuration of AD really reduces APT risk. After all, I offered, “when an APT actor visits the enterprise, they don’t necessarily rely on AD to be misconfigured.” But Derek was correct to point out the importance of privilege escalation and other AD-related tasks that are included in the nation-state attack strategy. Misconfiguring security settings within a group policy object (GPO), for example, can allow expert hackers to increase their ability to laterally traverse an enterprise.
This all might sound obvious to you, but I’d always viewed AD as a simple roadmap for attackers engaged in enterprise APT. Luckily, I know enough to listen to the experts – and Derek’s point is both correct and reasonable. Which leads me to the following summary statement: Proper AD configuration is an absolutely essential requirement for both good IT system administration and optimal prevention of cyber security attacks to enterprise.
Despite this claim, challenges remain: We all know, for instance, that AD security is not viewed as a canonical component of enterprise security like NGFW and SIEM. Executives might thus grumble that Microsoft should take care of this by default – because, after all, they are the vendor. In addition, AD controls are not sexy – and do not lend to great visual demonstrations that produce gasps from an audience when projected on glowing displays.
The result is a tough sales process for solutions such as Alsid. On the one hand, they must convince AD administrators of the value of the tool. This is probably the easiest part of the sale, especially with experts like Derek assisting with detailed demonstrations of how the tool works. The output graphs, for example, look like something an AD administrator would want to use – so this is probably a straightforward part of the sale.
Convincing security teams, however, will be more challenging. The level of understanding amongst CISO-led groups for how AD should be administered is low – probably somewhere between firewall rule optimization and BGP route selection. So, the sales process must address this difficult blind spot – and training security teams on AD will be tough. This is complicated stuff, and security folks (like me) have not traditionally taken the time to learn.
Our advice to Alsid, and to anyone else trying to convince security buyers of the value of proper AD administration for enterprise protections, is that better and simpler analogies are needed. Non-technical AD security analogies using basic language will be necessary to drive massive adoption of this control by security teams. This is especially important, by the way, when the CISO controls the enterprise budget for this type of investment.
In addition, Alsid should develop training collateral that helps connect security experts with APT risk management. I’ve been doing enterprise cyber security for forty years, and frankly was underestimating the security value here for attackers. I’d seen some attackers use perfectly configured AD to create massive havoc – and this had colored my thinking. Alsid is in a good position to help security professionals better understand this important control.
Regardless of where you reside on the IT or security spectrum, I strongly advise that you take some time to learn more about Active Directory in the context of security. Schedule an hour with Alsid as part of this initiative and ask to have Derek Melber give you a run through. Eat your Wheaties before the meeting, however, because this is not easy stuff. Derek might have some reading suggestions to help fill in learning gaps, as he did for me.
In the end, it is our hope at TAG Cyber that more security teams focus on this area. Microsoft is obviously making a large push to improve AD tools for both on-premises and cloud, so this will help quite a bit. But in the end, if you are sloppy in the way AD is configured across your enterprise network, then not only are you increasing the chances of innocent error, but you are also helping hackers navigate your entire organization.
As always, please let us know what you learn – and stay healthy!