Semperis Chief Technologist and Microsoft MVP alumnus Guido Grillenmeier and Director of Sales Dan Bowdrey discuss Active Directory and cyber attacks
Guido Grillenmeier joined Semperis one and a half years ago and currently works as Chief Technologist. He helps to provide all sorts of security support for some of the largest enterprise customers and governments. Guido is also a Microsoft MVP alumnus.
Dan Bowdrey also works at Semperis. His role as Enterprise Sales Representative for the UK and Ireland means he is responsible, alongside Guido, for selling into large accounts. He has a technical background in large-scale cloud migrations and has worked with Microsoft, HSBC and HPE, to name but a few.
What is Active Directory?
It’s not an easy technology to explain in one minute. Picture somebody having a key in a big hotel or apartment building that allows you to enter your private door, where you keep your private stuff and data. And you have somebody that manages those keys. It’s probably best pictured in a hotel scenario, with a concierge downstairs and whoever else managing all the keys to the rooms. Active Directory does that for the enterprise, managing all those users and passwords that allow you to get somewhere, that allow you to access data, that allow you to even enter a system.
And if that is not there, if the concierge is gone, if that part of the building is burned down, you have a problem. And in this case, the enterprise has a problem that none of the users can log on to their PCs. If things have been fully encrypted, just think the directory is gone. That’s the scenario to best explain it. If it’s not there, people cannot work on the other side.
It’s also a mechanism to be misused, to get to systems, to reap data and to basically extract data and to do harm to the company. So it has two great values to the company and to the intruders once they’re inside a company.
Could you speak about the Colonial Pipeline hack and the SolarWinds attack?
Those were prime examples of the past where Active Directory was misused to take down companies.
Let’s begin with SolarWinds. That was in December 2020, just as the year ended, and people were happy to celebrate Christmas and whatnot. So SolarWinds was breached actually much before that, many months before that, but it basically came out what the attacker did at that time by attacking their Orion software that was updated.
The code was updated to then be spread around to all the customers of SolarWinds, including US Government agencies, to infiltrate those and attack those target environments.
But when you step back a moment and understand where it all began, it wasn’t the Orion software itself; the code was actually hosted in Microsoft Azure. The intruders needed a way to get into that Azure environment. And they used the SolarWinds on-prem Active Directory weaknesses to reap the data that they needed to create their own so-called SAML token.
It’s where the cloud world trusts the on-prem world, trusts the company’s Active Directory. And even for your personal sign-in, you would sign in with your on-prem Active Directory account and then have access into the cloud, in this case to the Orion software management platform, and you go on with your business.
If you’re an intruder, you then fake that log-on to the cloud by faking your own tokens. Those SAML tokens were the first well-known Golden SAML attack at the time. And that was gained by hacking and compromising the on-prem Active Directory first to get to that stage.
Of course, the biggest part that everybody knows about is that Orion software was distributed to all the clients and then breached. A lot of harm was done.
Colonial Pipeline was much more directed
Colonial Pipeline was much more directed; it’s an interesting story. This is May 2021. So not that long ago, well, still over a year now, but this attack, it’s simple. Somebody had a breached password elsewhere, not even inside the Colonial Pipeline company, but elsewhere. Their passwords were stolen, like on a website, and were sold on the darknet. And on the darknet, that’s where some bidders then take those passwords.
There was an open port to a remote control system in Colonial Pipeline that allowed log-on remotely without a second factor. They used the account and that password and they were in. And the rest is history.
They were able to take over the control systems within Colonial Pipeline, but the entry point was a breached Active Directory account. And then from there on, doing reconnaissance in that environment and taking down a few systems, and then, of course, a lot of precautionary mechanisms inside the company.
When they noticed “some of our systems have been reached”, they took down the pipeline, they turned it off. The first time in 57 years. So that was not the hackers that turned it off. That was the operators that turned it off as a precautionary measure, because they didn’t know how far the intruder had gone. So those are two good examples where Active Directory was in the middle of those attacks.
How does Active Directory become compromised, and what can we do to prevent this?
So how it becomes compromised is, as Guido has explained, either stolen credentials or poor administration and configuration of Active Directory itself.
People giving away their credentials is sometimes used, but ultimately it’s someone logging in with a set of credentials and then elevating their permissions in order to take over and compromise Active Directory itself.
Because as we know, once you’re in there, then you can move anywhere you want within an organisation. You can look at data, you can go to the cloud, you can look at emails. Pretty much the world is your oyster once you’re in with a set of compromised credentials.
Maybe add to that, if I can, that the problem is: Active Directory is a complex technology, very powerful. But because it’s fairly complicated, lots of companies, especially medium-sized ones, work with the defaults. And the default permissions are fairly, let’s say, extensive from a read perspective. That means that everybody can read a lot and find out a lot of the vulnerabilities that they then use to take themselves further.
An intruder takes it step by step, but they get all the information very easily because Active Directory is very open from a reading perspective. That means they can find the users that they need to go after, those that have high privileges, that are administrators. And if I find one of those guys logged on on one of the other clients that I may be lurking on, then I grab his or her credentials because, once I’ve reached a particular capability with malware, that’s possible. You then pass on that person’s credentials elsewhere: pass-the-hash attack, and many other technical terms to be used here. But the point is you become that administrator.
Once you’re in, it’s not so hard to elevate to an administrative level. And the classic environment in most companies – and I wouldn’t exclude government agencies here either – is to just work with the defaults. Although the technology does support lockdown, not many people are doing that, which segues nicely into your second question around what people can do.
The first port of call, pardon the pun, is to run an assessment on your environment
So, most of the organisations we talk to, as Guido has said, have just chosen the defaults, or the Active Directory environment is so old that it’s been maintained and managed by lots of different organisations over the years.
So, this is a real mismatch of configuration, people that know what’s in place, people that don’t know what’s in place. The first port of call is really assessing AD and understanding all your gaps today based on the latest and greatest security information that we have.
Because if you have done this a few years ago, you probably wouldn’t have been concerned. But now the bad actors are using lots of different methods to gain entry. You need to really close all those gaps down. The first port of call, pardon the pun, is to run an assessment on your environment.
How are the attacks linked to the Dark Web?
The Dark Web is of course a synonym for the bad guys’ meet and greet; it probably has coffee shops, bars. The Dark Web is where data is exchanged, where even ransomware as a service is sold.
Users get their assignments and actually sell their results. You have to understand that an attack on larger companies, or actually any victim, small or large, is a multifaceted approach: somebody gets inside the network.
Others who are more specialised then move inside the network to get further, to get to company data, to hack Active Directory and whatnot.
So there’s one part, sold as a service, that starts with one company trying to get in through phishing mails, through malicious websites and whatnot. And then once they’re in, they sell those. Of course, they build a command and control system that allows them to reach inside from anywhere. Then they sell that access literally like goods on the Dark Web. Who bids most to take it further for victim ABCD?
This is a multimillion-dollar business and it’s all driven through the Dark Web
What people don’t realise is that this is a multimillion-dollar business and it’s all driven through the Dark Web. There’s subcontracting out different elements of cyber attacks to different crews who have those specialities.
What can the UK government do to prevent cyber attacks then?
We’ve got the NCSC, they do put out guidance weekly, daily, and monthly, and a lot of that guidance is quite generic.
I think Active Directory specifically is an often overlooked and misunderstood platform. So the way they can help people is to make them more aware of how it’s being compromised, the types of people that are compromising it, and the types of tactics they’re using to get in there and then advise them on what kind of solutions are out there. Today they’re not doing that.
They’re quite mature in other areas like endpoint protection, antivirus, that kind of thing. But for large enterprises running Active Directory environments, they’re not really giving them the type of advice that we would give organisations, for example.
Do you think the government is doing enough?
I probably answered that in the previous answer. I’d say the UK NCSC needs to adopt Active Directory skills that I don’t think they have to the maturity level that they need. So yeah, I think they’re not doing enough today.
We’re talking about a technology that’s basically a dinosaur in the industry
We shouldn’t forget that we’re talking about a technology that’s basically a dinosaur in the industry. We’re talking about technology that was released with Windows 2000 in the year 2000, of course developed quite a few years before that. Let’s just picture that after the release of NT 4, they began with NT 5. And that’s when Microsoft went into the directory design phase. And that’s 25 years ago. That’s a quarter of a century ago. That technology was designed and still is good technology, but it is not fit to counter the current cyber attacks.
It’s not the first line of defence, it’s the second line. It’s when somebody gets inside. That’s how they can then take down a company very easily.
Now, I just said the technology is old, but it’s still used in 90% of all enterprises and certainly government agencies, because the alternative is to use cloud directories and that is not doable for everyone, and specifically not doable when you have invested a ton of money into all of your applications. There’s a road map to migrate away from all those business applications that your business literally runs on before you can actually get rid of this aging technology.
And there’s definitely been an awareness shift as well. So if you’d asked me five years ago what you’re doing to protect Active Directory, I’d have talked about endpoint, I would have talked about gaining access into the organisation.
I wouldn’t really be talking or concerned about AD itself. And when I first started at Semperis two years ago, that was the sort of conversation I was having with people. Jump to today: August 2022 is a completely different story. People are fully aware that AD is the number one attack vector for cybercriminals, and that’s where the government needs to get to as well. They need to start being aware of that.
So if people can’t rely on the government, what should they do?
Gartner came out with some really good advice recently, which is identity threat detection and response. And that really nails down the topic of AD security. And what that’s really telling people is to go and look at your current systems, backup systems, recovery systems, threat analytic systems, and really understand: are they looking at AD specifically, and are they going to be able to recover AD and to reverse malicious or accidental change in your environment?
I would say the first port of call is to look at that documentation, and then look at the vendors like ourselves specialising in this field.
Are there good free tools out there? Semperis Purple Knight is clearly an easy tool to use to scan Active Directory. You get an understanding of what the bad guys see and use against you and your AD once they’re inside: the weaknesses.
Our tool shows that, and action points which you can do about it, to actually tighten down your security. That often helps a lot of companies get to a more secure state. Which doesn’t mean that that’s the only thing that they would need to do, but it’s a good starting point.