Welcome to Cybersecurity Insights, the podcast for the CyberEd.io Learning Community. Our goal is to bring Cybersecurity practitioners the latest and most relevant education and training to upskill and dive deeper into topics that matter in today's modern Cybersecurity world. Good day, everyone. This is Steve King.
I'm the managing director here at CyberEd.io. And with me today is Justin Kohler, who's the Vice President of Products at Spector Ops. Justin's an operations expert with over a decade of experience in project and program management and development. He began his career in the Air Force and has worked at both Microsoft and Gigamon.
So welcome, Justin. I'm anxious to learn about Spector Ops. Awesome to be here and thank you for having me. Yeah, sure.
So let's beat up on Active Directory for a while to sort of start things up here. Why don't you, and let's assume our audience is unclear about what Active Directory is and what its purpose is and why it is the motherload of all vulnerabilities. Yeah, well, so Active Directory is just a directory service. So Active Directory is what most people know of if they're in any type of enterprise network.
It's kind of what provisions users and access to resources across the enterprise started 1999, I believe, so quite old, but quite reliable. But it's not unique. So Azure Active Directory or EntraID is, they call it today, AWS, IAM, GCP has their own. Okta, so they're all types of directory services.
Active Directory is just the most well-known one and obviously the most prolific. They all suffer from the same problem where you can over privilege users. So you may have intended to give Bob access to X resource where that could be a file share or some system. What you didn't realize is you maybe misconfigured that and gave Bob's entire team that access, or Bob does no longer works in that department and but he still has that access.
Those type of privileges combine to form what we call attack paths. So I'll give you kind of top three things that kind of come to mind. Number one is just the confusion and the unclear application of privilege in Active Directory. So you intend to give, like I just mentioned, you intend to give somebody access, you actually give way more access than you originally intend.
ADUC, the Management Console in Active Directory, is not the most easy thing to decipher. I mean, it really hasn't changed too much in 20 years. And so privileges are buried. Fun fact, you can't even see the full extent of privileges through ADUC.
You actually have to go through like PowerShell or some lower level language to understand the full extent of privileges. So it's confusing. It's not clear. And so you can create again these more granting privileges that end up, you know, I can abuse as an adversary.
The second one is the login, the login threat that kind of exists in enterprise, you know, like in Windows environments. What I mean by that is when you log into a system as a user, interactively meaning like you, you know, like let's say a remote desktop connection, that connection creates some risk. So I can historically, like I could use MimiCats, if people were familiar with that, to dump their credential out of memory and replay that somewhere else. I could, there's also, you know, I don't even need the password.
I could create my own token from that login event or inject into a process. So the whole login activity that takes place within Windows environments can be abused pretty easily. The final one is, and this one kind of blew my mind when I found out about it. So directory services are supposed to be this, you know, source of truth, right?
I grant Bob access to this resource. And if it's not in the directory service, again, challenges aside, let's say I can get to full visibility, whatever has been applied in active directory, then that should be the source of truth, right? I understand that only Bob has access. Well, that's not true.
Because within every Windows endpoint, you can create local groups that have their own rights. So let's give you a, for instance, at the directory level, you could say that this computer has no local admins. Like I have not created anybody that has, you know, rights over that system. However, if you open the computer and you check the local admins group on that computer, somebody could have stuffed the everyone group into that group.
And therefore give everybody in the forest complete control over that asset. But you would never know that. So, so top three are like, in clear privileges, abusive or easily abused, like login, and then, you know, again, lack of visibility within the endpoint. So that just creates a whole bunch of risk.
And I will say that, like, you know, I mentioned the term attack paths that came up. It started back in 2008 with a paper out of Microsoft called Heatray, where they talked about the identity snowball attack. And it's kind of taken off from there. We got on to it via penetration testing.
So Spectorops is historically extremely well known for penetration testing and red teaming. We do that today. It's kind of half of Spectorops's business. But we found it a very reliable way of attacking networks rather than throwing exploits at vulnerable systems.
Well, let's just, if we fish somebody, we just use the overprivileged rights that they already have to move across the network. Now, like all security tools, all this started in Excel, right? Originally, we were trapping, like, who had rights to things in the network. We were telling somebody about this at some point.
And somebody clued us into what's called a graph database. And your listeners may understand a graph database by the most popular implementation of this, which is Google Maps, right? Google Maps is just a big graph database and it just connects roads and cities. Right.
So, you know, I can find directions from A to B. Well, you know, that's what we did. We put all these privileges that linked, you know, users to systems, sort of roads to cities, right? Users to privileged or resources.
And then just said, I want to go from here to here. Is there a connection? And there was. It's kind of mind-blowing.
You know, we, again, basically created Bloodhound, which was Google Maps for Active Directory. And it just became easy mode to, you know, accomplish our objective. It was no matter of question of if it was just a matter of time. Like, we were certain to get to our objective just how long would it take us to do it.
The original customer that we used it on, the first instance of this, we used to hop through six domain trusts to finally reach our objective. So, you know, we had a whole host sort of like extremely well-defended organization. We were able to use attack bath. So, how do you describe Bloodhound?
You know, if nobody, if we weren't having this conversation, I said, what's Bloodhound? What would you say? So, Bloodhound, Bloodhound, the open source tool. So, we make two products, right?
Bloodhound, we created back in 2016. Bloodhound Enterprises, the defender version of that. We released that in 2021. But you asked me what Bloodhound is, which people think of the open source tool.
I just say exactly what I just said. It's Google Maps for Active Directory, right? It's built for penetration testers and red teamers to understand the different privileges that exist within Active Directory that could get me from A to B. What is your view on why Microsoft sort of continues?
I'm trying to phrase this in a way that's positive. It continues to avoid any consequences for not paying close attention to their amazing vulnerabilities that are all over the place. And every day there's a report that, you know, we've discovered, you know, two or three other remote exploits that can be used. So, what is it about those guys?
So, I'll have a similarly general response. So, they are very good about remediating vulnerabilities. When I, like these are, what I'm talking about is behaviors and misconfigurations. Vulnerability is really good about patching.
So, you know, there's been patches, the supply to Active Directory, and Azure, and you name it over the years, when there is something that can be addressed. But what I'm talking about is the lack of visibility into configurations. Now, the system that they created originally and is extremely resilient, you know, there can only be so much that they do to that. Azure is, Azure, they actually learned a lot of really good lessons.
For example, in Active Directory, if you're a domain admin, right, like you're, that basically domain admin is God mode across the directory, you can give somebody, like a random user, the ability to reset the password of a domain admin. In Azure, that same configuration cannot be done. So, they've learned some lessons, which are great. But there's always something, right?
So, and what I mean by that is, in Active Directory, you have this single source of truth with my current, my, you know, my previous, like, blah to that, notwithstanding. You only have one, right? The Active Directory domain controller. You might have that in the same directory replicated across many domain controllers, but you only have to worry about that.
In Azure, you actually have multiple conflicting role-based access controls in privilege-granting systems. So, for example, just a row of a few, you have Azure Active Directory and IntraID, you have Azure Resource Manager, and then you have the Microsoft Graph API. You need to now understand at least three different sources of truth to be able to ascertain who has rights to wear. So, you know, we're all kind of learning, you know, like it's a brave new world, and they do, I will give them some credit, they're really good about, you know, patching vulnerabilities, but, you know, people configure things in weird ways, and you can't plan for everything.
Well, yeah. Right. And then that's probably one of the major, at least top three, vulnerabilities that people exploit is the discontinuation, container misconfiguration. Yeah.
Yeah. AWS is, you know. Oh, same thing. Yeah.
Right. Like, it's user here quite often, right? But, you know, that's not just saying that it's like a user's problem because these systems are extremely complex and they are evolving every day. So, what you learned yesterday, you have to re-learn today.
So, it's just complicated. But what we do on the open-source side is, you know, again, basically show you how those things can be abused. And then on our enterprise side, we show you, like, we search for a long time after we release Bloodhound, you know, the immediate question was, well, can you do something for the defender? And that's way harder.
Yeah, I know what I think is interesting. Yeah. Yeah. So, to put this into perspective, think of Active Directory as kind of a map of the United States, right?
And I can find a route from point A to point B. So, let's say I was trying to get from L.A. to New York. I put in L.A.
to New York. It gives me a few different routes based on distance and time or whatever. But I'm trying to, let's say I'm trying to defend New York against the rest of the country. You know, where do you take action across the United States to shut down the ability to get to New York?
I mean, that's just an order of magnitude, harder. So, that's, we worked on that for years to try to figure out, like, how can we affect that problem? We finally released something in July of 2021. And it's been great.
I mean, like, it took us a long time to get there, but the results kind of speak for themselves for our customers. But how does that work? I mean, you know, that's a great analogy to people who aren't moving from L.A. to New York, but nonetheless.
Yeah. Well, I'll continue it. It's easy to kind of talk through that analogy. So, again, think of that, that, you know, I'm trying to defend New York.
And more specifically, let's, let's pick on the island of Manhattan. In an active directory context, there's, again, those kind of God mode privileges, you know, domain and domain controllers. For reference, we also map the same things in Azure as well. So, global administrator, privilege, auth admin.
There's certain things that if an adversary gets to, it's game over, I can do whatever I want, you know, that you've already lost, right? No, the option event can really stop you or stop us at that point. So, the enterprise product focuses in on those. And let's represent those in this analogy as the island of Manhattan.
Well, previously, a lot of active directory security products would tell you, you know, fix this configuration or this configuration. And from our perspective, that was kind of the equivalent of like, you know, shutting down a road in the middle of Ohio. When you look back at the map of the United States and say, can I get from L.A. to Manhattan?
If you shut up original aisle, like, yeah, absolutely. Right. And that's what we would see on Pentest's year over year. So, our enterprise product kind of focuses down on what matters.
And so, like, you know, I get in that map analogy. Well, I'm trying to defend the island of Manhattan. Why do I care about anything else other than the bridges in Manhattan? You know, everything must focus down into a specific choke point that I can take a specific action on.
Right. So, that's a, you know, like, rather than looking at the million plus roads across the United States, you're looking at like the 12 or so bridges in Manhattan. And those, you can actually affect the problem. So, uh, yeah.
So, when, so when Bloodhound does this, how does the customer or end user, what way, how does that communicate? I mean, Bloodhound doesn't, if using the same analogy, Bloodhound doesn't actually defend the bridge, right? No, yeah. So, we identify all those specific paths.
So, we're extreme, like, one of the most popular, one of the reasons Bloodhound is so popular is because it's so visual. So, it takes very, very complex privileges and visualizes them. If anybody ever wants to see this just like a Bloodhound AD on, like, on Google and you'll get a bunch of results and kind of about what we represent these things, very similar to like, you know, Google Maps. It's funny, like, even the original GUI was modeled after Google Maps because that's so clear.
So, Bloodhound Enterprise does the same thing when we start talking about visualizing defenses. We look at your, you know, crown jewels or those most critical assets. If your listeners are familiar with Active Directory, we call those tier zero assets. And then we just look at all those paths that terminate into those.
We also rank those based on the severity, like the exposure, meaning how many of your users in your domain can get to any one of those paths. So, back to my analogy, how many users can get to the Lincoln tunnel versus the brutal bridge, right? And so, I would want to be proactive prioritize which bridge or which attack path I cut off first. And then again, we go bury in depth on how to shut down each of those paths.
So, yeah, that's what you actually get a little instruction manual. Oh, yeah. This says, here's what you need to do, right? Yes, exactly.
I think, you know, obviously I'm biased, but I think we do a best better than anyone there because you have to. I mean, you have to go so in depth because a lot of Active Directory administrators and experts in every part of Active Directory, it's super complex, right? So, you might be really familiar on really like granting access control entries or granting somebody a right here or there, but you may have no idea how group policy works, right? So, if I tell you to fix something, you're going to look at me back and say, I have no idea, I'm worried about breaking something or whatever.
We go extremely detailed, like there is nothing left out for discussion or question in how to address something. And then the funny thing is in Azure, it's even more important because again, kind of the thing I was referencing earlier, what you learned yesterday, you can have the relearn again today. So, we update that quite often to make sure that people aren't, you know, going on wild use chases to try to research how they would address something. Yeah.
And what's it? But you're, so your revenue model is largely based on the fantast business. Is that correct? This is historically it was.
So, we were slowly reliant on the pentesting and defensive services and training revenue, like the consulting business, right? When we launched Bloodhound Enterprise, that actually changed. So, we have two kind of equal portions of the company. And so like our Bloodhound, like our enterprise customers, I mean, both of them now contribute, if that makes any sense.
Yeah, sure. So, so you charge for enterprise, but you don't charge for the open source version. Is that correct? Correct.
Correct. So open sources is free and will always be free. We just released a massive update to that about a month ago. It's, if you've ever wanted to use Bloodhound or kind of see the problem that we use, I mean, the open source product is amazing to get like initial visibility into this.
It's now faster and easier to use than ever. So historically, like it was built for pentesters, right? And it still is. But it was two hours and maybe 30 different steps to get deployed.
It was, it was a pain. It used a UI that was deprecated like years ago. It was just, it was not fun. It was cool to see, but it was not fun to deploy.
Now it's like five minutes. I mean, anybody could deploy this today. It's a single command. It's all containerized.
It's like, it could not be simpler. So if anybody, like if you're not a pentester, but you want to begin to see this kind of privileges in the attack as an active directory, go download it today. I mean, it's eye opening what you can see with it. Yeah, I did.
In fact, I might just do that. If I could get a break today, because it sounds very cool. And, you know, this is long overdue. And I don't know who you compete with in that space, but I was unaware up until when, you know, we kind of got together that, that anybody had a tool, you know, that was this expansive in that, in that use case.
It was funny. But I mean, we created it because we didn't have a competitor. I mean, like, we were trying to be like a client, so it asked us like, well, what should we do about it? And we would show that like, again, back in the pentesting days, we would execute it in a sack bath and they'd say, well, what should we do?
And we'd say, well, fix that path. But in the back of our head, it was like, I mean, there's so many paths. Like, yeah, you need, we need a different response. And we search for years to try to find something and then we're like, okay, well, we just had to build it.
Like, something has to address this problem. We got thank God for Google Maps. Right. Right.
We had a we came up with the term called attack path management. We put out this big manifesto of like, here's our thinking, how like we address this problem, why we did it the way we did. And so, yeah, it's a relatively new space. A lot of people are now kind of hopping onto this.
We do have some folks that do some similar things, but nobody quite does it like we do. But again, if you want to get started, I download the open source tool. If you're an enterprise company and you, you know, want to see something like this, obviously reach out and we'll show you what the enterprise product can do. But there's no reason to, you know, wait and you can just see it today.
Yeah. Yeah. Okay. That's a sounds like a deal.
Well, you know, congratulations, Justin. It sounds like a cool, coolest product and you're having a lot of fun, I assume. And then, oh, yeah, you must be very well received because you saw the very real and a huge problem. So, yeah, one final note, if you allow me, if you do download the open source tool, there is a very popular article that we put out and I could probably try to get this to you, Steve, so that we kind of know if you could share it in the episode notes, but you can find and fix like, there's some issues that we identify in almost every enterprise client.
You can find those with open source and change those today. Like, you don't need our enterprise product to do that. So, you can, you can affect change today for free and so I'll try to send that over to you. And that's a great way to start.
Yeah, no, that would be great. And yeah, we'll happily do that. So, so once again, folks, we've come to the end of our half hour here, Justin Kohler has been our guest and he's the Vice President of Products and Spector Ops and this is the guy that knows everything that you all ought to know about active directory and the way to identify the attack path management. Is that a category?
Is that a gartner? It's not a gartner category. You know, again, there's nothing that really kind of said this. We just say, okay, well, this makes the most sense.
Creating new categories is a great way to end up the winner and dominate that space. So, all the best of luck to you, Justin, and thank you for taking the time to share with us today. Thank you. Sure.
And thanks to our audience. Hopefully, it was interesting and entertaining to you as well. And until next time, this is your host, Steve King signing off. Thank you for joining us for another episode of Cybersecurity Insights.
You can connect with us on LinkedIn or Facebook or send us an email at social at cybered.io. For more information about the podcast, visit cybered.io or with slash podcast. Until next week, stay safe and secure and we'll see you on the next episode of Cybersecurity Insights.