What is Attack Path Management

Attack Paths are nothing new. Identity-Based Attack Paths (referred to herein simply as Attack Paths) are particularly well-studied. Attack Paths are the chains of abusable privileges and user behaviors that create direct and indirect connections between computers and users.

Microsoft Research published a paper in 2009 describing Attack Paths as “Identity snowball attacks [that] leverage the users logged in to a first compromised host to launch additional attacks with those users’ privileges on other hosts.”¹ The French government presented their work in 2014 to “…highlight [Active Directory] control paths involving non-trivial chains of relations and objects… to measure the effective extent of an account’s power”, titled “Active Directory Control Paths”². In 2016, we created BloodHound to make our jobs as red teamers easier:  (https://github.com/BloodHoundAD/BloodHound).

While Attack Paths are not new, existing defensive literature is too academic to be practical, and practical tools have focused on Attack Paths from the attacker perspective — not the defender’s. Defenders have been plagued by Attack Paths for decades (whether they’ve known it or not), but have never been able to directly deal with the root cause of those Attack Paths.

The primary goal of Attack Path Management (APM) is to directly solve the problem of Attack Paths. Today, the problem of Attack Paths is felt most acutely in the world of Microsoft Active Directory and Azure Active Directory. These platforms provide the greatest payoff for attackers, since taking control of the fundamental identity platform for an enterprise grants full control of all users, systems, and data in that enterprise.

The concepts discussed here will focus on Active Directory (both Microsoft Active Directory and Azure Active Directory), but can be applied to other identity and access management systems, such as AWS and G-Suite.

¹ http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf
² https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/

Microsoft Active Directory and Azure Active Directory are directory service products that provide several critical services to organizations: identity and access management, endpoint management, business application management, and much, much more.

Organizations see Active Directory as:

FOUNDATIONAL

Active Directory is the foundation upon which access is managed for endpoint management services, identity and authentication services, email authentication, and critical business operations are built, making it one of — if not THE most — critical services used by organizations of all sizes.

UBIQUITOUS

Active Directory is by far the most widely used directory service product. Banks, government and military agencies, retailers, small businesses, and the vast majority of the Fortune 500 use Active Directory³. That ubiquity comes with several benefits for organizations, including a rich community to get support, a highly mature Active Directory management and engineering training ecosystem, and a large talent pool filled with thousands of professionals with years (even decades) of experience in Active Directory.

POWERFUL

Active Directory includes several powerful features that simplify user and endpoint management, increase uptime, and streamline the endpoint user experience. Features like security group delegation, Group Policy, and domain trusts enable Active Directory admins to organize and control the IT environment so that it best serves the requirements of the organization.

Adversaries see Active Directory as:

FOUNDATIONAL

Because the entire organization is tied into Active Directory, an attacker can gain control of any computer, any user, any business process by first taking control of Active Directory.

UBIQUITOUS

Because Active Directory is so widely used, an attacker can invest time, money, and effort into developing their skills at attacking Active Directory, and then use those same skills and tools to attack almost any organization.

POWERFUL

The features that make Active Directory so powerful from the administrative side are the very same features that attackers love to abuse. Some of the most widely used tools for attacking Active Directory (BloodHound, Mimikatz, Responder) do not use exploits, but abuse features in Active Directory and Windows instead.

³ https://ww2.frost.com/frost-perspectives/active-directory-holds-the-keys-to-your-kingdom-but-is-it-secure/

Over the past twenty years, Vulnerability Management (VM) has matured into a critical pillar in enterprise IT security. The sheer volume of software vulnerabilities in the 2000s and 2010s necessitated the creation of vulnerability management platforms, and vulnerability management programs to validate the effectiveness of an organization’s patching and secure configuration practices.

Attack Path Management (APM) is a different solution for a different set of problems than Vulnerability Management (VM).

Patches vs. Privileges

Software vulnerabilities have been, are, and will continue to be a big problem. While vendors are getting better at producing software with fewer bugs, they’re never going to produce bug-free code — nor should they be expected to. But new software isn’t the only risk here — old software, or old code that new software is written on top of, can also have exploitable bugs just waiting to be found. For this reason, organizations must be able to react to software vulnerabilities by testing, deploying, and auditing patches, as well as mitigating risks on systems where patches can’t be deployed.

Vulnerability Management (VM) solutions provide specific vulnerability risk using the Common Vulnerability Scoring System (CVSS). While vulnerabilities are an arrow in an adversary’s quiver, they come at a cost. First, each exploit leaves bread crumbs which defenders can find; potentially risking the adversary’s network access, exploit, or both. Second, developing, aggregating, and maintaining an exploit is time consuming for the adversary. Last, the use of exploits to pivot / move through a network is commonly time-consuming.

Attack Paths have plagued organizations for decades. SpecterOps has observed several patterns emerge across hundreds of organizations that explain why they have historically been unable to manage Attack Paths:

The Least Privilege Pipe Dream

When people talk about the “Tough exterior and soft interior”, they are often referring to the fact that while the perimeter controls are hardened and given appropriate attention, the situation inside the perimeter is very, very bad (i.e., full of Attack Paths). Most commonly, this is because the organization has lost control over Windows and Active Directory permissions, which have created critical Attack Paths linking every user and computer in the environment into the most highly sensitive systems and highly privileged principals — a group of assets known as Tier Zero in the Tiered Administration model.

This endless loop of non-starters prevents the vast majority of organizations from ever really achieving effective least privilege enforcement. Yes, an organization may achieve least privilege on a particular set of systems or use logical network rules to mitigate privilege abuse. However, the reality is that Attack Paths persist, grow, and go unmanaged — flying in the face of almost every least privilege accomplishment an organization has.

Red Team Assessments: The Wrong Tool for Mitigating Attack Paths

The goal of a red team assessment as defined by SpecterOps¹¹ is to test the detection and response capabilities (people, processes, and technology) of an organization. Red team assessments are not designed to identify Attack Paths within an organization. However, red team assessments are unique in the professional services arena in their ability to expose how the organization’s defenders respond to realistic, threat-representative attacks. There is often an organizational “A-Ha!” moment when the red team report starts making the rounds. For maybe the first time ever, the organization sees from start to finish the exact steps an adversary took to go from no access to total control of the enterprise. They also clearly see areas where the organization’s response didn’t do enough to prevent it.

Then some familiar questions are asked: “On step 2, you used User X’s password to pivot to Computer 5. But if User X didn’t have admin rights there, you wouldn’t have been able to do that, right?” This kind of thinking is very common — that by taking specific pre-emptive action, the organization would have been free of Attack Paths and, therefore, safe. It’s a comforting — and misinformed — thought. Here’s why:

A “small” organization with around 1,000 endpoints will typically have millions, if not billions of Attack Paths. Attempting to remediate the specific Attack Path presented by the red team assessment would be like trying to stop someone driving from Seattle to New York City by removing a one block stretch of road in St. Louis. It has no effect on the driver’s ability to reach their objective and is likely a waste of resources.

Simply put, the current options for dealing with the risks brought on by Attack Paths fall short because they:

• Don’t or can’t measure the magnitude of the problem.
• Attack the symptoms rather than the problem.
• Ultimately fail to provide practical approaches to resolve risk.

Today, organizations try to deal with Attack Paths in three different ways:

Best Practices Are Often Impractical Practices

In theory, there are two particular methodologies an organization can use to very effectively mitigate the risks brought on by Attack Paths: Tiered Administration and Least Privilege. But for the vast majority of organizations, these methodologies are out of reach.

Tiered Administration sounds simple on paper: split your administrators and endpoints into different “tiers”, and only allow principals and systems in the same tier to access one another. Effectively deployed, this promises to eliminate lateral movement between tiers, so that an attacker with control of a lower-tier principal or system cannot pivot to higher tiers.

Least Privilege Access sounds even simpler: only give users and other principals the privileges they need to do their job, and no more privilege than that. But several factors prevent organizations from deploying Tiered Administration or Least Privilege Access:

1. Opaque and confusing privileges make it too difficult to understand effective permissions against any particular system or object. If you can’t easily audit who has access to one system or object, you can’t determine whether a tier-separation violation exists, or whether a user or principal has the least amount of privilege required.
2. Effectively implementing and maintaining Tiered Administration has historically required architectural changes to several fundamental services, including identity and access management, endpoint management, and even network architecture. This is the biggest reason more organizations didn’t deploy Microsoft’s now-deprecated¹² ESAE, also known as Red Forest.
3. There has historically been no way to accurately predict the real benefit that Tiered Administration or Least Privilege Access would have on eliminating Attack Paths. The inability to demonstrate risk reduction has kept Tiered Administration, Least Privilege, and many other “basic” security controls within the realm of impractical best practice at best, and industry buzzwords at worst.

Existing Products

We have seen some products have an effect on Attack Paths, namely those products in the Privileged Access Management (PAM) category. And some other products, like Anti-Virus (AV) and Endpoint Detection and Response (EDR), can have a positive effect on hindering an adversary’s ability to execute a particular step in an Attack Path. And yet, Attack Paths continue to grow, and Red Teams and adversaries continue to execute Attack Paths. At the end of the day, PAM, AV, and EDR have served more as speed bumps, not roadblocks, when an adversary is executing an Attack Path. Why is this?

The biggest and most obvious reason why existing products do not solve the problem of Attack Paths? They aren’t designed to. Each product within existing categories has been designed, built, and maintained to solve one, or a few specific problems in the information security space. But just as an Attack Path Management solution will not solve the problem of malicious software running on endpoints, EDR solutions will not solve the problem of Attack Paths.

¹² https://docs.microsoft.com/en-us/security/compass/esae-retirement

A Step Forward: Free and Open-Source Software (FOSS) — BloodHound

Almost immediately after BloodHound (https://github.com/BloodHoundAD/BloodHound) was released, the FOSS BloodHound creators and many others realized that the potential for the tool was far more compelling on the defensive side than it was on the offensive. Many organizations have used BloodHound to identify and eliminate Attack Paths in their own networks, to varying degrees of success.

But there are several problems with using FOSS BloodHound as an Attack Path Management solution:

1. Building on top of FOSS BloodHound with custom scripts and methodologies requires a full-time commitment and dedication to mastering graph theory concepts, graph database management, the Cypher query language, and an existing expertise in Active Directory security concepts.
2. FOSS BloodHound offers no way to generate meaningful statistics or measurements. This precludes the possibility of tracking progress over time or demonstrating Attack Path reduction before a remediation is made.
3. FOSS BloodHound’s data collection architecture was designed to facilitate offensive security assessments which take place in a discrete span of time. It was not designed for, nor does it support continuous data collection. This means that the data in the database quickly becomes inaccurate and unusable.

While some organizations, including SpecterOps, have had success with deriving defensive value out of FOSS BloodHound, it is neither good enough nor designed to effectively manage Attack Paths on its own.

Attack Path Management is a fundamentally different, unique methodology designed to help organizations understand, empirically quantify impact, and eliminate Attack Path risks. To achieve this goal, Attack Path Management is based on three fundamental pillars:

Attack Path Management Defined and APM’s Foundational Pillars

Attack Path Management is the continuous discovery, mapping, and risk assessment of Active Directory (on-prem and Azure) Attack Path Choke Points. Organizations can use APM to eliminate, mitigate, and manage Attack Paths, finally achieve effective Tiered Administration and Least Privilege, and significantly reduce the attack surface presented to the adversary by Active Directory. APM does not require fundamental architectural changes, and helps organizations achieve the above benefits without endlessly chasing down misconfigurations, vulnerabilities, and dangerous user behaviors. To achieve these goals, APM is based on three fundamental pillars:

Pillar 1: Continuous, Comprehensive Attack Path Mapping

Continuous Mapping

Enterprise networks are not static. Privileged users log on to different systems every day (leaving behind tokens and credentials that can be abused by an adversary), new applications require newly granted permissions, and security group memberships change to accommodate business requirements. These individual changes and events don’t just affect the principals and objects directly involved — they have far-reaching effects in the creation of Attack Paths. Consider for example the Panama Canal. In its simplest form the canal connects two oceans; however, it opens a pathway for distant nations and economies.
Because the connections and behaviors that form Attack Paths are continuously changing, the Attack Paths themselves must also be continuously mapped.

Comprehensive Mapping

When continuously mapping Attack Paths, every relationship / connection must be charted. From critical servers like Domain Controllers to individual endpoints, comprehensive enumeration of relationships and connections enables full understanding of the real permissions against any given object, computer, user, etc., and also enables the empirical measurement and impact of any particular connection.

Furthermore, ongoing research produces new techniques for abusing legitimate privileges. Those new techniques must be included in the Attack Path Mapping as well. Often, introducing a simple technique to the Attack Path Map can reveal Attack Paths that were always there, but remained hidden for years or even decades.