Try now

Monday, September 7, 2020

We Believe in Tesla

Folks,

I hope this finds you all doing well. Today, I wanted to take a few moments to share a few thoughts about Tesla Inc (TSLA).


But first, in case you're wondering why Tesla merits a mention on a cyber security company's blog, the reason is simple -

While we undoubtedly are a cyber security company, (possibly one of the most innovative, influential and valuable ones,) our employees and leadership team care equally about the safety, well-being and sustainability of all of humanity's home, our unique planet Earth, and we believe that Tesla has made possible, and is leading a defining once in a hundred year transformation, i.e. a transition to sustainable energy.


Thus, as a company that cares as much about caring for our planet as it does about foundational cyber security, I suppose its okay for us to share a few thoughts concerning a company that could potentially make a real difference for our planet.



Climate Change

Over the last 100 years, human activity, business and economic interests have played a significant role in causing climate change, and our dependence on fossil fuels for transportation and energy have materially contributed to this change; over the past 50 years, global CO2 emissions have almost doubled, exceeding 40 gigatons in 2019, which is very concerning.

Climate change and the negative impact of human activity and trade on the environment are now reaching alarming levels, and unless we humans start taking responsibility for our actions and for protecting our environment, it may be too late.



Almost 50%

According to the Global Carbon Project, Carbon emissions resulting from transportation and electricity and heat production account for almost 50% of all Global Greenhouse Gas (GHG) emissions, and are expected to hit a record high in 2020.


Automobiles and auto companies have been around for over 100 years now, and yet, even today billions of people across the world rely on fossil-fuel burning Internal Combustion Engine (ICE) based automobiles to fulfill transportation needs.

While humans have made such remarkable progress over the last century, unfortunately when it comes to transportation and energy production, even 100 years after the first automobile rolled out, we are still vastly reliant on burning fossil-fuels, and this is not sustainable. We cannot and should continue down this path - we must endeavor to change this situation.

There are numerous traditional automobile companies in the world today, many with substantial financial resources at their disposal, and yet for decades now, they have primarily been focused on refining and building ICE based automobiles. If they wanted to, they could have taken a visionary lead to champion the transformation to and production of substantially more environment-friendly, clean and sustainable energy driven automobiles, yet none seem to have done so.

Then comes along a remarkable company, the very purpose of whose existence is "to accelerate the world's transition to sustainable energy!"  Now that folks, is so refreshing, inspiring and truly commendable, and that one company is Tesla!



Tesla - A Brief History


Tesla was founded in 2003, by Martin Eberhard and Marc Tarpenning, who it is believed were influenced to start the company after GM recalled all its EV1 electric cars and then destroyed them! Ian Wright joined a few months later, and Elon Musk, who contributed $ 6.5 Million of the initial (Series A) US $7.5M investment in 2004, became its Chairman.

In 2006, Musk co-led Tesla's third funding round ($ 40M), which included investments from Sergey Brin and Larry Page.

In 2010, Tesla Motors launched its initial public offering (IPO) on NASDAQ, and they were the first American car company to do so in over half a century, since the Ford Motor Company had its IPO in 1956!

That year, Tesla started the production of its flagship Tesla Model S, of which over 250,000 units of which have been sold worldwide, and which went on to win Automobile Magazine's "Car of the Year" 2012, Time Magazine's "Best 25 Inventions of the Year" 2012, Motor Trend "Car of the Year" 2013, Motor Trend "Ultimate Car of the Year" 2019 and other accolades.

In 2016, Tesla unveiled the Tesla Model 3, Tesla's third-generation car. Within a week of its unveiling, 325,000 Model 3s had been reserved, representing $ 14 Billion in sales. By July 2017, the number of Model 3 reservations crossed 500,000.

By October 2018, Tesla had already successfully delivered over 100,000 Model 3s and the Model 3 went on to top plug-in electric car sales in the U.S., making it the very first time that a plug-in car sold more than a 100,000 units in a single year.

In 2018 alone, Tesla's sales represented about 20% of all the all-electric cars worldwide.

In 2019, Tesla had delivered 367,500 all-electric cars, three times the number of cars it sold in 2017.

By 2020, Tesla's Model 3 was the amongst  the Top-10 (8th) best selling cars in Q1, 2020 in the United States.

By January 10, 2020, before the Covid 10 pandemic had brought the world to a proverbial halt, Tesla had already become the most valuable American automaker to ever exist, with a market capitalization of US $ 86 Billion.


In short, in less than two decades, under the leadership of Elon Musk, Tesla Motors went from concept to being the most valuable American automaker to ever exist. Well before its recent stock price increase, it was already worth $ 86 Billion.

As the CEO of a software company, I can tell you that it is no easy feat to take a hardware-software combination product from concept to trustworthy deployment in just a few years. I can tell you from personal experience that it takes years just to architect, develop, thoroughly test and make available innovative, disruptive, high-quality software, so to then do so on a hardware-software combination product (an electric vehicle), especially one involving human safety, is a remarkable feat.

(In weeks to follow, due to an increase in its stock-price, on July 01, 2020, it was worth over $ 200B, surpassing Toyota to become the world's most valuable automaker by market-cap; on August 31, 2020, it briefly crossed $ 450B in market-cap.)



Real, Disruptive Potential

In 2019 alone, Tesla generated over $ 24 Billion in revenue, and many believe that it may very well be just getting started.


Tesla has managed to accomplish in just a few years, what the entire automobile industry, and their substantial resources put together, have not been able to accomplish - successfully developing and delivering a high-quality, all-electric vehicle.

With a ramped-up production capacity, and technical enhancements based on years of development experience, Tesla could likely easily and substantially accelerate the delivery of millions of affordably-priced, high-quality all-electric vehicles, which could begin to replace millions of traditional, age-old, fossil-fuel powered automobiles, across the world.

Based on facts shared above, its clear that there is already incredible substance to and in Tesla, and that ahead of it lies a substantial amount of market-share that it seems poised to earn and establish a commanding lead in, for years to come.

The likely reason that Tesla crossed an $ 86 Billion valuation back in January 2020 alone may very well be that today Tesla already 1) possesses valuable, formidable and licensable intellectual property (IP) in and over a decade's lead in research and development (R&D) in all-electric vehicle production, 2) has a line-up of proven, high-quality, all-electric vehicles that it has already delivered close to half a million units of, 3) currently has the capability to produce hundreds of thousands of these vehicles today, and 4) is already working to substantially increase production capacity (setting up Giga factories), to meet demand not just in the U.S. but overseas, predominantly in China and the European Union, all likely made possible by laser-focused execution and an unwavering commitment to accelerate the world's transition to sustainable energy.

Most importantly, like us, it clearly has a decade's lead in and over the entire industry, and that is immensely valuable.

Based on our own unique experience, I cannot stress this enough - a thousand things can go wrong when you're trying to accomplish something as innovative and complicated as this, so to then be able to successfully develop and deliver a high-quality, world-class product undoubtedly puts you years ahead of anyone who may even want to try and compete with you.

Given its track record, its balance sheet, its ability to raise capital, and its recent capital raise, it shouldn't have difficulty in ramping-up its ability to produce over a million all-electric vehicles a year, and even if it only sold a million vehicles a year, (considering it sold almost 400K vehicles in 2019,) it could soon start generating over $ 50 Billion in annual revenues.

Speaking of which, in addition to the Model S and Model 3, Tesla also sells a Model X (SUV) and a Model Y, and it recently unveiled a Roadster, a Class 8 semi-trailer truck, and a Cyber Truck, so selling a million units a year seems reasonable.

For a company that already generated $ 24 Billion in revenues last year (400K vehicles sold), and that could generate over $ 50 billion (selling 1 million vehicles) in annual revenues in the next two/three/few years, and possibly even a $ 100 Billion in annual revenues within five years, its recent increase in valuation does not seem that unreasonable, especially considering that today there may be millions of investors, small and large alike, who may very likely want to get in on the opportunity to partake in the potentially massive disruptive potential that seems (to many) to lie ahead of Tesla.

From our perspective, we are not primarily interested in the "business" opportunity that lies ahead of it, or in its current or future market cap. We are primarily interested in Tesla's real potential impact on Earth, which I have described below.





Thoughts on Recent Valuation Concerns 

There appear to be concerns regarding Tesla's recent valuation, esp. after news of its not being included in the S&P 500.


In recent weeks, Tesla's valuation has risen from $ 86 Billion to almost $ 400 Billion, and unfortunately part of it seems to have to reportedly do with a certain entity trying to cause an increase in its share price for purely short-term financial gain.

That said, given Tesla's absolutely unique and enviable position, that is now in full spotlight, the cat's out of the bag, in that the entire world has come to learn more about Tesla, as well as come to learn of and appreciate the incredibly real and immense potential that likely lies ahead of it.

Consequently, in a world where investment opportunities that have the potential to grow considerably are far and few, plausibly, millions of investors, both big and small, would likely want to acquire Tesla stock, and when you have millions of investors wanting in on a fixed amount of outstanding shares, considering just how much potential growth lies ahead, the sheer demand for Tesla's shares could lead to what might seem like an unreasonable increase in its stock price.

Tesla clearly may have the opportunity to sell millions of all-electric vehicles in the near future and beyond, so it likely has a substantial amount of runway ahead of itself, so while the current share price may seem unreasonably high, given the sheer demand for it, and the substantial runway for appreciation ahead of it, it does not seem unreasonable for the stock price to be where it is today. In its case, not just technical fundamentals, the sheer demand for it is likely driving its price.

Some rightly point out that competition may be around the corner. That has been true for years now, and by all means it should be, because competition is healthy, but to date many have tried, and it appears none have succeeded, and again, I can tell you from my own experience in having led the development and delivery of one of the world's most innovative and valuable cyber security solutions, that sometimes (no amount of) money alone can compete with you.

There has also been some concern following Tesla's stock surprisingly not being included in the S&P 500 this quarter.

For those who may have been expecting to benefit from that inclusion, it may come as a disappointment, but for those who are focused on the potential that this incredible company has ahead of itself, inclusion in the S&P 500 isn't that big of a deal, because all Tesla has to do is to continue to do what it is doing, and if it does so, likely, from a continued increase in its stock price to the eventual inclusion in the S&P 500, most such things will come to it, automatically.

I am not a financial expert but it seems to me that Tesla has enough room for growth ahead that its shares do not need an S&P 500 inclusion as a catalyst to realize more gains. As is the case with most successful companies, their shares automatically increase in value as long as the company continues to successfully pursue its mission and fulfill its potential.


Finally, an article on CNBC this weekend, with the headline "Tesla could be the most dangerous stock on Wall Street," in which an investment researcher states that 'A more realistic valuation would be far lower than current levels. I think around a 10th of what it is probably appropriate if you look at, you know, kind of a reasonable level of profits" sounded uninformed.

One doesn't have to be a rocket scientist or an investment researcher to realize that considering the simple facts and reasons shared above, it is almost certain that Tesla's stock will likely NEVER go back to a 10th of where it is today. :-)

Look deeper and you'll find that this investment researcher actually first said this three weeks ago, on August 24rd, 2020 (when TSLA was around $ 1500, subsequent to which it rallied up to $ 2500, only to be back to $ 2100), yet it is being spotlighted in the news this weekend, appearing to be a scare-tactic to scare shareholders into selling Tesla's stock.

On a related, partly humorous note, I came across this comment recently - "Those who like Tesla want the shares to go up, those who really like Tesla want the shares to go down (just so, just enough and just until they themselves can get in.)" ;-)

I've also seen some chatter online suggesting that the S&P 500 may have snubbed Tesla this quarter just so some could get in at a lower price, conveniently before it is accepted into the S&P 500 next quarter. As to how true it is, who knows.

What I do know is that those of us who believe in the company and its potential (and there are many, ) do not worry about short-term fluctuations in its share price, and I can almost say with reasonable confidence that neither does Elon Musk.

Tesla very likely has tremendous opportunity ahead of itself, and millions of investors seem to want in on its stock.




Exemplary Leadership

History is witness that behind every great invention, breakthrough, progress or success story was a passionate individual, who believed in him/herself enough to commit oneself to one's cause for years, and stay laser-focused on accomplishing the objective, no matter how difficult and challenging the journey.


Thomas Edison, Henry Ford, Bill Gates and Steve Jobs are just a few of examples that immediately come to mind.

Elon Musk is one such passionate individual, and again, I speak from my own personal experience in building Paramount Defenses, when I tell you that what he has managed to almost accomplish at Tesla and SpaceX is absolutely remarkable.

In just a few years, he has made possible, that which the entire auto industry put together could not accomplish in half a century, because he had the passion to believe in it, the will to succeed and the grit to continue to persevere and succeed.

The world needs more leaders like Elon Musk, who embrace science, who take on truly big challenges in the interest of improving the lives of billions of people, and who make real and meaningful contributions to society, mankind and Earth.

Yes, he may occasionally tweet something eccentric, but Elon's human too. Speaking of tweeting, Elon Musk's intellect, decency, humility, brilliance, professional and business acumen, and integrity are far, far (and I mean exponentially) greater than some who claim that that they may be the greatest leaders in the world.

Under Elon Musk, Tesla is doing great; it seems to be making all the right decisions and is on track to achieve greatness.





A Simple Picture

Sometimes a simple picture can help us crystalize an idea or an opportunity, so allow me to paint a super, simple picture.


In my perspective, Tesla today is like Apple was a few years ago, just before or around the time it shipped the iPhone.

Like Apple, Tesla's products are essentially a tightly-integrated combination of hardware and software, and it develops them both (almost) itself, with virtually unrivaled attention to quality, detail and workmanship, ultimately resulting in a high-quality, trustworthy product that can compelling fulfill a vast global need, measurably and tangibly improving the lives of millions of people, and in the result creating substantial value for its customers, employees, partners and shareholders.

Apple didn't get where it did, overnight. It took Apple a few years to get there, and I think that Tesla today is at where Apple was a few years ago, i.e. it is on the cusp of greatness, and if it continues to do what its doing right, it too should get there in just a few years.

As for the competition, sure there will always be some who will try to compete, and they absolutely should, but/and in the end, it seems to me that the one with the deepest expertise, the most experience, passion, attention to detail, and the best software-and-hardware integration will ultimately prevail substantially and take the majority of market share, and it seems to me that in that regard, Tesla clearly already has a decade's lead.




Tesla's Real Impact

From our perspective, we are interested in the real value and impact that Tesla has the potential to deliver to mankind, which is to lead and commence, possibly for the first time ever in a hundred years, the macro transformation from the widespread use of fossil-fuel powered ICE based automobiles to all-electric automobiles.

Imagine if over the next few years, we could replace millions of fossil-fuel powered automobiles with zero tail emmision all-electric ones, and augment power in millions of homes with clean solar-energy - this is possible today, thanks to Tesla.


This one single transformation alone could have a substantial impact on our ability as mankind to substantially reduce CO2 and GHG emissions, and allow us to start taking care of the only place in the entire Universe that all of us call home.

In fact, as responsible global citizens, across the world, ideally we must all encourage widespread adoption of clean-energy solutions wherever possible, because this is after all our planet, and it is ours to destroy or protect.

Due to paucity of time, I did not have the opportunity to shed light on all that Tesla is doing in the solar, storage and grid spaces, but you'll get the drift - Tesla is driven to make a real, substantial and lasting difference as mankind goes about fulfilling its colossal energy and transportation needs, and by persevering and innovating to help make the shift to renewable sources, it truly has a unique opportunity to have a real, substantial and lasting impact on the environment, and thus on our planet.

In essence, not everything in life is just about money or business or profits. There's far more to life, and yet, it seems that for far too long, humans have selfishly exploited Earth and its abundant natural resources for financial gain, without much regard to its well-being, whether it be mass deforestation, or the pollution of our atmosphere and water bodies (rivers and oceans,) or the massive use of fossil fuels for over a hundred years to meet our ever-growing, insatiable energy needs.

For then to come along a remarkable company, the very purpose of whose existence is "to accelerate the world's transition to sustainable energy" is truly refreshing, praiseworthy, inspiring and commendable, and for it to have actually successfully accomplished the capability needed to begin to make that difference is praiseworthy, and that one company is Tesla!


Now if you'll excuse me, I need to head back to finish work on a version of Gold Finger that is about to democratize cyber security worldwide by opening the world's eyes on who actually has what privileged access (the Keys to the Kingdom) at 85% of the world's organizations.

Best wishes,
Sanjay.

Chairman and CEO,
Paramount Defenses


Full-disclosure: I am a Tesla shareholder because I believe in Tesla's mission and its real impact, and I penned this because I wanted to point out that there's a little more to Tesla than mere profits and money. Speaking of shareholders, over 50% of Tesla's stock is held by institutions, and of the rest of it, much of it by hard-working folks who believe in Tesla.

Standard Disclaimer: This is not financial advice. This is merely an individual's opinion. Please do not rely solely on this to make any financial decisions. You should obtain professional advice for any financial decisions you may wish to make.

Tuesday, September 1, 2020

Built to Last a Hundred Years

Folks,

I hope this finds you all doing well. Today, I just wanted to take a brief moment to share that when you bear a great onus, as we do, you owe it to the world to ensure that you're going to be around long enough to be able to serve the whole world.

Fourteen years ago, cognizant of that, when I founded Paramount Defenses, I made it a priority to ensure that we built the company in such a way that it could last not just a proverbial but a real century, and its my privilege to share that we can.

We can formidably withstand recessions, pandemics and natural disasters because we plan and operate like the military.


After all, in today's digital age, cyber is the new battleground, and capability and resiliency in cyber security are paramount to organizational, business and national security. We understand this unequivocally, and operate accordingly at all times.


Today we possess the wherewithal to be able to simultaneously fulfill the needs of, serve and empower thousands of business and government organizations across one hundred and ninety countries worldwide, without blinking an eye.

Above all, we care deeply, and strive to represent the best of the United States of America, and the best of humanity.

Sincerely,
Sanjay.

Monday, August 24, 2020

What Lies at the Foundation of Cyber Security of the U.S. Government?

Folks,

Today, I wanted to take a brief moment to share another simple fact with you that impacts national and global security.


At the very foundation of cyber security of the entire United States Government lies a single technology - Active Directory.

From the White House to the U.S. Senate and from the Department of Defense to the Department of Justice, virtually every agency in the United States Government operates on Active Directory, as do the CIA, the NSA, the FBI etc. etc.


That's right - virtually every federal, state and local agency in the United States Government operates on Active Directory, and today, collectively hundreds of millions of security permissions specified in the access control lists (ACLs) of millions of Active Directory objects collectively serve to secure and protect the entire United States Government.

Thus, whether it be U.S. President Donald Trump or Speaker Nancy Pelosi, Senator Mitch McConnell or Attorney General William Barr, in all likelihood, they all have an Active Directory domain user account that they login with every day, as do virtually all U.S. Government employees, including all Secretaries (State, Defense, etc.) and Directors (CIA, NSA, etc.)


Today, the vast majority of the U.S. Government's IT assets are protected by its foundational Active Directory deployments.
The adequate protection and defense of the foundational Active Directory deployments of all federal, state and local government agencies, and those of all U.S. Embassies worldwide, is of paramount importance to U.S. National Security.


Here's a two-page Executive Summary - Active Directory Security for the United States Government.


That's all for today.

Best wishes,
Sanjay.

Monday, August 10, 2020

How to Audit Who Can Change Domain Admins' Group Membership?


Folks,

Hello. I hope this finds you all doing well. This post is Day-8 of Active Directory Security for Cyber Security Experts.


Today, I will help you learn how organizations that operate on Active Directory can easily and accurately answer an absolutely essential and paramount cyber security question that impacts their foundational cyber security -


Exactly who can change the membership of the Domain Admins group?


It is extremely important to know how to do so correctly because a single incident involving the unauthorized change of the membership of the Domain Admins privileged security group could instantly result in a massive cyber security breach.





This is Paramount

The Domain Admins privileged group in Active Directory holds the proverbial Keys to the Kingdom and anyone who could change the membership of the Domain Admins group could instantly cause a massive cyber security breach.


Unfortunately, today, most organizations only audit the membership of the Domain Admins group; they do not audit who can change its membership, and those that do usually do so incorrectly, leaving themselves vulnerable to compromise.




How to Correctly Make This 
Paramount Determination -

From a technical perspective, there is only one correct way to find out exactly who can change the membership of the Domain Admins security group and that involves accuratley determining Active Directory Effective Permissions on it.

Specifically, technically speaking, all that one needs to determine is exactly who has Write Property effective permissions to modify the Member attribute on the Domain Admins object, cn=Domain Admins,cn=Users,dc=… in Active Directory.




A Step-by-Step Walkthrough

This is perhaps best illustrated with a simple example, so let us see how to find out who can change the membership of the Domain Admins security group in the lab Active Directory Security VM that everyone can freely download and use.

Consider the Domain Admins security group in the lab VM domain, corp.local -



As one can see, the all-powerful Domain Admins security group contains 3 members, including the default Administrator account, the IT Directory Services Management Team security group and the Privileged Service Accounts security group.

Let us proceed to determine the complete nested membership of the Domain Admins security group in the corp domain -

As seen above, there are a total of 13 accounts that are member of the Domain Admins security group in this domain.

  • Note - Today, at most organizations, security audits are limited to enumerating the membership of the Domain Admins security group. Most organizations do not perform the extra measure of additionally also determining exactly who can change the membership of this group, even though knowing that is equally important.


As indicated above, to find out exactly who can change the membership of the all-powerful Domain Admins security group, we need to find out exactly who has Write Property effective permissions to modify the group's Member attribute.


To do so, let us begin by examining the ACL (access control list) protecting the Domain Admins security group -


As one can see above, there are numerous security permissions granted to numerous security principals in this ACL, and unfortunately it does not appear easy to examine the object's ACL easily using Microsoft's native ACL editor in ADUC.



To help make ACL analysis easier, perhaps we should view the object's ACL using an Active Directory ACL Analyzer -

As seen above, the detailed, easily sortable high-fidelity view makes it so much easier to analyze this object's ACL. We can now easily see that there are a total of 20 security permissions specified in the ACL, including 4 Deny permissions.


A simple examination of the CSV export of this ACL from the tool helps us clearly identify just what we need to analyze -

Specifically, we can now easily see that of the 20 permissions in the ACL, there are only 10 permissions that impact Write Property access on the object, of which 9 grant blanket writes and 1 grants write-property only to the Member attribute.


Equally importantly, notice that of these 10 permissions, 6 allow access and 4 deny access, and as a result, not only will we have to expand the group memberships that are allowed access, but also expand the group memberships that are denied access, and strike off (i.e. remove from) the Allowed list, any accounts that are also on the Denied list.

Here are the 6 security groups/principals that are allowed blanket/member Write Property access -
  1. IT Cyber Security Team - Membership: 5 individual user accounts 
  2. Domain Admins - Membership: 3 nested security groups 
  3. Enterprise Admins - Membership: 3 nested security groups
  4. IT Admin Support Team - Membership: 5 individual user accounts and 1 nested security group
  5. Administrators - Membership: 1 individual user account and 2 nested security groups
  6. System


Similarly, here are the 4 security groups/principals that are denied blanket/member Write Property access -
  1. Spartacus Program - Membership: 6 individual user accounts
  2. IT Local Admin Teams - Membership: 3 nested security groups
  3. IT Help Desk Team - Membership: 10 individual user accounts and 1 nested security group
  4. IT Contractors - Membership: 30 individual user accounts

Thus, in order to accurately make this determination, we will first need to completely expand 13 nested security groups, take into account the direct membership of 50 user accounts, and then meticulously ensure that any user that is both on the Allowed list and on the Denied list is struck off the Allowed list.


In this simple fictional domain, there were only 10 such relevant permissions. In most real-world Active Directory domains, there will easily be many more relevant permissions, and many more groups to expand and conflict resolutions to perform, making this process really difficult, error-prone and time-consuming to perform, and do so with 100% accuracy, each time.


By way of example, if you proceed to meticulously perform all of the security group expansions above in the lab corp.local domain, you will find that there is at least one user, Simon Baker, who is on both, the Allowed and the Denied lists.

Specifically, the IT Admin Support Team, which is allowed the relevant write-property access contains a nested group, IT Admin Support Backup Team, and Simon Baker is a member of this group, so via a nested group membership he does make it on to the Allowed list. However, it turns out that Simon Baker is also a direct member of the IT Help Desk Team, which as one can see above, is denied the relevant write-property access, and so he is also on the Denied list. In effect, the deny will take precedence over the allow, and as a result, even though he is on the Allowed list, Simon Baker will not be able to change the membership of the Domain Admins group!


As clearly illustrated above, the process involved in trying to manually make this determination is substantially complex, error-prone and time-consuming, even when it is essential that there be no mistake, because accuracy is paramount.


It is also worth noting that if we had simply performed Active Directory permissions analysis, even by using a highly capable Active Directory Permissions Analyzer, we would have been making incorrect conclusions, as seen below -

As one can see above, even an advanced Active Directory Permissions Analyzer will report that there are 31 individuals who have been allowed relevant Write Property permissions, including blanket and specific (to the member attribute), and in particular they will report that Simon Baker is also on this list, when in fact Simon Baker is also denied the same access, so he will in fact not actually have the allow access reported by an Active Directory permissions analyzer!


The above example also clearly illustrates why it is not sufficient to merely analyze "Who has what (allow) permissions?" (which incidentally is what most commonly used tools do), because one also needs to correctly intersect deny permissions.

Finally, it is also worth noting that in this specific example, there were no inherited permissions because the ACL protecting the Domain Admins group is a protected ACL. In contrast, the ACLs of most Active Directory objects are not protected, and so there could easily exist both explicit as well as inherited permissions, making the conflict resolution even more complex, because not all deny permissions will negate/override allow permissions. There is a specific order that one needs to know about and take into consideration to correctly perform conflict resolution, and in production domains, this is very difficult.


Now, many folks may point out that there is an Effective Access Tab, accessible via Advanced Security Settings in Active Directory's native tooling that is designed to help calculate effective access/permissions in Active Directory. Yes, there is -


However, if you have ever tried to use it, you know that it is almost useless because of 3 simple reasons - 1) it is not 100% accurate, 2) it can at best calculate an approximation of effective permissions ONE USER AT A TIME, and 3) it cannot pinpoint which underlying security permission in the object's ACL entitles a user to a specific effective permission.

For instance, if you had a 1000 user accounts and a 1000 computer accounts in your Active Directory forest, you would have to use the tab at least 2000 times just to make this one determination, and that too would not be 100% accurate!

  • Note: For the details of these limitations in Microsoft's Effective Access Tab, you may wish to read this post.



So, how are organizations supposed to make this
paramount determination accurately and easily?



We value our time so we use an automated tool that automates the entire process of making this determination for us, reducing the amount of effort involved down to touching a button, and the amount of time required down to seconds -

As seen above, in less than 30 seconds, we were able to accurately determine that there are a total of 30 individuals (i.e. accounts) that in effective have Write Property Member effective permissions on the Domain Admins security group.

[ Solely by way of background, this tool is the world's only accurate Active Directory Effective Permissions Calculator and it can instantly and accurately determine the complete set of effective permissions entitled on any Active Directory object. ]



Now, not everyone tasked with making these paramount determinations (e.g. an IT Auditor, an IT manager etc.) may be proficient in Active Directory, so they may not know how to perform this audit using an effective permissions calculator.

Individuals who may not be proficient in Active Directory could use the following tool to make this determination in simple English without having to know anything about Active Directory (e.g. attributes, permissions, effective permissions etc.) -

As one can see above, this tool, an Active Directory Effective Access Auditor, delivers the same information but in very simple to understand non-technical parlance, making it very easy for non-technical individuals, such as IT auditors, IT managers and IT executives to easily make this determination without knowing anything about Active Directory.



Finally, lets say you wished to find out who can change the membership of not just the Domain Admins security group, but of all security groups that reside in the Users container, such as and not limited to Enterprise Admins, Schema Admins etc.

To fulfill this paramount need, some of the world's top organizations rely on the Active Directory Privileged Access Auditor to make this determination, and do so in minutes. Simply point the tool to the Users container and click a button -

This tool automatically identifies all domain security groups in the specified scope, then automatically determines effective permissions on each one of them, and reveals exactly who can change the membership of every group in the set scope.



Of course, organizations can also make these determinations manually, without using any of the above mentioned tools, by simply having their IT personnel engage in the process outlined above, whenever required. The manual process may be substantially more time-consuming, expertise-reliant and error-prone, but it doesn't require procuring any tools.

Over the last decade some of the most important and valuable organizations in the world, including the U.S. Treasury, have used the tools mentioned above because they save their IT teams a mountain of effort and thousands of hours in time, and because they happen to be the only way to accurately make such determinations without investing a substantial amount of time and effort.



In essence, today organizations can make this paramount
determination both manually, as well as automatically.




Conclusion

The objective of today's post was to help thousands of organizations, their IT personnel, IT Auditors and CISOs learn how to correctly make a paramount determination in their foundational Active Directory deployments.

As we saw above, technically speaking, all that one needs to determine is exactly who has what sufficient Write Property Member effective permissions on the Domain Admins security group.

As we also saw above, in any real-world Active Directory domain, it is not at all easy to manually make this determination with accuracy, even though accuracy us paramount because a single unauthorized user who could enact this task could take over the entire organization in minutes.

Most importantly, as we saw above, albeit there were only 13 accounts that were members of the Domain Admins security group, we were able to identify that there were a total of 30 accounts that could actually change the group's membership!

Thus, organizations that may only be relying on performing basic group membership audits are very likely operating on a dangerously false sense of security today, because as seen above, the number of accounts that can change the membership of the Domain Admins group are far greater than the number of members in the group!

Organizations that do not know exactly how many individuals (employees, contractors, service accounts etc.) can actually change the membership of their all-powerful Domain Admins security group may be at a substantial risk of compromise.


I will conclude this post here. I'll share the next question in a day or so, and answer it on Monday, August 17, 2020.

Thanks,
Sanjay.

Tuesday, August 4, 2020

Who can change the membership of the Domain Admins group?


Folks,

Hello. Today, I thought I would ask yet another very simple, fundamental and paramount cyber security question that impacts the foundational cyber security of over 85% of all business and government organizations worldwide.


Exactly who can change the membership of the Domain Admins group?

Today, at most organizations worldwide, most IT Teams, CISOs and IT Auditors may know exactly who the members of the Domain Admins group are, BUT very few of them know exactly who can change the membership of this all powerful group.





This is Paramount

The Domain Admins group in Active Directory holds the proverbial Keys to the Kingdom and anyone who could change the membership of the Domain Admins group could instantly cause a massive cyber security breach.


Here are 3 simple scenarios that could be instantly enacted
by anyone who could change this group's membership -

  1. Add any account to membership of this group - Anyone who could add any account that they have control over to this group's membership would instantly have escalated their privilege to that of an all-powerful domain admin.

  2. Add Everyone to the membership of this group - Anyone who could add the Everyone well-known security principal to this group would instantly have made all organizational user and computer accounts Domain Admins!

  3. Remove all existing members from this group - Anyone who could remove all existing members could easily and instantly render an organization's existing Domain Admin accounts powerless.

Thus it is paramount that IT Teams, the CISO and IT Auditors at every organization that operates on Active Directory, know at all times, not just who is a member of this group today, but also exactly who can change the membership of this group.




The Answer (and a Simple Challenge)

In my next post on August 10, 2020, I'll share with you exactly how organizations can make this paramount determination.

Until then, here's a simple challenge - here is a simple ready-to-use Active Directory fictional deployment. Can you find out exactly how many accounts can change the membership of the Domain Admins group in this fictional AD deployment ?!

Best wishes,
Sanjay.


PS: Strictly speaking, Domain Admins is merely one of numerous such groups in Active Directory that possess all-powerful organization-wide privileged access. However, in the interest of simplicity, I've focused on the Domain Admins group here.

Wednesday, July 29, 2020

How to Easily Mitigate the Security Risk Posed by Mimiktaz DCSync


Folks,

Hello. I hope this finds you all doing well. This post is Day-7 of Active Directory Security for Cyber Security Experts.

Today, I will share with you how to easily mitigate the serious cyber security risk posed by Mimikatz DCSync hacking tool to Active Directory deployments, as well as walk through a real-world example in our Active Directory Security lab VM.




Overview

Mimikatz DCSync is a hacking tool written by Benjamin Delpy that is often used by perpetrators to swiftly and substantially compromise Active Directory deployments by letting them determine the passwords of all organizational domain accounts.


In short, if a perpetrator could successfully run Mimikatz DCSync against your domain, he/she/they could instantly find out everyone's passwords, from that of all Domain Admin accounts to that of the CEO's account to that of the krbtgt account.

In short, it would be Game Over in minutes, and the organization would have suffered a massive cyber security breach.





Root Cause

The simple reason that Mimikatz DCSync is able to determine the passwords of all domain accounts is that the account being used by the perpetrator has sufficient access so as to be able to request and obtain from Active Directory, the password hashes of all domain accounts, which it can then easily determine the clear-text version of.

To be specific, any user that has (i.e. is granted) sufficient privileged access in Active Directory to be able to replicate secrets from Active Directory can simply request Active Directory to provide it a copy of the entire domain contents, including all secrets i.e. password hashes of all domain accounts.

It logically follows that a perpetrator can only successfully use Mimikatz DCSync against an Active Directory domain if the compromised domain account that he/she is using has sufficient privileged access in Active Directory to be able to request and obtain secrets (i.e. password hashes) from Active Directory.

Speaking of which, the exact privileged access that is required to be able to obtain (replicate) secrets from Active Directory involves two Active Directory extended rights, and an attacker requires both of these permissions to be effectively granted -
  1. Replicating Directory Changes
  2. Replicating Directory Changes All

That's literally all that a perpetrator needs to be able to run Mimikatz DCSync against an organization's Active Directory.




Prevention

Organizations can in fact prevent perpetrators from being able to run Mimikatz DCSync against their Active Directory.

To do so, they need to first accurately identify, and then review and lockdown the list of all personnel who are currently authorized to, i.e. have sufficient privileged access to, be able to replicate secrets from their Active Directory domains.

Specifically, if organizations can accurately determine exactly which domain accounts have these two Active Directory extended rights effectively granted in the ACL protecting the domain root object, then they can easily determine exactly who all can run Mimikatz DCSync agains their Active Directory today.

Once they have done so, a review of this list will instantly identify and reveal all accounts that currently do but that should not have this level of privileged access, and if they can additionally determine the underlying security permissions in the ACL of the domain root object that entitle these accounts to the required privileged access, they can instantly and reliably lockdown those permissions to minimize this number down to virtually zero.

Subsequently, to maintain locked-down access, security conscious organizations will want to periodically (daily, weekly or biweekly) monitor (audit) any changes in privileged access (i.e. Active Directory effective permissions) on the domain root.


In short, a simple three-step process is all it takes to prevent the use of Mimikatz DCSync -

  1. Accurately identify who has sufficient effective permissions to replicate secrets from the domain
  2. Review list and lockdown access, by identifying and then tweaking the underlying entitling permissions
  3. Subsequently, monitor (audit) effective permissions on domain root to identify any changes in privileged access

By following this simple three-step process, organizations can easily prevent the use of Mimikatz DCSync against their foundational Active Directory, and prevent the credentials of the entirety of their user populace from being compromised.





A Classic Mistake

A classic mistake that many organizations often make when trying to determine who has the required privileged access to be able to replicate secrets from Active Directory is that they often only focus on identifying "Who has what permissions?" on the domain root object whereas in fact what they need to be doing is identifying "Who has what effective permissions?"

A simple analysis of "Who has what permissions" may not always include the impact of any deny permissions that may have been specific (directly or indirectly), or the impact of arcane nested group memberships, or the impact of any permissions granted to (dynamically evaluated) well-known security principals, or the impact of Special permissions etc.

Further, in most Active Directory deployments, there are almost always well over a hundred security permissions the ACL of the domain root object, so it is difficult, cumbersome and error-prone to make this determination with 100% accuracy.

Consequently, even organizations that know exactly what privileged access enables perpetrators to use Mimikatz DCSync may not always have the correct picture when it comes to who can actually run this tool in their environment.





The Correct Procedure

The simple and correct procedure to make this paramount cyber security determination involves accurately determining effective permissions on the domain root object to identify all individuals who are effectively granted both, the Replicating Directory Changes and the Replicating Directory Changes All extended rights.

Individuals who are on both the lists are the only ones who can successfully run Mimikatz DCSync against Active Directory.





A Step-by-Step Example

With this in mind, let us proceed to enact the three steps outlined above in our corp.local lab Active Directory domain.

  • Prerequisite: To follow along this example, you will need to download and use the completely free and ready-to-use accompanying lab Active Directory VM, which can be instantly downloaded from here.


Step 1

Let us begin by examining the ACL protecting the domain root object. To do so, simply launch Active Directory Users and Computers snap-in, select and right-click the domain-root object, click the Security tab and then click the Advanced button.

Active Directory security permissions in the ACL of the domain root object

As one can see, there are many Active Directory security permissions specified in the ACL for many security principals, some allowing and some denying access, and it does not seem easy to even just view these permissions in their entirety.


As an alternative, let us try using Microsoft's dsacls command-line utility to get a better picture of this ACL -

Unfortunately, even with dsacls it seems difficult to even just get a simple listing of all the security permissions in this ACL, perhaps because dsacls is more suited to perform Active Directory ACL modifications than it is to perform ACL analysis.



Today there are several solutions available to help make Active Directory ACL/security permissions analysis easier for everyone, and you are welcome to use any tool/solution of your choice to obtain a better picture and follow along.



I am going to proceed with the Microsoft-endorsed Active Directory ACL Analyzer, because it is the simplest, most capable and most trustworthy Active Directory ACL Analyzer that I know of (, and because I architected it) -

I was able to retrieve the object's ACL at a button's touch; status bar indicates that there are 59 permissions in the ACL.


Next, I click the View Details button and the tool now shows me a detailed view of the ACL, with the security permissions field/column broken down into individual, sortable columns, one for each of the 13 Active Directory security permission types, making it easy for me to sort the ACL and hone-in on just those permissions that impact Extended Rights (CR) -

The rich, detailed view (also available in the exportable CSV format) helped me make the following determinations -
  1. Of the 59 permissions in the ACL, there are 33 permissions that specify (allow/deny) extended right permissions
  2. Of these 33 permissions, 19 permissions directly or indirectly specify the two permissions we are interested in
  3. Of these 19 permissions, 13 permissions indirectly specify both the permissions we are interested in 
  4. Of these 19 permissions, 3 permissions directly specify the Replicating Directory Changes extended right
  5. Of these 19 permissions, 3 permissions directly specify the Replication Directory Changes All extended right
  6. Of these 19 permissions, 2 permissions deny access, and the remaining allow access
  7. Finally, altogether, these 19 permissions allow/deny access to 17 unique security principals

As one can see, this information in itself is already helpful because it has helped us determine which of the 59 security permissions in the ACL of the domain root object we need to take into account to make this determination.

In case it helps, here's a snapshot of the output of this tool, exported to CSV and opened in Excel -

Saliently, there are 17 security principals that we need to focus on, almost all of which are security groups that we will need to expand, and perhaps some of them may contain nested groups (of which some could be circularly nested) etc.

This also indicates that we will also have to perform conflict resolution because there are at least 2 security permissions that deny extended rights to 2 different security groups, either of which could be nested (, possibly even circularly nested).

  •  Side-note: Question - Does Bloodhound negate denies? If not, how can it be accurate?


Incidentally, I could also have just used the Active Directory Permissions Analyzer to make this very determination, without having to perform any kind of visual analysis i.e. I could have just specified that I am looking for exactly these permissions, and it would have instantly found them for me, making the task even easier -

However, this still leaves us with 16 security groups to completely expand (the 17th security principal being System itself,) and while we could proceed to do so, it would still involve some work, not to mention meticulously taking into account which permissions grant blanket access and which one grant specific access, negating allows with denies etc. etc.

Let us also keep in mind that in this case, we are looking at a small domain of a fictional organization so there are only 16 security groups to expand. In most real-world production Active Directory domain, there are over 100 security permissions and there could easily be many, many more security groups one may have to manually and meticulously expand!


This may make you wonder that there must be an easier way to do this. After all, can you imagine how much effort it might take us each time we needed to make this determination, and all such determinations in Active Directory.

Indeed, there IS actually an easier way, and in fact it is the only correct way to make this determination, and all such determinations, and that ONE simple, easy and correct way is called "Active Directory Effective Permissions"


In fact, its right there in Microsoft's native ADUC tooling's Advanced Security tab, and its called the Effective Access tab.

The importance of this tab is conveyed by the simple fact that it is one of the three tabs that exist in ADUC's Advanced Security tab, along with Permissions and Auditing, and it has existed since day one, i.e. since Windows 2000.

For years it was called the Effective Permissions tab, until Microsoft recently changed its name to Effective Access tab.


Well, if this tab exists in ADUC, let's just proceed to use it to make this determination, and IF IT CAN FULFILL OUR NEED, then there's no point in wasting our precious time on all that ACL/permissions analysis etc., so lets see if it can help us -


The first thing you'll notice is that you need to enter a user's name. As seen above, I entered the name of a specific user, Peter Jackson, and it showed me an approximation of the effective permissions that Peter Jackson has on the domain root. One can scroll down to see the full list of effective access that Peter Jackson is entitled to on this object.

Therein lies the problem. It can at most determine (approximate) effective permissions ONE USER at a time. :-( In other words, you can specify a particular user, and it will determine and show you the effective permissions for that ONE user.


In this demo Active Directory domain itself, there are over a thousand users and computers, and in most organizations there could be tens of thousands of users and computers, and I don't know about you, but most people do NOT have the time to enter ONE USER AT A TIME and then make a note of his/her effective permissions etc. as this would take weeks!

In short, Microsoft's Effective Permissions/Access Tab is hardly useful i.e. practically useless, and that's so unfortunate.

It is only useful to the point wherein you may want to find out what effective permissions a specific user may have. Further it cannot accurately calculate the complete set of effective permissions, and it cannot pinpoint which underlying security permission in the ACL entitles a user to a specific effective permission, which one needs to know to lockdown access.


Hmm. It seems like after all, even after twenty years, we'll just have to go right back to doing boring, complicated and laborious Active Directory permissions analysis, group membership evaluations, conflict resolutions etc. MANUALLY :-(


As I have said earlier, you can use any tool from any vendor you like to help you ultimately do ALL that is involved (i.e. ACL analysis, group membership expansions, allow vs. deny conflict resolution etc.) to make this determination accurately.


As for myself, I'm going to use this Microsoft-endorsed tool, and I'll be completely done in less than one minute -

This unique tool is the world's only accurate fully-automated effective permissions calculator for Microsoft Active Directory.

It can do, what no other tool or entity (i.e. person or company) in the world can - instantly and accurately determine the complete set of effective permissions entitled on any Active Directory object, identify exactly which accounts have these effective permissions, and pinpoint the underlying permissions that entitle these accounts to these effective permissions, all at the touch of a button.

As you can see above, all I had to do was point the tool to the domain root object, and click a button, and in less than a minute, it accurately determined and revealed the complete set of effective permissions entitled on this object, exactly who has these effective permissions, and which underlying permissions entitle a user to a specific effective permission.


I simply used the What drop-down to locate and select Extended Right - Replicating Directory Changes and it instantly showed me that a total of 40 accounts have this effective permissions on the domain root object -


Next, I used the What drop-down to locate and select Extended Right - Replicating Directory Changes All and it instantly showed me that a total of 40 accounts have this effective permissions on the domain root object -


Then, all I had to do was intersect these two lists, which I easily did by exporting the results to CSV and opening it in Excel.


Here is the list of 40 accounts that can run Mimikatz DCSync in the lab corp.local domain

Administrator, Alexander White, Andrew Cushman, Around Trust, Brandon King, Certify Suite, Control Engine, Darren Baker, David Edwards, DC, Donald Parker, Felix Defense, Frank Collins, George Carter, Greg Baker, Harper Anderson, Henry Moore, Isabelle Woods, James Cushman, Jane Moore, Jason Goodman, Kevin Johnson, Larry Phillips, Lauren Cruise, Lucas Allison, Mary Gates, Michael Young, Nancy Clark, Net Tricks, Nicholas White, Passive Server, Peter Brown, Peter Jackson, Ryan Clark, Simon Baker, Solar Breeze, Susan Douglas, Suzanne Goodman, Tim Young, Victor Branson

  •  Note - The accounts in red are unmanaged service accounts !

Thus, as seen above, it took me just a few minutes to complete step 1, which was to accurately identfy all accounts that possess sufficient privileged access to be able to replicate secrets from Active Directory.



Step 2

Now that we have accurately identified the list of all individuals/users/accounts who possess sufficient privileged access to be able to replicate secrets from Active Directory, its time to review and lockdown this list.


We have identified 40 accounts that possess this level of access. That is about 39 accounts too many if you ask me, and at least 30 accounts to many by most standards, so we need to review and reduce this list.

Perhaps a good place to begin is by reviewing the 7 unmanaged service accounts (from various vendors), on the list.

As seen above, there are 7 unmanaged service accounts that possess this high level of privilege. During an internal meeting this was discussed and it was determined that none of these 7 service accounts actually require the ability to replicate secrets, so we agreed to take away this privileged access from these service accounts.

The only question was how do we find out which one of those 59 security permissions in the ACL of the domain root is the one that entitles these 7 service accounts to this alarmingly high level of privileged access.

Fortunately, with the tool above, all I had to do was click on the names of these service accounts, and it pinpointed the exact security permission in the domain root object's ACL that was responsible for these service accounts having such a high level of privileged access -
Here's the underlying (culprit) permission:  Allow  corp\Administrators  Extended Right - Replicating Directory Changes All


A quick review of the membership of the corp\Administrators security group confirms the finding -


As we can see in the snapshot above, the Domain Admins security group is a member of the Administrators security group, and the Privileged Service Accounts group is a member of the Domain Admins security group.

Thus, it was this nested group membership that was entitling these 7 service accounts to this privileged access.


Incidentally, I actually used the following tool to view the complete nested membership of any Active Directory Security group, because it automatically shows me the complete nested group membership of any domain security group -

But I digress.

Now, to lockdown the privileged access granted to these 7 unmanaged service accounts, I have many options -
  1. I can remove these service accounts from the Privileged Service Accounts group
  2. I can remove the Privileged Service Accounts group from the Domain Admins group
  3. I can remove the Domain Admins group from the Administrators group
  4. I can modify or remove the security permission that grants this extended right to Administrators
  5. I can add an explicit deny permission denying the Privileged Service Accounts group one of these extended rights

In short, once I have enacted the above, these service accounts will no longer possess this privileged access on the domain root, and I will have reduced the number of accounts that can replicate secrets from Active Directory by 7!

Further, to verify that I correctly locked it down, I can simply run the tool again, and it will instantly show me the results.

In this manner, I can proceed to evaluate every account on this list, then make a determination as to whether or not that account requires the privilege to replicate secrets from the domain, and if not, I can lockdown access for each of these accounts, thereby substantially reducing the number of accounts with such a high level of privilege.

Most importantly, I now have complete control, because I have complete and accurate insight into exactly who has this level of privilege, and how i.e. I also know which underlying permission is entitling each such account to this privilege.

In this manner, I can eventually reduce this number down to just 2 - the System and the DC itself!



Step 3

It is important to note that it is not sufficient to merely identify these accounts and then lock the access down just once, but in fact to periodically audit who has this level of privileged access in your Active Directory.



The reason is simple - invariably, at least a few Active Directory admins and service accounts may still possess the ability to modify permissions on the domain root, and thus any action taken by them, whether intentional, accidental or coerced could change the state of access provisioned on the domain root.

In addition, any delegated admin who may be in control of a group membership that is currently granted this level of privilege on the domain root could also easily and indirectly cause the resulting effective access to change.

Thus, it is important to periodically review exactly who possesses this level of privileged access on the domain root, and as seen above, with the right tooling, it only takes a few minutes to make this determination.

We recommend that organizations review this at least on a fortnightly basis, if not on a weekly basis.




Something to Try

The accompanying lab AD Security VM is free to download and follow along this example, and others that I will be sharing.

In addition to what I have shared above, (which you can attempt with any tool of your choice), here's something you can easily try to see how the state of effective access changes, impacting who can run Mimikatz DCSync right away!


Select any existing user account from amongst the 1000+ domain user accounts in the VM and simply add this account to the IT Security Incident Response Team. 

When you do so, you'll find that this account will be able to instantly use Mimikatz DCsync against this domain!

Next, take the same account and this time around, also add it to the Contractors team.

When you do so, you'll find that the account will no longer be able to use Mimikatz DCSync against this domain!

When you add the account to the IT Security Incident Response Team, it ends up effectively getting both the extended rights needed to replicate secrets from Active Directory. Next, when you add the account to the Contractors team, it ends up being denied this very access, because the Contractors team is denied this access, so the explicit deny will override the explicit allow.

  •  Note - After you are done trying, please undo both changes, because otherwise the overall state of access in your copy of the demo AD lab VM will have changed, and the results of all examples that I will be sharing in days to come will differ in your AD, making it difficult to follow future examples.

This simple experiment shows how effective permissions and actually determine privileged access in Active Directory.





Conclusion

The objective of today's post was to show you how to easily mitigate the serious security posed by Mimikatz DCSync.


We began by identifying exactly what privileged access is needed to successfully run this tool against Active Directory, and then by learning how to correctly determine exactly who has this level of privileged access in Active Directory, because once we know that, we can lock it down and be in control, knowing at all times, exactly who could do so, and how.

We also touched upon the fact that it is important to make this determination periodically, because the state of underlying access can change, either directly or indirectly, impacting this in subtle ways that may not be apparent to the naked eye.

It is also very important to understand just how dangerous a threat the use of Mimikatz DCSync poses to Active Directory and to every organization that operates on it. A perpetrator only needs to run the tool ONCE and he/she would have instantly compromised the credentials of ALL your domain accounts, from the CEO to the CISO to the Domain Admin to every employee and every service account, as well as the krbtgt account.

In short, a single occurrence of this threat could result in a massive cyber security breach, that could cost the organization not just millions of dollars to recover from, but serious reputational damage as well, not to mention potentially substantial liability arising from the potential loss of all kinds of organizational data, such as customer PII, financials, trade secrets etc.

In contrast, it takes almost nothing at all to mitigate this serious threat and minimize the possibility of its occurrence, and today from the CEO to the CISO to the Domain Admin, all stakeholders must know what Mimikatz DCSync is.

Towards that end, possibly the single most important thing you could do for your organization today is to bring this to the attention of all stakeholders, and ensure that they understand this threat and how to protect your organization from it.

Here's a post you could share internally - A Massive Cyber Breach at a Company Whilst it was Considering the 'Cloud'

That's all for now.

Best wishes,
Sanjay.
Paramount Defenses Logo

© 2006 - 2019 Paramount Defenses.
All Rights Reserved.

Your Privacy

We use cookies to give you the best online experience. Please let us know if you accept these cookies.