
Monday, October 7, 2024

The American Defense Industrial Complex operates on Active Directory


Folks,

From the U.S. Department of Defense to the Israeli Defense Forces, Microsoft to Nvidia, and Lockheed Martin to Palantir, today virtually the entire American Defense Industrial Complex operates on Microsoft Active Directory.

In fact, the entire United States Government, as well as the Fortune 100 and Wall Street also operate on Active Directory.


For those who may not know, Active Directory is one of the most important and trustworthy foundational technologies ever built, and it provides two paramount imperatives that the Cloud cannot - operational autonomy and organizational privacy.

Consequently, Active Directory lies at the very foundation of national security, defense and corporate security worldwide.



The National Security Agency Agrees

The stated mission of NSA in cybersecurity is to prevent and eradicate threats to U.S. national security systems with a focus on the Defense Industrial Base and the improvement of its weapons’ security.


Active Directory Security is so important to global security, that just last fortnight, the National Security Agency (NSA) and the Australian Signals Directorate (ASD) issued joint guidance on how to mitigate Active Directory attacks, and I quote -


"Active Directory is the most widely used authentication and authorization solution in enterprise Information Technology (IT) networks globally.

"Like numerous other networks, Active Directory is used in many Department of Defense and Defense Industrial Base networks as a critical component for managing identities and access.

"This makes it an attractive target for malicious actors to attempt to steal the proverbial ‘keys to the kingdom.’ Taking steps to properly defend AD from these common and advanced techniques will detect and prevent adversary activities and protect sensitive data from determined malicious cyber actors."


To state it as simply as one can, the National Security Agency (NSA) of the United States of America just confirmed not only what we've been saying for years, but also the paramount importance of what it is we do at Paramount Defenses.

You see, the number one way to steal the proverbial Keys to the Kingdom that the NSA is referring to is Active Directory Privilege Escalation, and in fact we released the underlying technical facts in The Paramount Brief back in 2014.

I wonder what took the NSA so long. We've been saying this for a decade - 2014, 2015, 2016, 2017, 2018, 2019, 2020.



This is Paramount

The accurate assessment of privileged access in Active Directory is absolutely paramount to organizational cyber security.

As every cyber security professional, Domain Admin and CISO worth his/her salt knows well, the most important (the #1) measure in all of organizational cyber security, and in Active Directory security in particular, is the attainment of Least Privilege Access (LPA) in Active Directory. That involves accurately assessing and then locking down privileged access in Active Directory, and one simply cannot do so without the ability to accurately assess privileged access in Active Directory.




Decision Support (aka Proof)

At the heart of both the SolarWinds Breach and the Colonial Pipeline Hack lay privileged access in Active Directory.
Both these attacks could've been prevented if only organizations had attained and maintained LPA in Active Directory. 

Here's why. Consider this: the top five ways of escalating privilege in Active Directory are i) DCSync eff-perms or WD (Write DACL) eff-perms on the domain root, ii) WD eff-perms on AdminSDHolder, iii) CR (Control Access) Reset Password eff-perms on any AD admin account, iv) WP (Write Property) Member eff-perms on any AD admin group, and v) WP GP-Link and GP-Options eff-perms on the default Domain Controllers OU.

Anyone who has any of these eff-perms in AD owns the organization, and can completely destroy it should they so desire, so at an absolute minimum*, assessing and locking down the above eff-perms domain-wide is absolutely paramount.

*Oh, and this is merely the tip of the iceberg. Consider the following:
Anyone who has { CR-Reset Password or WD or WO (Write Owner) } eff-perms on any AD user account in the domain can own that account in one second. Anyone who has { WP-Member or WD or WO } eff-perms on any AD group in the domain can control that group in one second (and access everything it protects). Anyone who has { WD or WO } eff-perms on any OU in the domain can own every* object in that OU, and can easily escalate privilege and/or control and/or destroy everything in it.

Pro Tip for Amateurs - Count the number of times I've said eff-perms above, because it is NOT perms, but eff-perms (aka Active Directory Effective Permissions) that control everything in AD. Permissions analysis is almost useless.

Organizations that do not know who has what eff-perms in their AD are dangerously operating in the proverbial dark.
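To make the distinction between a raw permissions listing and effective permissions concrete, here is an added example that is not part of the original post and is not Paramount Defenses' or Gold Finger's method: a simplified Python model of the documented Windows access-check rules (canonical ACE ordering, first matching ACE decides, object-type scoping, the owner's implicit Write DACL, transitive group expansion) run over a constructed DACL and checked against the five escalation avenues listed above. All users, groups, DNs and ACEs are constructed, and extended rights are referred to by name rather than by their real GUIDs.

```python
"""Simplified effective-permissions model for Active Directory DACLs (teaching model).
Constructed example: every user, group, DN and ACE below is fictitious, and extended
rights are referred to by name instead of their real GUIDs. Evaluation follows the
documented Windows access-check rules; it is not Microsoft's or any vendor's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Ace:
    kind: str                       # "A" = allow, "D" = deny
    trustee: str                    # user or group name (stands in for a SID)
    rights: Set[str]                # subset of {"GA", "WD", "WO", "WP", "CR"}
    obj_type: Optional[str] = None  # property or extended right; None = all
    inherited: bool = False         # propagated from a parent container

@dataclass
class AdObject:
    dn: str
    owner: str
    dacl: List[Ace]

# Direct group membership; token() expands it transitively (constructed).
GROUPS: Dict[str, Set[str]] = {"Server Ops": {"Helpdesk Tier2", "dave"},
                               "Helpdesk Tier2": {"bob"}, "Legacy Admins": {"alice"}}

def token(principal: str) -> Set[str]:
    """The principal plus every group it is in, transitively (a logon token)."""
    seen, stack = {principal}, [principal]
    while stack:
        cur = stack.pop()
        for grp, members in GROUPS.items():
            if cur in members and grp not in seen:
                seen.add(grp)
                stack.append(grp)
    return seen

def canonical(dacl: List[Ace]) -> List[Ace]:
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "D"))

def has_effective(principal: str, obj: AdObject, right: str, obj_type: Optional[str] = None) -> bool:
    """True if the principal effectively holds `right` (scoped to obj_type) on obj."""
    tok = token(principal)
    if right == "WD" and obj.owner in tok:
        return True  # the owner always holds WRITE_DAC; no ACE is needed
    for ace in canonical(obj.dacl):
        if ace.trustee not in tok:
            continue
        if ace.obj_type is not None and ace.obj_type != obj_type:
            continue  # object ACE scoped to some other property/right
        if right in ace.rights or "GA" in ace.rights:
            return ace.kind == "A"  # first matching ACE decides
    return False  # no matching ACE: implicit deny

# Constructed objects for the escalation avenues listed on the page.
DOMAIN = AdObject("DC=corp,DC=example", "Domain Admins", [
    Ace("A", "Domain Admins", {"GA"}),
    Ace("A", "Server Ops", {"WD"}),  # WD on the domain root, reachable via nesting
    Ace("A", "Backup Svc", {"CR"}, "DS-Replication-Get-Changes"),  # only half of DCSync
])
ADMINSDHOLDER = AdObject("CN=AdminSDHolder,CN=System,DC=corp,DC=example", "carol",
                         [Ace("A", "Domain Admins", {"GA"})])  # carol: ownership only, no ACE
ADMIN_ACCOUNT = AdObject("CN=da-admin,OU=Admins,DC=corp,DC=example", "Domain Admins",
                         [Ace("A", "Domain Admins", {"GA"})])
DOMAIN_ADMINS = AdObject("CN=Domain Admins,CN=Users,DC=corp,DC=example", "Domain Admins", [
    Ace("A", "alice", {"WP"}, "member"),  # looks alarming in a raw permissions report
    Ace("A", "Domain Admins", {"GA"}),
    Ace("D", "Legacy Admins", {"WP"}, "member"),  # but this explicit deny is evaluated first
])
DC_OU = AdObject("OU=Domain Controllers,DC=corp,DC=example", "Domain Admins", [
    Ace("A", "Domain Admins", {"GA"}),
    Ace("A", "dave", {"WP"}, "gPLink", inherited=True),
])

TOP5 = [  # (finding, object, required entitlements, all required?); DCSync needs both rights
    ("DCSync on domain root", DOMAIN, [("CR", "DS-Replication-Get-Changes"),
                                       ("CR", "DS-Replication-Get-Changes-All")], True),
    ("WD on domain root", DOMAIN, [("WD", None)], False),
    ("WD on AdminSDHolder", ADMINSDHOLDER, [("WD", None)], False),
    ("Reset Password on admin account", ADMIN_ACCOUNT, [("CR", "User-Force-Change-Password")], False),
    ("WP member on admin group", DOMAIN_ADMINS, [("WP", "member")], False),
    ("WP gPLink/gPOptions on DC OU", DC_OU, [("WP", "gPLink"), ("WP", "gPOptions")], False),
]

def effective_findings(principal: str) -> List[str]:
    """Escalation entitlements the principal actually holds (the eff-perms view)."""
    def holds(obj, needs, need_all):
        hits = [has_effective(principal, obj, r, t) for r, t in needs]
        return all(hits) if need_all else any(hits)
    return [name for name, obj, needs, need_all in TOP5 if holds(obj, needs, need_all)]

def direct_findings(principal: str) -> List[str]:
    """What a naive permissions report shows: Allow ACEs that name the user itself."""
    def listed(obj, needs):
        return any(a.kind == "A" and a.trustee == principal and a.obj_type in (None, t)
                   and (r in a.rights or "GA" in a.rights) for a in obj.dacl for r, t in needs)
    return [name for name, obj, needs, _ in TOP5 if listed(obj, needs)]
```

In this constructed directory, bob and carol never appear in any ACE yet effectively hold Write DACL on the domain root and on AdminSDHolder respectively, while alice, who does appear in an Allow ACE on Domain Admins, effectively holds nothing because an explicit deny on her group is evaluated first.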




Extremely Difficult

The accurate determination of access entitlements, i.e. who has what privileged access where and how, in Active Directory is extremely difficult and error-prone, and likely one of the biggest challenges in organizational cyber security today.
It is extremely difficult because it involves analyzing millions of individual access control specifications that cumulatively determine resultant access, and thus involves meticulously connecting millions of dots with absolutely zero room for error.

There is no room for error, because like performing heart surgery or screening baggage at airports, even a single error could result in an unmitigated privilege escalation path that could be used to completely destroy an entire organization.

The process is akin to finding a thousand unique needles in a haystack the size of One World Trade Center, New York, wherein, in order to ensure security, it is paramount that each and every single needle in the entire haystack be found.





Mission Accomplished

For anyone who may not yet know, there is one and only one cyber security solution in the entire world that can accurately assess privileged access in Active Directory - our unique, unrivaled, all-American, Microsoft-endorsed Gold Finger.

Gold Finger is the only cyber security solution in the world that can accurately assess access entitlements i.e. who has what privileged access in Active Directory, based on the accurate determination of effective permissions in Active Directory.

Let there be no ambiguity about that cardinal technical fact, none whatsoever. Although there are over twenty solutions that claim to be able to assess privileged access in Active Directory, not even one of them can do so accurately, because there is one and only correct way to accurately assess privileged access in Active Directory and that involves the accurate determination of Active Directory Effective Permissions, which is extremely difficult, and none of those solutions do so.

Not a single one of them.

As such, the method and system for the accurate determination of who has what access entitlements in Active Directory, including of course privileged access, and privilege escalation paths, is governed by our patent, U.S. Patent 8429708.




The Bible of Access Assessment

I should also mention this is no ordinary patent. It is the Bible of how to accurately assess access in an IT system wherein access is controlled using ACLs, and today over 75 patents from many of the world's top cyber security companies cite it, including Microsoft, Amazon, IBM, VMware, McAfee, CyberArk, FireEye, Dell, Palantir and others.


Our patented, Microsoft-endorsed accurate effective access assessment capabilities are embodied in our Gold Finger, Gold Finger Mini and Gold Finger 007G solutions, which are unique in their ability to enable organizations to fulfill this paramount objective. Over the last decade, from the U.S. DoD to the United Nations and from the U.S. Treasury to several Fortune 100 companies, they have been instrumental in helping so many important organizations attain and maintain LPA in AD.



Simply Unrivaled (F-35)

To give the world an idea of just how capable and superlative our access assessment technology is, consider this -

Gold Finger can accurately assess exactly who has what privileged access, where and how, domain-wide in any Active Directory domain in the world, comprised of thousands of objects, within just minutes, and at the touch of a button. 

To put that in perspective, in less time than the Generals in the U.S. Military can brief the U.S. Secretary of Defense as to the state of cyber security of their respective forces, or for that matter in less time than the CEO of Microsoft spends in an hourly meeting with his top cyber security experts, Gold Finger can find out exactly who has not just the Keys to the Kingdom, but also who has the keys to every single door in the kingdom, in every Active Directory domain in the U.S. Dept. of Defense.

In fact, we recently offered to give away up to one hundred million dollars in software to any and every organization or professional who could provably show us even one tool in the world that can do what Gold Finger's privileged access assessment capabilities can, and guess how many organizations/professionals have taken us up on the offer thus far? 

Zero! Need one say more?



In Closing

In closing, I will only add that at Paramount Defenses we continue to be laser-focused on Active Directory security because it is absolutely paramount to the national security of the United States of America, and that of 100+ countries worldwide. 

You see, there can be no national security without a government having operational autonomy and organizational privacy, and only Active Directory makes these two imperatives possible. Fortunately, today every organization in the world that wishes to do so can easily attain and maintain least privilege access (LPA) in their foundational Active Directory domains, thereby measurably eliminating 99% of avenues of privilege escalation to the "Keys to the Kingdom" in Active Directory.


That's all for now.

Best wishes,
Sanjay.

Thursday, August 8, 2024

Iran COULD launch a cyber attack on Microsoft prior to an attack on Israel

Folks,

I hope this finds you doing well. Today's post will be short, because we strive not to comment on any geopolitical events, but out of an abundance of caution, I felt the need to state that which may/should already be obvious to the entire world.

It is a well-known fact that Israel, like many countries in the western world, is a highly digital nation, wherein thousands of its business and government organizations across all sectors e.g. financial, transport, medical, government, defense etc., have and thus operate a digital IT infrastructure.


For the last two decades, for the most part, most of these organizations have been operating on trustworthy, autonomously (independently) operable "on-premises" Microsoft technologies, primarily, Active Directory, Exchange and Office, which enabled and empowered these organizations to operate securely and autonomously without having to rely on anyone else.

However, over the past few years, under the guise of "modernization", Microsoft has been spending billions of dollars to convince/persuade organizations to transition over to its new subscription-based Cloud offerings, Azure and 365 (Office).

As a result, in all likelihood, today thousands of business and government organizations in Israel are now using, i.e. relying on, Microsoft 365 and Microsoft Azure for likely all organizational communications, access, management and security.

To put it in layman's terms for the world's populace, today, in all likelihood, communication, productivity and security at thousands of business and government organizations in Israel depend on Microsoft Azure and Microsoft 365.


In light of this elemental fact, it would appear that a successful attack on Microsoft Corporation's various Cloud Services could have a disruptive impact on the digital foundation of thousands of business and government organizations in Israel.

For instance, hypothetically speaking, a cyber attack that could result in a successful denial-of-service (DoS) attack on just Microsoft 365 services to thousands of Israeli organizations, could impact many mission-critical services across Israel.


In light of the above, if as is being widely reported, were Iran to launch a strike on Israel, it seems possible that it could try to also launch a cyber attack on Microsoft prior to doing so, to try and disrupt essential services/comms within Israel.



It must be mentioned that Microsoft is a successful American Corporation and likely has many cyber defenses in place. However, it must be noted that, unlike script-kiddies or lone wolves, when a nation state decides to wage a cyber attack, it has the financial and operational resources of an entire nation at its disposal, and you have to ask yourself whether the defenses of what is basically a for-profit business may be adequate against a proficient, nation-state cyber adversary.

It must also be stated that there are many Israeli cyber security companies today, including several prominent publicly-held American Corporations, and there are many Israelis working in cyber security within Microsoft, and yet, logically speaking, no cyber security company can protect an organization from the impact of a successful denial-of-service attack launched against Microsoft 365, i.e. if there is no service, there is no service, period. (All email, access etc. comes to a halt.)


That's all I wanted to say today. This is all public knowledge, but I felt the need to state it out of an abundance of caution.

Sincerely,
Sanjay.


PS: Please note that the perspective shared above is not unique to Israel. Today, thousands of organizations worldwide have basically taken on a mission-critical dependency on Microsoft Cloud Services, having relinquished operational autonomy for a semblance of better security, and a formidable cyberattack on Microsoft could impact all of them.

Wednesday, July 10, 2024

The World's Top Cyber Security Companies, including Microsoft (MSFT), Crowdstrike (CRWD), ZScaler (ZS), CyberArk (CYBR) etc. ALL Agree on ONE Fact


Folks,

There is 1 (ONE) simple paramount fact that impacts cyber security worldwide today that virtually ALL of the world's top cyber security companies, including Microsoft (MSFT), CrowdStrike (CRWD), Dell (DELL), Splunk (SPLK), ZScaler (ZS), CyberArk (CYBR) etc. etc. all agree on, and I quote -



"Microsoft Windows Server Active Directory is the foundation of an IT Infrastructure"

- Source: Splunk (SPLK, acquired by Cisco; Market Cap: $28 Billion)




"Microsoft Active Directory is at the core of your business"

- Source: DellEMC (DELL,  Market Cap: $ 99 Billion)




"Active Directory and Entra ID are the lifeblood of your business"

- Source: Quest (Quest Software,  Valuation: ~ $ 5 Billion)




"When AD fails, either from ransomware, cyberattacks or catastrophes, the IT environment grinds to a halt"

- Source: Quest (Quest Software,  Valuation: ~ $ 5 Billion)



"Microsoft Active Directory is a collection of services that help you manage users and devices on a network."

- Source: Amazon AWS  (AMZN,  Market Cap: $ 2 Trillion.)



"Start with Active Directory, go everywhere"

- Source: Okta  (OKTA,  Market Cap: $ 15 Billion.)



"Configure GlobalProtect to use Active Directory Authentication profile"

- Source: Palo Alto Networks  (PANW,  Market Cap: $ 106 Billion.)



"A secure Active Directory environment can mitigate most attacks."

- Source: CrowdStrike  (CRWD,  Market Cap: $ 90 Billion.)




"At the heart of every network there are the Domain Controllers and the Active Directory instances that run on them."

- Source: CyberArk  (CYBR,  Market Cap: $ 7 Billion)




"Microsoft Active Directory is used extensively across global enterprises. Even with the migration to Azure Active Directory, companies continue to utilise Active Directory in a Hybrid environment where workstations may be joined solely to AD, or both AD joined and WorkPlace joined to AAD."

- Source: ZScaler  (ZS,  Market Cap: $ 30 Billion)




"Manually maintaining Google identities for each employee can add unnecessary management overhead when all employees already have an account in Active Directory. By federating user identities between Google Cloud and your existing identity management system, you can automate the maintenance of Google identities and tie their lifecycle to existing users in Active Directory."

- Source: Google  (GOOG,  Market Cap: $ 2 Trillion)





"Active Directory provides mission-critical authentication, authorization and configuration capabilities to manage users, computers, servers and applications throughout an organization’s IT infrastructure...

…[it] is critical to secure an organization’s systems and applications."

- Source: Microsoft  (MSFT,  Market Cap: $ 3 Trillion)



"From the White House to the entire U.S. Government, and from the $3T Microsoft (MSFT) to the global Fortune 1000, at the very foundation of cyber security of 85% of all organizations worldwide lies a single technology - Active Directory."

- Source: Paramount Defenses (Privately held)





A $ 20 Trillion Fact

Here are just a few corporations on the Standard & Poor's 500 (S&P 500) at whose very foundation lies Active Directory -


Alphabet (GOOGL), Amazon (AMZN), Advanced Micro Devices (AMD), American Airlines (AAL), American Express (AXP), AmerisourceBergen (ABC), AT&T (T), Baker Hughes (BKR), Bank of America (BAC), Berkshire Hathaway (BRK.B), BlackRock (BLK), Capital One Financial (COF), Caterpillar (CAT), CBRE Group (CBRE), Cisco (CSCO), Citibank (C), Clorox (CLX), Coca-Cola Company (KO), Chevron (CVX), Comcast (CMCSA), CVS Health (CVS), Costco (COST), Delta Airlines (DAL), Dow Inc (DOW), Dupont de Nemours (DD), Equifax (EFX), Exxon Mobil (XOM), Facebook (FB), Ford Motor (F), Fortinet (FTNT), Fox Corporation (FOX), Gartner (IT), General Electric (GE), General Motors (GM), Gilead Sciences (GILD), Goldman Sachs (GS), Google (GOOG), Hewlett Packard Enterprise (HPE), Hilton Worldwide (HLT), Humana (HUM), IBM (IBM), Intel (INTC), JP Morgan Chase (JPM), Johnson and Johnson (JNJ), Kellogg Co (K), Kroger Co (KR), Lockheed Martin (LMT), Mastercard (MA), McDonalds (MCD), Merck (MRK), MetLife (MET), Microsoft (MSFT), Morgan Stanley (MS), Nasdaq (NASD), Netflix (NFLX), NewsCorp (NWS), Nike (NIKE), Northrop Grumman (NOC), Norwegian Cruise Line Holdings (NCLH), Nvidia (NVDA), Occidental Petroleum (OXY), Okta (OKTA), Oracle Corp (ORCL), PayPal (PYPL), PepsiCo Inc (PEP), Phillip Morris International (PM), Procter and Gamble (PG), Qualcomm (QCOM), Quest Diagnostics (DGX), Raytheon (RTX), Robert Half International (RHI), Royal Caribbean Cruises (RCL), S&P Global (SPG), Salesforce.com (CRM), Schlumberger (SLB), Southwest Airlines (LUV), Sysco Corp (SYY), Target Corp (TGT), Tesla (TSLA), Tyson Foods (TSN), Twitter (TWTR), United Airlines (UAL), UPS (UPS), Verizon (VZ), Walmart (WMT), Walt Disney (DIS), Wells Fargo (WFC), Yum! Brands (YUM) etc. etc.





This Sounds Very Important

If $ 20+ Trillion are riding on Active Directory today, one would have to assume that the security of these foundational Active Directory deployments ought to be one of the highest organizational cyber security priorities worldwide. It is.


In fact, it is paramount. However, there's just one small Trillion $ problem...




Microsoft's #1 Recommendation

As evidenced in the quote above, Microsoft has always strongly recommended that every organization operating on Active Directory consider it mission-critical to business and adequately secure and defend it at all times.


In fact, Microsoft recommends that the 1st and most important (paramount) cyber security measure that organizations take to secure (defend) Active Directory is to correctly identify and reduce users who have privileged access in Active Directory:


"Privileged accounts like administrators of Active Directory have direct or indirect access to most or all assets
in an IT organization, making a compromise of these accounts a significant business risk."


"Cyber-attackers focus on privileged access in Active Directory
to rapidly gain access to all of an organization's data."


"Securing privileged access is (thus) a critical first step
to establishing security for business in a modern organization."



"Because it can be difficult or even impossible to properly secure every aspect of an organization's IT infrastructure,
you should focus efforts first on the accounts whose privileges create the greatest risk,
which are privileged accounts and groups in Active Directory."


"Implement least privilege. Limit the count of administrators
or members of privileged groups in Active Directory."



"Review administrative privileges each quarter to determine which personnel
still have a legitimate business need for administrative access (in Active Directory)"




"An ounce of prevention is worth a pound of detection"





There's Just A Small Trillion $ Problem

Shockingly, the means to implement Microsoft's #1 recommendation to thousands of its organizational customers, i.e. the means to correctly (accurately) identify who has what privileged access in/across Active Directory, just don't exist*.


That's right. The capability that organizations require to correctly identify who has what privileged access in their Active Directory, so they can limit the number of privileged users and review this number every quarter, doesn't exist* today.

As a result, thousands of organizations worldwide do not even have the means to be able to correctly identify, control, minimize or review exactly who has the "Keys to the Kingdom" in their foundational Active Directory deployments.



Here's evidence, from none other than Microsoft  (Source) -

"In assessing Active Directory installations, we (Microsoft) invariably find excessive numbers of accounts that have been granted rights and permissions far beyond those required to perform day-to-day work. Mid-sized directories may have dozens of accounts in the most highly privileged groups, while large installations may have hundreds or even thousands."



Simply stated, it means that in most large organizations, today there very likely are hundreds or even thousands of users who possess sufficient privileged access so as to be able to control, compromise or blow up the entire organization!

To put this in context, consider the fact that almost all major recent cyber security breaches, including JP Morgan, the Sony Hack, Target, Snowden, the OPM Breach, Anthem, Avast, the U.N. breach, the SolarWinds Breach, the Colonial Pipeline Hack, the Microsoft Hack, the Okta Hack etc., ALL involved the compromise and misuse of just ONE Active Directory Privileged User account!

(Recently, it cost shipping giant Maersk a staggering $ 250 Million to recover from a breach involving its Active Directory.)



In short, as it concerns having visibility into exactly who has the all-powerful "Keys to the Kingdom" in an organization, today most organizations are operating in the proverbial dark, and neither their IT groups nor their C-Suite have a clue.

(In fairness to all IT admins, IT managers and CISOs at thousands of organizations, this is a massive problem and a very sophisticated technical subject, so they alone should not be blamed for not sufficiently understanding its vast complexity.)

Unfortunately, with the advent of freely available hacking tools specifically designed to identify and exploit exactly such excessive-access vulnerabilities in Active Directory, urgently addressing this problem has become paramount.


This should be a serious cause of concern for all stakeholders, including their employees, customers and shareholders.





*All of One

Note the use of * when referring to the non-existence of the paramount capability that organizations require to adequately defend Active Directory, i.e. the ability to correctly (accurately) identify who has what privileged access in Active Directory.


It so happens that there's all of ONE company on planet Earth that possesses this capability today, and its patented, Microsoft-endorsed capability can uniquely enable and empower every organization operating on Active Directory to be able to correctly, instantly and automatically identify exactly who has what privileged access in Active Directory.

Actually, there's a little more to it than "it so happens." Eighteen years ago, Microsoft's top cyber security expert on Active Directory Security established this company and for the last eighteen years, it has been laser-focused on solving just this one single $ 28 Trillion problem for the world, (oh, and $ 28 Trillion only accounts for companies in the United States.)

You've likely never heard of this company, but over the last decade, from the United States Treasury to the United States Department of Defense, many of the world's most important and valuable government and business organizations have used and depended on its solutions to correctly identify and minimize privileged access in their Active Directory.

Today, not a single cyber security or IT company on Earth, let alone those listed on the Nasdaq, can compete with it.

Today this company can uniquely enable and empower the entire world to instantly, effortlessly, and most importantly, accurately identify, minimize and lock-down all privileged access, i.e. the "Keys to the Kingdom", in foundational Active Directory deployments worldwide, thereby helping thousands of organizations worldwide trustworthily attain and maintain Least Privileged Access (LPA), which is not only a cyber security necessity but also a cardinal tenet of Zero Trust.

That ONE company is Paramount Defenses, and perhaps the simplest introduction to it can be found here.


We will be making a small announcement tomorrow or day after, that is likely to impact a Trillion+ $.

That's all for now.

Best wishes,
Sanjay Tandon

Formerly
Program Manager,
Active Directory Security,
Microsoft Corporation.


PS: Please Understand -
 
It is a LITTLE difficult to be humble when your work single-handedly impacts Trillions of $ worldwide, and you're trying to help thousands of organizations understand why they remain substantially vulnerable.

This isn't about petty stuff like money i.e. it isn't about a Million or a Billion or a 100B or a T. It's about doing what's right.

Four years ago, I personally demonstrated how hackers could unleash ransomware onto 1000s of organizational computers using Active Directory. For almost ten years now, I have also been personally warning about the use of Active Directory Privilege Escalation as a top attack vector, and sure enough, in almost every major breach, including the SolarWinds Breach, the Colonial Pipeline Hack and recently the Okta and Microsoft breaches, the defining/cardinal step employed by the perpetrators to gain unrestricted privilege was Active Directory Privilege Escalation. I have also been extensively warning about the use of DCSync, and sure enough, as observed and reported by Microsoft, it is DCSync that LAPSUS$ (DEV-0537) employed to obtain unrestricted access and inflict damage. Need I say more?

It remains my professional opinion as former Microsoft Program Manager for Active Directory Security that attaining and maintaining LPA in Active Directory is the single-most important and effective measure that organizations can take to substantially improve their cyber security posture, and technically, we can help the entire world do so, oh and we can technically do so in less than one day. (To appreciate that, consider that even Microsoft couldn't do so in one decade.)

It is also imperative that the world and Microsoft realize that Microsoft making the entire world sign up for and rely on its (now twice hacked) Azure Cloud (renamed Entra after two hacks) is NOT the answer to solving such problems, because, simply put, the day that an organization transitions over its primary identity to a third-party Identity Provider (IDP) is the day that it relinquishes its operational autonomy, organizational privacy and dignity to a third-party, forever.

Cyber security isn't that difficult, but it does require basic common sense. If you don't even know how many users have the "Keys to your Kingdom", how can you even begin to protect your organization? This isn't rocket science, it's common sense.

Friday, March 15, 2024

We're Giving Away up to $ 100 Million in Software

Folks,

Hello. Today is our eighteenth anniversary, and to celebrate this occasion, and to help thousands of organizations worldwide that operate on Active Directory, today we announced our intent to give away up to $ 100 Million worth of Gold Finger licenses to all organizations that can affirmatively answer just one simple question concerning Active Directory security.

Details on our up to $100 Million software giveaway can be read in our press release - Paramount Defenses Celebrates Eighteen Years in Business, Announces Up To $100 Million Software Giveaway | Business Wire

We cordially invite all organizations worldwide to kindly take us up on our generous offer, and we hope that organizations worldwide will give serious thought to the one question that we have asked. If you ask me, it's a really simple question and the answer is either a Yes or a No. If it's a No, then they must ask themselves how secure they actually are today.


Over the last eighteen years, we have pioneered, perfected and automated the incredibly difficult and sophisticated art of accurate access assessment, particularly in Active Directory, and as pioneers and industry leaders in access assessment, we remain committed to helping organizations securely operate their foundational Active Directory infrastructures.

That's all for now. Thank you very much. I wish you well. I'll leave you with this.

Best wishes,
Sanjay 


Wednesday, March 6, 2024

World, Hello Again

Folks,

Hello. I hope this finds you doing well. It has been almost two years since we last penned a post here on our blog.

The silence was intentional, and now it is TIME to break our silence. We have been hard at work, quietly, working on two new products, GG and TB (one of which targets the Cloud), both of which, like GF (Gold Finger), could* easily and substantially impact the foundational cyber security of thousands of organizations worldwide, including Microsoft's.

*If the need were to arise, as and when it does, we will unveil them.


For now though, our focus continues to be on Gold Finger, which remains unrivaled and indispensable for Active Directory Security. Today, amongst many organizations worldwide, Gold Finger helps secure and defend $100 Billion+ companies.

Speaking of which, today we announced the availability of Gold Finger Version 8.0 with support for Windows 11.



Active Directory remains Foundational

Microsoft Active Directory is a mature, time-tested and provably trustworthy technology that enables and empowers organizations to autonomously operate the lifeline of their business, their IT infrastructures. Those who claim that Active Directory is not secure may not know enough about Active Directory security.

Active Directory is one of the most highly securable technologies in the world today, and its powerful security model enables organizations that possess the right capabilities to be able to easily attain and maintain least privileged access (LPA) and independently operate highly resilient foundational IT infrastructures.

In days to come, we will help the world understand how to easily attain and maintain LPA in Active Directory.



Helping Organizations Retain their Operational Autonomy, Privacy and Dignity

Today, we also reiterated our commitment to helping organizations worldwide securely operate Active Directory.

Thousands of organizations worldwide are realizing for themselves what we have been saying for years, i.e. the day they relinquish control of their primary identities (such as to an IDP in the Cloud) is the day they will have relinquished their operational autonomy and privacy, forever, and taken on an eternal dependency on a third party.

Of course, should such an IDP be compromised, their organization could also instantly be at risk of compromise.

In contrast, organizations that retain control over their primary identities i.e. organizations whose primary identities reside in their Active Directory, will continue to enjoy operational autonomy, safeguard their privacy and preserve their dignity.

In days to come, we will also help organizations worldwide understand how to easily secure Active Directory.


That's all for now. There's a lot we have to share, and in coming days, you can expect us to do so.

Best wishes,
Sanjay 


Wednesday, April 27, 2022

Active Directory - The World's Most TRUSTWORTHY Foundational Technology


Folks,

Today I'd like to share a few thoughts with you on one of the most important topics in all of organizational security - i.e. which FOUNDATIONAL technology should organizations be operating upon today? I will make the case for Active Directory.


Microsoft Active Directory - The World's Most Trustworthy Foundational Technology

For the last twenty years, the entire world has successfully operated on a highly trustworthy foundation - Active Directory.

Indeed, from the entire United States Government to virtually the entire global Fortune 1000, today over twenty thousand government and business organizations in over one hundred and ninety countries operate on Microsoft Active Directory.

Active Directory has stood the test of time and is the most trustworthy foundation that organizations can operate on today.


While some may view Active Directory as merely an Identity Provider (IDP), in reality, it is substantially more than that. 


Active Directory is -

  1. An enterprise-grade multi-mastered directory service that offers unrivaled availability, fault-tolerance and resilience. 

  2. A Kerberos realm that enables enterprise-wide trustworthy network authentication and seamless single sign-on.

  3. The Foundation of Authentication, Authorization and Auditing (AAA) that empowers organizations to precisely control network user authentication, secure authorization to IT resources and auditing for all vital AA actions.

  4. The Heart of Identity and Access Management (IAM) considering that the entirety of an organization's identities (and their credentials) and security groups reside in and are secured and managed in Active Directory.   

  5. The Heart of Privileged Access and Enabler of Least Privileged Access (LPA) considering that the most powerful privileged accounts are stored, secured and managed in it -AND- that privileged access for all salient aspects of identity and access management can be precisely provisioned/delegated based on the principle of least privilege.    

  6. The Control Center for Centralized Host and Security Management that via Group Policy enables organizations to easily, efficiently and comprehensively control and manage all endpoints -AND- their security.

  7. The Foundation for Zero Trust considering that Zero Trust is fundamentally about ensuring that all access is provisioned based on the principle of least privilege (i.e. LPA), and in environments powered by Active Directory, access for all aspects of identity and access management is provisioned, controlled and audited in Active Directory.


In addition, Active Directory lets organizations easily enable seamless single sign-on to external systems via federation, and it can be synchronized with secondary IDPs like Microsoft Azure to facilitate SSO access to Cloud based services.


Finally, contrary to popular belief, Active Directory can* in fact be easily, efficiently and reliably operated and secured. 

However, the most important and overlooked strength of Active Directory is that it enables and empowers organizations to autonomously and independently operate their IT infrastructures, without any eternal external dependencies, without having to expose the entire organization to the Internet, and without having to incur a dime of additional cost.



Conclusion

In essence, today, an organization's Active Directory deployment is the very foundation of its cyber security, the heart of privileged access and the bedrock of organizational security, which makes it an extremely valuable organizational asset.

Above all, it lets organizations independently operate, highly trustworthy, self-reliant and fixed-cost IT infrastructures, in contrast to having to relinquish all control and transition to relatively new, constantly costing, third-party operated services.


In conclusion, when it comes to cyber security, technical maturity, operational excellence and autonomous operation, today, no technology can rival the trustworthiness, resilience and autonomy that Active Directory offers organizations.


Best wishes,
Sanjay Tandon

Formerly
Program Manager
Active Directory Security
Microsoft Corporation

Monday, October 18, 2021

The Top-50 Active Directory Delegated Administrative Access Reports

 Folks,

Today 85% of organizations worldwide operate on Microsoft Active Directory, and at these organizations, IT departments extensively make use of one of Active Directory's most valuable and powerful capabilities, Administrative Delegation.

Delegation of Administrative (Privileged) Access in Active Directory


Administrative Delegation is a powerful capability wherein administrative (privileged) access can be delegated to various individuals or groups to enable them to carry out various common administrative functions such as account provisioning, password resets, group membership changes, access management, Kerberos settings, group policy management etc.

Active Directory makes it very easy to precisely delegate administrative access, and for years, thousands of organizations worldwide have relied on administrative delegation to securely delegate responsibilities for most aspects of IT management.

Unfortunately, while precisely delegating administrative access in Active Directory is easy, once delegated, trying to precisely identify and lock down exactly who is delegated what administrative access in Active Directory is very difficult.

As a result, today, at most organizations, there is a substantial amount of delegated administrative access provisioned in their Active Directory, yet organizations do not know exactly who is delegated what administrative access, where and how within their Active Directory, and this lack of precise (accurate) insight leaves organizations substantially vulnerable.

In reality, today, these administrative delegations control everything, such as who can create domain user accounts, reset account passwords, disable the use of smartcards, modify group memberships, change Kerberos delegation settings, link group policies to OUs, delegate privileged access etc., and thus they substantially impact organizational cyber security.


The Top-50 Active Directory Delegated Administrative Access Reports

To maintain organizational cyber security, it is extremely important, and in fact paramount, for organizations to accurately identify (audit) and lock down exactly who is delegated what administrative access, where and how in Active Directory.

To help organizations worldwide identify what administrative delegations they should have accurate and continuous insights into, we are sharing the list of the Top-50 Active Directory Delegated Administrative Access Reports.

The Top-50 Active Directory Delegated Administrative Access Reports


Organizations that operate on Microsoft Active Directory today are advised to accurately identify and lock down delegated administrative access, the proverbial "Keys to every door in the Kingdom", in their foundational Active Directory domains.

Best wishes,
Sanjay

Friday, October 15, 2021

The Top-25 Active Directory Privileged Access Reports

Folks,

Today over 85% of organizations worldwide operate on Microsoft Active Directory, and at these foundational Active Directory deployments, privileged access in Active Directory constitutes the proverbial "Keys to the Kingdom."

Privileged access in Active Directory is the most powerful access that an individual can possess in organizations that operate on Active Directory, because it grants complete, instant and unrestricted organization-wide access, including administrative access to virtually everything in the Cloud.

Consequently, the need to know exactly who possesses privileged access in Active Directory is absolutely paramount.


The Top-25 Active Directory Privileged Access Reports

To help all organizations worldwide sufficiently identify what constitutes Domain Admin level unrestricted privileged access in their Active Directory, today we are sharing a list of the Top-25 Active Directory Privileged Access Reports.

Top-25 Active Directory Privileged Access Reports

We highly recommend that all organizations that operate on Active Directory accurately identify and lock down the number of individuals that possess Domain Admin equivalent privileged access in their foundational Active Directory today.

Best wishes,
Sanjay   

Wednesday, July 21, 2021

At the HEART of the Colonial Pipeline Hack - Admin Access in Active Directory


Folks,

The Colonial Pipeline Hack may be one of the most highly visible and impactful breaches the world has witnessed yet, because it resulted in the shutdown of one of America's largest gasoline pipelines for an entire week due to ransomware.

The Colonial Pipeline attack has been extensively covered by the media (e.g. CNN). It has also already been the subject of a substantial amount of discussion, including Congressional Hearings, so I will not cover the same high-level details here.

Instead, I am going to shed light on the most important and enabling step in the entire Colonial Pipeline Hack, which is the one that enabled its perpetrators to easily and automatically unleash ransomware enterprise-wide on all its systems.

 



Objective

The Colonial Pipeline Hack occurred between May 06 and May 12, 2021. Since then, there have been several blog posts written on it, notably those by FireEye and Arete, and they describe various aspects of this breach in great detail.
The objective of this post is to pinpoint the most salient (cardinal) part of the Colonial Pipeline Hack i.e. the technical part that actually enabled and empowered its purported perpetrators to easily deploy ransomware company-wide.  




Introduction

Today, from the U.S. Government to the Fortune 1000, including almost all cyber security and cloud computing companies, at the very foundation of IT, cyber security and privileged access at 85% of organizations worldwide lies Active Directory.

I'm Sanjay Tandon, formerly Program Manager for Active Directory Security on Microsoft Corporation's Windows Server Development Team, and today, CEO of Paramount Defenses. These are my observations on the Colonial Pipeline Hack -



Overview

The Colonial Pipeline Hack is the largest cyberattack yet on an oil infrastructure target in the history of the United States. 

In short, perpetrators gained entry into the networks of Colonial Pipeline through a virtual private network account (which allowed employees to remotely access the company's computer network) and they subsequently and ultimately deployed ransomware across the company's entire computer network, resulting in Colonial Pipeline having to shut down its pipeline for an entire week (causing gas shortages nationwide) and having to pay millions of dollars in ransom (via Bitcoin).



The Salient Step

The most important, enabling and salient (cardinal) step in the entire Colonial Pipeline hack was the following one -

The perpetrators first gained privileged access in Active Directory and then leveraged the ability to deploy group policies to domain-joined computers via Active Directory to automatically deploy their ransomware across Colonial Pipeline's network!

In fact, they seem to have used the exact technique I had warned about and described in sufficient technical detail last year - How Attackers Could Unleash Ransomware on Thousands of Computers in an Organization using Active Directory.

   


Evidence

Both FireEye and Arete seem to have researched the Colonial Pipeline Hack and published detailed blog posts.

The evidence lies in this snippet from Arete's post Darkside Ransomware: Caviar Taste on your Big-Game Budget -


"We observed Darkside payload (e.g. azure_agent.exe.exe) staged on the domain controller in a network shareable folder (e.g. C:\Windows\IME\azure), followed by the establishment of a scheduled task (e.g. \Windows\SYSVOL\domain\Policies\{L0NGMGU1D}\User\Preferences\ScheduledTasks) set with Group Policy and instructing hosts to obtain and execute the payload. This resulted in a fully automated enterprise-wide deployment in less than 24 hours after data was exfiltrated."


There you have it! It's clear that the perpetrators first* gained privileged access in Colonial Pipeline's Active Directory, and once they had done so, they used that privileged access to leverage Active Directory integrated group policy to automate the effortless deployment of ransomware domain-wide (eerily similar to what I described here over a year ago).

*It should be clear to most that in order to perform the above, one requires privileged access in Active Directory.
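As an added example (not code from the original post or from Paramount Defenses), the following PowerShell walks SYSVOL for every Group Policy Preferences ScheduledTasks.xml, the artifact type the Arete excerpt describes, and reports what each task would execute, so a task that fetches a payload from a share on a domain controller stands out. It assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to SYSVOL, and uses function names of its own; the risk flags are heuristics derived from the excerpt, not a complete detection rule.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-TaskRiskFlags {
    # Returns the reasons a task command line deserves a closer look (empty if none).
    param([string]$CommandLine)
    $flags = @()
    if ($CommandLine -match '\\\\[^\\]+\\')                        { $flags += 'runs from a network share' }
    if ($CommandLine -match 'sysvol|netlogon')                     { $flags += 'references a domain controller share' }
    if ($CommandLine -match '\.(exe|dll|bat|cmd|ps1)\.exe\b')      { $flags += 'double file extension' }
    if ($CommandLine -match '\\Windows\\IME\\|\\Temp\\|\\AppData\\') { $flags += 'unusual program location' }
    return ,$flags
}

function Get-GpoScheduledTask {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    # Resolve {GUID} folder names to GPO display names for readable output.
    $gpoNames = @{}
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $gpoNames[$gpo.Id.ToString('B').ToUpperInvariant()] = $gpo.DisplayName
    }
    $files = Get-ChildItem -Path $policiesRoot -Recurse -Filter 'ScheduledTasks.xml' -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        # Layout: Policies\{GUID}\(Machine|User)\Preferences\ScheduledTasks\ScheduledTasks.xml
        $gpoGuid = @($file.FullName -split '\\' | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' })[0]
        if (-not $gpoGuid) { $gpoGuid = 'unknown' }
        $scope = if ($file.FullName -match '\\Machine\\') { 'Machine' } else { 'User' }
        foreach ($task in $doc.ScheduledTasks.ChildNodes) {
            if ($task.NodeType -ne 'Element') { continue }
            $commands = @()
            # Task/ImmediateTask keep the program in Properties/@appName and @args;
            # TaskV2/ImmediateTaskV2 nest Actions/Exec/Command under Properties/Task.
            # local-name() makes the lookup independent of any xmlns on the nested Task.
            $props = $task.SelectSingleNode("*[local-name()='Properties']")
            if ($props -and $props.HasAttribute('appName')) {
                $commands += ("{0} {1}" -f $props.GetAttribute('appName'), $props.GetAttribute('args')).Trim()
            }
            foreach ($exec in $task.SelectNodes(".//*[local-name()='Exec']")) {
                $cmd     = $exec.SelectSingleNode("*[local-name()='Command']").InnerText
                $argText = $exec.SelectSingleNode("*[local-name()='Arguments']").InnerText
                $commands += ("{0} {1}" -f $cmd, $argText).Trim()
            }
            foreach ($cmdLine in $commands) {
                [pscustomobject]@{
                    GpoName   = $gpoNames[$gpoGuid.ToUpperInvariant()]
                    GpoGuid   = $gpoGuid
                    Scope     = $scope
                    TaskType  = $task.LocalName
                    TaskName  = $task.GetAttribute('name')
                    Changed   = $task.GetAttribute('changed')
                    Command   = $cmdLine
                    RiskFlags = (Get-TaskRiskFlags -CommandLine $cmdLine) -join '; '
                }
            }
        }
    }
}

# Report only tasks that trip at least one flag, most recently changed first.
Get-GpoScheduledTask |
    Where-Object { $_.RiskFlags } |
    Sort-Object Changed -Descending |
    Format-Table GpoName, Scope, TaskType, TaskName, Changed, Command, RiskFlags -AutoSize -Wrap
```

Run it from a workstation with the RSAT tools against the domain of interest; every flagged task should map to a known deployment, and the Changed timestamp tells you when the GPO item was last edited.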




Active Directory - The Heart of Privileged Access Worldwide

Today, from the entire United States Government to the global Fortune 1000, Active Directory is the very foundation of IT, bedrock of cyber security and heart of privileged access at 85% of all government and business organizations worldwide.

Here's why -

  1. The entirety of an organization's user accounts and their credentials reside in Active Directory

  2. The entirety of an organization's computers are joined to and have a secure channel with Active Directory

  3. The entirety of an organization's IT assets (files, folders etc.) are protected by Active Directory security groups

  4. The entirety of an organization's end-point management and security policies are deployed from Active Directory

  5. The credentials of the entirety of an organization's Active Directory accounts are synced with Azure AD in the Cloud


Further, to facilitate the management and protection of these organizational user and computer accounts, security groups and policies, OUs and containers, an ocean of privileged access is delegated and provisioned inside Active Directory.

Finally, the most powerful administrative (privileged) accounts and groups, i.e. all Domain Admin equivalent accounts and groups, that possess unrestricted organization-wide access, are all stored, managed and protected in Active Directory.


In other words, worldwide, not just the Keys to the Kingdom, the keys to every door in the kingdom lie in Active Directory.


(As such, in Windows-based networks, Active Directory is the account/credential database used by Kerberos, the native authentication protocol in Windows, and every domain controller is a Kerberos Key Distribution Center (KDC). Based on this fact alone, Active Directory is also the foundation of cyber security in a Windows Server-based IT infrastructure.)

Thus, factually speaking, an organization's Active Directory is the single most valuable IT and corporate asset, worthy of the highest protection, because it is the heart of privileged access and the foundation of an organization's cyber security.





No Mention of Active Directory in the Mainstream Media

To date, most major cyber security breaches in the last decade, including the Sony Hack, Target Breach, JP Morgan, Snowden, OPM Breach, UN Breach, SolarWinds Breach, and now the Colonial Pipeline Hack and others, all involved Active Directory and specifically involved the compromise and misuse of an Active Directory Privileged User Account.

In fact, as I also stated in our blog post on the SolarWinds Breach, the perpetrators in the SolarWinds Hack only targeted Active Directory environments, and here's proof based on additional research published by FireEye -

"The backdoor also determines if the system is joined to an Active Directory (AD) domain, and if so, retrieves the domain name. Execution ceases if the system is not joined to an AD domain."


This is how important, pervasive and mission-critical Active Directory is today at thousands of organizations worldwide.

Yet, there is virtually no mention of Active Directory in any coverage of cyber security breaches in the mainstream media!


Here are 10 prominent news items on the Colonial Pipeline Hack and even if you were to read each and every single one of them in their entirety, you won't find a single mention of the word Active Directory in them -

 
Clearly, there is more that the world needs to know than they are currently being told by the media and others out there.



The reason this is SO very important is that unless organizations worldwide realize that it is their foundational Active Directory deployments, and specifically privileged access in Active Directory that is at the heart of virtually all breaches, the situation is NOT going to improve, because the ultimate enabler of all breaches will still be left inadequately protected.





Privileged Access in Active Directory

Speaking of privileged access in Active Directory, there exists an ocean of privileged access in every Active Directory.


Specifically, from the CEO's domain user account to the all-powerful Domain Admins security group, and from the domain computer account of every domain-joined computer to every domain security group that is used to protect millions of IT resources company-wide, literally everything in Active Directory is an object protected by an ACL (access control list). Within each ACL reside hundreds of Active Directory security permissions, each of which allows or denies one of over eighty different kinds of permissions to some user, service account, group, nested group, well-known security principal etc. It is collectively that the millions of Active Directory security permissions in the ACLs of thousands of Active Directory objects ultimately determine exactly who has what privileged access, where and how in Active Directory.




Avenues to Gaining Privileged Access in Active Directory

Obtaining privileged access in Active Directory is the new holy grail for perpetrators, and the #1 target today, because once such access is obtained, the perpetrator can obtain access to just about everything, on-premises, and in the Cloud.


It remains a less known fact that virtually all major recent cyber security breaches of the last decade, including JP Morgan, Sony Hack, Anthem Breach, the OPM Breach, Snowden, the United Nations Breach and now the SolarWinds Breach, involved the compromise and misuse of a single Active Directory privileged user account.


Traditional Techniques

Novice and intermediate perpetrators generally employ traditional techniques such as password guessing/brute-forcing, Kerberoasting and Pass-the-Hash (PtH) in their attempts to compromise Active Directory privileged user accounts. 

Fortunately for defenders, advances in protection measures have reduced the likelihood of success with such techniques.


Advanced Techniques

Professional perpetrators seem to prefer employing advanced techniques that involve escalation of privilege based on the identification and exploitation of excessive access on privileged accounts, groups, and certain objects in Active Directory. 

Here are the Top-5 advanced techniques to gain privileged access in Active Directory -

  1. Use Mimikatz DCSync to replicate secrets (i.e. password hashes) from an Active Directory domain 

  2. Reset the password of any existing Active Directory Privileged User account e.g. the Administrator account

  3. Change the membership of any existing Active Directory Privileged Group e.g. the Domain Admins group

  4. Modify the ACL (access control list) protecting the special AdminSDHolder object in Active Directory

  5. If Smartcards are in use, disable use of Smartcards on an AD Privileged User's account, then reset its password

The novelty of these five advanced privilege escalation techniques is that their use only requires the perpetrator to have sufficient Active Directory Effective Permissions to be able to enact these administrative tasks in a target Active Directory.


Specifically, the use of these advanced techniques does not require perpetrators to attempt a single move that could raise suspicion or be easily detected, such as moving laterally, compromising DCs, Kerberoasting, PTH etc. All a perpetrator needs to do is avail of the already gained Authenticated User level access to correctly analyze the ocean of security permissions that exists in Active Directory and identify privilege escalation paths leading to Domain Admin accounts.
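As an added example (not the post's or Paramount Defenses' code), this PowerShell reads the ACLs of the objects that gate the five paths above and lists every trustee holding a right that enables one of them, so the list can be compared with the trustees that are expected to hold it. It assumes the RSAT ActiveDirectory module (for the AD: drive and Get-ADDomain); the function names and the expected-trustee list are this example's own, and the extended-right and attribute GUIDs are the well-known schema values.

```powershell
Import-Module ActiveDirectory

# Well-known rightsGuid / schemaIDGUID values that identify the ACEs of interest.
$RightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes (DCSync)'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (DCSync)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (reset password)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (group membership)'
    'bf967a68-0de6-11d0-a285-00aa003049e2' = 'userAccountControl (smart-card requirement)'
}

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
# Trustees expected to hold these rights by default; anything else needs an explanation.
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Domain Controllers"
)

function Get-EscalationAce {
    # Lists every Allow ACE on the object that grants a right enabling the named path.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Path
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString().ToLowerInvariant()
        $hit = $null
        if ($rights -match 'GenericAll|WriteDacl|WriteOwner') {
            # Full control, or the ability to rewrite the ACL, subsumes every specific right.
            $hit = "broad: $rights"
        } elseif ($RightGuids.ContainsKey($guid)) {
            $hit = "$($RightGuids[$guid]) via $rights"
        } elseif ($ace.ObjectType -eq [guid]::Empty -and $rights -match 'ExtendedRight|WriteProperty|GenericWrite') {
            # An empty ObjectType means the right applies to all properties / all extended rights.
            $hit = "all properties or extended rights: $rights"
        }
        if (-not $hit) { continue }
        [pscustomobject]@{
            Path      = $Path
            Object    = $DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            Right     = $hit
            Inherited = $ace.IsInherited
            Expected  = $ExpectedTrustees -contains $ace.IdentityReference.Value
        }
    }
}

$sid   = $domain.DomainSID.Value
$admin = Get-ADUser  -Identity "$sid-500"    # built-in Administrator account (RID 500)
$das   = Get-ADGroup -Identity "$sid-512"    # Domain Admins group (RID 512)
$targets = @(
    @{ Path = '1 DCSync replication rights';             DN = $domain.DistinguishedName }
    @{ Path = '2+5 Administrator password / smart-card'; DN = $admin.DistinguishedName }
    @{ Path = '3 Domain Admins membership';              DN = $das.DistinguishedName }
    @{ Path = '4 AdminSDHolder ACL';                     DN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" }
)

$findings = foreach ($t in $targets) { Get-EscalationAce -DistinguishedName $t.DN -Path $t.Path }
# Unexpected trustees first: each one should map to a documented delegation or be removed.
$findings | Sort-Object Expected, Path, Trustee | Format-Table Path, Trustee, Right, Inherited, Expected -AutoSize
```

The output is the direct ACE listing, not the effective permissions the post speaks of: nested group membership, deny ACEs and inheritance still have to be resolved before a listed trustee can be said to actually hold the right.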

Note: The risk posed by the use of these advanced techniques is adequately described in The Paramount Brief.  

These advanced techniques are already in use today, and often rely on the use of an inaccurate but freely available tool called Bloodhound. The only tools that can make such determinations accurately are Gold Finger and Gold Finger Mini.

I cannot emphasize this enough - "The compromise of a single Domain Controller or that of a single Active Directory Privileged User Account is tantamount to a complete Active Directory Forest-wide compromise."
 



Concluding Thoughts

The sole purpose of penning this blog post was to help organizations worldwide understand that in fact what enabled the perpetrators of the Colonial Pipeline Hack to be able to easily deploy ransomware system-wide (aka domain-wide) was their ability to compromise and then misuse a single Active Directory Privileged User account.

In the case of the Colonial Pipeline Hack, its perpetrator's intentions were to unleash ransomware for monetary gain. 

Likewise, a perpetrator could easily accomplish virtually any objective of choice, whether it be data exfiltration, automated asset destruction, tampering with a highly sensitive asset (e.g. software source code, or blueprints of a highly sensitive project such as a nuclear reactor), taking over the energy grid of a city/state, compromising a government agency (e.g. an embassy or a military deployment), stealing data (e.g. financial details, customer PII etc.) from a Fortune 100 company etc., if he/she could simply compromise ONE Active Directory Privileged User account.


I cannot emphasize this enough, so I will say it once more, for the umpteenth time - the compromise of a single DC or a single Active Directory Privileged User account is tantamount to a complete, colossal, organization-wide breach, that can not only result in substantial damage, it can cost millions of dollars and weeks to recover from.

Securing DCs is easy for we know exactly how many we have; unfortunately, the same isn't true of privileged users in AD.


In that regard, it is my professional opinion as former Microsoft Program Manager for Active Directory Security that the accurate identification and subsequent reduction in the number of individuals that possess privileged access in Active Directory is the single most important step organizations can take to protect themselves from such colossal breaches.



I will also tell you that today, while there exist over a thousand cyber security companies in the world, including numerous prominent ones such as Palo Alto Networks (PANW), Palantir Technologies (PLTR), CyberArk (CYBR), FireEye (FEYE), CrowdStrike (CRWD), Check Point Software (CHKP), ZScaler (ZS), Splunk (SPLK), CloudFlare (NET), NortonLifeLock (NLOK), Sophos Group (SOPH), SolarWinds (SWI), Tenable (TENB), Varonis (VRNS), VMWare (VMW), Cisco (CSCO), IBM, Intel (INTC), Microsoft (MSFT) etc., today not one cyber security company in the world possesses the capability to help organizations accurately* identify and lock down privileged access in their foundational Active Directory deployments.

Well, I shouldn't say not one, because there is one. The only company in the world that can do so is Paramount Defenses; it can empower organizations to instantly and accurately identify privileged users/access, domain-wide, at a button's touch.


Note: This is not about pride or competition. We do not do what the other thousand cyber security companies do, and they do not and cannot do what we do. This is about collaboration and helping make the world a safer place. 


In summary, today's post was about helping the world understand that if you actually take a close (detailed) look at what happened in the Colonial Pipeline Hack, you'll find that the defining step that actually enabled the perpetrators to inflict substantial damage was their ability to compromise and misuse a single i.e. just one Active Directory privileged user account - without it, they could not have been able to unleash ransomware system-wide (i.e. domain-wide.)


By the way, if you liked this post, you may very likely also like my substantially detailed post on the SolarWinds Breach.

Lastly, as I have adequately described by now, at the heart of both these breaches lay Active Directory.


Best wishes,
