The American Defense Industrial Complex operates on Active Directory

Folks,

From the U.S. Department of Defense to the Israeli Defense Forces, Microsoft to Nvidia, and Lockheed Martin to Palantir, today virtually the entire American Defense Industrial Complex operates on Microsoft Active Directory.

In fact, the entire United States Government, as well as the Fortune 100 and Wall Street also operate on Active Directory.

For those who may not know, Active Directory is one of the most important and trustworthy foundational technologies ever built, and it provides two paramount imperatives that the Cloud cannot - operational autonomy and organizational privacy.

Consequently, Active Directory lies at the very foundation of national security, defense and corporate security worldwide.

The National Security Agency Agrees

The stated mission of NSA in cybersecurity is to prevent and eradicate threats to U.S. national security systems with a focus on the Defense Industrial Base and the improvement of its weapons’ security.

Active Directory Security is so important to global security, that just last fortnight, the National Security Agency (NSA) and the Australian Signals Directorate (ASD) issued joint guidance on how to mitigate Active Directory attacks, and I quote -

"Active Directory is the most widely used authentication and authorization solution in enterprise Information Technology (IT) networks globally." 

"Like numerous other networks, Active Directory is used in many Department of Defense and Defense Industrial Base networks as a critical component for managing identities and access,” 

“This makes it an attractive target for malicious actors to attempt to steal the proverbial ‘keys to the kingdom. Taking steps to properly defend AD from these common and advanced techniques will detect and prevent adversary activities and protect sensitive data from determined malicious cyber actors.”

To state it as simply as one can, the National Security Agency (NSA) of the United States of America just confirmed not only what we've been saying for years, but also the paramount importance of what it is we do at Paramount Defenses. 

You see, the number one way to steal the proverbial Keys to the Kingdom that the NSA is referring to is Active Directory Privilege Escalation, and in fact we had released the underlying technical facts in The Paramount Brief way back (2014).

I wonder what took the NSA so long. We've been saying this for a decade - 2014, 2015, 2016, 2017, 2018, 2019, 2020.

This is Paramount

The accurate assessment of privileged access in Active Directory is absolutely paramount to organizational cyber security.

As every cyber security professional, Domain Admin and CISO worth his/her salt knows well, the most important (the #1) measure in all of organizational cyber security and in Active Directory security is the attainment of Least Privilege Access (LPA) in Active Directory, which involves accurately assessing and then locking-down privileged access in Active Directory, and one simply cannot do so without the ability to accurately assess privileged access in Active Directory. 

Decision Support (aka Proof)

At the heart of both the SolarWinds Breach and the Colonial Pipeline Hack lay privileged access in Active Directory.

Both these attacks could've been prevented if only organizations had attained and maintained LPA in Active Directory. 

Here's why / consider this - the Top-5 ways of escalating in privilege in Active Directory are i) DC Sync eff-perms / WD eff-perms on domain root, ii) WD eff-perms on AdminSDHolder, iii) CR-Reset Password eff-perms on any AD admin account, iv) WP-member eff-perms on any AD admin group, and v) WP - GP Link and GP Options eff-perms on the default DC OU.

Anyone who has any of these eff-perms in AD owns the organization, and can completely destroy it, should they so desire, so at an absolute minimum*, assessing and locking-down the above eff-perms domain-wide is absolutely paramount.

*Oh, and this is merely the tip of the iceberg. Consider the following - 

Anyone and everyone who has { CR-Reset Password or WD or WO } eff-perms on any AD user account in the domain can own that account in one second, anyone who has { WP-Member or WD or WO } eff-perms on any AD group in the domain can control that group in one second (and access everything it protects), anyone who has { WD or WO } eff-perms on an(y) OU in the domain can own every* object in that OU, easily escalate privilege and/or control and/or destroy everything in it.

Pro Tip for Amateurs - Count the number of times I've said eff perms above, because it is NOT perms, but eff-perms (aka Active Directory Effective Permissions) that control everything in AD. Permissions analysis is almost useless. 

Organizations that do not know who has what eff-perms in their AD are dangerously operating in the proverbial dark.

Extremely Difficult

The accurate determination of access entitlements, i.e. who has what privileged access where and how, in Active Directory is extremely difficult and error-prone, and likely one of the biggest challenges in organizational cyber security today.

It is extremely difficult because it involves analyzing millions of individual access control specifications that cumulatively impact resultant access, and thus is involves meticulously connecting millions of dots with absolutely zero room for error.

There is no room for error, because like performing heart surgery or screening baggage at airports, even a single error could result in an unmitigated privilege escalation path that could be used to completely destroy an entire organization.

The process is akin to finding a thousand unique needles in a haystack the size of One World Trade Center, New York, wherein in order to ensure security, it is paramount that each and every single needle in the entire haystack be found. 

Mission Accomplished

For anyone who may not yet know, there is one and only cyber security solution in the entire world that can accurately assess privileged access in Active Directory - our unique, unrivaled, all-American, Microsoft-endorsed Gold Finger.

Gold Finger is the only cyber security solution in the world that can accurately assess access entitlements i.e. who has what privileged access in Active Directory, based on the accurate determination of effective permissions in Active Directory.

Let there be no ambiguity about that cardinal technical fact, none whatsoever. Although there are over twenty solutions that claim to be able to assess privileged access in Active Directory, not even one of them can do so accurately, because there is one and only correct way to accurately assess privileged access in Active Directory and that involves the accurate determination of Active Directory Effective Permissions, which is extremely difficult, and none of those solutions do so.

Not a single one of them.

As such, the method and system for the accurate determination of who has what access entitlements in Active Directory, including of course privileged access, and privilege escalation paths, is governed by our patent, U.S. Patent 8429708.

The Bible of Access Assessment

I should also mention this is no ordinary patent. It is the Bible of how to accurately assess access in an IT system, wherein access is controlled using ACLs, and today, over 75 patents from many of the world's top cyber security companies cite it, including Microsoft, Amazon, IBM, VMWare, McAfee, CyberArk, FireEye, Dell, VMWare, Palantir and others.

Our patented, Microsoft-endorsed accurate effective access assessment capabilities are embodied in our Gold Finger, Gold Finger Mini and Gold Finger 007G solutions, are unique in their ability to enable organizations to fulfill this paramount objective and over the last decade, from the U.S. DoD to the United Nations and from the U.S. Treasury to several Fortune 100 companies, they have been instrumental in helping so many important organizations attain and maintain LPA in AD.

Simply Unrivaled  (F-35)

To give the world an idea of just how capable and superlative our access assessment technology is, consider this -

Gold Finger can accurately assess exactly who has what privileged access, where and how, domain-wide in any Active Directory domain in the world, comprised of thousands of objects, within just minutes, and at the touch of a button. 

To put that in perspective, in less time than the Generals in the U.S Military can brief the U.S. Secretary of Defense as to the state of cyber security of their respective forces, or for that matter in less time than the CEO of Microsoft has an hourly meeting with his top cyber security experts, Gold Finger can find out exactly who has not just the Keys to the Kingdom, but also who has the keys to every single door in the kingdom, in every Active Directory domain in the U.S. Dept. of Defense.

In fact, we recently offered to give away up to one hundred million dollars in software to any and every organization or professional who could provably show us even one tool in the world that can do what Gold Finger's privileged access assessment capabilities can, and guess how many organizations/professionals have taken us up on the offer thus far? 

Zero! Need one say more?

In Closing

In closing, I will only add that at Paramount Defenses we continue to be laser-focused on Active Directory security because it is absolutely paramount to the national security of the United States of America, and that of 100+ countries worldwide. 

You see, there can be no national security without a government having operational autonomy and organizational privacy, and only Active Directory makes these two imperatives possible. Fortunately, today every organization in the world that wishes to do so can easily attain and maintain least privilege access (LPA) in their foundational Active Directory domains, thereby measurably eliminating 99% of avenues of privilege escalation to the "Keys to the Kingdom" in Active Directory.

That's all for now.

Best wishes,
Sanjay.

The World's Top Cyber Security Companies, including Microsoft (MSFT), Crowdstrike (CRWD), ZScaler (ZS), CyberArk (CYBR) etc. ALL Agree on ONE Fact

Folks,

There is 1 (ONE) simple paramount fact that impacts cyber security worldwide today that virtually ALL of the world's top cyber security companies, including Microsoft (MSFT), CrowdStrike (CRWD), Dell (DELL), Splunk (SPLK), ZScaler (ZS), CyberArk (CYBR) etc. etc. all agree on, and I quote -

"Microsoft Windows Server Active Directory is the foundation of an IT Infrastructure"

- Source: Splunk  Backup-Source (SPLK, acquired by Cisco  Market Cap: $28 Billion)

"Microsoft Active Directory is at the core of your business"

- Source: DellEMC (DELL,  Market Cap: $ 99 Billion)

"Active Directory and Entra ID are the lifeblood of your business"

- Source: Quest (Quest Software,  Valuation: ~ $ 5 Billion)

"When AD fails, either from ransomware, cyberattacks or catastrophes, the IT environment grinds to a halt"

- Source: Quest (Quest Software,  Valuation: ~ $ 5 Billion)

"Microsoft Active Directory is a collection of services that help you manage users and devices on a network."

- Source: Amazon AWS  (AMZN,  Market Cap: $ 2 Trillion.)

"Start with Active Directory, go everywhere"

- Source: Okta  (OKTA,  Market Cap: $ 15 Billion.)

"Configure GlobalProtect to use Active Directory Authentication profile"

- Source: Palo Alto Networks  (PANW,  Market Cap: $ 106 Billion.)

"A secure Active Directory environment can mitigate most attacks."

- Source: CrowdStrike  (CRWD,  Market Cap: $ 90 Billion.)

"At the heart of every network there are the Domain Controllers and the Active Directory instances that run on them."

- Source: CyberArk  (CYBR,  Market Cap: $ 7 Billion)

"Microsoft Active Directory is used extensively across global enterprises. Even with the migration to Azure Active Directory, companies continue to utilise Active Directory in a Hybrid environment where workstations may be joined solely to AD, or both AD joined and WorkPlace joined to AAD."

- Source: ZScaler  (ZS,  Market Cap: $ 30 Billion)

"Manually maintaining Google identities for each employee can add unnecessary management overhead when all employees already have an account in Active Directory. By federating user identities between Google Cloud and your existing identity management system, you can automate the maintenance of Google identities and tie their lifecycle to existing users in Active Directory."

- Source: Google  (GOOG,  Market Cap: $ 2 Trillion)

"Active Directory provides mission-critical authentication, authorization and configuration capabilities to manage users, computers, servers and applications throughout an organization’s IT infrastructure...

…[it] is critical to secure an organization’s systems and applications."

- Source: Microsoft  (MSFT,  Market Cap: $ 3 Trillion)

"From the White House to the entire U.S. Government, and from the $3T Microsoft (MSFT) to the global Fortune 1000, at the very foundation of cyber security of 85% of all organizations worldwide lies a single technology - Active Directory."

- Source: Paramount Defenses (Privately held)

A  $ 20 Trillion  Fact

Here are just a few corporations on the Standard & Poors 500 (S&P 500) at whose very foundation lies Active Directory   -

Alphabet (GOOGL), Amazon (AMZN), Advanced Micro Devices (AMD), American Airlines (AAL), American Express (AXP), AmerisourceBergen (ABC), AT&T (T),  Baker Hughes (BKR), Bank of America (BAC), Berkshire Hathaway (BRK.B) BlackRock (BLK), Capital One Financial (COF), Caterpillar (CAT), CBRE Group (CBRE), Cisco (CSCO), Citibank (C), Clorox (CLX), Coca-Cola Company (KO), Chevron (CVX), Cisco (CSCO), Comcast (CMCSA), CVS Health (CVS), Costco (COST), Delta Airlines (DAL), Dow Inc (DOW), Dupont de Nemours (DD), Equifax (EFX), Exxon Mobil (XOM), Facebook (FB), Ford Motor (F), Fortinet (FTNT), Fox Corporation (FOX), Gartner (IT), General Electric (GE), General Motors (GM), Gilead Sciences (GILD), Goldman Sachs (GS), Google (GOOG), Hewlett Packard Enterprise (HPE), Hilton Worldwide (HLT), Humana (HUM), IBM (IBM), Intel (INTC), JP Morgan Chase (JPM), Johnson and Johnson (JNJ), Kellogg Co (K), Kroger Co (KR), Lockheed Martin (LMT), Mastercard (MA), McDonalds (MCD), Merck (MRK), MetLife (MET), Microsoft (MSFT), Morgan Stanley (MS), Nasdaq (NASD), Netflix (NFLX), NewsCorp (NWS), Nike (NIKE), Northrop Grumman (NOC), Norwegian Cruise Line Holdings (NCLH), Nvidia (NVDA), Occidental Petroleum (OXY), Okta (OKTA) Oracle Corp (ORCL), PayPal (PYPL), PepsiCo Inc (PEP), Phillip Morris International (PM), Procter and Gamble (PG), Qualcomm (QCOM), Quest Diagnostics (DGX), Raytheon (RTX), Robert Half International (RHI), Royal Caribbean Cruises (RCL), S&P Global (SPG), Salesforce.com (CRM), Schlumberger (SLB), Southwest Airlines (LUV), Sysco Corp (SYY), Target Corp (TGT), Tesla (TSLA), Tyson Foods (TSN), Twitter (TWTR) United Airlines (UAL), UPS (UPS), Verizon (VZ), Walmart (WMT), Walt Disney (DIS), Wells Fargo (WFC), Yum! Brands (YUM) etc. etc.

This Sounds Very Important

If $ 20+ Trillion are riding on Active Directory today, one would have to assume that the security of these foundational Active Directory deployments ought to be one of the highest organizational cyber security priorities worldwide. It is.

In fact, it is paramount. However, there's just one small Trillion $ problem...




Microsoft's #1 Recommendation

As evidenced in the quote above, Microsoft has always highly and sufficiently recommended that every organization operating on Active Directory consider it mission-critical to business and adequately secure and defend it at all times.

In fact, Microsoft recommends that the 1st and most important (paramount) cyber security measure that organizations take to secure (defend) Active Directory is to correctly identify and reduce users who have privileged access in Active Directory:

 "Privileged accounts like administrators of Active Directory have direct or indirect access to most or all assets

in an IT organization, making a compromise of these accounts a significant business risk."

Source

"Cyber-attackers focus on privileged access in Active Directory 

to rapidly gain access to all of an organizations data."

Source

"Securing privileged access is (thus) a critical first step
to establishing security for business in a modern organization."

Source

"Because it can be difficult or even impossible to properly secure every aspect of an organization's IT infrastructure,
you should focus efforts first on the accounts whose privilege create the greatest risk,
which are privileged accounts and groups in Active Directory."

Source

"Implement least privilege. Limit the count of administrators
or members of privileged groups in Active Directory."

Source 1 , Source 2

"Review administrative privileges each quarter to determine which personnel
still have a legitimate business need for administrative access (in Active Directory)"

Source

"An ounce of prevention is worth a pound of detection"

Source

There's Just A Small Trillion $ Problem

Shockingly, the means to implement Microsoft's number #1 recommendation to thousands of its organizational customers, i.e. the means to correctly (accurately) identify who has what privileged access in/across Active Directory just don't exist*.

That's right. The capability that organizations require to correctly identify who has what privileged access in their Active Directory, so they can limit the number of privileged users and review this number every quarter, doesn't exist* today.

As a result, thousands of organizations worldwide do not even have the means to be able to correctly identify, control, minimize or review exactly who has the "Keys to the Kingdom" in their foundational Active Directory deployments.



Here's evidence, from none other than Microsoft  (Source) -

"In assessing Active Directory installations, we (Microsoft) invariably find excessive numbers of accounts that have been granted rights and permissions far beyond those required to perform day-to-day work. Mid-sized directories may have dozens of accounts in the most highly privileged groups, while large installations may have hundreds or even thousands."

Simply stated, it means that in most large organizations, today there very likely are hundreds or even thousands of users who possess sufficient privileged access so as to be able to control, compromise or blow up the entire organization!

To put this context, consider the fact that almost all major recent cyber security breaches including JP Morgan, Sony Hack, Target, Snowden, OPM Breach, Anthem, Avast, the U.N. breach, SolarWinds Breach, Colonial Pipeline Hack, Microsoft Hack, Okta Hack etc. ALL involved the compromise and misuse of just ONE Active Directory Privileged User account!

(Recently, it cost shipping giant Maersk a staggering $ 250 Million to recover from a breach involving its Active Directory.)



In short, as it concerns having visibility into exactly who has the all-powerful "Keys to the Kingdom" in an organization, today most organizations are operating in the proverbial dark, and neither their IT groups nor their C-Suite have a clue.

(In fairness to all IT admins, IT managers and CISOs at thousands of organizations, this is a massive problem and a very sophisticated technical subject, so they alone should not be blamed for not sufficiently understanding its vast complexity.)

Unfortunately, with the advent of freely available hacking tools be specifically designed to identify and exploit exactly such excessive access related vulnerabilities in Active Directory, urgently addressing this problem has become paramount.


This should be a serious cause of concern for all stakeholders, including their employees, customers and shareholders.





*All of One

Note the use of  * when referring to the non-existence of the paramount capability that organizations require to adequately defend Active Directory i.e. the ability to correctly (accurately) identify who has what privileged access in Active Directory.

It so happens that there's all of ONE company on planet Earth that possesses this capability today, and its patented, Microsoft-endorsed capability can uniquely enable and empower every organization operating on Active Directory to be able to correctly, instantly and automatically identify exactly who has what privileged access in Active Directory.

Actually, there's a little more to it than "it so happens." Eighteen years ago, Microsoft's top cyber security expert on Active Directory Security established this company and for the last eighteen years, it has been laser-focused on solving just this one single $ 28 Trillion problem for the world, (oh, and $ 28 Trillion only accounts for companies in the United States.)

You've likely never heard of this company, but over the last decade, from the United States Treasury to the United States Department of Defense, many of the world's most important and valuable government and business organizations have used and depended on its solutions to correctly identify and minimize privileged access in their Active Directory.

Today, not a single cyber security or IT company on Earth, let alone those listed on the Nasdaq, can compete with it.

Today this company can uniquely enable and empower the entire world to instantly, effortlessly, and most importantly, accurately identify, minimize and lock-down all privileged access, i.e. the "Keys to the Kingdom", in foundational Active Directory deployments worldwide, thereby helping thousands of organizations worldwide trustworthily attain and maintain Least Privileged Access (LPA), which is not only a cyber security necessity but also a cardinal tenet of Zero Trust.

That ONE company is Paramount Defenses, and perhaps the simplest introduction to it can be found here.


We will be making a small announcement tomorrow or day after, that is likely to impact a Trillion+ $.

That's all for now.

Best wishes,
Sanjay Tandon

Formerly
Program Manager,
Active Directory Security,
Microsoft Corporation.


PS: Please Understand -

 

It is a LITTLE difficult to be humble when your work single-handedly impacts Trillions of $ worldwide, and you're trying to help thousands of organizations understand why they remain substantially vulnerable.

This isn't about petty stuff like money i.e. it isn't about a Million or a Billion or a 100B or a T. It's about doing what's right.

Four years ago, I personally demonstrated how hackers could unleash ransomware onto 1000s of organizational computers using Active Directory. For almost ten years now, I have also been personally warning about the use of Active Directory Privilege Escalation as a top attack vector, and sure enough, in almost every major breach, including the SolarWinds Breach, the Colonial Pipeline Hack and recently the Okta and Microsoft breaches, the defining/cardinal step employed by the perpetrators to gain unrestricted privilege was Active Directory Privilege Escalation. I have also been extensively warning about the use of DCSync, and sure enough, as observed and reported by Microsoft, it is DCSync that LAPSUS$ (DEV-0537) employed to obtain unrestricted access and inflict damage. Need I say more?

It remains my professional opinion as former Microsoft Program Manager for Active Directory Security that attaining and maintaining LPA in Active Directory is the single-most important and effective measure that organizations can take to substantially improve their cyber security posture, and technically, we can help the entire world do so, oh and we can technically do so in less than one day. (To appreciate that, consider that even Microsoft couldn't do so in one decade.)

It is also imperative that the world and Microsoft realize that Microsoft making the entire world signup for and rely on its (now twice hacked) Azure (, renamed to Entra after two hacks) Cloud is NOT the answer to solving such problems, because, simply put, the day that an organization transitions over its primary identity to a third-party Identity Provider (IDP) is the day that it relinquishes its operational autonomy, organizational privacy and dignity to a third-party, forever.

Cyber security isn't that difficult, but it does require basic common-sense. If you don't even know how many users have the "Keys to your Kingdom" how can you even begin to protect your organization? This isn't rocket science, its common sense.

Question Zero - Who can reset the CISO's password?

Folks,

Today, I'm going to ask possibly the most simple and fundamental question one could possibly ask in all of cyber security.

Who can reset the CISO's password today?

From the Fortune 100 to every government agency in every country in the world, and at 85% of organizations worldwide that operate on Active Directory today, this is the #1 question that investors, customers and employees should be asking.


Here's why - Today cyber security undoubtedly plays a paramount role in corporate and national security, and even though organizations are collectively spending billions of dollars on cyber security, the truth is that most organizations still don't even have answers to the simplest and most fundamental of cyber security questions, and remain vastly vulnerable.

Just think - If $ Billion organizations don't even know who can reset the password of their CISO, how could they possibly know who can reset the passwords of the accounts of thousands of their employees, contractors and privileged users?


Oh, and if you don't know just how powerful a password reset is, just look at what happened in the massive Twitter breach.


You may get this response - "We don't worry about password resets because we have multi-factor authentication (MFA)."

No problem. Just ask - "Wonderful, do you know who can disable the use of MFA on your Active Directory account(s)?"
After all, all it takes is the flip of a bit on the user account, after which authentication falls back to being password based.


I ain't kidding you - Today, most CISOs most likely will NOT be able to tell you EXACTLY who can reset their passwords, or disable the use of multi-factor authentication on their accounts, or for that matter, on any of their internal user accounts, or for that matter exactly who can create, delete and manage domain accounts, computers, groups etc. in their organization.


Let me repeat that - Today, the CISO's of most organizations in the world cannot answer this question with exactness.


Here's proof - Let alone their production foundational Active Directory deployments, here is a simple lab Active Directory deployment of a fictional organization with a 1000 accounts, a 100 IT personnel, an executive team, and a CISO account.

All you have to do is ask them if their IT teams even possess the capability to correctly determine and tell you exactly how many users can reset the password of the CISO in this lab Active Directory. If they can, great, insist that they determine and tell you so, but if they can't, be very concerned, because know you too now just how little these organizations know.


Finally, ask yourself - would you invest in or trust an organization whose CISO cannot even answer such a basic question?


We're all in this together.

Best wishes,
Sanjay

Chairman and CEO,
Paramount Defenses

[Also a customer of and an investor in some of the world's largest financial institutions,
cloud computing companies, cyber security companies, airlines and other companies.]


PS: If you want to know the answer to that question, feel free to ask. i.e. feel free to first follow and then DM me on Twitter.

PS2: If you don't think exactness matters, ask yourself this - would you board a plane if I told you that the metal detector at the security checkpoint was not entirely accurate, so there's a good chance that someone onboard may have an explosive.