Active Directory - a clear and present danger

[Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>]

So I definitely have a different mental history of active directory than
most people, and recently I was doing a Glasshouse podcast with Pablo Breuer
<https://www.linkedin.com/in/pablobreuer/> and here
<https://youtu.be/Z0d6qNLevUY?t=2714> he says basically the same thing
everyone says, which is that it's impossible to move off of technology even
when that technology has a history of severe flaws, or a design flaw that
means it cannot be secured.

This is the current mental stance among CIOs familiar with large companies,
or even medium size companies! And I get it! But if leopards keep eating
your face, and every hacker in the world keeps recommending you stop giving
them a cuddle, and you say "I can't, I have legacy systems in my head that
love to hug large dangerous cats" then that stops being the government's
problem, in a way. Like when people ask why Cyber Insurance Markets are
obvious catastrophic failures, and we point at how they can't really change
any meaningful behavior, and they have to insure the total market value of
whatever company they are insuring because the cost of risk is basically a
sliding scale of whatever the Russian ransomware team thought up that
morning over kasha, then everyone gets that surprised face and it's all
very annoying.

So anyways, that brings us back to AD. AD is a system where any time you
hack any computer on the network, you can become the domain controller, and
own the whole company. That's just how it works. Every hacker/penetration
tester has known that for two decades and the specific incantation on how
you do that changes slowly over time, but it's always true. And then at
INFILTRATE one year two Microsoft Research team members demonstrated an
automation of the lateral movement piece which is now what Bloodhound
<https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx#:~:text=BloodHound%20is%20an%20application%20developed,their%20privileges%20within%20the%20domain.>is.
So in theory everyone knows this right now, even though they like to blame
EternalBlue for all their problems in life.

But when you point that out on Twitter
<https://twitter.com/dinodaizovi/status/1418909301746327559?s=20>, people
ask you what the alternative is, and I have to admit I disagree with DDZ
that it's "Zero Trust". That sounds like adding more complexity to a system
that is already SO COMPLEX even lifetime specialists not named James
Forshaw don't understand the BASICS of the authentication system.

Like here's a paper
<https://twitter.com/DebugPrivilege/status/1418884269376671755?s=20> that
came out today that's in my queue all about Service credentials, and look -
no matter how many new auditing tools or visualization thingies or AI
anomaly detection alerts you deliver to your customers, if the underlying
system is NOT UNDERSTANDABLE BY HUMANS then you can't secure it. I
guarantee you that about 80% of the Russian ransomware affialiates
understand Service Credentials and delegation better than your current AD
management lead. Most of the time your AD ACLs are just you fooling
yourself that you have a security boundary where you, in fact, don't.

Also, the problem is not NTLM. Everyone stop talking about NTLM. It
wouldn't matter if AD was re-implemented to use purely quantum key exchange
because only Gandolf can mentally visualize the transitive trust structures
implicit in how you configured your AD Forests.

Ok so that brings us back to: What do you do instead? And honestly, I don't
know. I've enjoyed reading the snippets that Grapl Security
<https://www.graplsecurity.com/> has been posting about their setup. As far
as I can gather, the TL;DR is just use Google as your directory server and
use Chromebooks as much as possible.

This is what I do right now - but I'm not sure how scalable this is. Maybe
y'all can pitch in on this thread and suggest a solution?

Thanks,
Dave Aitel

_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org