
00:00:05 Hi, my name is Clare Kearney.

00:00:08 >> My name is Zaid Arafeh.


00:00:09 >> And this is Defending Active Directory Against Cyberattacks.
00:00:15 In this session, we're going to cover Part I,
00:00:18 Understanding Active Directory security.
00:00:21 In the coming sessions, we're going to Part II and III,
00:00:24 Understanding the adversaries and
00:00:26 looking at Strategic defense.
00:00:30 >> All right, I'll go ahead and start Part I,
00:00:33 understanding Active Directory security.
00:00:37 So why should you care about Active Directory
00:00:39 security, right?
00:00:42 At the end of the day, in isolation Active Directory by
00:00:45 itself, it's a network service, right, that provides a number of
00:00:50 services but it's not a core part of the business, right.
00:00:53 It's not like a line of business application
00:00:56 that keeps the lights running.
00:00:58 So if you were to ask a CEO of a company, let's say,
00:01:01 about the top five applications in their Enterprise,
00:01:06 they would probably not mention Active Directory as one of
00:01:08 the top five.
00:01:10 However, there are some facts that we wanna talk about in this
00:01:14 presentation, that might kinda change this and show that
00:01:17 Active Directory is very centric to the organization.
00:01:23 So this gentleman here, Socrates, is one of the ancient
00:01:29 Greek philosophers and he says, know thyself.
00:01:34 And this is great advice for defenders who wanna protect
00:01:38 their organization from cyberattacks.
00:01:41 Because you need to start with knowing your weaknesses and
00:01:45 your strengths and just as importantly, knowing where
00:01:48 the center of gravity for your environment is and
00:01:51 this is what we're about to discover together.
00:01:57 So here's a question for you.
00:02:00 Which of your organization's digital assets
00:02:04 have a security dependency on Active Directory?
00:02:08 Take a minute, pause the video and think about it.
00:02:10 This is a very important question, all right?
00:02:13 Good, so here are some of the common ones that we see.
00:02:18 So core business applications,
00:02:20 this is really gonna depend on your business.
00:02:22 So things like, let's say, if you're into the retail industry,
00:02:26 this would be something like pulling up sale.
00:02:30 Or if you are in manufacturing, this would be the controller for
00:02:34 your machinery and things like that.
00:02:36 Normally those things depend heavily on Active Directory.
00:02:39 Productivity, very common, right?
00:02:41 Email, IM, instant messaging, and
00:02:45 I don't know, document repositories, right.
00:02:47 Those are all things that are very centric to the business and
00:02:50 they normally depend on Active Directory.
00:02:52 Financial information like the general ledger and
00:02:56 let's say the payroll and all that fancy talk
00:02:59 related to financial stuff that I don't know much about.
00:03:02 But this is normally very dependent on Active Directory
00:03:06 and you wanna make sure that.
00:03:08 And by the way, what I mean by dependent on Active Directory,
00:03:12 it means that it's joined to a domain
00:03:15 that's part of Active Directory and it depends on it for
00:03:18 the security context, right.
00:03:20 So, the next one here is SLA-bound services.
00:03:22 So, let's say you're a hoster, providing services to third
00:03:25 parties, or any form of service provider, really, and you have
00:03:31 contracts to deliver according to a service level agreement.
00:03:35 And what happens in that case is that any disruption to
00:03:38 the Active Directory service can cause a disruption to your
00:03:42 service and therefore, you could potentially break the SLA and
00:03:46 have some consequences based on that.
00:03:48 Critical infrastructure,
00:03:49 this is probably the scariest one in my opinion,
00:03:52 where the impact is actually propagated to the public, right.
00:03:57 There was an attack recently in Ukraine for
00:04:00 example, against one of the power grids.
00:04:03 And I would say, I don't know, I think over 250 million
00:04:08 people were in the dark for quite some time because
00:04:11 of a cyberattack on one of their power grids.
00:04:14 So there's one example of a critical infrastructure.
00:04:17 It can get a little nastier, too.
00:04:19 There've been some bad incidents.
00:04:23 Finally, and
00:04:24 this is probably the most common one, trade secrets and IP.
00:04:27 Well, most common in relevance to the type of attackers that
00:04:31 we're discussing today, because this is where you're storing
00:04:36 the outcome of years and years of research and development
00:04:41 onto machines on your network in hopes of protecting them.
00:04:46 But if you're not protecting the security context of the entire
00:04:50 ecosystem, chances are, if there is, let's say, a foreign state
00:04:56 that has interest in that IP, they can get ahold of it, right?
00:05:01 So, this is a very important one.
00:05:04 >> You just said, highlight that one some more.
00:05:07 At Microsoft, we usually refer to these as high value assets.
00:05:11 It may include source code, design specs,
00:05:15 something that's very unique to your organization,
00:05:17 varies by industry.
00:05:21 What's really important in this context is knowing what your
00:05:24 critical assets are, knowing who owns them, where they're stored,
00:05:28 and ensuring that they're protected in that way.
00:05:30 >> Absolutely, and this is all part of know thyself, right?
00:05:34 We wanna know what our organization's high value
00:05:37 assets are.
00:05:38 And this is kind of a very long conversation that we can go
00:05:42 into.
00:05:43 But for the main part is, you wanna know what services depend
00:05:47 on AD and what are the highest value assets that you have with
00:05:51 that kind of dependency.
00:05:57 All right, so now we know what AD can control, but
00:06:01 what about the things that can control AD itself?
00:06:05 So what are the different means of control over
00:06:08 Active Directory?
00:06:12 To start with, what we did is we laid down the terminology here
00:06:17 to make things easier for you.
00:06:19 So, if principal A has administrative control over
00:06:22 principal B, and a principal can be a user or a machine or
00:06:25 anything like that, a securable object in Active Directory,
00:06:28 basically.
00:06:31 Then controlling A would allow you to control B transitively,
00:06:36 I guess, if that's a word.
00:06:38 And principal A is called
00:06:42 a security dependency of principal B, right?
00:06:45 So B depends on A for security.
00:06:48 And those dots that you see on the screen, the nodes, we call
00:06:52 them nodes in what we call an attack graph terminology.
00:06:58 A node is either one of the systems, either A or B, and
00:07:01 the relationship between them is an arrow going from
00:07:04 the controlling system down to the controlled system, right?
00:07:11 So we went ahead and classified the different ways that AD can
00:07:16 be controlled, right?
00:07:18 So what are those different ways?
00:07:20 Number one is the domain controller host.
00:07:24 I'm pretty sure you can imagine if you can compromise the host
00:07:30 in a way where you can execute code on it, for example,
00:07:33 you can compromise anything that sits on top of it, right?
00:07:37 And that includes Active Directory itself, right?
00:07:40 Not a very common one, by the way,
00:07:41 but we've seen some instances where that happens.
00:07:45 Credentials, number two.
00:07:47 This is the second category,
00:07:48 and my opinion, the most important one.
00:07:50 And even statistically speaking, most of the attacks that we
00:07:53 see are based on credential theft, right?
00:07:56 Stealing privileged credentials and
00:07:58 making use of that, to kinda mimic legitimate behavior,
00:08:02 right, to move on and compromise the rest of the enterprise.
00:08:07 The third one is security dependency, and
00:08:10 we have a whole session on this, by the way.
00:08:12 I think it's tactic number five, right?
00:08:13 >> Yeah.
00:08:14 >> And security dependencies are external systems, so
00:08:17 they're not part of Active Directory, they're external
00:08:20 systems that can impose control on Active Directory, right.
00:08:24 So a good example of that is,
00:08:26 let's say you're monitoring domain controllers using SCOM,
00:08:30 right, Systems Center Operations Manager.
00:08:34 Which means that normally you would have an agent on the DC,
00:08:37 and SCOM would be able, if you are able to control SCOM
00:08:41 by compromising it, or if you're a legitimate actor, you can
00:08:45 push commands and software down to the domain controller and
00:08:49 therefore you can control the domain controller.
00:08:52 The last part is Active Directory data, or
00:08:54 the last category.
00:08:56 And this is when you're
00:08:58 able to manipulate parts of the directory that will
00:09:01 lead to control over the directory service.
00:09:04 So for example, if you're able to manipulate the access control
00:09:08 entries over a sensitive part of Active Directory, let's say,
00:09:13 the system container, right?
00:09:16 It's very likely that, based on that, you can indirectly control
00:09:20 Active Directory, in some cases directly, too, right?
00:09:23 So those other four categories, think about them.
00:09:26 Take a moment and find some examples about each one of them,
00:09:30 in order to kinda visualize this very well. And-
00:09:35 >> I have a question for
00:09:37 you on this.
00:09:37 What happens when a company, for example, focuses on one or
00:09:41 two of these different types of control categories, but
00:09:45 maybe they're missing the other two categories?
00:09:48 >> That is a very good question, and in instances where we work
00:09:53 with customers that have been compromised in the past,
00:09:58 right, we try to address all of these.
00:10:01 To the best extent possible in the time period that we have to
00:10:04 perform something like a tactical recovery out of
00:10:07 a compromise, right.
00:10:08 So you have to be as comprehensive as possible, but
00:10:12 at the same time, it's very important that you prioritize,
00:10:15 right.
00:10:16 Priority always goes, well, probability and
00:10:20 impact when it comes to risk, right,
00:10:21 so credentials are probably where you have to focus most of
00:10:25 your effort, mitigating attacks against privileged credentials.
00:10:29 However, you also have to address all of them, right.
00:10:33 And the tactical term, you wanna do this to a certain extent,
00:10:38 but on the strategic term you wanna find the way of
00:10:41 addressing this in a more solid manner.
00:10:44 >> Got it, thank you.
00:10:47 >> Thank you.
00:10:49 All right, so I'm pretty sure most of us have seen
00:10:53 this somewhere, right, in at least a few white papers.
00:10:58 But, I'm gonna go over it again here, and
00:11:01 make sure that we have a solid understanding of this,
00:11:04 because this is essential to the security of Active Directory.
00:11:10 So what we've done here is we've taken the AD Service,
00:11:13 the Active Directory Service, and any of its dependencies,
00:11:17 right, anything that the AD Service depends on for security,
00:11:22 and we've lumped that into one bucket, and we called it tier 0,
00:11:26 right.
00:11:27 Tier 0 is any asset that can control the rest of
00:11:30 the environment, right.
00:11:33 Or basically, they can control Active Directory service, but
00:11:36 also by inheritance they can control the rest of
00:11:39 the environment.
00:11:40 And then for everything else, which we call AD data, right,
00:11:44 because basically what you're doing here is you
00:11:47 have representations, conceptual representations, really,
00:11:52 of these assets in AD, right.
00:11:54 What you're doing here is having all of these assets
00:11:58 split into two parts, one that provides services, and
00:12:03 basically we call it tier 1, and one that provides
00:12:07 access mechanisms, and we called it tier 2.
00:12:11 So tier 1 would probably be all of your servers, your cloud and
00:12:16 basically any servers that are not tier 0, right,
00:12:19 or any services that you're hosting that are not in tier 0.
00:12:24 And tier 2 would be the Wild West.
00:12:26 This is where you fully assume compromise.
00:12:27 Those are the access machines that are most exposed to risk
00:12:31 through things like access to the Internet,
00:12:34 or email, or any of that stuff, right.
00:12:37 So basically, the higher up you go, the more trust you have,
00:12:42 and the more you should probably invest in protection.
00:12:48 Now, tier 1 itself can be very diverse, as you can imagine,
00:12:51 because not all servers are created equal, right.
00:12:56 This is where you have to find your high value assets within
00:12:59 tier 1, and
00:13:00 secure them to a higher degree than the rest of the tier. Okay.
00:13:06 >> So,
00:13:06 let's talk maybe a little bit more about the tier model.
00:13:10 Now, not every company has these three tiers in their
00:13:13 environment today, right.
00:13:15 They may have the assets within each tier, but
00:13:18 not divided in the way that we have in the diagram here.
00:13:22 What would it take for a company to implement that,
00:13:26 to create the separation, to create the controls,
00:13:29 to appropriately administer each tier?
00:13:34 >> Great.
00:13:35 So basically,
00:13:36 what we have in the tier model is a separation of the machines
00:13:42 in order to restrict who can logon to those machines.
00:13:45 So you wanna have the tier of machines, and then the tier of
00:13:49 admins who have privileged access over these machines.
00:13:53 And the way you do this is by implementing a group policy
00:13:56 to each tier, a single group policy for
00:13:59 each tier that restricts logons using user rights assignments.
00:14:04 Those are under security options in the group policy.
00:14:07 And what you're doing here is making sure that
00:14:11 if you are privileged in one tier, you have logon
00:14:14 restrictions to deny you access to the other tiers.
00:14:18 That way, if a lower tier gets compromised,
00:14:21 which is very likely in tier 2, right, having somebody click on
00:14:24 the wrong link or something along those lines.
00:14:27 What will happen is the tier 0 admins whose credentials
00:14:30 are considered very valuable would not be able to logon down
00:14:34 there, right.
00:14:36 So, they will only be able to log onto the tier itself and
00:14:40 to their privileged workstations that they use
00:14:43 to administer the tier.
00:14:44 So, it boils down to group policy, basically.
00:14:47 And by the way, we have the Securing Privileged Access
00:14:52 roadmap published, and as part of that we have scripts that
00:14:56 will help you implement the Tier model in your organization.
00:15:02 It's pretty simple,
00:15:03 at the beginning it's only logon restrictions, but
00:15:06 then you have to map those logon restrictions to actual users and
00:15:10 groups to designate them as tier 0, 1, or 2.
00:15:13 >> Got it, this is also pulled out directly
00:15:16 from the Pass-the-Hash White Paper, correct?
00:15:19 >> Absolutely, Pass-the-Hash White Paper, Version One and
00:15:23 Version Two.
00:15:24 Please go ahead and read them, they're very good.
00:15:27 >> [LAUGH] >> All right.
00:15:31 >> So let's look at what happens when you don't have that, and
00:15:35 when you aren't very well aware of your dependencies and
00:15:39 how to protect them.
00:15:41 >> Yeah, when you're not aware of the dependencies and you're
00:15:44 not doing the tier segmentation, things can go wrong, and
00:15:49 those are very simple mistakes that adversaries make use of.
00:15:53 If we can fix those mistakes, we are really raising the bar for
00:15:59 adversary, without even investing in security gadgets or
00:16:03 anything like that,
00:16:04 nothing fancy, just the built-in operating system capabilities.
00:16:08 If you can develop that kung-fu, you are better off than having
00:16:13 any security gadgets, really, just understanding the concepts.
00:16:16 And we'll talk about this a little more at the very end
00:16:19 when we dive into strategic defense.
00:16:22 But looking at this attack graph here, we have Patient 0 at
00:16:26 the very left side here, who's a phishing victim, basically.
00:16:30 They clicked on the wrong link,
00:16:31 but it could have been any other form of attack, really,
00:16:33 like a watering hole or anything along those lines.
00:16:36 And you can see the dot is red,
00:16:38 meaning that they are compromised.
00:16:39 So, the attacker's on that machine at this point,
00:16:43 right, and they have that machine as admin.
00:16:48 They have admin credentials on that machine because that's
00:16:51 another mistake which is the fact that we're making all users
00:16:54 admins, right.
00:16:55 We wanna get away from that, too.
00:16:56 There are practical ways of doing this
00:16:59 that will mitigate things like the installation of software and
00:17:03 things along those lines.
00:17:05 Key word here is config manager.
00:17:07 Well, anyway, we'll go- >> Two words.
00:17:09 >> Two words, here.
00:17:10 >> [LAUGH] >> Two words, yeah.
00:17:12 [LAUGH] So, basically Patient 0 was phished, right,
00:17:17 credentials gone.
00:17:19 Well, the adversary has them, and
00:17:22 they also happen to be the local admin password
00:17:25 which happens to be the same on all machines.
00:17:28 Does it sound familiar?
00:17:29 Could be familiar, I hope not.
00:17:31 So if that's the case, then the adversary also
00:17:35 has access to all these machines as admin, right,
00:17:38 which means that it's just gonna snowball from here, right.
00:17:42 They're gonna do the same thing on each machine.
00:17:44 Well, they're gonna do some discovery to find the ones they
00:17:46 have interest in.
00:17:47 But they're gonna do this on all machines until they find
00:17:51 a machine where a terminal services admin is logged on,
00:17:55 right.
00:17:57 They compromise that machine, and
00:17:59 they use the terminal services admin in order
00:18:02 to access the terminal services server as admin, as well.
00:18:07 Now, one thing about terminal service is they normally have
00:18:11 a whole bunch of people logging on, right, because
00:18:14 nobody uses a jump server, like a shared jump server.
00:18:17 And by the way,
00:18:18 I have a lot of things to say against jump servers.
00:18:20 Well, I'm not a big fan, let's just say.
00:18:23 But basically, internal services,
00:18:27 you have a whole bunch of people logged on.
00:18:29 And if you can administer that machine or logon as admin,
00:18:33 you can basically dump all of their credentials.
00:18:35 So in this case, our friend the adversary went ahead and
00:18:39 dumped the credentials on the terminal server, and
00:18:42 one of them happened to be for a config manager server, right.
00:18:46 So, they go ahead and compromise their config manager server.
00:18:51 They stole the credentials and
00:18:52 now they're jumping onto the config manager server.
00:18:55 Now, config manager happens to have one of the categories of
00:19:00 dependencies that we spoke about earlier,
00:19:02 which is security dependency, meaning that it has
00:19:06 an agent sitting on the domain controller.
00:19:09 So what do they do?
00:19:11 They go ahead and from the config manager server,
00:19:14 they deploy a PowerShell script, or any form, really,
00:19:18 of malware that they've written onto the domain controller and
00:19:22 now they control the rest of the enterprise.
00:19:24 They can go ahead and dump the database or
00:19:26 whatever the heck they want, right.
00:19:28 So basically what we've
00:19:31 gone through is what we call an attack graph.
00:19:34 And there is an awesome blog post on this by one of
00:19:38 the thought leaders of Microsoft and
00:19:41 the security space called John Lambert.
00:19:44 And he says that attackers think in graphs, because they need to
00:19:49 build a map on how to get to the asset that they're looking for,
00:19:53 whether it's AD or not, right, while we,
00:19:56 defenders, think in lists, right.
00:19:59 So, what we think about is, all right,
00:20:01 I wanna secure those systems.
00:20:03 But when we think in lists, we don't realize that there
00:20:06 are dependencies that we have to protect.
00:20:10 So we need to start thinking in graphs and
00:20:13 understanding what are the dependencies.
00:20:15 And what you will realize is that one of the most common
00:20:19 dependencies and possibly the first thing you have to
00:20:21 secure on your network is Active Directory.
00:20:24 And this is why I'm answering my question that I asked earlier,
00:20:27 why should you care about Active Directory security?
00:20:30 It is the most common dependencies, or
00:20:31 one of the most common.
00:20:36 All right, so you have an advantage over the adversary,
00:20:39 right?
00:20:40 So let's assume that you and
00:20:42 the adversaries are on the network, right.
00:20:44 You have an advantage,
00:20:45 which is the fact that it's likely that you've built large
00:20:49 parts of the network, you know a lot more about it than they do.
00:20:53 And you can use that knowledge against the adversaries, right?
00:20:57 Because the adversaries have to do a lot of reconnaissance and
00:21:00 all kinds of social engineering and research and
00:21:03 all that to understand what your network looks like.
00:21:05 You have that knowledge.
00:21:06 You are much better equipped to build that
00:21:11 chain of dependencies that lead to our high value assets, right?
00:21:14 And you can use that knowledge,
00:21:16 really, to do things like removing dependencies.
00:21:19 And an example of that would be removing an unnecessary agent
00:21:23 off of domain controllers.
00:21:27 I work with a lot of customers on an offering called ADSH,
00:21:32 Advanced Directory Service Hardening, and
00:21:35 what we realized is that most customers have at
00:21:39 least five agents sitting on domain controllers.
00:21:42 The question is, are they securing the upstream systems
00:21:45 that are controlling those agents or not?
00:21:47 Normally, the answer is no.
00:21:49 And normally, those agents are not even necessary.
00:21:53 They do things on the domain controller,
00:21:56 they help with a few things, but chances are the benefit
00:22:00 of the ROI is outweighed by that introduced risk, right, so
00:22:04 they're better off without them.
00:22:05 So sometimes you wanna remove dependencies.
00:22:08 >> And if you're listening and you're not sure how
00:22:11 to remove them, then that's what we cover in tactic five.
00:22:14 And we look into that in more detail on what steps you can
00:22:18 take to remove your dependencies in your environment.
00:22:21 >> Right, absolutely.
00:22:23 And, if you also think that you need professional help with
00:22:27 hardening, whether it's removing, reducing, or
00:22:30 anything along those lines, Microsoft Consulting Services as
00:22:34 part of the Cybersecurity practice can come in and
00:22:37 be of great help to you.
00:22:39 We've helped a lot of customers in this space.
00:22:41 So the second thing you can do about dependencies is
00:22:44 reducing dependencies, right?
00:22:46 Sometimes you cannot remove them, so
00:22:47 that you have to reduce them in a way.
00:22:49 Make sure that the upstream system,
00:22:52 even though it does have control over the downstream system, but
00:22:55 that control is mitigated.
00:22:56 And this is where things like JEA, for example,
00:22:59 Just Enough Access, which is a thing that we're basically,
00:23:03 a PowerShell-based solution for selective, I guess control over,
00:23:10 selective administration over systems, becomes very handy.
00:23:14 I normally strongly recommend them, especially in tier one,
00:23:17 right, because the size of tier one is very large and
00:23:20 you might wanna split it down.
00:23:22 And finally you know where to invest.
00:23:25 If you have the knowledge of where your high value assets
00:23:29 are, and where the dependencies are, you would know where to
00:23:32 invest, your investments would not be done randomly.
00:23:36 Right?
00:23:36 A good example on that is like,
00:23:39 putting a lot of investment in end-user machines that do not
00:23:43 carry a lot of security significance, right?
00:23:48 In which case you're definitely making an investment, but
00:23:52 it's not necessarily the right investment, right?
00:23:55 We wanna be more strategic about our investments going forward
00:23:59 and make sure that they're risk-driven,
00:24:01 they're based on your knowledge of risk,
00:24:03 which is very important.
00:24:04 All right, we'll talk about that more in the strategic defense
00:24:07 afterwards at the end of this session.
00:24:11 Now, a note on Azure AD and why it is awesome.
00:24:16 >> [LAUGH] >> It is because the four
00:24:19 categories of control that apply to AD and generally any system,
00:24:25 really, are largely mitigated by the fact that Microsoft,
00:24:31 as the hoster of Azure Active Directory,
00:24:35 is taking care of them.
00:24:37 So, for example, when it comes to host control,
00:24:41 you don't have to worry about that because that's provided by
00:24:44 Microsoft, right?
00:24:45 You transfer the risk basically to Microsoft, and
00:24:48 I can definitely say that we are very capable of protecting
00:24:52 the host in Azure datacenters.
00:24:55 And the second thing is control through security dependencies.
00:24:59 Most security dependencies are on the host level, right?
00:25:03 Things like agents and things along those lines.
00:25:05 So unless you create a very fancy dependency like,
00:25:08 I don't know, creating a credential vault or something
00:25:11 along those lines, you're pretty much in very good shape,
00:25:14 because you've transferred most of the risk to the hoster,
00:25:17 which is Microsoft, right.
00:25:19 And the third category, which is directory data, I have it dotted
00:25:23 here, and the reason I have it dotted is because for
00:25:26 the most part, really, directory data's a lot simpler when it
00:25:31 comes to Azure AD than it is in on-prem, right?
00:25:34 In on-prem, normally you've inherited this environment from,
00:25:37 I don't know, the late 90s or something along those lines.
00:25:40 And multiple people have managed it, so
00:25:42 you don't know what's going on in the directory.
00:25:44 But with Azure AD, with things starting to pick up, and
00:25:47 actually, they've picked up pretty quickly,
00:25:51 things are a lot more under control,
00:25:53 you have the opportunity to start from scratch.
00:25:56 Start very clean with the data in making sure that you're
00:25:59 only making changes that are not gonna affect
00:26:02 the integrity of the whole environment.
00:26:03 So the last thing you have to worry about with that is
00:26:07 credential vector, right, which is still the most common vector
00:26:12 of attack, whether on-prem or in the cloud, right.
00:26:15 You have to invest in securing privileged access to the best
00:26:19 extent possible.
00:26:23 >> All right, well, this wraps up part one of our
00:26:26 first session.
00:26:27 In the next part of this session,
00:26:29 we're going to get to know our adversary a little bit more,
00:26:32 look at the different types of adversaries, the definitions.
00:26:36 As part of knowing myself, knowing the adversary,
00:26:40 is also a key component of protecting Active Directory.
00:26:44 >> All right.
00:26:46 >> Thank you.
