00:00:09 >> And this is Defending Active Directory Against Cyberattacks. 00:00:15 In this session, we're going to cover Part I, 00:00:18 Understanding Active Directory security. 00:00:21 In the coming sessions, we're going to Part II and III, 00:00:24 Understanding the adversaries and 00:00:26 looking at Strategic defense.
00:00:30 >> All right, I'll go ahead and start Part I, 00:00:33 understanding Active Directory security. 00:00:37 So why should you care about Active Directory 00:00:39 security, right? 00:00:42 At the end of the day, in isolation Active Directory by 00:00:45 itself, it's a network service, right, that provides a number of 00:00:50 services but it's not a core part of the business, right. 00:00:53 It's not like a line of business application 00:00:56 that keeps the lights running. 00:00:58 So if you were to ask a CEO of a company, let's say, 00:01:01 about the top five applications in their Enterprise, 00:01:06 they would probably not mention Active Directory as one of 00:01:08 the top five. 00:01:10 However, there are some facts that we wanna talk about in this 00:01:14 presentation, that might kinda change this and show that 00:01:17 Active Directory is very centric to the organization. 00:01:23 So this gentleman here, Socrates, is one of the ancient 00:01:29 Greek philosophers and he says, know thyself. 00:01:34 And this is great advice for defenders who wanna protect 00:01:38 their organization from cyberattacks. 00:01:41 Because you need to start with knowing your weaknesses and 00:01:45 your strengths and just as importantly, knowing where 00:01:48 the center of gravity for your environment is and 00:01:51 this is what we're about to discover together. 00:01:57 So here's a question for you. 00:02:00 Which of your organization's digital assets 00:02:04 have a security dependency on Active Directory? 00:02:08 Take a minute, pause the video and think about it. 00:02:10 This is a very important question, all right?
00:02:13 Good, so here are some of the common ones that we see. 00:02:18 So core business applications, 00:02:20 this is really gonna depend on your business. 00:02:22 So things like, let's say, if you're into the retail industry, 00:02:26 this would be something like point of sale. 00:02:30 Or if you are in manufacturing, this would be the controller for 00:02:34 your machinery and things like that. 00:02:36 Normally those things depend heavily on Active Directory. 00:02:39 Productivity, very common, right? 00:02:41 Email, IM, instant messaging, and 00:02:45 I don't know, document repositories, right. 00:02:47 Those are all things that are very centric to the business and 00:02:50 they normally depend on Active Directory. 00:02:52 Financial information like the general ledger and 00:02:56 let's say the payroll and all that fancy talk 00:02:59 related to financial stuff that I don't know much about. 00:03:02 But this is normally very dependent on Active Directory 00:03:06 and you wanna make sure that. 00:03:08 And by the way, what I mean by dependent on Active Directory, 00:03:12 it means that it's joined to a domain 00:03:15 that's part of Active Directory and it depends on it for 00:03:18 the security context, right. 00:03:20 So, the next one here is SLA-bound services. 00:03:22 So, let's say you're a hoster, providing services to third 00:03:25 parties, or any form of service provider, really, and you have 00:03:31 contracts to deliver according to a service level agreement. 00:03:35 And what happens in that case is that any disruption to 00:03:38 the Active Directory service can cause a disruption to your 00:03:42 service and therefore, you could potentially break the SLA and 00:03:46 have some consequences based on that. 00:03:48 Critical infrastructure, 00:03:49 this is probably the scariest one in my opinion, 00:03:52 where the impact is actually propagated to the public, right. 00:03:57 There was an attack recently in Ukraine for 00:04:00 example, against one of the power grids.
00:04:03 And I would say, I don't know, I think over 250 million 00:04:08 people were in the dark for quite some time because 00:04:11 of a cyberattack on one of their power grids. 00:04:14 So there's one example of a critical infrastructure. 00:04:17 It can get a little nastier, too. 00:04:19 There've been some bad incidents. 00:04:23 Finally, and 00:04:24 this is probably the most common one, trade secrets and IP. 00:04:27 Well, most common in relevance to the type of attackers that 00:04:31 we're discussing today, because this is where you're storing 00:04:36 the outcome of years and years of research and development 00:04:41 onto machines on your network in hopes of protecting them. 00:04:46 But if you're not protecting the security context of the entire 00:04:50 ecosystem, chances are, if there is, let's say, a foreign state 00:04:56 that has interest in that IP, they can get ahold of it, right? 00:05:01 So, this is a very important one.
00:05:04 >> You just said, highlight that one some more. 00:05:07 At Microsoft, we usually refer to these as high value assets. 00:05:11 It may include source code, design specs, 00:05:15 something that's very unique to your organization, 00:05:17 varies by industry. 00:05:21 What's really important in this context is knowing what your 00:05:24 critical assets are, knowing who owns them, where they're stored, 00:05:28 and ensuring that they're protected in that way.
00:05:30 >> Absolutely, and this is all part of know thyself, right? 00:05:34 We wanna know what our organization's high value 00:05:37 assets are. 00:05:38 And this is kind of a very long conversation that we can go 00:05:42 into. 00:05:43 But for the main part is, you wanna know what services depend 00:05:47 on AD and what are the highest value assets that you have with 00:05:51 that kind of dependency. 00:05:57 All right, so now we know what AD can control, but 00:06:01 what about the things that can control AD itself?
00:06:05 So what are the different means of control over 00:06:08 Active Directory? 00:06:12 To start with, what we did is we laid down the terminology here 00:06:17 to make things easier for you. 00:06:19 So, if principal A has administrative control over 00:06:22 principal B, and a principal can be a user or a machine or 00:06:25 anything like that, a securable object in Active Directory, 00:06:28 basically. 00:06:31 Then controlling A would allow you to control B transitively, 00:06:36 I guess, if that's a word. 00:06:38 And principal A is called 00:06:42 a security dependency of principal B, right? 00:06:45 So B depends on A for security. 00:06:48 And those dots that you see on the screen, the nodes, we call 00:06:52 them nodes in what we call an attack graph terminology. 00:06:58 A node is either one of the systems, either A or B, and 00:07:01 the relationship between them is an arrow going from 00:07:04 the controlling system down to the controlled system, right? 00:07:11 So we went ahead and classified the different ways that AD can 00:07:16 be controlled, right? 00:07:18 So what are those different ways? 00:07:20 Number one is the domain controller host. 00:07:24 I'm pretty sure you can imagine if you can compromise the host 00:07:30 in a way where you can execute code on it, for example, 00:07:33 you can compromise anything that sits on top of it, right? 00:07:37 And that includes Active Directory itself, right? 00:07:40 Not a very common one, by the way, 00:07:41 but we've seen some instances where that happens. 00:07:45 Credentials, number two. 00:07:47 This is the second category, 00:07:48 and in my opinion, the most important one. 00:07:50 And even statistically speaking, most of the attacks that we 00:07:53 see are based on credential theft, right? 00:07:56 Stealing privileged credentials and 00:07:58 making use of that, to kinda mimic legitimate behavior, 00:08:02 right, to move on and compromise the rest of the enterprise.
00:08:07 The third one is security dependency, and 00:08:10 we have a whole session on this, by the way. 00:08:12 I think it's tactic number five, right?
00:08:13 >> Yeah.
00:08:14 >> And security dependencies are external systems, so 00:08:17 they're not part of Active Directory, they're external 00:08:20 systems that can impose control on Active Directory, right. 00:08:24 So a good example of that is, 00:08:26 let's say you're monitoring domain controllers using SCOM, 00:08:30 right, System Center Operations Manager. 00:08:34 Which means that normally you would have an agent on the DC, 00:08:37 and SCOM would be able, if you are able to control SCOM 00:08:41 by compromising it, or if you're a legitimate actor, you can 00:08:45 push commands and software down to the domain controller and 00:08:49 therefore you can control the domain controller. 00:08:52 The last part is Active Directory data, or 00:08:54 the last category. 00:08:56 And this is when you're 00:08:58 able to manipulate parts of the directory that will 00:09:01 lead to control over the directory service. 00:09:04 So for example, if you're able to manipulate the access control 00:09:08 entries over a sensitive part of Active Directory, let's say, 00:09:13 the system container, right? 00:09:16 It's very likely that, based on that, you can indirectly control 00:09:20 Active Directory, in some cases directly, too, right? 00:09:23 So those other four categories, think about them. 00:09:26 Take a moment and find some examples about each one of them, 00:09:30 in order to kinda visualize this very well. And-
00:09:35 >> I have a question for 00:09:37 you on this. 00:09:37 What happens when a company, for example, focuses on one or 00:09:41 two of these different types of control categories, but 00:09:45 maybe they're missing the other two categories?
00:09:48 >> That is a very good question, and in instances where we work 00:09:53 with customers that have been compromised in the past, 00:09:58 right, we try to address all of these.
00:10:01 To the best extent possible in the time period that we have to 00:10:04 perform something like a tactical recovery out of 00:10:07 a compromise, right. 00:10:08 So you have to be as comprehensive as possible, but 00:10:12 at the same time, it's very important that you prioritize, 00:10:15 right. 00:10:16 Priority always goes, well, probability and 00:10:20 impact when it comes to risk, right, 00:10:21 so credentials are probably where you have to focus most of 00:10:25 your effort, mitigating attacks against privileged credentials. 00:10:29 However, you also have to address all of them, right. 00:10:33 And the tactical term, you wanna do this to a certain extent, 00:10:38 but on the strategic term you wanna find the way of 00:10:41 addressing this in a more solid manner.
00:10:44 >> Got it, thank you.
00:10:47 >> Thank you. 00:10:49 All right, so I'm pretty sure most of us have seen 00:10:53 this somewhere, right, in at least a few white papers. 00:10:58 But, I'm gonna go over it again here, and 00:11:01 make sure that we have a solid understanding of this, 00:11:04 because this is essential to the security of Active Directory. 00:11:10 So what we've done here is we've taken the AD Service, 00:11:13 the Active Directory Service, and any of its dependencies, 00:11:17 right, anything that the AD Service depends on for security, 00:11:22 and we've lumped that into one bucket, and we called it tier 0, 00:11:26 right. 00:11:27 Tier 0 is any asset that can control the rest of 00:11:30 the environment, right. 00:11:33 Or basically, they can control Active Directory service, but 00:11:36 also by inheritance they can control the rest of 00:11:39 the environment. 00:11:40 And then for everything else, which we call AD data, right, 00:11:44 because basically what you're doing here is you 00:11:47 have representations, conceptual representations, really, 00:11:52 of these assets in AD, right.
00:11:54 What you're doing here is having all of these assets 00:11:58 split into two parts, one that provides services, and 00:12:03 basically we call it tier 1, and one that provides 00:12:07 access mechanisms, and we called it tier 2. 00:12:11 So tier 1 would probably be all of your servers, your cloud and 00:12:16 basically any servers that are not tier 0, right, 00:12:19 or any services that you're hosting that are not in tier 0. 00:12:24 And tier 2 would be the Wild West. 00:12:26 This is where you fully assume compromise. 00:12:27 Those are the access machines that are most exposed to risk 00:12:31 through things like access to the Internet, 00:12:34 or email, or any of that stuff, right. 00:12:37 So basically, the higher up you go, the more trust you have, 00:12:42 and the more you should probably invest in protection. 00:12:48 Now, tier 1 itself can be very diverse, as you can imagine, 00:12:51 because not all servers are created equal, right. 00:12:56 This is where you have to find your high value assets within 00:12:59 tier 1, and 00:13:00 secure them to a higher degree than the rest of the tier. Okay.
00:13:06 >> So, 00:13:06 let's talk maybe a little bit more about the tier model. 00:13:10 Now, not every company has these three tiers in their 00:13:13 environment today, right. 00:13:15 They may have the assets within each tier, but 00:13:18 not divided in the way that we have in the diagram here. 00:13:22 What would it take for a company to implement that, 00:13:26 to create the separation, to create the controls, 00:13:29 to appropriately administer each tier?
00:13:34 >> Great. 00:13:35 So basically, 00:13:36 what we have in the tier model is a separation of the machines 00:13:42 in order to restrict who can log on to those machines. 00:13:45 So you wanna have the tier of machines, and then the tier of 00:13:49 admins who have privileged access over these machines.
00:13:53 And the way you do this is by implementing a group policy 00:13:56 to each tier, a single group policy for 00:13:59 each tier that restricts logons using user rights assignments. 00:14:04 Those are under security options in the group policy. 00:14:07 And what you're doing here is making sure that 00:14:11 if you are privileged in one tier, you have logon 00:14:14 restrictions to deny you access to the other tiers. 00:14:18 That way, if a lower tier gets compromised, 00:14:21 which is very likely in tier 2, right, having somebody click on 00:14:24 the wrong link or something along those lines. 00:14:27 What will happen is the tier 0 admins whose credentials 00:14:30 are considered very valuable would not be able to log on down 00:14:34 there, right. 00:14:36 So, they will only be able to log onto the tier itself and 00:14:40 to their privileged workstations that they use 00:14:43 to administer the tier. 00:14:44 So, it boils down to group policy, basically. 00:14:47 And by the way, we have the Securing Privileged Access 00:14:52 roadmap published, and as part of that we have scripts that 00:14:56 will help you implement the Tier model in your organization. 00:15:02 It's pretty simple, 00:15:03 at the beginning it's only logon restrictions, but 00:15:06 then you have to map those logon restrictions to actual users and 00:15:10 groups to designate them as tier 0, 1, or 2.
00:15:13 >> Got it, this is also pulled out directly 00:15:16 from the Pass-the-Hash White Paper, correct?
00:15:19 >> Absolutely, Pass-the-Hash White Paper, Version One and 00:15:23 Version Two. 00:15:24 Please go ahead and read them, they're very good.
00:15:27 >> [LAUGH] >> All right.
00:15:31 >> So let's look at what happens when you don't have that, and 00:15:35 when you aren't very well aware of your dependencies and 00:15:39 how to protect them.
00:15:41 >> Yeah, when you're not aware of the dependencies and you're 00:15:44 not doing the tier segmentation, things can go wrong, and 00:15:49 those are very simple mistakes that adversaries make use of. 00:15:53 If we can fix those mistakes, we are really raising the bar for 00:15:59 adversary, without even investing in security gadgets or 00:16:03 anything like that, 00:16:04 nothing fancy, just the built-in operating system capabilities. 00:16:08 If you can develop that kung-fu, you are better off than having 00:16:13 any security gadgets, really, just understanding the concepts. 00:16:16 And we'll talk about this a little more at the very end 00:16:19 when we dive into strategic defense. 00:16:22 But looking at this attack graph here, we have Patient 0 at 00:16:26 the very left side here, who's a phishing victim, basically. 00:16:30 They clicked on the wrong link, 00:16:31 but it could have been any other form of attack, really, 00:16:33 like a watering hole or anything along those lines. 00:16:36 And you can see the dot is red, 00:16:38 meaning that they are compromised. 00:16:39 So, the attacker's on that machine at this point, 00:16:43 right, and they have that machine as admin. 00:16:48 They have admin credentials on that machine because that's 00:16:51 another mistake which is the fact that we're making all users 00:16:54 admins, right. 00:16:55 We wanna get away from that, too. 00:16:56 There are practical ways of doing this 00:16:59 that will mitigate things like the installation of software and 00:17:03 things along those lines. 00:17:05 Key word here is config manager. 00:17:07 Well, anyway, we'll go- >> Two words.
00:17:09 >> Two words, here.
00:17:10 >> [LAUGH] >> Two words, yeah. 00:17:12 [LAUGH] So, basically Patient 0 was phished, right, 00:17:17 credentials gone. 00:17:19 Well, the adversary has them, and 00:17:22 they also happen to be the local admin password 00:17:25 which happens to be the same on all machines. 00:17:28 Does it sound familiar?
00:17:29 Could be familiar, I hope not. 00:17:31 So if that's the case, then the adversary also 00:17:35 has access to all these machines as admin, right, 00:17:38 which means that it's just gonna snowball from here, right. 00:17:42 They're gonna do the same thing on each machine. 00:17:44 Well, they're gonna do some discovery to find the ones they 00:17:46 have interest in. 00:17:47 But they're gonna do this on all machines until they find 00:17:51 a machine where a terminal services admin is logged on, 00:17:55 right. 00:17:57 They compromise that machine, and 00:17:59 they use the terminal services admin in order 00:18:02 to access the terminal services server as admin, as well. 00:18:07 Now, one thing about terminal service is they normally have 00:18:11 a whole bunch of people logging on, right, because 00:18:14 nobody uses a jump server, like a shared jump server. 00:18:17 And by the way, 00:18:18 I have a lot of things to say against jump servers. 00:18:20 Well, I'm not a big fan, let's just say. 00:18:23 But basically, internal services, 00:18:27 you have a whole bunch of people logged on. 00:18:29 And if you can administer that machine or log on as admin, 00:18:33 you can basically dump all of their credentials. 00:18:35 So in this case, our friend the adversary went ahead and 00:18:39 dumped the credentials on the terminal server, and 00:18:42 one of them happened to be for a config manager server, right. 00:18:46 So, they go ahead and compromise their config manager server. 00:18:51 They stole the credentials and 00:18:52 now they're jumping onto the config manager server. 00:18:55 Now, config manager happens to have one of the categories of 00:19:00 dependencies that we spoke about earlier, 00:19:02 which is security dependency, meaning that it has 00:19:06 an agent sitting on the domain controller. 00:19:09 So what do they do?
00:19:11 They go ahead and from the config manager server, 00:19:14 they deploy a PowerShell script, or any form, really, 00:19:18 of malware that they've written onto the domain controller and 00:19:22 now they control the rest of the enterprise. 00:19:24 They can go ahead and dump the database or 00:19:26 whatever the heck they want, right. 00:19:28 So basically what we've 00:19:31 gone through is what we call an attack graph. 00:19:34 And there is an awesome blog post on this by one of 00:19:38 the thought leaders of Microsoft and 00:19:41 the security space called John Lambert. 00:19:44 And he says that attackers think in graphs, because they need to 00:19:49 build a map on how to get to the asset that they're looking for, 00:19:53 whether it's AD or not, right, while we, 00:19:56 defenders, think in lists, right. 00:19:59 So, what we think about is, all right, 00:20:01 I wanna secure those systems. 00:20:03 But when we think in lists, we don't realize that there 00:20:06 are dependencies that we have to protect. 00:20:10 So we need to start thinking in graphs and 00:20:13 understanding what are the dependencies. 00:20:15 And what you will realize is that one of the most common 00:20:19 dependencies and possibly the first thing you have to 00:20:21 secure on your network is Active Directory. 00:20:24 And this is why I'm answering my question that I asked earlier, 00:20:27 why should you care about Active Directory security? 00:20:30 It is the most common dependencies, or 00:20:31 one of the most common. 00:20:36 All right, so you have an advantage over the adversary, 00:20:39 right? 00:20:40 So let's assume that you and 00:20:42 the adversaries are on the network, right. 00:20:44 You have an advantage, 00:20:45 which is the fact that it's likely that you've built large 00:20:49 parts of the network, you know a lot more about it than they do. 00:20:53 And you can use that knowledge against the adversaries, right?
00:20:57 Because the adversaries have to do a lot of reconnaissance and 00:21:00 all kinds of social engineering and research and 00:21:03 all that to understand what your network looks like. 00:21:05 You have that knowledge. 00:21:06 You are much better equipped to build that 00:21:11 chain of dependencies that lead to our high value assets, right? 00:21:14 And you can use that knowledge, 00:21:16 really, to do things like removing dependencies. 00:21:19 And an example of that would be removing an unnecessary agent 00:21:23 off of domain controllers. 00:21:27 I work with a lot of customers on an offering called ADSH, 00:21:32 Advanced Directory Service Hardening, and 00:21:35 what we realized is that most customers have at 00:21:39 least five agents sitting on domain controllers. 00:21:42 The question is, are they securing the upstream systems 00:21:45 that are controlling those agents or not? 00:21:47 Normally, the answer is no. 00:21:49 And normally, those agents are not even necessary. 00:21:53 They do things on the domain controller, 00:21:56 they help with a few things, but chances are the benefit 00:22:00 of the ROI is outweighed by that introduced risk, right, so 00:22:04 they're better off without them. 00:22:05 So sometimes you wanna remove dependencies.
00:22:08 >> And if you're listening and you're not sure how 00:22:11 to remove them, then that's what we cover in tactic five. 00:22:14 And we look into that in more detail on what steps you can 00:22:18 take to remove your dependencies in your environment.
00:22:21 >> Right, absolutely. 00:22:23 And, if you also think that you need professional help with 00:22:27 hardening, whether it's removing, reducing, or 00:22:30 anything along those lines, Microsoft Consulting Services as 00:22:34 part of the Cybersecurity practice can come in and 00:22:37 be of great help to you. 00:22:39 We've helped a lot of customers in this space. 00:22:41 So the second thing you can do about dependencies is 00:22:44 reducing dependencies, right?
00:22:46 Sometimes you cannot remove them, so 00:22:47 that you have to reduce them in a way. 00:22:49 Make sure that the upstream system, 00:22:52 even though it does have control over the downstream system, but 00:22:55 that control is mitigated. 00:22:56 And this is where things like JEA, for example, 00:22:59 Just Enough Access, which is a thing that we're basically, 00:23:03 a PowerShell-based solution for selective, I guess control over, 00:23:10 selective administration over systems, becomes very handy. 00:23:14 I normally strongly recommend them, especially in tier one, 00:23:17 right, because the size of tier one is very large and 00:23:20 you might wanna split it down. 00:23:22 And finally you know where to invest. 00:23:25 If you have the knowledge of where your high value assets 00:23:29 are, and where the dependencies are, you would know where to 00:23:32 invest, your investments would not be done randomly. 00:23:36 Right? 00:23:36 A good example on that is like, 00:23:39 putting a lot of investment in end-user machines that do not 00:23:43 carry a lot of security significance, right? 00:23:48 In which case you're definitely making an investment, but 00:23:52 it's not necessarily the right investment, right? 00:23:55 We wanna be more strategic about our investments going forward 00:23:59 and make sure that they're risk-driven, 00:24:01 they're based on your knowledge of risk, 00:24:03 which is very important. 00:24:04 All right, we'll talk about that more in the strategic defense 00:24:07 afterwards at the end of this session. 00:24:11 Now, a note on Azure AD and why it is awesome.
00:24:16 >> [LAUGH] >> It is because the four 00:24:19 categories of control that apply to AD and generally any system, 00:24:25 really, are largely mitigated by the fact that Microsoft, 00:24:31 as the hoster of Azure Active Directory, 00:24:35 is taking care of them.
00:24:37 So, for example, when it comes to host control, 00:24:41 you don't have to worry about that because that's provided by 00:24:44 Microsoft, right? 00:24:45 You transfer the risk basically to Microsoft, and 00:24:48 I can definitely say that we are very capable of protecting 00:24:52 the host in Azure datacenters. 00:24:55 And the second thing is control through security dependencies. 00:24:59 Most security dependencies are on the host level, right? 00:25:03 Things like agents and things along those lines. 00:25:05 So unless you create a very fancy dependency like, 00:25:08 I don't know, creating a credential vault or something 00:25:11 along those lines, you're pretty much in very good shape, 00:25:14 because you've transferred most of the risk to the hoster, 00:25:17 which is Microsoft, right. 00:25:19 And the third category, which is directory data, I have it dotted 00:25:23 here, and the reason I have it dotted is because for 00:25:26 the most part, really, directory data's a lot simpler when it 00:25:31 comes to Azure AD than it is in on-prem, right? 00:25:34 In on-prem, normally you've inherited this environment from, 00:25:37 I don't know, the late 90s or something along those lines. 00:25:40 And multiple people have managed it, so 00:25:42 you don't know what's going on in the directory. 00:25:44 But with Azure AD, with things starting to pick up, and 00:25:47 actually, they've picked up pretty quickly, 00:25:51 things are a lot more under control, 00:25:53 you have the opportunity to start from scratch. 00:25:56 Start very clean with the data in making sure that you're 00:25:59 only making changes that are not gonna affect 00:26:02 the integrity of the whole environment. 00:26:03 So the last thing you have to worry about with that is 00:26:07 credential vector, right, which is still the most common vector 00:26:12 of attack, whether on-prem or in the cloud, right. 00:26:15 You have to invest in securing privileged access to the best 00:26:19 extent possible.
00:26:23 >> All right, well, this wraps up part one of our 00:26:26 first session. 00:26:27 In the next part of this session, 00:26:29 we're going to get to know our adversary a little bit more, 00:26:32 look at the different types of adversaries, the definitions. 00:26:36 As part of knowing myself, knowing the adversary, 00:26:40 is also a key component of protecting Active Directory.
00:26:44 >> All right.
00:26:46 >> Thank you.