00:00:05 Hi, welcome to Defending Active Directory Against Cyberattacks.

00:00:09 We're covering tactic one, adopting least privilege.


00:00:13 >> Yep, and this is the first tactic in our series of basic
00:00:18 control tactics that we wanna develop.
00:00:21 In order for us to master Active Directory security
00:00:26 with the least amount of investment possible and
00:00:29 based on the strategic defender mindset.
00:00:31 And I wanna share with you a little bit of information
00:00:34 about this weird background that I have here
00:00:38 of a cross-section through the Titanic.
00:00:40 Right, now we all know that the Titanic sunk, so
00:00:43 I'm not gonna say that everything they did was great.
00:00:46 But one thing that they did that was great was if you see those
00:00:52 lines that are a little bolder than everything else,
00:00:55 horizontal lines.
00:00:57 Those lines are actually for bulkheads that separate
00:01:01 different air compartments or air chambers within the Titanic.
00:01:07 And the purpose of this is if a breach happens,
00:01:10 a breach where water enters the Titanic,
00:01:13 water would be basically trapped into that area.
00:01:20 And it does not have the opportunity to flow into
00:01:22 the other compartments, right?
00:01:24 And that way, the ship does not sink.
00:01:28 But due to a number of unfortunate circumstances
00:01:32 things went wrong on a bunch of other ends and they did sink.
00:01:35 >> All right, so
00:01:36 containment is a big part of what we're talking about here.
00:01:39 >> Yes. >> Right, with adopting least
00:01:41 privilege and how we can help contain any bad incident like
00:01:45 that within our environment.
00:01:48 >> Yeah, the smaller the scope of access a set of credentials
00:01:51 has, the more likely it is that if they're compromised,
00:01:56 they will have a much smaller level of access to the network.
00:02:02 >> Right, so in this module, in the second module,
00:02:06 we have two parts here.
00:02:08 The first part is Understanding tier-0 and this is a critical
00:02:12 component in being able to adopt least privilege.
00:02:14 Because we have to know what is tier-0 and
00:02:17 what privileges are contained within tier-0.
00:02:19 To be able to reduce privileges or
00:02:22 reduce the number of accounts where possible.
00:02:25 And a second part which we'll cover in the next episode
00:02:28 is minimizing privilege.
00:02:30 How do we minimize privilege based on
00:02:33 the tier-0 that we define here in this part.
00:02:40 >> All right, so let's talk about tier-0.
00:02:42 So we brought this up earlier, right?
00:02:44 We talked a little bit about tier-0, specifically in this
00:02:48 pyramid looking, I guess that's the symbol of the forest.
00:02:54 Pyramid looking shape, where we
00:02:56 broke down the components of the network into three tiers.
00:03:00 And the top most one having the AD service and
00:03:04 its dependencies past tier-0.
00:03:07 Now in this case,
00:03:10 this is just a review of what we spoke about earlier.
00:03:12 Tier-0 is the control tier or
00:03:15 global access, we call it and then you have data and
00:03:18 services in tier-1 and then you have access in tier-2.
00:03:22 This is a review so far.
00:03:24 So let's dive a little deeper into what makes up tier-0.
00:03:31 So here's an analogy, the human body.
00:03:34 You have all these different body parts or
00:03:36 peripherals that control certain functions, right?
00:03:40 So you have the eyes that control sight and so on.
00:03:44 And then you have the brain,
00:03:47 which is the most major part of the central nervous system,
00:03:50 that controls all of these parts, right?
00:03:52 So controlling your brain will help you control at least
00:03:56 the voluntary stuff on the network, right, or in the body.
00:04:01 And same thing goes on the network.
00:04:03 You have all these different management functions that use
00:04:08 AD data, such as users or groups to control access.
00:04:13 And those AD functions, those functions based on AD data
00:04:17 control different parts of the organization.
00:04:20 So we have accounting, HR, legal, IT, PR,
00:04:23 the public relations basically and sales.
00:04:26 Those are different functions in the organization.
00:04:28 And then you have the AD service which controls all the data
00:04:33 that basically makes up the business.
00:04:35 So this is an analogy between the human body and
00:04:38 what tier-0 is, it's basically the AD service and
00:04:42 anything back and control it.
00:04:44 >> One distinction I wanna make here is when we're
00:04:47 talking about tier-0, we're talking about control, right?
00:04:50 And not necessarily the different types of data,
00:04:52 the accounting data, the HR data, the legal data and so
00:04:54 on within the environment. >> Yes, the data itself within
00:04:59 an Active Directory is likely to be tier-1 or
00:05:03 tier-2 assets, right?
00:05:06 And what it is is control over
00:05:11 a subset of the environment, but not the entire environment.
00:05:14 Not the Active Directory service itself.
00:05:17 This is the differentiation between the service and
00:05:19 the data, the service controls all the data.
00:05:22 >> So with that information, is it also
00:05:27 important to limit the size of tier-0, when defining tier-0?
00:05:31 The same way we're talking about limiting privileges for
00:05:33 different accounts?
00:05:34 >> Yep, absolutely right.
00:05:36 The tighter the circle of tier-0 objects is,
00:05:41 the more likely you are to be able to harden it and
00:05:45 to understand what it's made up of, right?
00:05:48 You wanna keep that attack surface to the minimum and
00:05:51 then start to harden it.
00:05:52 >> Okay.
00:05:56 >> So what makes up tier-0, right?
00:05:59 Principals that control the AD service either directly or
00:06:04 indirectly, so let's analyze that a little.
00:06:07 Principals, they can be user objects,
00:06:11 security objects, servers or workstations.
00:06:15 Can be anything basically, right?
00:06:17 In terms of control, what does it mean when something controls?
00:06:21 If we translate that,
00:06:22 if we project it on Active Directory, what does it mean?
00:06:25 It's when you have a permission to do things like taking
00:06:27 ownership of an object.
00:06:29 Changing the ACLs, the Access Control Lists on the object.
00:06:33 In which way you can grant yourself any permission.
00:06:36 Read secrets, that way you can impersonate the object,
00:06:40 that's not an official, I guess, right in Active Directory.
00:06:44 But it's just a way of saying if you can impersonate an object,
00:06:48 you can control it.
00:06:50 And full write.
00:06:52 Basically if you can write to any area of the object,
00:06:55 any attribute including its secret, then you can control it.
00:07:00 And what defines the AD service, its DCs,
00:07:03 domain controllers basically, privileged groups.
00:07:06 Certain GPOs that have control over tier-0 objects such as
00:07:10 domain controllers if you can manipulate those.
00:07:12 Basically by inheritance you can manipulate domain controllers
00:07:16 and therefore the service.
00:07:17 The configuration partition, that's another example,
00:07:20 NTDS.DIT is a prime example.
00:07:24 It's a file, it's a database sitting on domain controllers,
00:07:27 that I'm pretty sure a lot of our audience know about this.
00:07:31 This is the database that holds all the data in
00:07:33 Active Directory.
00:07:37 So some examples of tier-0 components are Domain Admins
00:07:41 group, any members of the Backup Operators group.
00:07:45 And the reason for that is they can back up domain controllers
00:07:48 and therefore they can steal secrets.
00:07:50 And they can restore to domain controllers,
00:07:52 their own version of the domain controller.
00:07:54 The domain controller itself, a virtualization host
00:07:57 running the domain controller, right?
00:07:59 Because the host, well, for the most part,
00:08:03 the host owns everything that goes on top of it.
00:08:06 Including the disk space and
00:08:08 the memory space that the virtual machine runs in.
00:08:11 A Config Manager server managing a DC,
00:08:14 because it has an agent on the domain controller.
00:08:18 It means it can push commands to it and therefore control it, so
00:08:21 those are some of the examples of tier-0.
00:08:25 So, Napoleon Bonaparte here, he says fire must be
00:08:30 concentrated on one point and as soon as the breach is made,
00:08:34 the equilibrium is broken and the rest is nothing.
00:08:37 And this is exactly applicable to tier-0, right?
00:08:41 This is that point in the network where if control is
00:08:44 broken, the control for the rest of
00:08:47 the network is basically taken over by an attacker.
00:08:51 >> That's Active Directory.
00:08:54 >> Yes.
00:08:57 All right, so what does securing AD consist of?
00:09:01 First of all, ensuring that the size of tier-0 is kept
00:09:04 to a minimum and this is a point we spoke about earlier.
00:09:07 You do this by minimizing the members of tier-0 groups and
00:09:11 we'll talk about those in detail.
00:09:13 You wanna minimize security dependencies as we mentioned
00:09:16 earlier and will mention in future episodes.
00:09:20 You wanna remove unnecessary Access Control Entries in AD.
00:09:24 If you have certain sensitive objects where you've given them
00:09:27 very wide access to certain principals
00:09:30 you wanna remove that.
00:09:31 And remove any User Rights on DCs and those are just examples
00:09:35 of how we can minimize the size of tier-0.
00:09:39 The other point is effectively protecting tier-0 components.
00:09:43 So after you have minimized the surface of it,
00:09:45 you wanna protect whatever's left at tier-0, right?
00:09:49 And you do this, some examples of how you can do this
00:09:51 is protecting tier-0 groups against credential theft.
00:09:55 This is the upcoming episode following this one,
00:09:58 basically securing privileged access.
00:10:00 Hardening domain controllers, right?
00:10:03 And hardening domain security requirements.
00:10:05 Those are all components of tier-0 and
00:10:08 if you are able to secure them.
00:10:10 Well, then chances are, after you have minimized tier-0,
00:10:12 then chances are you can protect the AD service and tier-0.
00:10:15 >> So let's actually talk about maybe both of these items
00:10:18 a little bit more.
00:10:19 So the first one is ensuring that the size of tier-0
00:10:21 is kept to a minimum.
00:10:23 In your experience with your customers, what do you think is
00:10:26 the biggest challenge in keeping that size down to a minimum?
00:10:30 >> Right, so in many cases, we see
00:10:35 customers have a very large number of people in tier-0.
00:10:39 Including domain admins,
00:10:40 enterprise admins, built-in administrators and more.
00:10:44 And the challenge is you find a lot of members in these
00:10:49 groups whose owners are either not identified or
00:10:54 I guess irresponsive.
00:10:56 Or are not sure about the requirements of their
00:10:58 application, right, so they would have to contact the vendor
00:11:01 first and come back to them.
00:11:03 So there are some low-hanging fruits and
00:11:06 there's some I guess details that
00:11:09 we'll have published at the end of the series.
00:11:12 On what you can do in order to minimize the size of tier-0.
00:11:15 And a very important point to mention here is that the size of
00:11:18 tier-0 is mainly governed by membership in privileged groups,
00:11:21 but this is not the only decisive factor.
00:11:25 The more I guess sophisticated factors that govern the size of
00:11:29 tier-0 are harder to find, they need specific techniques.
00:11:33 And normally this is something we perform as
00:11:36 part of the advanced directory service hardening
00:11:39 offering that we have in the cybersecurity team.
00:11:42 We write tools that find those little items.
00:11:45 Such as for example, who has control over a certain set of
00:11:48 directory objects and what type of control.
00:11:51 And then who has certain rights on domain controllers and
00:11:55 things along those lines.
00:11:57 You can check all of these things manually as well.
00:12:00 But in order to do them on a large scale, this is what we
00:12:04 provide in advanced directory service hardening.
00:12:06 >> So it sounds like there is some associated cost with
00:12:09 taking these steps, right?
00:12:11 Whether identifying what your tier-0 is and
00:12:13 taking this up to reduce it.
00:12:15 What we're covering here is the benefit associated with that or
00:12:19 outweighs the cost.
00:12:21 >> Yes, absolutely.
00:12:22 Far outweighs the cost,
00:12:24 because what's at stake here is your entire organization.
00:12:27 When it comes to tier-0, it can control everything else.
00:12:30 So definitely outweighs the cost,
00:12:32 definitely an exercise worth taking.
00:12:34 >> Okay.
00:12:39 >> So it is very important that you consider all of tier-0
00:12:43 components to be equally powerful and treat them as such.
00:12:47 So if anything besides a domain controller is a tier-0
00:12:51 component, then you wanna secure it to the same extent
00:12:54 as the domain controller, right?
00:12:56 You don't wanna leave it hanging because it will
00:12:59 be able to control the domain controller no matter how much
00:13:03 you harden the DC itself.
00:13:07 So those are some of the examples
00:13:10 of AD Service Management tasks.
00:13:12 Backing up a DC, managing trusts,
00:13:16 managing the schema, managing domain controller GPOs,
00:13:20 patching domain controllers and managing sites.
00:13:23 However, those same activities,
00:13:27 management activities, if they fall in the wrong actor's hands,
00:13:32 they can be escalation of privilege factors.
00:13:34 So in backing up the DC, you can steal the NTDS.DIT,
00:13:37 they hack the directory database and exfiltrate all the secrets.
00:13:42 When it comes to managing trusts,
00:13:43 you can set the trust configuration to a low level.
00:13:47 Where well, to a low security level where
00:13:49 SID history attacks become very possible.
00:13:52 And you can basically own the domain based on that or
00:13:55 the forest.
00:13:56 Managing schema,
00:13:57 you can change the default security descriptors.
00:13:59 And if you do that,
00:14:01 then anything anyone creates is under your control because
00:14:04 you're defining the security descriptors.
00:14:07 Managing DC GPOs, you can deploy malware through GPOs or
00:14:12 change the user rights assignments or privileges.
00:14:15 Patching DCs,
00:14:16 you can disguise legitimate tools as updates when patching.
00:14:20 Especially if you control an upstream software update server,
00:14:25 there are some good demos on that on the Internet.
00:14:29 Managing sites, basically
00:14:32 if you're able to fully control a site and link a GPO to it.
00:14:36 You can link a GPO of your choice and have it affect
00:14:40 the entire site no matter how many domains it affects.
00:14:43 So those are some examples of escalation of privilege based on
00:14:46 AD Service Management.
00:14:48 >> Right, great.
00:14:50 So what you just covered is a lot of the risk associated
00:14:53 within the tier-0 environment, right?
00:14:55 Highlighting the importance of why you wanna reduce it,
00:14:58 why you wanna protect it.
00:14:59 In the next part of this module,
00:15:01 we are covering reducing privileged accounts.
00:15:04 We'll go through some guiding principles on how to best do
00:15:08 that, some of the processes involved with doing that.
00:15:11 And help equip you and your organization
00:15:15 with being able to take the information provided there.
00:15:18 Take some scripts and
00:15:20 other guidance back to your organization to use.
00:15:24 >> Thank you very much.