00:00:05 Hi, welcome to Defending Active Directory Against Cyberattacks.
00:00:09 We're covering tactic one, adopting least privilege.
00:00:13 >> Yep, and this is the first tactic in our series of basic
00:00:18 control tactics that we wanna develop.
00:00:21 In order for us to master Active Directory security
00:00:26 with the least amount of investment possible and
00:00:29 based on the strategic defender mindset.
00:00:31 And I wanna share with you a little bit of information
00:00:34 about this weird background that I have here
00:00:38 of a cross-section through the Titanic.
00:00:40 Right, now we all know that the Titanic sunk, so
00:00:43 I'm not gonna say that everything they did was great.
00:00:46 But one thing that they did that was great was if you see those
00:00:52 lines that are a little bolder than everything else,
00:00:55 horizontal lines.
00:00:57 Those lines are actually for bulkheads that separate
00:01:01 different air compartments or air chambers within the Titanic.
00:01:07 And the purpose of this is if a breach happens,
00:01:10 a breach where water enters the Titanic,
00:01:13 water would be basically trapped into that area.
00:01:20 And it does not have the opportunity to flow into
00:01:22 the other compartments, right?
00:01:24 And that way, the ship does not sink.
00:01:28 But due to a number of unfortunate circumstances
00:01:32 things went wrong on a bunch of other ends and they did sink.
00:01:35 >> All right, so
00:01:36 containment is a big part of what we're talking about here.
00:01:39 >> Yes.
>> Right, with adopting least
00:01:41 privilege and how we can help contain any bad incident like
00:01:45 that within our environment.
00:01:48 >> Yeah, the smaller the scope of access a set of credentials
00:01:51 has, the more likely it is that, if they're compromised,
00:01:56 they will have a much smaller level of access to the network.
00:02:02 >> Right, so in this module, in the second module,
00:02:06 we have two parts here.
00:02:08 The first part is Understanding tier-0 and this is a critical
00:02:12 component in being able to adopt least privilege.
00:02:14 Because we have to know what is tier-0 and
00:02:17 what privileges are contained within tier-0.
00:02:19 To be able to reduce privileges or
00:02:22 reduce the number of accounts where possible.
00:02:25 And a second part which we'll cover in the next episode
00:02:28 is minimizing privilege.
00:02:30 How do we minimize privilege based on
00:02:33 the tier-0 that we define here in this part.
00:02:40 >> All right, so let's talk about tier-0.
00:02:42 So we brought this up earlier, right?
00:02:44 We talked a little bit about tier-0, specifically in this
00:02:48 pyramid looking, I guess that's the symbol of the forest.
00:02:54 Pyramid looking shape, where we
00:02:56 broke down the components of the network into three tiers.
00:03:00 And the top most one having the AD service and
00:03:04 its dependencies past tier-0.
00:03:07 Now in this case,
00:03:10 this is just a review of what we spoke about earlier.
00:03:12 Tier-0 is the control tier or
00:03:15 global access, we call it and then you have data and
00:03:18 services in tier-1 and then you have access in tier-2.
00:03:22 This is a review so far.
00:03:24 So let's dive a little deeper into what makes up tier-0.
00:03:31 So here's an analogy, the human body.
00:03:34 You have all these different body parts or
00:03:36 peripherals that control certain functions, right?
00:03:40 So you have the eyes that control sight and so on.
00:03:44 And then you have the brain,
00:03:47 which is the most major part of the central nervous system,
00:03:50 that controls all of these parts, right?
00:03:52 So controlling your brain will help you control at least
00:03:56 the voluntary stuff on the network, right, or in the body.
00:04:01 And same thing goes on the network.
00:04:03 You have all these different management functions that use
00:04:08 AD data, such as users or groups to control access.
00:04:13 And those AD functions, those functions based on AD data
00:04:17 control different parts of the organization.
00:04:20 So we have accounting, HR, legal, IT, PR,
00:04:23 the public relations basically and sales.
00:04:26 Those are different functions in the organization.
00:04:28 And then you have the AD service which controls all the data
00:04:33 that basically makes up the business.
00:04:35 So this is an analogy between the human body and
00:04:38 what tier-0 is, it's basically the AD service and
00:04:42 anything back and control it.
00:04:44 >> One distinction I wanna make here is when we're
00:04:47 talking about tier-0, we're talking about control, right?
00:04:50 And not necessarily the different types of data,
00:04:52 the accounting data, the HR data, the legal data and so
00:04:54 on within the environment.
>> Yes, the data itself with
00:04:59 an Active Directory is likely to be tier-1 or
00:05:03 tier-2 assets, right?
00:05:06 And what it is is control over
00:05:11 a subset of the environment, but not the entire environment.
00:05:14 Not the Active Directory service itself.
00:05:17 This is the differentiation between the service and
00:05:19 the data, the service controls all the data.
00:05:22 >> So with that information, is it also
00:05:27 important to limit the size of tier-0, one defining tier-0?
00:05:31 The same way we're talking about limiting privileges for
00:05:33 different accounts?
00:05:34 >> Yep, absolutely right.
00:05:36 The tighter the circle of tier-0 objects is,
00:05:41 the more likely you are to be able to harden it and
00:05:45 to understand what it's made up of, right?
00:05:48 You wanna keep that attack surface to the minimum and
00:05:51 then start to harden it.
00:05:52 >> Okay.
00:05:56 >> So what makes up tier-0, right?
00:05:59 Principals that control the AD service either directly or
00:06:04 indirectly, so let's analyze that a little.
00:06:07 Principals, they can be user objects,
00:06:11 security objects, servers or workstations.
00:06:15 Can be anything basically, right?
00:06:17 In terms of control, what does it mean when something controls?
00:06:21 If we translate that,
00:06:22 if we project it on Active Directory, what does it mean?
00:06:25 It's when you have a permission to do things like taking
00:06:27 ownership of an object.
00:06:29 Changing the ACLs, the Access Control Lists on the object.
00:06:33 In which way you can grant yourself any permission.
00:06:36 Read secrets, that way you can impersonate the object,
00:06:40 that's not an official, I guess, right in Active Directory.
00:06:44 But it's just a way of saying if you can impersonate an object,
00:06:48 you can control it.
00:06:50 And full write.
00:06:52 Basically if you can write to any area of the object,
00:06:55 any attribute including its secret, then you can control it.
00:07:00 And what defines the AD service, its DCs,
00:07:03 domain controllers basically, privileged groups.
00:07:06 Certain GPOs that have control over tier-0 objects such as
00:07:10 domain controllers if you can manipulate those.
00:07:12 Basically by inheritance you can manipulate domain controllers
00:07:16 and therefore the service.
00:07:17 The configuration partition, that's another example,
00:07:20 NTDS.DIT is a prime example.
00:07:24 It's a file, it's a database sitting on domain controllers,
00:07:27 that I'm pretty sure a lot of our audience know about this.
00:07:31 This is the database that holds all the data in
00:07:33 Active Directory.
00:07:37 So some examples of tier-0 components are Domain Admins
00:07:41 group, any members of the Backup Operators group.
00:07:45 And the reason for that is they can back up domain controllers
00:07:48 and therefore they can steal secrets.
00:07:50 And they can restore to domain controllers,
00:07:52 their own version of the domain controller.
00:07:54 The domain controller itself or a virtualization host
00:07:57 running the domain controller, right?
00:07:59 Because the host, well, for the most part,
00:08:03 the host owns everything that goes on top of it.
00:08:06 Including the disk space and
00:08:08 the memory space that the virtual machine runs in.
00:08:11 A Config Manager server managing a DC,
00:08:14 because it has an agent on the domain controller.
00:08:18 It means it can push commands to it and therefore control it, so
00:08:21 those are some of the examples of tier-0.
00:08:25 So, Napoleon Bonaparte here, he says fire must be
00:08:30 concentrated on one point and as soon as the breach is made,
00:08:34 the equilibrium is broken and the rest is nothing.
00:08:37 And this is exactly applicable to tier-0, right?
00:08:41 This is that point in the network where if control is
00:08:44 broken, the control for the rest of
00:08:47 the network is basically taken over by an attacker.
00:08:51 >> That's Active Directory.
00:08:54 >> Yes.
00:08:57 All right, so what does securing AD consist of?
00:09:01 First of all, ensuring that the size of tier-0 is kept
00:09:04 to a minimum and this is a point we spoke about earlier.
00:09:07 You do this by minimizing the members of tier-0 groups and
00:09:11 we'll talk about those in detail.
00:09:13 You wanna minimize security dependencies as we mentioned
00:09:16 earlier and will mention in future episodes.
00:09:20 You wanna remove unnecessary Access Control Entries in AD.
00:09:24 If you have certain sensitive objects where you've given them
00:09:27 very wide access to certain principals
00:09:30 you wanna remove that.
00:09:31 And remove any User Rights on DCs and those are just examples
00:09:35 of how we can minimize the size of tier-0.
00:09:39 The other point is effectively protecting tier-0 components.
00:09:43 So after you have minimized the surface of it,
00:09:45 you wanna protect whatever's left at tier-0, right?
00:09:49 And you do this, on some examples of how you can do this
00:09:51 is protecting tier-0 groups against credential theft.
00:09:55 This is the upcoming episode following this one,
00:09:58 basically securing privileged access.
00:10:00 Hardening domain controllers, right?
00:10:03 And hardening domain security requirements.
00:10:05 Those are all components of tier-0 and
00:10:08 if you are able to secure them.
00:10:10 Well, then chances are, after you have minimized tier-0,
00:10:12 then chances are you can protect the AD service and tier-0.
00:10:15 >> So let's actually talk about maybe both of these items
00:10:18 a little bit more.
00:10:19 So the first one is ensuring that the size of tier-0
00:10:21 is kept to a minimum.
00:10:23 In your experience with your customers, what do you think is
00:10:26 the biggest challenge in keeping that size down to a minimum?
00:10:30 >> Right, so in many cases, we see
00:10:35 customers have a very large number of people in tier-0.
00:10:39 Including domain admins,
00:10:40 enterprise admins, built-in administrators and more.
00:10:44 And the challenge is you find a lot of members in these
00:10:49 groups whose owners are either not identified or
00:10:54 I guess irresponsive.
00:10:56 Or are not sure about the requirements of their
00:10:58 application, right, so they would have to contact the vendor
00:11:01 first and come back to them.
00:11:03 So there are some low-hanging fruits and
00:11:06 there's some I guess details that
00:11:09 we'll have published at the end of the series.
00:11:12 On what you can do in order to minimize the size of tier-0.
00:11:15 And a very important point to mention here is that the size of
00:11:18 tier-0 is mainly governed by membership in privileged groups,
00:11:21 but this is not the only decisive factor.
00:11:25 The more I guess sophisticated factors that govern the size of
00:11:29 tier-0 are harder to find, they need specific techniques.
00:11:33 And normally this is something we perform as
00:11:36 part of the advanced directory service hardening
00:11:39 offering that we have in the cybersecurity team.
00:11:42 We write tools that find those little items.
00:11:45 Such as for example, who has control over a certain set of
00:11:48 directory objects and what type of control.
00:11:51 And then who has certain rights on domain controllers and
00:11:55 things along those lines.
00:11:57 You can check all of these things manually as well.
00:12:00 But in order to do them on a large scale, this is what we
00:12:04 provide in advanced directory service hardening.
00:12:06 >> So it sounds like there is some associated cost with
00:12:09 taking these steps, right?
00:12:11 Whether identifying what your tier-0 is and
00:12:13 taking this up to reduce it.
00:12:15 What we're covering here is the benefit associated with that or
00:12:19 outweighs the cost.
00:12:21 >> Yes, absolutely.
00:12:22 Far outweighs the cost,
00:12:24 because what's at stake here is your entire organization.
00:12:27 When it comes to tier-0, it can control everything else.
00:12:30 So definitely outweighs the cost,
00:12:32 definitely an exercise worth taking.
00:12:34 >> Okay.
00:12:39 >> So it is very important that you consider all of tier-0
00:12:43 components to be equally powerful and treat them as such.
00:12:47 So if anything besides a domain controller is a tier-0
00:12:51 component, then you wanna secure it to the same extent
00:12:54 as the domain controller, right?
00:12:56 You don't wanna leave it hanging because it will
00:12:59 be able to control the domain controller no matter how much
00:13:03 you harden the DC itself.
00:13:07 So those are some of the examples
00:13:10 of AD Service Management tasks.
00:13:12 Backing up a DC, managing trusts,
00:13:16 managing the schema, managing domain controller GPOs,
00:13:20 patching domain controllers and managing sites.
00:13:23 However, those same activities,
00:13:27 management activities, if they fall in the wrong actor's hands,
00:13:32 they can be escalation of privilege factors.
00:13:34 So in backing up the DC, you can steal the NTDS.DIT,
00:13:37 they hack the directory database and exfiltrate all the secrets.
00:13:42 When it comes to managing trusts,
00:13:43 you can set the trust configuration to a low level.
00:13:47 Where well, to a low security level where
00:13:49 SID history attacks become very possible.
00:13:52 And you can basically own the domain based on that or
00:13:55 the forest.
00:13:56 Managing schema,
00:13:57 you can change the default security descriptors.
00:13:59 And if you do that,
00:14:01 then anything anyone creates is under your control because
00:14:04 you're defining the security descriptors.
00:14:07 Managing DC GPOs, you can deploy malware through GPOs or
00:14:12 change the user rights assignments or privileges.
00:14:15 Patching DCs,
00:14:16 you can disguise legitimate tools as updates when patching.
00:14:20 Especially if you control an upstream software update server,
00:14:25 there are some good demos on that on the Internet.
00:14:29 Managing sites, basically
00:14:32 if you're able to fully control a site and link a GPO to it.
00:14:36 You can link a GPO of your choice and have it affect
00:14:40 the entire site no matter how many domains it affects.
00:14:43 So those are some examples of privilege escalation based on
00:14:46 AD Service Management.
00:14:48 >> Right, great.
00:14:50 So what you just covered is a lot of the risk associated
00:14:53 within the tier-0 environment, right?
00:14:55 Highlighting the importance of why you wanna reduce it,
00:14:58 why you wanna protect it.
00:14:59 In the next part of this module,
00:15:01 we are covering reducing privileged accounts.
00:15:04 We'll go through some guiding principles on how to best do
00:15:08 that, some of the processes involved with doing that.
00:15:11 And help equip you and your organization
00:15:15 with being able to take the information provided there.
00:15:18 Take some scripts and
00:15:20 other guidance back to your organization to use.
00:15:24 >> Thank you very much.