BloodHound Enterprise Preview FAQ

Mar 26 2021
By: Justin Kohler • 5 min read

Note: This post was originally posted back in March of 2021. For the most up-to-date information on BloodHound Enterprise, please visit https://bloodhoundenterprise.io.

We recently held a preview event for BloodHound Enterprise and had a ton of questions both during the event and through various other sources. We wanted to answer the first round of questions and will continue to do so as we approach our release this summer.

If you missed the webinar, you can still check it out here and if you’re interested in getting direct updates on BloodHound Enterprise, you can sign up here.

Product Use

Q: How is the Tiering model defined in BloodHound Enterprise (BHE)?

BHE mirrors the same default list of principals as defined by Microsoft while supporting custom additions. At a minimum, BHE automatically classifies Domain Controllers, Domain Admins, Enterprise Admins, GPOs that apply to Tier Zero objects, and the Domain head object as Tier Zero. We work with clients during the onboarding process to identify other Tier Zero objects.

An easy example of this would be the hypervisor that hosts virtual Domain Controllers. If you compromise the hypervisor, you effectively have physical access to the virtual machine, so those hosts are typically included as well.
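As an added illustration of the default rule above (this is not BloodHound Enterprise code), the following classifier tags the domain head, domain controllers, the default admin groups and any custom additions as Tier Zero, then derives Tier Zero GPOs as those applied to a Tier Zero object. The inventory is constructed, and the `is_dc` flag and `applies_to` list are assumptions about how such data might be represented.

```python
"""Tier Zero classification following the default rule in the FAQ answer.

Added example, not BloodHound Enterprise code. The inventory below is
constructed; representing domain controllers with an 'is_dc' flag and GPO
links with an 'applies_to' list is an assumption for this illustration.
"""
from typing import Dict, Set

# Constructed inventory: object name -> {"type": ..., type-specific attributes}.
INVENTORY: Dict[str, dict] = {
    "CORP.LOCAL":                   {"type": "Domain"},                    # domain head
    "DC01.CORP.LOCAL":              {"type": "Computer", "is_dc": True},
    "WS01.CORP.LOCAL":              {"type": "Computer", "is_dc": False},
    "ESXI01.CORP.LOCAL":            {"type": "Computer", "is_dc": False},  # hosts virtual DCs
    "DOMAIN ADMINS@CORP.LOCAL":     {"type": "Group"},
    "ENTERPRISE ADMINS@CORP.LOCAL": {"type": "Group"},
    "HELPDESK@CORP.LOCAL":          {"type": "Group"},
    # GPOs listed with the objects they are linked to / applied to.
    "DEFAULT DC POLICY":            {"type": "GPO", "applies_to": ["DC01.CORP.LOCAL"]},
    "WALLPAPER POLICY":             {"type": "GPO", "applies_to": ["WS01.CORP.LOCAL"]},
    "DOMAIN BASELINE":              {"type": "GPO", "applies_to": ["CORP.LOCAL"]},
}

# Default Tier Zero groups named in the answer (compared without the @domain suffix).
DEFAULT_TIER_ZERO_GROUPS = {"DOMAIN ADMINS", "ENTERPRISE ADMINS"}


def classify_tier_zero(inventory: Dict[str, dict], custom: Set[str] = frozenset()) -> Set[str]:
    """Return the names of all Tier Zero objects in the inventory.

    Seeds: domain head, domain controllers, default admin groups and custom
    additions (e.g. the hypervisor). Then every GPO applied to a seed object
    is Tier Zero too, since control of that GPO means control of the seed.
    """
    tier_zero: Set[str] = set(custom)
    for name, obj in inventory.items():
        kind = obj["type"]
        if kind == "Domain":
            tier_zero.add(name)
        elif kind == "Computer" and obj.get("is_dc"):
            tier_zero.add(name)
        elif kind == "Group" and name.split("@")[0] in DEFAULT_TIER_ZERO_GROUPS:
            tier_zero.add(name)
    # GPO derivation runs after seeding so it sees custom additions as well.
    for name, obj in inventory.items():
        if obj["type"] == "GPO" and any(t in tier_zero for t in obj.get("applies_to", [])):
            tier_zero.add(name)
    return tier_zero
```

Passing `{"ESXI01.CORP.LOCAL"}` as `custom` reproduces the hypervisor case from the answer.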

Q: Is it possible to define other custom groups in case one wants to check if some object (or group of objects) has any attack paths leading to it?

Yes, BHE supports custom asset groups whether those groups represent internal business segments or a regulated set of systems such as PCI/HIPAA environments.

Q: Will there be an API to programmatically query? And will it be able to surface newly discovered weaknesses?

Yes, BHE is an API-first product, which means anything you’d be able to do in the UI will be doable via the API. Examples include entity information, pathfinding, and risks. Further, the API can be used to pull that data into a SIEM or other products to identify new Attack Paths within the environment.

Q: Given this is a SaaS service, where is data hosted?

BloodHound Enterprise is hosted in AWS within the United States.

Q: Do you support SAML for user authentication?

Yes.

Q: Does BHE still allow users to create custom cypher queries and store these?

Yes, all the functionality from BloodHound is in BloodHound Enterprise, but redesigned and rethought for managing Attack Paths at scale. The exceptions to this are features in the open-source project that don’t make sense in Enterprise (e.g. stealth data collection).

Pricing

Q: Any idea on pricing / licensing model? By user, by domain, etc? What about partners?

Yes, the pricing is based on the size of the environment that BloodHound Enterprise is monitoring for customers. This is calculated by total employees/contractors at the organization.

We have begun discussions with partners and can work through various models depending on the partner and their engagement types.

Data Collection

Y’all asked a lot of questions on data collection. Before hopping into individual questions, it’s helpful to establish that, beyond some of the data elements that are collected, BloodHound Enterprise and BloodHound open-source are completely different in terms of designed use case, functionality, and codebase. This applies to the data collection process, which has been completely rethought and rewritten.

BloodHound Enterprise supports several different data collection methods:

  • Active data collection from a new enterprise version of SharpHound. Multiple SharpHound collectors can now be deployed to get coverage over separate locations (e.g. subsidiaries).
  • Bulk uploads of data from an external source
  • Streaming data ingestion from an internal data source (a SIEM or some other data aggregator)

Q: What sort of access does BHE require?

At minimum, BloodHound Enterprise requires a SharpHound data collector to be installed on a domain-joined Windows host.

Coverage on user session data and local group data requires an Active Directory User Account with Administrator rights on computers in scope.

Q: Can the collection of data be scheduled?

Yes, BloodHound Enterprise is designed to collect data continuously and the schedule is customizable.

Q: Are you going to build similar attack path modelling for AWS and GCP?

BloodHound Enterprise is focused on Active Directory Attack Paths at this time.

Q: Will BloodHound Enterprise support Azure AD as well?

SpecterOps hopes to provide more information around Azure in BloodHound Enterprise before launch; stay tuned.

Q: If the data collection is automated, is there a notification channel API for diff/changes?

Short Answer: Yes.

Longer Answer: Our assumption is that you’re interested in both 1) what has changed in the underlying data, and 2) new potential risks that have popped up in the environment (example: ensuring you immediately see the addition of the Domain Users group to the local Administrators group on a host). Both will be answered by BloodHound Enterprise.

BHE measures every data point ingested to provide views across any AD object changes. More importantly, BHE does this to show the coverage of user session or local group data across all active hosts within the environment.

Risks are analyzed as data is ingested, so your team can trust that the risk view will always reflect the current risks based on the data ingested. Risks are also viewable on a timeline to show, for example, which specific change caused a recent increase in a risk rating.
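To make the "diff/changes" idea concrete, here is an added example (not BloodHound Enterprise code) that compares two local-group collections and flags the case the answer uses, a broad principal such as Domain Users appearing in a host's local Administrators group. The snapshot format (host to set of members), the two snapshots and the list of broad principals are constructed assumptions.

```python
"""Diff two local Administrators collections and surface new risks.

Added example, not BloodHound Enterprise code. The snapshot layout
(host -> members of the local Administrators group), the sample data and
the BROAD_PRINCIPALS list are constructed assumptions for this illustration.
"""
from typing import Dict, List, Set, Tuple

# Principals that stand for a very large population; a new addition of one of
# these to local Administrators hands admin rights to most of the domain.
BROAD_PRINCIPALS = {"DOMAIN USERS", "AUTHENTICATED USERS", "EVERYONE", "DOMAIN COMPUTERS"}

Snapshot = Dict[str, Set[str]]  # host -> members of the local Administrators group

# Constructed snapshots: a baseline collection and a later one.
BASELINE: Snapshot = {
    "WS01.CORP.LOCAL":  {"DOMAIN ADMINS@CORP.LOCAL", "LOCALADMIN"},
    "SRV01.CORP.LOCAL": {"DOMAIN ADMINS@CORP.LOCAL", "SRV-OPS@CORP.LOCAL"},
}
LATEST: Snapshot = {
    "WS01.CORP.LOCAL":  {"DOMAIN ADMINS@CORP.LOCAL", "LOCALADMIN", "DOMAIN USERS@CORP.LOCAL"},
    "SRV01.CORP.LOCAL": {"DOMAIN ADMINS@CORP.LOCAL", "JSMITH@CORP.LOCAL"},
    "SRV02.CORP.LOCAL": {"DOMAIN ADMINS@CORP.LOCAL"},  # host collected for the first time
}

Finding = Tuple[str, str, str, str]  # (host, change, principal, severity)


def diff_local_admins(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Return one finding per membership delta between two collections.

    change is 'added' or 'removed'. severity is 'high' when a broad principal
    is added (the Domain Users -> local Administrators case) and 'info'
    otherwise. A host seen for the first time reports all its members as
    added, so newly covered hosts and real changes are both visible.
    """
    findings: List[Finding] = []
    for host in sorted(set(before) | set(after)):
        old, new = before.get(host, set()), after.get(host, set())
        for principal in sorted(new - old):
            severity = "high" if principal.split("@")[0] in BROAD_PRINCIPALS else "info"
            findings.append((host, "added", principal, severity))
        for principal in sorted(old - new):
            findings.append((host, "removed", principal, "info"))
    return findings


def high_risk(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Just the (host, principal) pairs that warrant an immediate notification."""
    return [(host, principal) for host, _, principal, sev in findings if sev == "high"]
```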

Other

Q: When are BloodHound Enterprise T-Shirts or Stickers available?

Clearly not soon enough. We’re on it! 😉

Q: Is there a way for partners to benefit from this product?

Absolutely, SpecterOps would be happy to meet with partners who wish to discuss how they can bring BloodHound Enterprise to their customers.

That’s it for now. Sign up to receive direct updates if you’re interested in learning more as we approach launch.