Mar 3 2022 | Justin Kohler

Attack Path Management Pillars: Part 3 — Safe AD Security Remediation Guidance


Attack Path Management Pillars: Part 3 —Practical AD Security Remediation Guidance

Historically, Identity Attack Paths are a double edge sword; remediation efforts can easily break production applications or create more Attack Paths. Unfortunately, fixing the problem can pose just as much risk to the organization (as the adversaries’ abuse of the Attack Paths).

Fortunately, Attack Path Management (APM) eliminates the dilemma. Not only does APM continuously map every Identity Attack Path and determine critical Choke Points (Part 1), prioritize those Choke Points by empirical Exposure scores (Part 2), but also eliminates the risk of removing Attack Paths.

In the final blog of our 3-part series to help organizations eliminate Identity Attack Paths such that it’s no longer worth the adversary’s effort to try to enumerate or execute Attack Paths in that organization’s network we share how APM delivers practical, precise, and safe remediation guidance that organizations can easily implement.

APM: Practical, Precise, and Safe

Practical, Precise, and Safe aren’t just words to us, BloodHound Enterprise provides true value for organizations because it makes Attack Path Management a reality. Below are the guidelines we hold ourselves accountable to within BloodHound Enterprise:

Practical Remediation Guidance

  • Remediation actions should not require drastic changes to the environment’s directory services architecture
  • Remediation actions should not require the organization to migrate from one directory services platform to another
  • Remediation actions should not require expert-level knowledge to implement
  • Remediation actions should have expected outcomes, and both the remediation and the expected outcomes should be verifiable

Precise Remediation Guidance

  • Remediation actions must provide exact and complete guidance to ensure the elimination of the intended Attack Path with minimal risk of impacting critical business processes.

Safe Remediation Guidance

  • Safe remediation guidance must include instructions to administrators on how they can determine whether the privileges you will remove / alter / mitigate to eliminate an Attack Path could cause critical business processes to fail.

Remediation Guidance Detail

First and foremost, it’s important to remember that APM solutions do not ask you to mitigate every misconfiguration found within AD. Legacy AD security solutions are impractical to operationalize because you could never mitigate the thousands of issues found in most enterprises. Instead, APM solutions focus on the handful of critical Choke Points where you can remove the risk of thousands of misconfigurations with the mitigation of a few.

For those Choke Points, BloodHound Enterprise provides step-by-step remediation guidance that administrators can follow within their Active Directory Users and Computers (ADUC) management console. Below represents how BloodHound Enterprise administrators can drill down into findings and ultimately resolve issues reported by BloodHound Enterprise.

Within BloodHound Enterprise, the Attack Paths view provides quick information on every Attack Path identified by BloodHound Enterprise:

Viewing Attack Path details

This view also has a brief timeline view where BloodHound Enterprise clients can view the exposure score and impacted principals over time:

Attack Path Timeline view showing exposure.

BloodHound Enterprise clients can view or export step-by-step ADUC remediation plans (with sample screen shots within ADUC) for every Attack Path:

Recommended Remediation view

BloodHound Enterprise clients can also drill into the specific objects within Active Directory:

User selecting “Explore” on a principal within an Attack Path
User viewing the individual objects in Active Directory for detailed information
User viewing the group membership for the “Administrator” user
User viewing the local administrators for the WIN10 computer

Results and Impact of Remediation

Resolved Attack Paths are immediately reflected in BloodHound Enterprise, allowing teams to confirm successful remediation based on defensible risk metrics in Active Directory.

  • Every BloodHound Enterprise customer understands exactly how many users and computers can attack critical AD Assets through any available Attack Path at any time. Remediation activities reduce this risk exposure over time:
Tracking Tier Zero Exposure Over Time
  • Every customer also knows their changes’ exact effect and impact before starting remediation. Every Attack Path is measured based on the percentage of users and computers that can abuse it.

Wrap Up

When we introduced the world to Attack Path Management in our post “The Attack Path Manifesto” in May of 2021, we brought awareness to the most prevalent tactic used by adversaries to accomplish their mission. Since that time, the broader market has begun to take notice of the importance of AD Security and BloodHound Enterprise with coverage including:

In this three-part series, we have covered what we believe are the 3 pillars of Attack Path Management:

Whether you choose to utilize BloodHound Enterprise or utilize other solutions, our intent has been to provide content that informs and enables every enterprise to begin their Attack Path Management journey and significantly reduce the risks Identity Attack Paths pose to their organizations.

Attack Path Management Pillars: Part 3 — Safe AD Security Remediation Guidance was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.