Privilege Zones: BloodHound Enterprise spreading like a computer virus (of security)

Jul 8 2025
By: Irshad Ajmal Ahmed • 5 min read

TL;DR The BloodHound Enterprise team recently pushed out Privilege Zones, one of the most requested features from our clients. Here’s a brief overview of how it expands (literally) the capabilities of BloodHound Enterprise.

A couple of years ago, I wrote a blog post explaining the basic functionality of BloodHound Enterprise: what it does, how it does it, and why we think it is an essential tool for securing your Active Directory (AD) or Azure environment. Consider that prerequisite reading for this post. We will be leaning heavily on that explanation, and expanding that scenario to understand Privilege Zones.

In that post, we used BloodHound Enterprise (BHE) to secure the island of Manhattan from a zombie apocalypse; Manhattan was thereby labelled Tier Zero (T0). This was the initial goal of BloodHound Enterprise. However, our job doesn’t stop there; we still have the rest of the nation (or in our clients’ case, the rest of their AD or Azure environment) to secure. Let’s get right into how Privilege Zones take us to that next step.

What is a Privilege Zone?

Having secured Manhattan, we would like to gradually start expanding our infection-free zone. Let’s choose New York City (NYC) as our next goal. Going by our previous Tiering terminology, this would make NYC Tier One (T1). However, in a sense, this implies that NYC is less critical than Manhattan (T0), which isn’t the case — it is simply an extended area that, for all intents and purposes, is as critical as the prior Tier Zero. In order to prevent this unintended prioritization, we have renamed Tiers to Privilege Zones. We are able to set custom names for each Privilege Zone in BHE, so the naming scheme is now chosen by the user(s).

Under the hood: what is analysis?

The process of reading an AD/Azure environment and running BHE’s proprietary algorithm to build the weighted graph is internally called Analysis. Privilege Zones are achieved by simply looping through the Analysis phase, with a weighted graph being built for a larger Zone in each iteration. 

The algorithm is designed to ignore the edges built in the prior iteration. This is because we collapse the Privilege Zones into a clique (I told you we were going to lean heavily on the first blog post). That reasoning will become clearer as we map NYC and Manhattan below.

Building a graph with the new Privilege Zone

The image below shows both Privilege Zones. The red zone is Manhattan, which we secured in my previous blog; and the green zone is NYC.

fig 1: Privilege Zones Manhattan and NYC

For simplicity, we will only consider interstates as viable route options in this scenario. The interstates connecting NYC to the zombie zone are I-95, I-87, I-78, I-278 and I-495. However, I-95 and I-87 both enter NYC and then proceed to exit it later, so we will add 2 edges for each of those interstates — one northbound and the other southbound. We can represent all of this information via the following graph:

fig 2: NYC’s Interstate connections as a graph

Notice that I skipped Manhattan from this graph entirely. This is because we collapsed both zones into a clique. Since Manhattan is contained within NYC and can only be accessed by accessing NYC, the paths we computed for Manhattan are not considered here.

Upon running this through Analysis, BHE computes weights for those edges. Like last time, we will choose weights randomly for our scenario:

fig 3: graph with weighted edges

Furthermore, Long Island is only connected to the landmass through I-495 passing through NYC. So we can collapse all of NYC plus Long Island into a much larger clique, since securing NYC would automatically secure Long Island as well. Highlighted below are Manhattan in red, NYC in green, and our entire clique in orange:

fig 4: Manhattan, NYC and Long Island as a clique

Collapsing Long Island into the same clique and reassigning those edge weights to I-95, our graph then becomes:

fig 5: clique with weighted edges
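To make the iterated Analysis and the clique collapsing above concrete, here is an added toy model of the zombie scenario (my own example code, not BHE’s algorithm or data). It assumes a constructed map of areas joined by weighted interstate approaches; one call collapses a Privilege Zone plus anything the zombie zone can only reach through it (the way Long Island folds into NYC’s clique), and returns the weighted edges still entering the clique from outside, with the prior zone’s internal edges dropped.

```python
from collections import deque

# Constructed toy version of the post's map (not BHE code or data): each edge is
# an approach from one area into another, (src, dst, interstate, weight).
# Weights are arbitrary, just as in the post's figures.
EDGES = [
    ("Rest of USA", "Westchester", "I-95", 1),
    ("Rest of USA", "New Jersey", "I-78", 1),
    ("Westchester", "Bronx", "I-95 southbound", 3),
    ("Westchester", "Bronx", "I-87 southbound", 5),
    ("New Jersey", "Manhattan", "I-95 northbound", 7),
    ("New Jersey", "Manhattan", "I-78", 4),
    ("New Jersey", "Staten Island", "I-278", 2),
    ("Bronx", "Manhattan", "I-87", 6),
    ("Bronx", "Queens", "I-278", 3),
    ("Queens", "Manhattan", "I-278", 5),
    ("Brooklyn", "Manhattan", "I-278", 3),
    ("Staten Island", "Brooklyn", "I-278", 2),
    ("Queens", "Long Island", "I-495 eastbound", 2),
    ("Long Island", "Queens", "I-495 westbound", 6),
]
ZOMBIE_ORIGIN = "Rest of USA"

def collapse_zone(edges, zone, origin=ZOMBIE_ORIGIN):
    """One Analysis iteration for a Privilege Zone.
    Returns (clique, frontier): the zone plus every area the zombie origin can
    only reach by passing through it, collapsed into one clique, and the
    weighted edges entering that clique from outside, most exposed first.
    Edges inside the clique, including the prior zone's frontier, are dropped."""
    reachable = {origin}            # areas still reachable with the zone removed
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for src, dst, _, _ in edges:
            if src == node and dst not in zone and dst not in reachable:
                reachable.add(dst)
                queue.append(dst)
    nodes = {n for e in edges for n in e[:2]}
    clique = nodes - reachable      # Long Island joins NYC's clique this way
    frontier = [e for e in edges if e[0] in reachable and e[1] in clique]
    return clique, sorted(frontier, key=lambda e: e[3], reverse=True)

if __name__ == "__main__":
    manhattan = {"Manhattan"}
    nyc = manhattan | {"Bronx", "Queens", "Brooklyn", "Staten Island"}
    for zone in (manhattan, nyc):   # smallest zone first, like iterated Analysis
        clique, frontier = collapse_zone(EDGES, zone)
        print(sorted(clique))
        for src, dst, road, w in frontier:
            print(f"  weight {w}: {src} -> {dst} via {road}")
```

Running the second iteration shows the Bronx, Queens and Brooklyn approaches into Manhattan disappear from the list, since they are now inside the clique, while Long Island is absorbed without ever being named in the zone.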

Once we action on these edges and secure NYC, we have gone from securing one island in the city to securing the whole city and also the entire land mass east of it. We can continue working on larger Privilege Zones — New York state, then the east coast, and so on — to build a quarantine zone that keeps expanding until all of the USA is zombie free. This is a pattern that we’ve seen before, but more often in a negative context:

“A computer virus is a type of malware created to replicate and spread itself across computers.” (Norton)

Just as a virus spreads itself, BHE users are able to spread security across their network as multiple, consecutively larger Privilege Zones (refer to fig 4), securing each one as they go.