In this episode of Know Your Adversary, Jared Atkinson and Justin Kohler sit down with SpecterOps Principal Product Architect Andy Robbins and Ping Identity Director of Product Management Bjorn Aannestad to discuss SpecterOps’ recent attack path research engagement with the PingOne platform. The conversation covers how the collaboration began, why gaining access to a real PingOne tenant was crucial for...
00:00:00:00 - 00:00:14:02
Jared Atkinson
Welcome back to the Know Your Adversary podcast. I'm Jared Atkinson. I'm Justin Kohler. And we're joined today by our colleague Andy Robbins and by Bjorn Aannestad. Andy, would you go ahead and introduce yourself?
00:00:14:03 - 00:00:25:20
Andy Robbins
Yeah. Hello. My name is Andy Robbins. Along with Will Schroeder and Rohan Vazarkar, I'm one of the co-creators of BloodHound. And now I'm principal product architect at SpecterOps.
00:00:25:22 - 00:00:29:09
Jared Atkinson
And then, Bjorn, if you could introduce yourself as well, you're kind of our guest of honor today.
00:00:29:11 - 00:00:42:23
Bjorn Aannestad
Yeah, thanks for having me on, you guys. My name is Bjorn Aannestad. I am the director of product management for Ping Identity, specifically the PingOne multi-tenant identity as a service platform.
00:00:43:01 - 00:00:53:02
Jared Atkinson
Okay. And then, Justin, I think SpecterOps got an engagement with Ping Identity to do some attack path research. Do you want to kind of talk about the background behind that?
00:00:53:02 - 00:01:10:05
Justin Kohler
Yeah. So just over a year ago, we got engaged together to do a potential tech partnership. And as we were trying to work through the details, we wanted to dig in to the PingOne platform and understand kind of the scenarios that we see play out in other APIs.
00:01:10:05 - 00:01:37:14
Justin Kohler
So where could users potentially misconfigure and put themselves in a bad situation, or potentially where things have been set to where a regular user could elevate their privilege in an unforeseen way? So it was really cool. I mean, first of all, we got to meet Bjorn and work with him and the Ping team. And also we got access to a free tenant that allowed us to do the research, you know, kind of really quickly and be able to get direct access to the information.
00:01:37:16 - 00:01:42:05
Jared Atkinson
And that's something I want to double click on: the access to the free tenant is just fantastic.
00:01:42:06 - 00:02:00:08
Jared Atkinson
So SpecterOps is a small organization. We're trying to create these attack graphs for tons of different platforms to help our customers kind of understand what their attack. It's not really attack surface, but the underbelly of their attack surface really looks like. And one of the difficulties that we have is because we're a small organization, we're also kind of known for red teaming.
00:02:00:10 - 00:02:19:04
Jared Atkinson
It becomes very difficult for us to actually get access to tenants for these different platforms and therefore do kind of like the security research to make these organizations more secure. And like hats off to Ping for kind of facilitating that and making that available to us, because that really helped to kind of supercharge our ability to do that research.
00:02:19:10 - 00:02:21:19
Jared Atkinson
I don't know, Andy, if you want to comment on that as well.
00:02:21:21 - 00:02:46:03
Andy Robbins
Yeah, I actually had a thought about that. So we have a lot of positive things to say about this experience with working with the Ping Identity Corporation. And one thing I was thinking when Jared was talking about, you know, in order for us to help our customers and our users in the open source community understand attack patterns in different systems, it turns out we have to understand those systems first.
00:02:46:05 - 00:03:13:13
Andy Robbins
And you might think, well, you know, you can start to read the documentation. My experience is that documentation is usually wrong, out-of-date, inaccurate, frustrating to read. But as a matter of fact, one of the things I shared with the ping identity folks is that the documentation is excellent. It's concise, it's clear, it's accurate. It's very easy to navigate.
00:03:13:15 - 00:03:29:12
Andy Robbins
It's a great example of what a platform documentation should look like, and that's at least coming from a security researcher's perspective. Operationally, I'm sure it's excellent as well.
00:03:29:14 - 00:03:46:23
Bjorn Aannestad
That's very nice of you to say so, Andy. Thanks for the compliments, I'll pass those on to the team. From our point of view, from my point of view, we're very interested in engaging with you guys. You know, when the partner group came to me and said, Hey, we've got this company called SpecterOps and this is what they do.
00:03:47:01 - 00:04:08:05
Bjorn Aannestad
My reaction was, wow, let's let's take advantage of that. And there are a couple of reasons for that. One, we are a security company. We're very security focused. That's very interesting to us. The other is that when we built the PingOne multi-tenant platform, we were fortunate enough to start with a blank slate. And that doesn't happen too often in the identity space.
00:04:08:07 - 00:04:30:06
Bjorn Aannestad
You know, we've got a lot of startups doing clever things with biometrics and a lot of things like that. But as far as starting with a core identity provider, kind of from a blank slate and saying how can we build more security in from the beginning was one of the fun things about this project. And we in the early days and the platform that's now grown into the PingOne platform and why we were going through that.
00:04:30:07 - 00:04:52:10
Bjorn Aannestad
I always kind of felt this nagging need for some kind of independent validation of the design choices that had been made. And when you guys popped up on the horizon, I was like, Ah, that's what we want. We want an independent validation that some of these fundamentals we've done differently in our platform versus some of the legacy platforms out there are actually paying off.
00:04:52:12 - 00:05:22:07
Jared Atkinson
Yeah, I think maybe Andy you could get into. So Andy's the researcher on the SpecterOps side that really dug in, along with Garrett Foster, one of our other researchers, to the configuration. And I think maybe it's important to note that while we're not looking for vulnerabilities, like in kind of the classic sense, we are looking for ways in which the access control model is configured that might facilitate unintentional takeover of certain applications or certain identities, things of that nature.
00:05:22:07 - 00:05:35:14
Jared Atkinson
And so maybe, Andy, you could like touch on what you what you found as you were digging into that and maybe kind of highlight what Bjorn's talking about to where there are certain design decisions that you noticed that were different from what you had seen previously in some of the other platforms that you looked at?
00:05:35:15 - 00:06:11:21
Andy Robbins
Yeah, definitely happy to do that. So I think probably the best way to do this is for me to start sharing my screen and show that to you. And then for audio only consumers of this podcast episode, I will do my best to verbalize everything that we're looking at as well. All right, cool. So what I'm going to be doing is I will be showing the PingOne administrative portal and I'll be talking through some of the results of our testing, talking through what the abuse primitives are, and also just talking through kind of some of the differences between this platform and how attack paths emerge out of it versus maybe some other platforms and
00:06:11:21 - 00:06:44:04
Andy Robbins
how attack paths emerge out of those. And talk about some of the differences that we noticed along the way. So we are looking at the PingOne administration portal, and if you've never seen this before, this is kind of what you would see when you first log in as an administrator of an organization, and this organization is called SpecterOps underscore c five, a5a. A PingOne organization is the top level object in the object hierarchy within PingOne.
00:06:44:06 - 00:07:20:10
Andy Robbins
So you can think of an organization as being kind of equivalent to an Entra tenant, kind of. But there are differences that we will talk about there as well. Organizations contain environments, and you can see I have a list of environments here. The Administrators environment is created by default every time an organization is created in PingOne, and then I have some other environments here that we created during testing: Environment One, Two, Three, Garrett Test Environment, and then one called My PingOne Environment.
00:07:20:12 - 00:08:01:15
Andy Robbins
So let's talk about digging into some of the objects that fall under the environments. Let's look at this environment here called Environment One. Environments are where principals, groups, applications and other objects are actually created and managed and, let's say, stored in the hierarchy. Environments contain users, groups, etc. So in the portal we're looking at navigating within the environment, and under this dropdown here under Directory is where we're going to start to see most of the objects, or at least some of the objects that we're very interested in.
00:08:01:17 - 00:08:37:14
Andy Robbins
So we have users. Users within PingOne work very similarly to how users in other platforms work. They can be authenticated with a credential. You can set up different authentication policies to control that a user has to have a certain control applied for a particular log on from a particular geographic location, let's say. So all of the great stuff that you get with like conditional access with Entra, for example, let's say, you get with PingOne users as well.
00:08:37:16 - 00:09:13:19
Andy Robbins
These primitives, as far as these primitives go, the one abuse primitive that we have for users is very simple. It's very easy, is very disruptive as well, which is force resetting a user password. That's not a very attractive option for an adversary who's wanting to execute an attack path through any environment, I would say, because obviously the next time that user goes to log in, they're going to get a password error and that's a detection opportunity as well for security operations to start reacting to an adversary's actions.
00:09:13:21 - 00:09:36:17
Andy Robbins
However, it is an abuse primitive, with someone being able to change a user's password having some kind of adversary value. The way that all of these abuse primitives function all has to do with PingOne RBAC, and we will talk about PingOne RBAC in more depth when we get to it. So next, let's talk about groups.
00:09:36:19 - 00:10:15:04
Andy Robbins
Groups also work very similarly to other platforms that at least we are more familiar with, meaning Active Directory and Entra. So I mentioned PingOne RBAC. Users can have role assignments and they can be given certain permissions and they can be given certain powers, and they can be targets for adversaries. Groups in PingOne also can have roles assigned to them, and then the immediate members of those groups will have the role assignment effectively as well through the group delegation concept.
00:10:15:04 - 00:10:38:16
Andy Robbins
So that concept exists in PingOne as well. A few differences and a note here about where attack paths emerge from and how the design of this system prevents the emergence of particular classes of abuse primitives. So we're looking at the PingOne administration portal. You can see that I have a group here called GrouPingOne that has roles granted to it.
00:10:38:16 - 00:11:04:18
Andy Robbins
If I click on the group, we can see roles. We can see that it has a role assignment for a role called Configuration Read Only. Now one of the interesting abuse primitives that can emerge out of a situation like this is you have a group that has some kind of powerful role, let's say, and then the administrator, they want to manage who's in that group.
00:11:04:23 - 00:11:34:10
Andy Robbins
And platforms like PingOne will introduce tools for those administrators to make that task easier, to make group management easier. One of those is what I would personally refer to as like dynamic group membership or like rules based membership, let's say. So let's say that Jared creates a group called Jared's Admin Group, and that group has all the role assignments, has all the power in the world.
00:11:34:12 - 00:12:00:18
Andy Robbins
And then Jared says, Well, okay, well, anytime a user gets created and that user has like admin in their username, I want them to be automatically added into this group. That can be dangerous because the complexities of how the system is actually granting privileges become more obscured the more layers of automation you put on top of an RBAC system.
00:12:00:20 - 00:12:28:18
Andy Robbins
So we not only have the RBAC system, but then we have group management, and then we have the user properties that might be analyzed for dynamic group membership. And so that kind of complexity is really, really dangerous for a platform, but it's also very beneficial to adversaries, because that complexity makes auditing how exactly roles are being granted very difficult to understand.
00:12:28:20 - 00:12:45:03
Andy Robbins
It makes it hard to audit, it makes it hard to manage. And then what happens in the real world is these things just spin out of control and all of a sudden you have groups that have members in them and no one has any idea why that user is in there. But if it ain't broke, don't fix it, don't take them out.
00:12:45:03 - 00:12:49:10
Andy Robbins
And so these things kind of spiral out of control. So the reason I mentioned.
00:12:49:10 - 00:12:56:21
Jared Atkinson
All right, what's that? I mean, case in point, Active Directory, right? Sure. That's relevant. Yeah, yeah, yeah, yeah, yeah.
00:12:56:21 - 00:13:26:05
Andy Robbins
Complexity is complexity is probably the greatest enabler of attack paths emerging out of systems like this. And so the the PingOne mechanism here is that, yes, there is a way to add users to groups automatically based on some kind of property or some rule that an admin sets up. But if a group has role assignments granted to it, you can't do that anymore.
00:13:26:07 - 00:13:48:17
Andy Robbins
So if a group has role assignments assigned to it, you have to manually add each user to that group. And personally, I think this is a fantastic design choice. I think it prevents the emergence of attack paths that could be really difficult to understand why they even emerge in the first place. Could it give a little bit of administrative burden to admins?
00:13:48:17 - 00:14:10:09
Andy Robbins
Maybe, but I think my perspective, and maybe our perspective collectively on the SpecterOps side, is that this design choice is worth the preclusion of thousands, tens of thousands, millions of attack paths that would have emerged if it wasn't designed this way.
00:14:10:11 - 00:14:21:15
Jared Atkinson
Bjorn, I think during our conversations, kind of as we were working on this project, we had talked to you all about this, and you had kind of, your team at least had kind of explained what the thought process was behind this.
00:14:21:15 - 00:15:09:17
Bjorn Aannestad
Yeah, the fundamental thought process is what Andy is talking about, which is prevent methods of privilege escalation, whether accidental or intentional. So we have rules like that that say, well, you can't grant yourself a role, for example. That's another rule that exists. Another fundamental design choice we've made is there is no requirement in the platform that you have a root user with all the permissions. You could create one if you wanted to when you set up your tenancy, but you don't have to, because our customers value the separation of duties, especially when it comes to things like separating the administrator's right to configure the system apart from their right to see end user data.
00:15:09:19 - 00:15:33:20
Bjorn Aannestad
You know, so just because you have the ability to set up the configuration, the policy rules, doesn't give you the right to look up somebody's home phone number. You know, that's a clear example of separation of duties. And by default, there is no user, whether it's a service account or a root account or anything like that, that has both of those permissions, both of those sets of permissions.
00:15:33:22 - 00:15:39:05
Bjorn Aannestad
So those are the kinds of things we were thinking through as we were designing the platform.
00:15:39:07 - 00:15:51:21
Jared Atkinson
I've just got to say, that's awesome. That's really cool that from the start, you don't have this concept of like somebody who has everything, because, I mean, honestly, that's what we're going to target on the adversary side.
00:15:52:00 - 00:16:07:15
Bjorn Aannestad
That's right. And it does have some effects. It means things like helping a tenant recover access they might have lost is a bit harder, but at least we can insert some humans in the loop to make sure that that's done legitimately and not maliciously.
00:16:07:21 - 00:16:29:16
Andy Robbins
I see this design choice as a really great safety rail against, you know, anybody kind of foot gunning themself with the platform. It reminds me of every so often we'll see something in BloodHound and we'll say, Well, why would anybody in their right mind ever do that? Why would anybody ever give Domain Users GenericAll on the domain head object?
00:16:29:16 - 00:16:51:10
Andy Robbins
Why would anybody ever do that? And I've always thought that, like, that's kind of the wrong question. The right question is why does the system allow you to do that in the first place? And it reminds me of Murphy's Law that if we put a little product twist on it, which is if a platform allows an admin to configure something in a certain way, someone is going to do it.
00:16:51:13 - 00:16:56:14
Andy Robbins
Like, you know, admins are going to do that and cause problems for themselves. Yeah. So we're going to have.
00:16:56:14 - 00:16:58:16
Jared Atkinson
A business dependency on it, right?
00:16:58:18 - 00:17:28:12
Bjorn Aannestad
Yep. That's a very good point. I would like to call out one of the things that I think is remarkable about what you guys do, which is the fact that when you test for these pathways, right, these primitives, you do that in the context of a given deployment, or a given customer's deployment. So a lot of the penetration testing and so on, and tools like that that everybody does as a matter of course, do that in isolation of a particular configuration.
00:17:28:14 - 00:17:40:19
Bjorn Aannestad
But what BloodHound can do is it can look at the system as it's been configured and find out if somebody has taken advantage of a foot gun or not. Right. Sure. I think that's special.
00:17:40:21 - 00:17:59:06
Justin Kohler
This is a real quick example of how I try to explain that to people, like from a completely different aspect of security: you can have a firewall, a perfectly functioning firewall. But if you put an any-any rule in it, you're going to let everything through, right? So it's like that's the most extreme way of seeing that problem.
00:17:59:08 - 00:18:00:02
Justin Kohler
But yeah.
00:18:00:07 - 00:18:31:11
Bjorn Aannestad
I did want to touch on something that Andy talked about earlier, which was that organization to environment hierarchy, because that's related to this idea too. You know, the organization, as Andy said, is a tenant. That's the fundamental large scale tenancy object in the platform. But the environments that he showed are the sub tenants, and they are isolated from each other, in terms of you can grant an administrator rights to one environment but not another, for example.
00:18:31:11 - 00:18:35:16
Bjorn Aannestad
So that's a way of segmenting below that.
00:18:35:18 - 00:18:56:15
Andy Robbins
I have a graphic for that that illustrates kind of the role scoping, and I'll kind of explain some of the behind the scenes of what BloodHound does. Maybe it would be good for me to kind of finish the tour here visually and go through some more of the abuse primitives. So we just talked about groups.
00:18:56:17 - 00:19:28:12
Andy Robbins
And let's talk next about the administrator roles. Let's just touch on these briefly. So in looking at the administrator roles, now in the PingOne portal I'm looking at the administrator roles page, which lists out all of the built in roles that can be assigned to certain principals. There's a lot to talk about when it comes to the admin roles within PingOne.
00:19:28:14 - 00:19:57:09
Andy Robbins
I think maybe one of the most important aspects is that, at least as far as I know, the only way, the only endpoint that you would be able to touch in order to grant someone a role assignment, there's one endpoint, maybe two, if you're doing it by a reference ID of a user. But the long and short of it is there's one API essentially that is responsible for allowing admins to grant admin role assignments.
00:19:57:11 - 00:20:18:16
Andy Robbins
And what that means is that you don't have 25 different API endpoints or 25 different applications that you have to worry about. As far as, you know, well, I could promote someone to this role through this part of the product, but I can also promote them through the other side of the product. And guess what?
00:20:18:16 - 00:20:44:12
Andy Robbins
This one has a completely distinct RBAC mechanism, has a completely distinct permission model. But in order to understand the reality of who can grant admin roles, I have to understand all of those systems. So I see that as a great distinction as well, from PingOne to other platforms. The best example I can think of is the one that I know the best, which is Entra, so I can grant admin role assignments through the Azure portal.
00:20:44:12 - 00:21:17:10
Andy Robbins
I can do it at the Graph API. I can do it through the PEN API for a couple more days. I can do it at the legacy Azure AD Graph portal or API. What that turns into is just more complexity and more kind of obscurity or fog of war, where it can be really, really difficult to understand who has the ability to do something, because there are so many different ways to accomplish that through all these different products.
00:21:17:12 - 00:21:50:04
Andy Robbins
So the kind of point that I'm trying to make here is that a combination of the sole responsible party of the PingOne API being the only one that can manage role assignments, and some other things that get a little in the weeds, that might be a little too far in the weeds, make it so that when it comes to role assignments, I don't have an abuse primitive for you about granting new role assignments, because that abuse primitive in this platform just really isn't that interesting.
00:21:50:09 - 00:22:31:13
Andy Robbins
And the reason for that is because the roles that allow you to grant other role assignments, they can be restricted. So I can look at an example here. If we come to Identity Data Admin, which is right here, you can see an example here where if a principal has been granted the Identity Data Admin role assignment, because they have this role assignment, one of the permissions in here is going to be granting other role assignments. In other platforms,
00:22:31:13 - 00:22:57:12
Andy Robbins
that could mean like, well, I can grant any role to any principal at any scope. So that could be like a built in privilege escalation mechanism, even though it's obviously not designed to be one. In PingOne, it doesn't work that way. So in PingOne you have a limit on which roles can be assigned based on what roles you have.
00:22:57:17 - 00:23:27:15
Andy Robbins
So if I have Identity Data Admin, can I grant roles? Yes, I have that permission. But guess what? There's a further restriction. I can actually only grant these two roles, which from my perspective are less powerful than the one I already have. So there's, again, a preclusion of an abuse primitive, because when it comes to granting role assignments, you can't grant a role with more permissions than what you currently have.
00:23:27:17 - 00:23:31:22
Bjorn Aannestad
That's correct. That was an individual design choice.
00:23:32:00 - 00:24:04:20
Andy Robbins
Great design choice. Great, great, great design choice. So next, we're going to talk about some stuff that might be a little more obscure. So let's talk about applications. Applications in PingOne, there are different kinds of applications, and from my perspective, these work similarly to kind of the app registrations or service principals in Entra. So you have OAuth 2 authentication policies that you can configure for these.
00:24:04:22 - 00:24:32:08
Andy Robbins
These applications can be used to control access to third party applications. Like, I could have a Salesforce application in here and control access to Salesforce through this. And when it comes to application abuse primitives, there's one that I have for you all, and it has to do with a type of PingOne application referred to as a worker app.
00:24:32:10 - 00:25:00:23
Andy Robbins
So a worker app, which I'm going to click on one here in the portal called Worker App One. Click on this, and there's a difference between how this abuse primitive in PingOne works versus how a very, very similar one in Entra works. So in PingOne this worker app is going to be able to authenticate using its own credential and be able to authenticate as itself.
00:25:00:23 - 00:25:26:22
Andy Robbins
So it doesn't necessarily need to have a user authenticate and do like a flow. But the application itself is a principal, it is an identity. So it has an ID and it has a client secret that it can authenticate with. Applications in PingOne as well, they can have roles assigned to them. And so we start to get into kind of a concept of attack posture.
00:25:27:00 - 00:25:56:18
Andy Robbins
But the abuse primitive here is that, given the right role assignment, which my user has all of them, so I can do everything I want, but given the right role assignment for a worker app, we can actually just look at the client secret. We can read the client secret, which I'm showing here on my screen, and using that client secret and the client ID and the environment ID, we can then authenticate as this application.
00:25:56:20 - 00:26:23:09
Andy Robbins
So the distinction I want to show here is with Entra, there's a very similar abuse primitive in Entra where if I have an app registration, for example, this example Entra app reg, and I come over here to Certificates and Secrets, I can create again a secret for this application that it can use to authenticate using its associated service principal.
00:26:23:12 - 00:26:55:18
Andy Robbins
So it is authenticating as itself. When I create a client secret here, the GUI will show the value of the secret. But then if I refresh the page, you'll see that we're now only able to see the first three letters in the portal, and the API that is serving this information will never show the full secret ever again.
00:26:55:20 - 00:27:12:20
Andy Robbins
The difference here is that in Entra, with the right role assignment, I can just create a new secret, so it doesn't really matter that I can't read the current one. I can give it a new one. So I don't reset its password, I give it an additional password which is just as valid as the existing one.
00:27:12:22 - 00:27:39:07
Andy Robbins
So a little difference in abuse primitive there, but similar concepts. Now let's talk about some things that are a little bit more obscure, maybe. So we're back in the PingOne console. On the left, I'm going to click on Integrations, and the first thing I'm going to click on is Provisioning. I don't have any here. Let's go to Gateways.
00:27:39:11 - 00:28:25:15
Andy Robbins
I don't have any here. Let's go to another environment. Let's go to Garrett Test Environment. Okay, so let's look at the gateways that we have within the Garrett Test Environment. Gateways are a class of PingOne object that can store configuration information that, from my perspective, is kind of about authenticating external users or gathering principal information from some other platform, bringing it into PingOne and being able to add users to groups, give them permissions within applications, within PingOne, all that kind of stuff.
00:28:25:17 - 00:28:54:09
Andy Robbins
From my perspective, there's kind of like the red teamer, like I used to be a red teamer, kind of like the offensive security perspective. The thing I care about with gateways is that gateways, similar to PingOne applications, have their own credential material and their own identity. So they are identities that can be authenticated, and they can perform actions within the platform.
00:28:54:10 - 00:29:29:08
Andy Robbins
The other note is that gateways can be granted role assignments. And so what you have here is, from my perspective, from the perspective of somebody who just wants to execute an attack, is you have a principal type that can be authenticated, that can be granted permissions. And the authentication material for these objects is most likely not going to be within this platform itself, but it's going to be wherever the host is or whatever the system is that is kind of feeding information into the PingOne platform.
00:29:29:12 - 00:29:57:15
Andy Robbins
So we may have like a RADIUS gateway, so there could be a RADIUS, a TACACS, you know, Cisco system out there somewhere that's feeding information about principals into PingOne. I might be able to lift off a credential of some kind from that Cisco system and then turn that into, you could call it like initial access, into the PingOne environment.
00:29:57:17 - 00:30:03:04
Andy Robbins
So that's my take on gateways there. Bjorn, did you have anything you want to add regarding.
00:30:03:06 - 00:30:31:20
Bjorn Aannestad
You know, something kind of related to this that we also were thinking about, which is when we looked at existing systems, we saw a proliferation of shared administrator accounts and service accounts and things like that. So what you're pointing out about how the worker app has a role and acts much like a user, it's part of that. But we also didn't want to open our customers to the temptation to share administrator accounts around shared passwords and so on.
00:30:31:20 - 00:31:05:06
Bjorn Aannestad
So the philosophy there was the administrators in the system are not separate from the end users from an implementation point of view. We put them in that Administrators environment that you showed, but all the same security rules that are available, like multi-factor authentication, biometrics, are available for the administrators as well. But an important thing is that if you do have a user who needs some extra roles to become a limited scope administrator, they don't have to have two accounts.
00:31:05:08 - 00:31:46:07
Bjorn Aannestad
They can have their own identity as an employee, right, and still be given that Identity Data Admin over their department, for example, without having to have two accounts to juggle and without having the temptation of, well, let me give you my log in so that you can manage those users, right? So the ability to not distinguish fundamentally administrators from end users gives us those two benefits: they get now all the same features that are available for protecting end user accounts are available for administrators, and you don't have quite the same temptation to create multiple identities for the same person.
00:31:46:09 - 00:32:20:06
Andy Robbins
Yeah, great. So let's talk about the product. But the last thing I'll talk about in the portal here, so I'm back in the PingOne portal and I'm looking at a tab here that says provisioning. Now I might refer to these objects more so as propagation stores as opposed to provisioning, only because some of the API documentation and some of the endpoints refer to these objects as propagation stores.
00:32:20:08 - 00:32:47:09
Andy Robbins
Now, what are these for? These are for taking information about principals within PingOne and putting that information into another platform. So we have two different examples here from the PingOne environment that we created for research purposes. One here is called Outbound ADI. And so we are taking users from PingOne and we are putting them into Active Directory.
00:32:47:11 - 00:33:19:17
Andy Robbins
And then we have another one here, I think, Jared, I think you may have actually created this one. Now this one is called Snowflake Rule and this is for taking users from the PingOne platform and then automatically kind of shoveling data about those users into a Snowflake tenant. Now, earlier I was talking about gateways, how a gateway could turn, you know, adversary access of a different platform into access into PingOne.
00:33:19:19 - 00:33:57:18
Andy Robbins
This is now the other way around. So this is where we might be able to take adversary access in a PingOne environment, and we might be able to turn that into access into some other platform, kind of a change of venue, if you will. These objects here, they store credentials for authenticating to these other platforms, and with the right permissions, with the right RBAC permissions, a principal can read the credential material of these propagation stores and then obviously authenticate into that other platform.
00:33:57:20 - 00:34:07:22
Andy Robbins
And then what permissions you have in that other platform, what you're able to do there, is going to be wholly dependent on the configuration of that other platform.
00:34:08:00 - 00:34:27:22
Jared Atkinson
Well, one of the things that I think is worth touching on, just from a, we call these hybrid paths in the context of BloodHound, where you're able to leverage access in one environment, say, AD, and then gain access to another environment, right, or another platform. One of the things that's interesting about the way that these get set up is in detection and response.
00:34:27:22 - 00:34:44:15
Jared Atkinson
We often talk about kind of this client, and I mean, just in computing in general, we talk about this client-server relationship, and there's different perspectives you have whether you're kind of operating or collecting telemetry from the client side versus collecting telemetry from the server side. There may be more detail on one side, there's more trust on another side, so on and so forth.
00:34:44:17 - 00:35:12:01
Jared Atkinson
In this case, if an attacker has control of the PingOne environment, they would be able to see potentially that there is a relationship with Snowflake. They might even be able to see what has a relationship with Snowflake in this example. But they won't necessarily know which of those users has admin privileges or what, you kind of touched on this, Andy, but they won't know what privileges they have on the far end, on the remote end of that relationship.
00:35:12:03 - 00:35:34:19
Bjorn Aannestad
I was just going to congratulate you guys on that. That's an important aspect of this, being able to see how systems interoperate and what the tasks are across system boundaries. As vendors and maintainers of these systems, we generally look at our products in isolation, but you guys bring something very valuable to that, being able to look across.
00:35:34:21 - 00:35:59:01
Jared Atkinson
Yeah, I think we talk about that quite often. You know, the security of one system, and I think we're showing off that, like, you guys have done a lot of really good work. The problem comes in to how could a user, even with the controls that you guys have put in place for users, you know, potentially for getting themselves within your platform, how are they connecting to potentially other platforms that's putting them at risk?
00:35:59:03 - 00:36:05:23
Jared Atkinson
But through no fault of either of those platforms, it's just the connections that you're creating and the invisible nature of that.
00:36:06:01 - 00:36:21:12
Bjorn Aannestad
And the specific configurations that you have there, that the user of both platforms has set up, you know, in an innocence between the two. Right? This fills a very important need to evaluate the security of that.
00:36:21:14 - 00:36:46:03
Jared Atkinson
Maybe a reason why we're so interested in the hybrid aspect is because we started with Active Directory, and then our experience, and Justin, you might have more specific statistics on this, almost every environment we've ever explored, every user has the ability to take over the entire environment. And so that means that if there is a connection to some other platform or other environment, you have a path to get there.
00:36:46:05 - 00:37:02:21
Jared Atkinson
That may not be true in more modern environments and things of that nature, but that was and is true in Active Directory. And so it's kind of been something that we're very sensitive to as a result of that experience.
00:37:02:23 - 00:37:30:11
Andy Robbins
So now I'm going to show some of what we've been able to accomplish with the research that we did in PingOne and with OpenGraph with BloodHound, in being able to model some of these attack paths and some of these configurations within BloodHound. So the first thing I'm going to show you is pretty basic, and I'm going to show you just a very simple hierarchy view of the SpecterOps organization.
00:37:30:13 - 00:37:57:20
Andy Robbins
And you can see the different PingOne environments that are contained under that organization. Very, very simple. Doesn't really tell you anything that the PingOne portal itself doesn't tell you already, but things can get kind of more interesting if we say, well, I just watched a conference presentation about propagation stores in PingOne and I want to know within my environments here which ones actually have propagation stores.
00:37:57:20 - 00:38:20:12
Andy Robbins
Where should I go to start looking for those scenarios? Well, we can change the query a little bit and we can see from the top-level organization down to each propagation store that the data collector was able to collect. So from that list of various environments, we see that there's actually only three of them that even contain propagation stores in the first place.
00:38:20:12 - 00:38:44:10
Andy Robbins
And we can see a nice list right here of those. We can do the same thing for gateways. Before we move on to the gateways though, this also, if I'm a PingOne admin and I see this view, I might look at these names and I might just do a sanity check with, do we have a Snowflake instance that we're sending data to?
00:38:44:10 - 00:39:00:11
Andy Robbins
Do we have Slack that we're sending data to? Is this all legitimate? It can be a good way to just do a little quick sanity check and maybe clean out some old ones or something they don't really use anymore.
00:39:00:13 - 00:39:13:13
Jared Atkinson
That's interesting. I assume you haven't gone into this, but imagine if an attacker leveraged the ability to create these propagation stores or these gateways as a means of somehow compromising persistence.
00:39:13:15 - 00:39:20:05
Andy Robbins
Sure. Persistence mechanism. Sure. I think a gateway is a good persistence mechanism. But imagine.
00:39:20:06 - 00:39:34:04
Jared Atkinson
Imagine if you were provisioning to Active Directory and you control Active Directory, you now have a way to capture passwords of users. Sure. Because yeah, you could do like DCSync or something like that on your own controlled Active Directory.
00:39:34:06 - 00:40:01:09
Andy Robbins
Yeah. So the last thing I would say here is, as an adversary, this also gives me some good indication of other platforms I might be able to pivot into. If I'm able to execute an attack path to get to one of these objects, I might be able to then pivot into Snowflake, GitHub, Salesforce, some other platform where then, you know, the security of that platform has nothing to do at all with PingOne.
00:40:01:09 - 00:40:27:06
Andy Robbins
It's just that PingOne is the way I kind of got there. The opposite we could also do, so we could look for all the gateways that are stored under our organization, and we can see that, we know because we were doing testing, there's a lot where, you know, we're kind of mucking around in the system and we're making stupid things, like there's one here called "this Gateway has custom roles, admin role."
00:40:27:08 - 00:40:59:16
Andy Robbins
So this is obviously not, you know, real-world data, but this can kind of give us as an adversary an indication of some ways in, or as a defender, some potential avenues into my PingOne organization's environments, where if somebody compromises, let's say they compromise this PingFederate system that's running on prem somewhere, they might be able to use that to then gain initial access into my PingOne environment.
00:40:59:16 - 00:41:10:09
Andy Robbins
And then the impact of that would be, of course, dictated by how privileged that gateway itself actually is.
00:41:10:11 - 00:41:34:16
Jared Atkinson
Yeah, I think this is just a good opportunity for us to talk about, recently in the news, there was this breach for a company called Salesforce, that application called Drift. And Drift was essentially like a plug-in for Salesforce, and what happened in the breach was that there was a scenario where it's kind of not descriptive, but somehow an attacker got access to Salesloft's GitHub organization.
00:41:34:21 - 00:42:04:08
Jared Atkinson
Within that GitHub organization, they found API keys for AWS. Somehow they were able to, and I guess the Drift application was being run in AWS, and they were able to derive OAuth credentials or tokens to be able to access customer-facing, like the customer side of the Salesforce application. And I think that just really digs into the importance of understanding not just how does an attacker escalate privilege within a kind of atomic environment, but, we've kind of touched on this throughout the conversation,
00:42:04:08 - 00:42:20:22
Jared Atkinson
how do they leverage the interconnectedness? And we talk about this idea of the clean source principle, which is the idea that when you establish a security dependency, you need to make sure that the thing that you're depending on is as trustworthy as the thing that is doing the depending. There's probably a better way to say that.
00:42:21:04 - 00:42:45:16
Jared Atkinson
But in this case, for instance, the Snowflake example: Snowflake has a security dependency on PingOne. PingOne has a security dependency, I think because of that PingFederate inbound provisioning gateway, on, I assume, an Active Directory environment. And so now there's this situation where your Snowflake environment, unbeknownst to the Snowflake administrator, might have a dependency on an Active Directory domain.
00:42:45:16 - 00:43:00:02
Jared Atkinson
And that is why all of this kind of transitive control and downstream control is super important for us to understand, because you don't exactly know where the attacker is going to gain access, but it'd be nice to understand where they could go if they did.
00:43:00:04 - 00:43:21:12
Justin Kohler
Yeah, the only thing I would say on that, like we've talked about administrative rights and stuff, and Bjorn, you hit on it, like it's about the configuration, reading the configuration that the user has put in place, and certain companies will put different value on different classes of assets or identities in their systems.
00:43:21:14 - 00:43:51:12
Justin Kohler
And that's kind of what we're trying to do with BloodHound, right? Not just for those super admin layers, you know, and you mentioned Tier Zero, you know, the stereotypical owners of any application or IDP or platform, but also the business-critical stuff. So Snowflake might hold a ton of data that we want to make sure that we zone off and understand the access to, or, you know, a trading platform that runs in AWS that we want to understand who has access to.
00:43:51:12 - 00:43:59:20
Justin Kohler
So that's going to depend on the customer. And ideally we're trying to uncover that interconnected problem, the hybrid path problem, and how you could shut that down.
00:44:00:00 - 00:44:24:06
Bjorn Aannestad
Yeah, there's definitely a focus, you know, in security research on administrative access, but there's actually a whole spectrum of administrative access. On the one end you've got the root user, like we talked about. On the other end you have a departmental user whose responsibility is to add new employees to a department, give them rights to particular department applications.
00:44:24:08 - 00:44:34:04
Bjorn Aannestad
They are, in a sense, an administrator, because they may have password reset authority that they shouldn't have, for example. So you've got to watch that as well.
00:44:34:06 - 00:44:55:08
Justin Kohler
And understanding who should or should not is highly dependent on what that kind of leads somebody to do with it. Right. It could be perfectly benign again, but it's, you know, understanding the consequences of those actions either before you do it or at least being able to audit what you have today. It was an absolute pleasure to work with the PingOne team.
00:44:55:08 - 00:45:15:12
Justin Kohler
I know that our team was thrilled to work with you guys. The access that you provided. Honestly, your work, I mean, the ability to create a ground-up system, it's obvious you guys thought through that; that was well understood on our side. So awesome work to you guys, and again, thank you for letting us work with you and thank you for joining us.
00:45:15:14 - 00:45:37:01
Bjorn Aannestad
You're very welcome. Thanks for the time. I enjoyed it.