In this episode of Know Your Adversary, Jared Atkinson and Justin Kohler are joined by Steve Elovitz of Palo Alto Networks’ Unit 42, where he leads service delivery across North America. With years of incident response experience, including time at Mandiant, Steve shares what it’s like responding to hundreds of real-world security incidents each year. The conversation explores how modern...
00:00:02:23 - 00:00:05:23
Jared Atkinson
Welcome back to the Know Your Adversary podcast. I'm Jared Atkinson.
00:00:06:01 - 00:00:07:02
Justin Kohler
I'm Justin Kohler.
00:00:07:04 - 00:00:14:22
Jared Atkinson
And today we're joined by Steve Elovitz from Palo Alto Networks Unit 42. Steve, do you want to introduce yourself and maybe tell us a little bit about your background?
00:00:15:00 - 00:00:35:20
Steve Elovitz
Yeah, folks, first off, thank you very much for having me on here. It's an honor to be here. Really appreciate the opportunity. I'm with Unit 42. I'm responsible for our service delivery here in North America. I spent the past ten years before that at Mandiant, overseeing some of our incident response team and our security transformation teams.
00:00:35:22 - 00:00:40:12
Steve Elovitz
So, you know, before that, I was doing similar work contracting for the government.
00:00:40:14 - 00:00:42:08
Jared Atkinson
Awesome. What did you do?
00:00:42:10 - 00:00:47:07
Justin Kohler
What is Palo Alto Unit 42 like? You said North America. What do they do? Like, what are the common things that they do?
00:00:47:08 - 00:01:07:14
Steve Elovitz
So Unit 42 is really focused on a few different verticals. First off, we have an intelligence team that's tracking the threat actors, right? Paying attention to what the individual threat actors' TTPs are. Once they get into an environment, how are they operating around? How are they getting into the environment? What are their missions? Right.
00:01:07:16 - 00:01:36:08
Steve Elovitz
Our bread and butter is also our incident response team. About 800 to 1,000 times a year, we respond to threat actors inside an environment. Now, this is not, hey, a user clicked a link that they shouldn't have clicked. This is 800 to 1,000 times a year there's a human adversary that has got access to an environment, and they have a mission, whether that be cyber espionage, you know, a nation-state-sponsored attack looking to collect sensitive data aligned to a country's goals.
00:01:36:10 - 00:02:00:22
Steve Elovitz
Or maybe it's financially motivated, where an actor is going to leverage their access to an environment for financial gain, typically through extortion these days, historically through theft and selling data. Right. We also proactively consult with organizations. We take what we learn on the front lines and help organizations build a better, more defensible network.
00:02:00:23 - 00:02:22:17
Steve Elovitz
Right. How can we prioritize all the different efforts we have throughout our security program? Choose what to focus on to reduce the most risk and reduce the most vulnerability. And we do that both through, you know, looking at an organization's security program strategically, comparing to frameworks, but also with hands-on adversary simulations.
00:02:22:19 - 00:02:24:11
Jared Atkinson
Very cool.
00:02:24:12 - 00:02:35:18
Justin Kohler
Do you mind, like... this probably, obviously, depends on, like, the actors and the stuff you're tracking, or on situations. Or do you have, like, some themes, like over the past, I don't know, three, six, 12 months that you've been.
00:02:35:18 - 00:02:58:18
Steve Elovitz
Yeah. Yeah. So we actually publish an annual report where we really summarize all of the hacker activity we've seen in the past year. Gosh, so much has changed in the past, you know, even two years. I'd say one of the interesting changes is we're having a lot more attacks on identity than vulnerabilities, and that's really flipped.
00:02:58:19 - 00:03:26:12
Steve Elovitz
Since, you know, in the Covid times, we saw a huge amount of zero-days coming out. But in the past year, about 60% of that thousand attacks initiated through compromise of identity. That's social engineering, that's phishing, that's brute forcing, that's password spray. And only about 19% initiated through an external vulnerability. So, you know, attackers are no longer just hacking in; they're logging in a lot of the time.
00:03:26:13 - 00:03:42:20
Steve Elovitz
You know, but we're also seeing a lot more use from the attacker side of AI, especially in that social engineering, just making the users who are already falling for, you know, the Nigerian prince that much more vulnerable.
00:03:42:22 - 00:04:02:04
Jared Atkinson
You just got to get rid of your emotions, right? And then that's the giveaway. One of the things that SpecterOps, that we're really interested in, is taking kind of what we learn on the red team side. We almost see that as kind of like bushwhacking, going into unexplored territory to see kind of what's on the margin of what people know and the tradecraft
00:04:02:04 - 00:04:19:04
Jared Atkinson
that's possible. I think your kind of experience is a great opportunity from the IR perspective, like what's actually happening out there. When you say that attackers are targeting identities, can you maybe give us a little bit more about that? You said they're just logging in. How often? We hear identity is the new perimeter.
00:04:19:07 - 00:04:27:15
Jared Atkinson
How often are you seeing people staying mostly to cloud versus, like, trying to get access on prem still? And where's that kind of, like, dichotomy?
00:04:27:20 - 00:04:48:11
Steve Elovitz
Yeah. You know, I would say actually identity is such a target from the threat actor perspective that it almost stands out more when there's an attack that doesn't compromise identity as part of completing the mission. Right. So I think the best example of that is a group that we, Palo Alto, call Chubby Scorpius.
00:04:48:12 - 00:05:17:18
Steve Elovitz
They're known as FIN11 or Clop. They target basically broad platforms, just SaaS platforms. They're a super interesting attack group to look at because, you know, there's some overlap with TA505, which back in like 2016, 2017 was targeting places. You know, a lot of people track them separately.
00:05:17:20 - 00:05:46:10
Steve Elovitz
But there's overlap there. And then this group moved on to ransomware and then has since moved on to just this: we're going to hit a cloud SaaS, you know, like Accellion or MOVEit were two of their big ones. And all they do is they hit a vulnerability, download data across hundreds, thousands of organizations, and then move into basically extortion at scale, as they're extorting all of them.
00:05:46:10 - 00:06:10:07
Steve Elovitz
So much so that there was an interesting Chainalysis article showing that, you know, they were responsible for, like, the majority of Bitcoin transactions over a short period of time. So that's not really leveraging identity at all. And that's rare because, yeah, pretty much everything else, almost every other attacker that we're seeing, is at some level leveraging identity as part of their attack.
00:06:10:09 - 00:06:40:09
Jared Atkinson
When you say they're able to target all these organizations, these are consumers of, say, MOVEit. I don't want to necessarily single anybody out, but are they targeting the... like, we saw the Salesloft breach recently, right? And what we kind of found from that was they gained access through a bunch of pivoting, but they eventually got to the kind of like Salesloft AWS tenant that was hosting the application, and then that had its tentacles kind of into everybody's individual Salesforce tenant.
00:06:40:14 - 00:06:48:07
Jared Atkinson
And they were able to leverage that to gain access to all the different consumers or customers of Salesloft. Is that kind of the way that that would flow?
00:06:48:10 - 00:07:09:21
Steve Elovitz
Yeah. So for Clop specifically, they were hitting much more just like publicly accessible instances. Right. So each organization would have their own instance of, you know, Accellion or MOVEit, and they had a vulnerability that allowed them to exploit it. And, you know, these are publicly accessible file transfer servers, right? Yeah. Yeah.
00:07:09:23 - 00:07:30:21
Steve Elovitz
As you're running a business, unless you, you know, IP whitelist for each individual person, which no one does, right? No one does. They tend to be publicly exposed. You know, better practice obviously would be putting up some kind of SASE so you can authenticate before you have the network layer of connectivity. But it's rare, right?
00:07:30:21 - 00:07:42:20
Steve Elovitz
So they get the vulnerability, they exploit it en masse, they download en masse. And then once they have really collected the lion's share of the data they want to leverage, then they start the extortion.
00:07:42:22 - 00:07:59:12
Justin Kohler
So it's like going in through the front door, versus like the Salesloft is like going through the back door, like, yeah, we have access to... I'm curious, when you see identity attacks, which are like the majority, I've always had this perspective that, like, and we see it on our red team engagements,
00:07:59:13 - 00:08:18:16
Justin Kohler
the initial access user you have is probably not the one that you're going to end up with. And I'm curious, like, do you have any perspective on that? Like, mine is that almost always the threat actor is going to have to pivot to a different identity in some form or fashion to reach some objective.
00:08:18:16 - 00:08:24:08
Justin Kohler
It's not about what they have access to now, it's what they can turn that access into eventually.
00:08:24:10 - 00:08:34:14
Steve Elovitz
Yeah, 100%. Right. So rarely will the initial compromise... I mean, we've seen it happen, but rarely is the initially compromised user a domain admin, right?
00:08:34:14 - 00:08:36:10
Justin Kohler
Every once in a while someone would get lucky, right? Like, yeah.
00:08:36:15 - 00:08:41:14
Steve Elovitz
A domain admin with VPN access. You love to see it, right? Yep. But checking their
00:08:41:14 - 00:08:44:21
Jared Atkinson
email on the domain controller. Yeah.
00:08:44:23 - 00:09:06:07
Steve Elovitz
Hopefully not. But yeah, we typically see the attacker gain access to the environment, and then they proceed with, you know, a typical attack kill chain, right? They reconnoiter the environment, they move laterally through the environment, they escalate privileges, they establish additional persistence mechanisms, and then they repeat that process until they're ready to achieve their mission.
00:09:06:07 - 00:09:43:22
Steve Elovitz
Right. And all too often, it's far too easy. You know, I note that on the IR side, we probably have a very different selection bias than people who are basically doing repeat red teams. But far too often we'll see, like, a domain admin cached on a workstation. Right. You know, I find a lot of organizations overlook the lower-privileged tier asset protection from a privileged account, so they don't enforce a control that prevents privileged accounts from being able to log in and operate on a workstation.
00:09:44:04 - 00:10:05:00
Steve Elovitz
Right. It's a domain admin. They should have their powerful accounts, right? Why wouldn't they be able to log in to just a user workstation? Well, this is the answer, right? Attackers go in, they dump LSASS, the process responsible for Windows authentication, and they're able to grab a cached credential of a domain admin account. But essentially that's the attack path.
00:10:05:00 - 00:10:14:08
Steve Elovitz
They will see what they can dump and then move on to the next host, dump more, and continue moving laterally and escalating privileges, for sure.
00:10:14:13 - 00:10:36:05
Jared Atkinson
We definitely are seeing a lot of that evolving a little bit, right? So a lot of us are familiar with how that plays out with, like, access tokens or Kerberos tickets in an AD environment. But maybe some people are less familiar with the use of cookies or bearer tokens, or how we interplay with, like, SSO to all these different applications.
00:10:36:05 - 00:10:56:00
Jared Atkinson
So imagine that I compromise your Windows workstation, or even your Mac workstation, and then you have Okta, for instance, and I can steal your Okta token. And now I have access to an Azure Active Directory user, who then has single sign-on abilities to every other, you know, web application under the sun. And so then these tentacles are just all over the place, and you can start going everywhere.
00:10:56:00 - 00:11:16:09
Jared Atkinson
And it's one of those things too, where when you start introducing things like SCIM, which is, like, auto-provisioning of users from that IdP, it's a lot more convenient. But you're definitely creating paths that attackers are going to take once they get access. Once they get on the road, they have interstates that let them kind of go through everything.
00:11:16:15 - 00:11:34:08
Justin Kohler
And I think we think of SSO and those things as, like, necessary. It's not like we're saying it's bad. It's just more that people need to understand that there's now a risk there. There's the risk of just having tons of logins and, like, super simple passwords and stuff like that.
00:11:34:08 - 00:11:48:21
Justin Kohler
That's a bad thing. Like, you should get past that. But it introduces another problem. It's this cat-and-mouse game. And so being aware of that traversal that is possible is kind of what we're trying to show people.
00:11:48:23 - 00:12:07:13
Steve Elovitz
Yeah, for sure. And I mean, what you're describing is basically the Scattered Spider attack, right? Yeah. They start getting access to environments. They log in to SSO, to Okta or similar, and, hey, look at all of this access that I have. What can I do with this application? What can I do with that application?
00:12:07:13 - 00:12:27:03
Steve Elovitz
And just continuing to spider out and move laterally, and it can be wildly impactful. Right. And for the same reason, what you were mentioning, we need to think beyond just domain admins when we think of privilege, right? We see attackers targeting developer workstations because they can get API keys, they can get access to CI/CD pipelines.
00:12:27:05 - 00:12:39:16
Steve Elovitz
You know, moving into cloud-native environments, you know, from the developer systems, giving them really substantial levels of access to accomplish their mission.
00:12:39:18 - 00:12:53:21
Justin Kohler
Yeah. Well, to be shared later, but we've had some really interesting research and stuff that we're doing on the kind of CI/CD stuff and assuming roles in the process. It's pretty eye-opening.
00:12:53:21 - 00:12:56:01
Steve Elovitz
And you're going to make me wait for it.
00:12:56:03 - 00:12:59:10
Justin Kohler
Yeah. It's all right. Okay. Not very... very, very fresh.
00:12:59:10 - 00:13:20:09
Jared Atkinson
Yeah, yeah. But it's an example of us leveraging red teams. Our red teamers find a new... so, again, obviously, we create BloodHound. And one of the things that we're constantly doing is trying to see where red teamers go off the trail. Right. So imagine that BloodHound is the map, right? But there's a famous saying: the map is not the territory.
00:13:20:11 - 00:13:40:15
Jared Atkinson
And the idea is that your map is a low-resolution representation of what's actually possible. And so we acknowledge that the BloodHound graph is always going to be incomplete. There's always going to be other opportunities. What we find, one of the things that we think is special about SpecterOps, is that our red teamers are constantly going out there, and of course they're going to use the map where it's reasonable and where it accomplishes their task.
00:13:40:15 - 00:14:06:08
Jared Atkinson
But sometimes, in order to reach our objective, they have to go off the trail, right? And what we like to do is bring that back into BloodHound, and we're able to make it to where now it's just the baseline of what everybody's able to see, right? And so we just had a recent red team where they were able to take advantage of some of the CI/CD pipeline, some of the different ways that people make it easier for your CI/CD pipeline to interact with other services.
00:14:06:10 - 00:14:14:21
Jared Atkinson
And it allows attackers who have control of, say, a GitHub repository to then take actions in other places.
00:14:14:23 - 00:14:32:16
Justin Kohler
And I'll say that, just like with OpenGraph, we've been doing a lot of internal modeling and stuff, and it's just eye-opening what you can see when you... you know, Active Directory is not unique in that it's complex. And once you can put a model to that complexity and see it visually, you're like, oh, I didn't mean to do that.
00:14:32:20 - 00:14:34:20
Justin Kohler
Like, that person should not have that.
00:14:35:01 - 00:14:41:12
Steve Elovitz
Especially an Active Directory that's been around for, like, ten, 15 years, you know. Yeah.
00:14:41:14 - 00:15:01:14
Jared Atkinson
I call that the entropy problem, right? So, like, a secure, least-privilege deployment is not the natural state of being, right? That's something that takes time, effort, attention to kind of make happen. And over time, as you stop paying attention, as you stop looking at it and understanding what's happening, there's a tendency to evolve towards chaos.
00:15:01:14 - 00:15:26:03
Jared Atkinson
Right? And so your Active Directory environment has been in chaos for decades. Your AWS environment maybe hasn't had as much time to decay. But I think AWS, Entra, all these big cloud providers are more complicated than AD. And so the tendency is that they are going to continue to decay. They have a little bit of an advantage in that it's easier for them to make security changes.
00:15:26:06 - 00:15:42:20
Jared Atkinson
Right? When you find a problem in Azure, Microsoft can just make that change and deploy it across the fleet. In AD that's a little bit harder because they don't have access to your on-prem environment. But, yeah, it's complicated. And as people add more stuff, it's just going to get worse and worse and more chaotic.
00:15:42:20 - 00:15:54:14
Justin Kohler
I saw a presentation recently where it was like, the count of Azure roles today is up to like 700. Like, try to make sense of that in your head. No, no possible way.
00:15:54:16 - 00:15:58:00
Jared Atkinson
Every configuration under the sun is possible, I guess. Right.
00:15:58:01 - 00:16:14:21
Justin Kohler
Steve, what do you think? Like, what are some misperceptions, either on the front end or post-IR, where people thought that the... yeah, problem was solved, like when they're trying to secure identity, maybe? Or they thought they had this problem solved, but clearly they didn't, because they're now in the situation where we're talking to you.
00:16:14:23 - 00:16:19:06
Justin Kohler
So, yeah. What kind of surprises on the identity side do you think?
00:16:19:06 - 00:16:48:01
Steve Elovitz
So I would say, you know, first, people are surprised that their MFA wasn't sufficient. Not all MFA is created equal. So, you know, we've experienced things as, you know, kind of low-end as email MFA. SMS MFA is very common, and we are seeing attackers that are reliably able to SIM swap and very easily circumvent SMS MFA.
00:16:48:03 - 00:17:10:12
Steve Elovitz
And, as we've mentioned, social engineering is getting easier and easier. So, you know, one-time PIN MFA is falling short as well, even with, you know, the device matching and everything, the number matching rather. So, you know, we want to see organizations move into much more resilient MFA device enrollment and registration,
00:17:10:14 - 00:17:36:20
Steve Elovitz
so we're really authenticating both the device and the user. Yeah. FIDO2 is obviously a best practice, and moving more in that direction. But even with that, you know, enrollment and recovery are also weaknesses. So, you know, you have your help desk, who you're paying to be helpful. You're training this help desk to help you reduce downtime and get your users back to productivity as soon as possible.
00:17:36:20 - 00:18:01:12
Steve Elovitz
So they're trying to be helpful, and they're very helpful when the attackers call them and say, I need access back to my account, potentially with a, you know, gen AI fake voice and video. Right. So how do we safely recover identities in our environment? I'd say another misconception is that, we have that account checked into PAM, so
00:18:01:12 - 00:18:15:18
Steve Elovitz
we're fine. The amount of times I've seen, you know, good PAM solutions that are hosted on Active Directory-joined machines, and attackers able to just log in to the underlying operating system that's hosting the PAM solution.
00:18:15:20 - 00:18:16:06
Justin Kohler
And then you.
00:18:16:09 - 00:18:22:22
Steve Elovitz
just dump out a database and take it home with you, you know.
00:18:23:00 - 00:18:41:21
Justin Kohler
Do you find, like, you mentioned the LSASS, like, attacker dumping credentials, right? And I think that's the one thing that we're trying to highlight to people is, yeah, move to strong MFA, but MFA is not a panacea. Like, you satisfy MFA and now you've dropped other auth material on that host.
00:18:41:21 - 00:18:52:18
Justin Kohler
You need to be aware of that. Like what we call identities-in-transit risk. Yeah. That post-authentication risk of an identity.
00:18:52:20 - 00:19:18:07
Jared Atkinson
I think one of the things that we see is there's an interest from... so actually, I'm phrasing this as a statement, but it's more of a question, Steve, because you have more experience with the IR piece. So I'm kind of stating my thoughts on it, but I don't know that it's actually true. I don't have any background to know this, but, like, it seems to be that there's a trend from attackers that they don't want to go on prem because, for instance, EDR is well known as being, like, this problem that they have to evade.
00:19:18:07 - 00:19:33:03
Jared Atkinson
And so if I don't have to go on prem, I'd rather not do that. And so a lot of the times when you start to push, like, this device-bound MFA, right, what you're doing is you're kind of forcing them back on prem, because if I compromise your computer, then I'm acting in the context of your device.
00:19:33:03 - 00:19:50:13
Jared Atkinson
And so that neutralizes that capability to some degree. But that actually brings you back onto the home field, right? So now, as a defender, I have an advantage. And, like, I'm more interested in you being on prem to some degree, right? Because I have an advantage there, as opposed to just being on the internet, because I don't even have visibility a lot of times into what's going on there.
00:19:50:16 - 00:20:19:10
Steve Elovitz
I mean, I would say it completely depends on the attacker. You have your opportunistic ransomware operators, which I think is most organizations' concern, right? What most organizations have the most to be worried about. And, you know, they're going to basically do a broad-based attack and then land and operate wherever they grab a foothold. As we discussed with FIN11, you know, some of them are capable of doing it without landing on prem at all and have a very effective attack.
00:20:19:12 - 00:20:42:07
Steve Elovitz
Others are going to operate primarily once they get access to an on-prem environment. You know, obviously I want to expose as little as I can to the internet. I want to set up a SASE or something similar to really restrict that into an identity perimeter within a trusted network as well, instead of having something broadly exposed to the internet.
00:20:42:09 - 00:21:09:08
Steve Elovitz
But then you have your more advanced attackers. I'm thinking of your Salt Typhoons, who will operate almost exclusively on network infrastructure, VMware hypervisors, etc. And then, more recently, UNC5221, which I think is Storm-2416, and the BRICKSTORM attacker activity. Again, really, really advanced, lots of on-prem activity, but primarily on systems that don't support EDRs.
00:21:09:10 - 00:21:13:23
Steve Elovitz
Right. You know, you can't install an EDR on your firewall.
00:21:13:23 - 00:21:16:23
Jared Atkinson
Solaris machines or whatever. Yeah.
00:21:17:01 - 00:21:23:08
Steve Elovitz
And, you know, they operate from there, where it's so much harder to detect them, because then you don't have to worry about evading.
00:21:23:10 - 00:21:44:01
Jared Atkinson
One of the cool things that we're starting to see with BloodHound OpenGraph, which is basically the ability for the community to extend BloodHound, is somebody wrote an extension called vCenterHound. And so that's able to kind of map out the attack graph within the context of, like, VMware ESXi cluster deployments.
00:21:44:01 - 00:22:03:23
Jared Atkinson
Right. And so then the idea is, as I said, if you have a VM that's your domain controller, if I have access to your hypervisor, as you were kind of referencing, I now have access to your domain controller, but it's outside the purview of what you would typically see. We also had somebody from our team, Remy, who just released ShareHound yesterday, which is the ability to view your network
00:22:03:23 - 00:22:21:12
Jared Atkinson
shares. So when you're talking about ransomware, it's not just about can you laterally move to a computer; it's do I have the ability to write to the C$ share? Yeah. And if the answer is yes, I don't even need to go there. I can just overwrite everything. But, I don't know if this was a Typhoon, but there was that big, kind of like, telecom infrastructure
00:22:21:17 - 00:22:41:19
Jared Atkinson
problem. Was that Salt Typhoon? Yeah. So I was at the CISO session at Black Hat this past August, and one of the Canadian telcos' CISO was speaking, and he was kind of, like, talking about what was going down. And it was interesting because it's like they got control of the TACACS+ kind of, like, infrastructure.
00:22:41:19 - 00:22:58:09
Jared Atkinson
And so the cool thing would be, what if you did a TACACS+ BloodHound OpenGraph extension, right, to see who can log in to what and all that kind of stuff? The problem is I'm very ignorant of what that setup even looks like, so I don't even know where to begin, to be honest. But, you know, hopefully somebody out there understands it and can bring that into OpenGraph.
00:22:58:09 - 00:23:10:01
Jared Atkinson
And then you can start to see, you know, who has access to what, where, and what does that look like? Right. Because I'm sure, talk about entropy and old infrastructure, that is as old as it gets, probably.
00:23:10:03 - 00:23:37:22
Steve Elovitz
Yeah. And hopefully we've, you know, decided to vault some of those appropriately. And, you know, what we really hope to see more organizations doing is moving much more of their privileged access, and I'm speaking both back on Active Directory as well now, yeah, to kind of that just-in-time provisioning, so that they're able to check out an account and have it expire, you know, after they've used it.
00:23:38:00 - 00:23:53:01
Justin Kohler
Yeah. That reminds me of, like, Azure's, like, syncing, you know, privileged roles to on-prem Active Directory objects, which Microsoft tells you not to, but everybody does. And so, like.
00:23:53:03 - 00:24:04:02
Steve Elovitz
Yeah, the so-called AD Connect. Or is it, like, Azure Connect now? But so many times we have a global admin that's synced to a domain admin, and an attacker, or
00:24:04:02 - 00:24:06:10
Justin Kohler
just a regular user, just a regular user. Yeah.
00:24:06:10 - 00:24:08:08
Steve Elovitz
becomes a global admin, is the problem.
00:24:08:11 - 00:24:25:17
Jared Atkinson
This is the problem of least privilege, is that we all think that we're doing least privilege, but we're doing... I like to call it enough privilege, which is where you think you're starting with no privilege. But that's not actually true, right? You're starting with something, and then what you do is you keep adding one more thing until you can accomplish whatever the task is that you were hoping to accomplish.
00:24:25:20 - 00:24:37:21
Jared Atkinson
And then you're like, I'm good to go. But the problem is that you don't know that everything that you added is actually necessary, right? And so it's just, you know, one extra privilege at a time, but you do it a million times and you've got major problems.
00:24:37:23 - 00:24:56:11
Steve Elovitz
At least the, you know, domain admin user account, the global admin account. You know, I like to see organizations moving more towards kind of a zero standing privilege concept. Yeah. Where, you know, the legacy way of doing it is every domain admin, every sysadmin has their own domain account. So it's really flipping that on its head.
00:24:56:11 - 00:24:58:23
Steve Elovitz
And, you know, kind of removing all of that.
00:24:59:01 - 00:25:18:01
Justin Kohler
Sure. Yeah. You're using role-like, eligible roles and elevating based on, like, cap and stuff. But even then you really shouldn't be syncing those user objects. It's funny because you can implement kind of, quote unquote, perfect security in any one platform and then undo it because you're syncing between the two of them. Right.
00:25:18:01 - 00:25:40:04
Justin Kohler
And in ways that the vendor themselves, Microsoft, tells you not to, or, you know, like what we see with CI/CD and, like, other cloud providers, you're hooking these things up together and having unintended consequences, where in silos they look actually okay. I'm curious, by the way, the person who created that vCenterHound, just because we plug them more,
00:25:40:04 - 00:26:07:15
Justin Kohler
Daveed, I think I pronounced his name correctly. Okay. Yeah. So he's created a couple. They're pretty cool. Curious, Steve, you've obviously used BloodHound in the past. Curious where you see it being helpful. Like, we were talking in kind of this meeting, and, like, either during the incident or post, and it's like, it's really not about during the incident, but maybe there are other uses for it.
00:26:07:17 - 00:26:31:11
Steve Elovitz
Yeah. So during the incident, I tend to want to much more use a sledgehammer than a scalpel, especially if we're talking, you know, a ransomware actor who's yet to actually encrypt the environment. I'm going to want to go through and let's start de-privileging basically every account and start issuing new privileged accounts.
00:26:31:13 - 00:26:54:22
Steve Elovitz
I wouldn't really reach for BloodHound in that situation, but if I'm going in before the incident, which hopefully is where we are, then BloodHound Enterprise is a great tool for me to actually be able to visualize for a customer: here's all the paths that you can get to your critical assets, right? Here's kind of the Google Maps that an attacker can follow to go from workstation and escalate privilege.
00:26:55:04 - 00:27:16:14
Steve Elovitz
And, you know, I've heard it called, like, the 70/70% problem, where 70% of the standard users are able to escalate to domain admin because of, hey, there's this delegation over here. And maybe it's something that was created 12 years ago for a printer application or something that's not needed. But just the ability to visualize and demonstrate.
00:27:16:14 - 00:27:25:07
Steve Elovitz
Hey, if we cut this one link here, we're mitigating all of this problem, is just tremendously powerful.
00:27:25:09 - 00:27:45:07
Justin Kohler
Yeah. I've been trying to say, it's funny because I feel like we have to try new ways of explaining this to people. Whether you're new to BloodHound Community Edition or Enterprise, it's like, you're trying to do all this effort in, you know, vaulting identities, which you should do. You're deploying EDR to detect them in motion.
00:27:45:07 - 00:28:07:11
Justin Kohler
You're deploying it to detect them in motion. I'm literally telling you, I have a map that shows you how that's going to happen. Yeah. Please use the map to shut down. What? And, again, like you said, in most cases, especially in an Active Directory environment, these are legacy things that nobody uses anymore, or is just unaware of.
00:28:07:13 - 00:28:09:16
Jared Atkinson
And honestly, it's just so difficult to unravel.
00:28:09:16 - 00:28:10:21
Justin Kohler
All the, yeah.
00:28:10:23 - 00:28:32:21
Jared Atkinson
Implications of any given privilege. Right. So, you know, it could be nesting of groups. It could be, you know, you gave this privilege on this computer, and then that computer has a bunch of users logged in, and then you have control of those users. It's just, you can't possibly, like, comprehend the complexity of the system just in your head.
00:28:32:21 - 00:28:34:17
Jared Atkinson
You can't keep track of it. There is too much going on.
00:28:34:18 - 00:28:35:21
Steve Elovitz
I think that is so.
00:28:35:21 - 00:28:36:20
Justin Kohler
Much of it. Right?
00:28:37:00 - 00:28:37:19
Jared Atkinson
Yeah.
00:28:37:21 - 00:29:05:12
Steve Elovitz
And so many, say, like, IT leaders are used to just receiving a list of things to remediate. Right. I have a list of vulnerabilities to patch. I have a list of, you know, updates to push. Here's a list of, you know, delegations that are, you know, maybe old or overprivileged. And then changing that to the map and showing the visual really helps you articulate the business risk.
00:29:05:14 - 00:29:30:11
Steve Elovitz
And in a much more digestible way, especially when you specifically name and label your critical assets at the top there and show that graph. And I actually find it very, you know, enjoyable when I see an organization that's cleaning that up and you get to see the before and after there.
00:29:30:12 - 00:29:49:15
Steve Elovitz
And especially, like I mentioned, with our selection bias, a lot of times we walk in and have a very flat environment before an incident, and then afterwards we can start setting up, you know, the authentication tiers and enforcing through, like, AD silos and really showing that big of a difference.
00:29:49:17 - 00:30:07:18
Jared Atkinson
Yeah. One of the things that we find with the list that becomes a problem is, if you just do the raw numbers of, like, exposure. So exposure is how many users have access along this path; it's kind of, in our parlance, one of the problems with the list is that that configuration that creates all this exposure may be necessary.
00:30:07:19 - 00:30:33:04
Jared Atkinson
Right. And so then the question is, okay, well, I can't get rid of that. What should I do next? And what we find is the overarching graph allows you to go forward or backward, kind of like along the attack path, and then find alternative options. Right. So it's like, just because you can't fix this thing downstream doesn't mean that I can't go upstream and find some other place where something is misconfigured in a way that maybe I don't need that, and it might not create all the risk, but it creates some portion of the risk, or.
00:30:33:05 - 00:30:36:11
Steve Elovitz
Yeah, risk. Just gotta find the right choke point.
00:30:36:12 - 00:30:36:21
Jared Atkinson
That's right.
00:30:36:21 - 00:30:54:17
Justin Kohler
Yeah. It was funny because I had a client, an account, that I was working with today, and we had this path that went from authenticated users on the on-prem side to global admin on the Azure side. And it's like, okay, we can agree that this is bad.
00:30:54:19 - 00:31:19:03
Justin Kohler
And I would say that you would want to cut it here and here at the end. But there's also probably spots in the middle, because there were some helpdesk groups that through nesting actually had the ability to reset and fully control this account. So, I won't say more, but it seemed like a privileged account that you did not want your generic helpdesk group to have access over.
00:31:19:03 - 00:31:38:17
Justin Kohler
I was like, so you probably want to look at that, too. And there's actually some cool things that we've introduced into what I'm like with privilege zones, so allow you to, like, model those, not just the super admin layer, but, like, the other layers. But beyond that, again, it's like people can get stuck with a list, saying, like, well, I can't fix that.
00:31:38:17 - 00:31:51:02
Justin Kohler
So I'm going to move on. And it's like, no. Again, we said that this is bad. This situation from zero to hero is bad. So then there's probably a method on that path that you can remove.
00:31:51:04 - 00:32:12:06
Steve Elovitz
Yeah. I mean, 100%, there's always multiple ways that you can mitigate an issue. We also have clients really hyperfocus sometimes on that global admin, domain admin. And they overlook some of those, you know, the damage that can be done with a user account that can, you know, modify or create GPOs, or server admin accounts.
00:32:12:06 - 00:32:25:08
Steve Elovitz
Right. There's accounts that can log in to your VMware hypervisor. Right. As you said earlier, yeah, that's a highly privileged account in your environment. Accounts that can log into your EDR, highly privileged.
00:32:25:11 - 00:32:25:22
Justin Kohler
Oh, yeah.
00:32:26:01 - 00:32:48:11
Jared Atkinson
Yeah. Last thing you want is for, like, 100% exposure. Every user has an attack path to log in to your EDR. That would not be a good thing. Yeah. Awesome. Well, Steve, I think we're reaching kind of, like, the time limit, but we wanted to make sure that you had a chance to kind of add anything that we may have missed or haven't touched on, and kind of give you the last word.
00:32:48:12 - 00:33:06:17
Steve Elovitz
Yeah. I think that, you know, I hope more people start looking at identity as a way to segment their environment. I mean, network segmentation is great as well. You know, there's a lot of ways, like workstation-to-workstation communication can almost always be eliminated, and it rarely is. So there's a lot of network layer things we can do.
00:33:06:17 - 00:33:39:21
Steve Elovitz
But, you know, I find that the tools that exist for identity layer segmentation are very powerful and very often overlooked. So I would really encourage more people to start thinking that way and thinking through attack paths and how an attacker can move laterally through an environment, as these are humans capable of creative thought, and many of the attackers we go up against are very skilled, very creative, and can get through an environment faster than many defenders would believe.
00:33:39:23 - 00:33:55:18
Jared Atkinson
Yeah, I think that's one thing that our organizations have in common: we try to view the world through the eyes of the adversary. Right. You from the view of IR. And I mean, you have red teams as well. And so you're kind of seeing, how does the bad guy see this and what are they going to do?
00:33:55:19 - 00:34:15:09
Jared Atkinson
And we, from the red team perspective as well, are trying to understand their perspective, not necessarily what the administrator intended, but what the attacker has afforded to them. Right. And that's kind of the direction that we go. And I think it's useful. And I think more people need to kind of understand that perspective.
00:34:15:11 - 00:34:19:00
Steve Elovitz
Well, thank you both for the invite. This was a great conversation.
00:34:19:01 - 00:34:20:22
Jared Atkinson
Yeah. No problem. Thanks to,
00:34:21:00 - 00:34:27:22
Justin Kohler
You guys, this team is, like, the scope is incredible. So it's awesome to hear your thoughts here.
00:34:28:00 - 00:34:33:10
Jared Atkinson
All right. Thanks again. We'll see everybody next time. Thanks for coming to the Know Your Adversary podcast.