Episode 1: Setting the Stage

September 22, 2025

Host

Jared Atkinson

Chief Technology Officer,
SpecterOps

Host

Justin Kohler

Chief Product Officer,
SpecterOps

Know Your Adversary
In the very first episode of Know Your Adversary by SpecterOps, Chief Product Officer Justin Kohler and Chief Technology Officer Jared Atkinson pull back the curtain on how BloodHound came to be and why attack path management is more critical than ever.

They trace BloodHound’s roots from a red teamer’s Excel-driven struggle to its evolution into a revolutionary graph-theory tool that changed how defenders and adversaries alike understand identity-based attack paths. Along the way, they explain what an “attack path” really is, why attackers rarely land where they want to, and how pivoting across identities and computers creates endless opportunities for compromise.

00:00:13:14 - 00:00:17:13
Justin Kohler
Welcome to the first episode of the Know Your Adversary podcast by SpecterOps.
00:00:17:17 - 00:00:25:05
Justin Kohler
My name is Justin Kohler. I'm the Chief Product Officer at SpecterOps, that's over primarily BloodHound and BloodHound Enterprise, and I'm joined by Jared Atkinson.
00:00:25:07 - 00:00:36:05
Jared Atkinson
I'm the Chief Technology Officer here at SpecterOps, primarily in charge of research and development. So kind of expanding the graph, building new tradecraft for new platforms, and trying to make BloodHound more comprehensive.
00:00:36:07 - 00:01:10:28
Justin Kohler
So we wanted to start this podcast because there's a long history here at SpecterOps of exploring attack paths and demystifying adversary tradecraft, whether that be through blogs or other open source projects or some of the services and products that we offer. And we kind of wanted to start from the beginning, explain why now, and then we have some focus that we want to put on a new State of the Attack Path Management report, where we've explored a bunch of different spaces within attack path management, how to operationalize it as a practice, and some kind of new tradecraft that we're seeing emerge in the field.
00:01:11:01 - 00:01:29:05
Jared Atkinson
And maybe we can start with a little bit of history about BloodHound, where that came from, this idea of what attack path management is, what attack paths are. Yeah. Going back almost ten years now, Andy Robbins, Will Schroeder, and Rohan Vazarkar, some of the co-founders of SpecterOps, created this open source project called BloodHound.
00:01:29:08 - 00:01:54:20
Jared Atkinson
The origin of that is they were all red teamers, and they found themselves in a predicament during a red team against a conglomerate-based customer. Right. So a customer that had many different domains, many computers, we're talking hundreds of thousands of computers. And kind of before BloodHound, there used to be this exercise where you collect a bunch of data, throw it into an Excel spreadsheet, and you'd have to use pivot tables and really cross-reference that data.
00:01:54:20 - 00:02:01:05
Jared Atkinson
And it became very difficult once you start to get to these gigantic scales of these Fortune 100 type organizations.
00:02:01:05 - 00:02:07:01
Justin Kohler
And in Excel, you're just trying to track, like, I have access to this thing, and I'm trying to go here, and it's kind of a guesswork, right?
00:02:07:01 - 00:02:29:05
Jared Atkinson
Yeah, maybe it's worthwhile for us to start talking about kind of what the typical attacker approach would be. So imagine that I'm an attacker and we're using this assume breach mentality, right? So attackers would leverage some sort of client-side exploit. Right. So that would be something like phishing, maybe some sort of drive-by download, maybe some sort of password harvester of some sort.
00:02:29:08 - 00:02:45:14
Jared Atkinson
And they would get initial access. One of the problems that attackers have is that that initial access is relatively arbitrary. Right. So I send a phishing email to 100 different users within an organization, and I'm hoping that somebody clicks, but I don't have control over who's going to click. I have control over who I send the email to.
00:02:45:16 - 00:02:51:04
Jared Atkinson
But generally I'm sending it to a wide variety of people hoping to get at least access to one computer.
00:02:51:04 - 00:03:08:19
Justin Kohler
And occasionally you can strike gold, right, and hit, like, okay, I got exactly who I was trying to target and I immediately have administrative access, but that's like the hardly perfect example. Yeah, usually you're landing on some low privilege user or host, and then you're trying to find your way to your objective.
00:03:08:19 - 00:03:29:00
Jared Atkinson
Yes. Yeah. And the way you do that is you say, okay, I have access to this computer as this user. And so then you have kind of two identities that you're interacting with. Right. So the user identity and the computer identity. Yeah. And then you start to ask questions like, given the identities that I currently control, what resources on the network do I have access to?
00:03:29:02 - 00:03:49:26
Jared Atkinson
When BloodHound was first created, it was very narrow in scope. Right. So we were talking about user identities, computer identities, and groups. Right. So it's just three different components. So I'm a user. What groups am I a member of? What computers do those groups afford me access to? Right. Which ones do I have admin access to?
00:03:49:29 - 00:04:11:18
Jared Atkinson
When this was an Excel spreadsheet, or even before the Excel spreadsheet, you would kind of do a guess-and-check exercise, which is: I'm user A, I have access to computers X, Y and Z. Right. And so then I'm going to pick one of those arbitrarily. I'm going to pivot to those computers. And I'm going to ask who's logged on to these computers, what access, what computers do those users have access to.
00:04:11:18 - 00:04:26:05
Jared Atkinson
And it was kind of this guess-and-check problem. But the issue became when you would get five hops deep and then you realize you hit a dead end, right? Yeah. Now you either go all the way back, or maybe you go back one half and kind of redo this exercise.
00:04:26:05 - 00:04:27:25
Jared Atkinson
And it became very difficult.
00:04:27:25 - 00:04:53:04
Justin Kohler
Time consuming. Yeah. So then, long story short, they create BloodHound, which does this all through graph theory. And it's just like Google Maps, right? I'm here and I want to go here. And rather than guesswork, it just plots a route for you. And if you've seen the DEF CON video, one of my favorite videos, the DEF CON video where they released BloodHound back in 2016, you can kind of see how revolutionary that was at the time.
00:04:53:06 - 00:05:09:07
Justin Kohler
Now we're talking about Active Directory and computers and users, because that's where it started. And that's where the base of the tradecraft was at the time. But this expands way out, and we've seen that today, and we're going to explore some of that in these first few episodes. But this is not necessarily just an Active Directory focused episode.
00:05:09:07 - 00:05:16:17
Justin Kohler
That's just where we started, because everybody's identities were in Active Directory. Those are spread way, way beyond that at this point.
00:05:16:17 - 00:05:43:02
Jared Atkinson
Maybe we could take that and say that's kind of what attack path management is, which is, I'm an attacker, or, that's what an attack path is. So I'm an attacker. I have access to a computer and I have control over an identity. How do I leverage that to then progress towards my ultimate objective? Right. Maybe the way that we start to look at BloodHound from kind of an enterprise approach is something we call attack path management, which is flipping the problem on its head, which is, how do we...
00:05:43:02 - 00:05:54:27
Jared Atkinson
By understanding how attackers are going to traverse through your environment, how do we then leverage that information to secure the systems or the resources that are most critical to the business?
00:05:54:27 - 00:06:12:15
Justin Kohler
Yeah. And, you know, when they created BloodHound, they kind of stumbled on a whole new problem. It's not like there was only one path in the network and BloodHound was really useful to find that one path. There's literally hundreds of thousands, if not millions, of paths. So then it was a different problem. It's like, well, how can we fix all of these?
00:06:12:15 - 00:06:33:03
Justin Kohler
Right? Like, these attack paths are ways that you pivot from one identity to another resource, to another identity, to another resource, and then eventually take over the environment. So we need to prevent this somehow. So how would you do that? Well, you flip it in reverse, like Jared was saying, and start talking about what your critical assets and identities are, and those with full control over the environment.
00:06:33:05 - 00:06:53:01
Justin Kohler
And then work backwards. So what attack paths are there to that source? Now, we found out in the early years that that's really hard to do manually. SpecterOps tried for four years to do defensive work, you know, manually with the BloodHound open source project at the time. And it was a lot of guesswork.
00:06:53:01 - 00:07:20:02
Justin Kohler
It was really time intensive. But there was a need. There was a need to shut these down at scale and to find specific ways, or choke points, where we could do that, like fix one and drop many. So that's where the whole attack path management practice came from, where we understood and mapped all those attack paths and then prioritized attack paths like a choke point, which is a concentration of privilege and allows you to cut off a lot of the attack paths at once.
00:07:20:05 - 00:07:38:05
Justin Kohler
So that was the practice that came out around 2021. And then we released BloodHound Enterprise. But the two are distinct. BloodHound Enterprise is a tool to do it, but there are other products in that space. So the practice is attack path management, as we described, because there's really nothing here. It's not Active Directory security, because it goes beyond that.
00:07:38:05 - 00:07:56:20
Justin Kohler
It's not Azure. It's not Microsoft. I mean, any identity provider will have this problem. So the practice as a whole is something that we want to really make sure is understood. People are at differing levels of maturity on understanding the problem and how they would tackle it. And so that's kind of part of the purpose of this.
00:07:56:22 - 00:08:16:03
Jared Atkinson
Yeah. So one of the things that we're going to really focus on over the first few episodes is the State of Attack Path Management report. So SpecterOps recently put together a report that's delving into attack path management as a problem. We're going to explore it from a red teamer's perspective. We're going to explore some of the attack path management theory.
00:08:16:03 - 00:08:43:25
Jared Atkinson
We're going to explore different trends that we're seeing amongst customers, to see how they can leverage tools like BloodHound or attack path management as a practice to really understand and make their environment more difficult for attackers to attack. Right. We're going to dig into all these different topics with a bunch of different experts throughout SpecterOps who have different experience and perspectives on the problem set and where they're going to go from there.
00:08:43:25 - 00:08:51:01
Justin Kohler
So thank you for joining us for this first episode of the Know Your Adversary podcast. We're excited to get started and explore the space with all of you.