Episode 10: Siemens Healthineers with Special Guest Javier Azofra Ovejero

April 10, 2026

Host

Jared Atkinson

Chief Technology Officer,
SpecterOps

Host

Justin Kohler

Chief Product Officer,
SpecterOps

Guest

Javier Azofra Ovejero

Head of Continuous Assessments,
Siemens Healthineers

In this episode of Know Your Adversary, Jared Atkinson and Justin Kohler are joined by Javier Azofra Ovejero, Head of the Continuous Assessments team at Siemens Healthineers. Javier shares how his team approaches measuring and improving security posture across a large enterprise environment, with a particular focus on identity risk and continuous assessment.

The conversation centers on a project Javier and his team built to integrate CyberArk data into BloodHound using OpenGraph. By connecting privileged access management data with identity relationships in Active Directory, the team uncovered previously hidden attack paths that cross platform boundaries. The group explores how these identity relationships can unintentionally connect low-privilege users to highly privileged accounts through PAM systems, and why those paths often remain invisible when teams only analyze a single platform at a time.

Along the way, they discuss the operational challenges of modeling identity relationships across systems, the importance of visibility into hybrid identity graphs, and how security teams can use that visibility to identify and remediate risky privilege paths before attackers find them.

00:00:12:04 - 00:00:15:19
Justin Kohler
Welcome back to the Know Your Adversary podcast. My name is Justin Kohler.

00:00:15:23 - 00:00:16:23
Jared Atkinson
And I'm Jared Atkinson.

00:00:16:23 - 00:00:26:06
Justin Kohler
And today we're joined by Javier Azofra from Siemens Healthineers. Javier, would you want to do a quick intro and what you do at Siemens?

00:00:26:08 - 00:00:55:08
Javier Azofra
Okay. First of all, I'm really honored to be here. Thank you for the invite. I'm the head of the continuous assessments team in Siemens Healthineers. So we try to identify and determine our security posture in different parts of our infra and different parts of our company. So I lead a small team in Healthineers, and one of the things that we do is identity continuous assessment, and later on, on other topics.

00:00:55:13 - 00:01:10:10
Justin Kohler
What are some of the other tools used? So you've used BloodHound before, before you used BloodHound Enterprise. So for full disclosure, Javier is a BloodHound Enterprise customer, but before that, you were using BloodHound. And what are some of the other tools, just to give a sense of the problems that you guys have to solve?

00:01:10:11 - 00:01:36:12
Javier Azofra
Yeah. So when I joined, to be fair, when I joined the company, some of my colleagues, they were already focused on AD security, and they were using basically like PowerShell scripts and really manual stuff. But I was enough back then. And then we started using PingCastle, mainly. Then we tried to automate that, and then we moved to trying Purple Knight.

00:01:36:12 - 00:01:47:20
Javier Azofra
And that's all the tools, like where they are. And we thought they were interesting. And at some point we started with BloodHound. I'm talking about the one we call legacy. I don't know what the official one is. Yeah, yeah.

00:01:48:00 - 00:01:49:00
Jared Atkinson
That's what we call it.

00:01:49:01 - 00:01:49:06
Justin Kohler
Yeah.

00:01:49:08 - 00:02:12:21
Javier Azofra
So like, yeah, the first one. So we started using that and then we realized that it was like too much for us, to prioritize and to, let's say, deep dive on everything that we were seeing, and like building the whole graph and collecting every day. So we tried to automate and prioritize all of that.

00:02:13:03 - 00:02:20:18
Javier Azofra
And by the time we finished, you guys released Community and Enterprise. So we had to then evolve from there.

00:02:20:20 - 00:02:39:06
Justin Kohler
So then, and you guys have a red team, but you're not part of that team? No, that's a separate team within the company. Cool. Yes. And then, you're here because you created a really cool integration with one of your coworkers, on CyberArk and getting visibility into that. And we're going to dive all into that.

00:02:39:08 - 00:02:50:23
Justin Kohler
But at a high level, why did you want to do that? Like, if you could give some background on what problem you were trying to solve with CyberArk, and then I'm going to ask you some specific questions just on the layout of CyberArk as well.

00:02:50:23 - 00:03:29:03
Javier Azofra
Okay. Okay. So basically, when we started with Enterprise, we were seeing that our overall posture was really, really good. And the findings and everything that we were seeing, and everything that the red team was seeing, and, you know, like everything was really, really well protected in our opinion. But this bridge between AD and Entra ID and CyberArk was like this interaction between the identity graphs, if you can phrase it that way.

00:03:29:03 - 00:03:51:14
Javier Azofra
But that's how we think about it, like these identity graphs, those bridges, we were missing that. So AD and Entra ID, you guys did that with AzureHound. So that's done. But AD and CyberArk, that's something that we really use CyberArk for, not only admin accounts but credential secrets, database credentials, whatever.

00:03:51:16 - 00:04:11:05
Javier Azofra
So that's our bridge that we didn't have visibility into. We could only see what we had in CyberArk, but maybe not all the unintended relationships and not all the hidden relationships. And that's why we tried to build this connector, to try to sync that info with the graph that we already have in place in Enterprise.

00:04:11:07 - 00:04:14:19
Justin Kohler
And who owns CyberArk? Siemens?

00:04:14:21 - 00:04:15:16
Javier Azofra
In our company.

00:04:15:16 - 00:04:16:02
Justin Kohler
Is a different...

00:04:16:02 - 00:04:16:15
Jared Atkinson
Team.

00:04:16:17 - 00:04:26:20
Javier Azofra
Yeah, yeah. It's part of the infra team. So CyberArk operations is part of the infra team, but it's managed by identity management.

00:04:26:22 - 00:04:28:11
Justin Kohler
Cool. And then you cooperate...

00:04:28:11 - 00:04:31:20
Javier Azofra
Together a lot. So they're our neighbors.

00:04:31:22 - 00:04:53:20
Justin Kohler
And CyberArk is probably one of the best, or top three, obviously well-known privileged access management tools. And so you probably have a lot of people who understand how CyberArk works, but for those that use maybe a different platform or don't use a platform at all, can you describe how CyberArk works, like the breakdown between a user, an account, a safe, you name it?

00:04:53:21 - 00:04:54:12
Justin Kohler
Okay.

00:04:54:14 - 00:05:22:08
Javier Azofra
Yeah. So, like, you have mainly, I would say, six important entities. Not all of them are in our collector. So I would try to guide you through that. So the first, like most basic but also really important, is users slash groups. Okay. So these are like the identities, like the users or groups that can be LDAP slash AD integrated or maybe local only to CyberArk.

00:05:22:10 - 00:05:44:21
Javier Azofra
These are the entities that then you use to, let's say, map system level permissions or safe level permissions. And you can also say, like, if you want to have MFA enforcement, if you want to have the different authentication methods, route membership delays, LDAP directory, whatever.

00:05:44:21 - 00:06:12:01
Javier Azofra
Right. So that's the basic entity. Then you have safes. A safe for me is like, I don't know, like key vaults in Azure or AWS KMS, like, that's like the logical container in which you store your credentials, like your privileged account credentials. Okay. These safes enforce access control, and only certain users and groups with certain permissions can access those.

00:06:12:05 - 00:06:27:05
Javier Azofra
So we don't have every permission mapped 1 to 1 to every edge. So there's not. But we use those permissions and those relationships to map some of the edges that we have in the collector. Okay.

00:06:27:07 - 00:06:45:18
Jared Atkinson
That's a common design pattern, by the way, where you kind of start with the things that you know are valuable, the permissions that are valuable, because a lot of times the full complement of all the permissions is just overwhelming. And sometimes they could mislead people into thinking that there's something going on.

00:06:45:20 - 00:07:10:01
Jared Atkinson
And so there's a tendency, when we're designing graph models, to identify what are the edges that we know are useful or traversable, or at least contribute to traversability. Yeah. And let's include those in the model. But then other things we will ignore on purpose because, not that they're not useful, it's just that we don't know explicitly that they are useful.

00:07:10:01 - 00:07:13:10
Jared Atkinson
And so, we have a tendency to kind of add to that over time.

00:07:13:10 - 00:07:33:06
Javier Azofra
You know, we tried to simplify. One example is like, okay, I can add members to a safe or I can manage safe members. So for us that's "you can grant access to a safe", right, for example. So we simplify that into "can grant access to safe". But maybe it's not exactly the same thing in the documentation from CyberArk's side. Right.

00:07:33:07 - 00:07:41:00
Javier Azofra
But for us it means the same traversal path. Like, you can add a user that didn't exist before in that safe, right?

00:07:41:02 - 00:07:47:13
Justin Kohler
Yeah. For your concern, you can get access to a credential that is sensitive and you just want to understand how to do that.

00:07:47:15 - 00:08:08:17
Javier Azofra
It's like, yeah. So we have users and groups, we have safes, and then we have accounts. And this is like a misconception that when I was going through the documentation, I was like, really, like not complex, but like we mix accounts and users sometimes. So for CyberArk, accounts are the actual credential objects stored in safes.

00:08:08:19 - 00:08:34:17
Javier Azofra
So not the user, not the group, but the actual credential. It can be a service account, domain account, local account, SSH keys, database credential, IAM keys, whatever. Here we received the other day a pull request from one of your clients that wanted to map accounts to local accounts. We were only mapping accounts to domain accounts.

00:08:34:17 - 00:08:44:10
Javier Azofra
For example. So that's, I mean, I think the possibilities are infinite because every company stores different types of credential objects. But that's what we have.

00:08:44:12 - 00:08:55:02
Jared Atkinson
Does the account object have, I imagine, like a username, a password, and probably like a URL? Or like, how do you...

00:08:55:04 - 00:09:25:03
Javier Azofra
Yeah, you have platforms, which are like policies. So okay. They are templates. It's like the same. The next entity after accounts that is important, in my opinion, is platforms. Platforms are the templates that define how accounts behave. So how frequently they rotate, complexity requirements, the connection methods, where you can connect, like PSM, not PSM, which CPM, which is the Central Policy Manager, which CPM handles or not.

00:09:25:05 - 00:09:40:13
Javier Azofra
So that's like all the things that are attached to the accounts apart from, you know, the actual credential material, like username and password, I mean, which is like the simple thing you can think of when you think of accounts.

00:09:40:15 - 00:09:49:02
Jared Atkinson
And so would I expect a platform to identify the AD domain, for instance, that the account corresponds to?

00:09:49:04 - 00:10:14:01
Javier Azofra
Not really. So in CyberArk that's usually mapped to address. Okay. Platform is like, I don't know, like a template you use, like, I don't know, five days tier one infra. And that's like your template. And that dictates that you cannot use PSM everywhere. You can only use it here.

00:10:14:03 - 00:10:23:21
Javier Azofra
This complexity, these requirements, voilà. And in the address, which is like a property of the account, then you can identify the domain. Perfect.

00:10:24:02 - 00:10:51:10
Jared Atkinson
Perfect. Okay. Well, that's one of the things with hybrid edges. So for those listening, a hybrid edge is when you're connecting a node in one platform, say CyberArk, to a node in a different platform, that might be an AD domain, for instance. It's sometimes very difficult because both sides of the relationship will often have perspectives and they'll have some information, but frequently neither side has all the information.

00:10:51:10 - 00:11:07:00
Jared Atkinson
And so it becomes this situation where it's like, I know there's an account that's an AD account, but I don't necessarily know what AD environment it corresponds to. Or maybe I have an account name, but I don't have the SID that is associated with, let's see, the unique identifier. And so sometimes that's a challenge that...

00:11:07:00 - 00:11:38:07
Javier Azofra
Has, you know, happened to us between different environments and with other connectors that we've been trying or we've been developing. We also tried, for me it's like a crazy approach and it doesn't scale because of time, but you can go to BloodHound Enterprise and request objects that are named like, or that have an attribute like, and then see that the object exists and then map that relationship if that exists. That is complex computationally or like time-wise.

00:11:38:07 - 00:11:45:11
Javier Azofra
But it also can give you like, I don't know, more deterministic mapping. Right.

00:11:45:13 - 00:12:08:05
Justin Kohler
As an aside, that problem, the different ways of matching or similar entities, we are working on that problem. We should have some really good updates around the second or April timeframe for how we're going to fix that, basically. Not every, like, they just described the problem, but can we use properties on the user or the identity itself to match?

00:12:08:05 - 00:12:11:18
Justin Kohler
So like an email address for example. Yeah, we can just tie those users together.

00:12:11:23 - 00:12:13:21
Javier Azofra
So yeah.

00:12:13:23 - 00:12:29:18
Justin Kohler
So you gave us a breakdown of CyberArk. So what was the first question you wanted to answer? Like, what was the thing that you were like, when I built this, when I had visibility of the edges and nodes in CyberArk, and now I can see the relationships. What was the first thing you were like?

00:12:29:20 - 00:12:30:16
Justin Kohler
Curious?

00:12:30:18 - 00:13:21:16
Javier Azofra
I think our first, I remember I used to say, like, operationalize the CyberArk collector. So now what? How can we operationalize that? And I think it's an open question yet, because we keep finding new stuff and we keep, more like, okay, what is this doing here, or is this normal, or how can we, whatever, like, did we model this correctly? Also like that, also, we found basically a lot of connections and a lot of unintended paths crossing from, say, the CyberArk graph to the AD graph that were connecting different tiers that were, let's say, secure before.

00:13:21:18 - 00:13:29:17
Javier Azofra
And now we realized that they are connected and we now need to analyze if they still remain secure or not.

00:13:29:23 - 00:13:55:10
Jared Atkinson
So to kind of break that down a little bit, the way that I understand that is you have an AD account which is connected via LDAP, I imagine, to your CyberArk user. So if you authenticate to CyberArk via your AD account, you now have access as some CyberArk user, which then is a member of CyberArk groups, which then has permissions on CyberArk safes, which then has access to CyberArk accounts.

00:13:55:12 - 00:13:57:13
Javier Azofra
Which are then mapped to AD users.

00:13:57:13 - 00:13:59:15
Jared Atkinson
Which then are mapped to users, no matter how.

00:13:59:20 - 00:14:03:13
Javier Azofra
Well, there are scenarios from other clients or customers and whatever.

00:14:03:15 - 00:14:20:16
Jared Atkinson
Okay. Yep. And so like the worst case, I don't know if it's the worst case scenario, but the scenario that pops into my mind immediately is maybe I have a low privileged user, Jared. And then I have a high privilege user, Jared Admin. And we've made the decision that we should protect Jared Admin's credentials in CyberArk.

00:14:20:17 - 00:14:41:08
Jared Atkinson
And so that's a privileged account, right. But then what we did, without necessarily thinking through all the ramifications of it, would be, my low privileged user is connected to my CyberArk user, right, through LDAP or through some federated authentication scheme. And so I can log in to CyberArk as Jared low privilege.

00:14:41:10 - 00:14:58:07
Jared Atkinson
And then I can access the password for Jared Admin through CyberArk, which then means that there is an attack path. If somebody gets control of Jared low privilege, then they have the ability to become or take over Jared Admin and now access things that were unintended. Is that a good summary?

00:14:58:13 - 00:15:30:20
Javier Azofra
And before, like, if you see the inbound paths in Lathan, or if you were using Pathfinder or whatever, there was no relationship, there was no path before, because that CyberArk node didn't exist. So you saw that tier zero exposure to non-tier-zero users was like non-existent or controlled. And now you have something that connects low tier, or, sorry, like a tier three user to a tier...

00:15:30:20 - 00:15:34:02
Javier Azofra
Zero user via your PAM.

00:15:34:04 - 00:15:55:15
Justin Kohler
Yes. So like, if you're just looking at it from an Active Directory side or an Entra ID side, you might say that like, hey, this key vault or this pipeline or whatever we care about is secured, but actually there are routes to it. You just can't see it. If you're only looking at one platform, you really need to understand how they connect and the ways that you've configured it.

00:15:55:17 - 00:16:11:22
Justin Kohler
And I imagine a little bit of it's like a light turning on. You're like, oh gosh, no. Now you just want to see, like you finally have the lights turn on. Now you're just searching for all these configurations for the users on the caller. Like, well, if they're in CyberArk, at least that's the first step, right?

00:16:11:22 - 00:16:30:06
Justin Kohler
I mean, I would say that that's probably true. You're not just using the stereotypical, you're not just driving daily with your domain admin account. You at least have to hop through some hops to get to that credential. However, from the attacker side, and I'll probably ask Jared to describe this, like, describe the attack there. Like, why are we concerned about this?

00:16:30:06 - 00:17:00:00
Jared Atkinson
Yeah, maybe. Okay. So one thing to kind of help that, at least we've added a step, is, Javier, you mentioned that you could have MFA on there. And so it might not be as simple as just authenticating with your low privileged user. There may be an additional step to follow. One of the problems that we run into is there's this kind of, Will Schroeder had this presentation, like in 2014, called "I Hunt Sysadmins", and he kind of talked about this idea of user hunting.

00:17:00:00 - 00:17:25:17
Jared Atkinson
And this is where a lot of the ideas of BloodHound and AD kind of came from, especially the HasSession edge, which is, as an attacker, I get initial access to some arbitrary computer in the environment. Right. And Active Directory is somewhat unique in the sense that any user in the domain can explore who the admins are and what the structure of the Active Directory domain is.

00:17:25:19 - 00:17:43:10
Jared Atkinson
And so you can identify who are the domain admins. And so what Will was saying is, once I identify who the domain admins are, I just need to find where that admin is logged in. And there's some complications of that, right. But there's processes. This is where the HasSession edge comes from, figuring out where that admin is logged in.

00:17:43:10 - 00:18:00:20
Jared Atkinson
And if I can get to that computer, whether that's, back in the day, it was because there were shared local admin credentials. Now there's all kinds of different primitives. But if I get to that computer, I could dump that user's credentials, or I can steal their token, or there's myriad different ways that I could take over that account, and I become that user.

00:18:00:20 - 00:18:20:12
Jared Atkinson
Now I can access whatever I want, right? The same premise exists with CyberArk, right. And CyberArk is really, really cool because, in the case that we're talking about, where you're using LDAP to authenticate to CyberArk, and CyberArk is holding AD credentials, it is very tightly integrated into your Active Directory domain.

00:18:20:13 - 00:18:42:02
Jared Atkinson
And so what happens is, if I can see that Jared low privilege has the ability to check out Jared Admin, now my goal is to figure out where in the Active Directory domain Jared low privilege is logged in, because if I could get to that computer, hey, I could take over the Jared low privilege account. And then you might say, oh, well, we have MFA enabled.

00:18:42:02 - 00:19:06:03
Jared Atkinson
And so just taking over that user in Active Directory is not sufficient to get access to the CyberArk safe. But actually, Jared low privilege is eventually going to authenticate to CyberArk and create a session in CyberArk. And now I could steal that. And by stealing that session, I just wait for the legitimate user, Jared, to satisfy that MFA condition.

00:19:06:04 - 00:19:14:09
Jared Atkinson
And now I steal the session, and now I can access the safe and the corresponding account and escalate privilege.

00:19:14:11 - 00:19:32:07
Justin Kohler
And I think, you know, that may seem complex. I will probably say that it's both. Yes, some of it is complex, but some of it's not. I mean, that's how we take over environments on the red team side. And now real adversaries take over environments.

00:19:32:07 - 00:19:49:23
Jared Atkinson
The way I think about it is it's complex until you know about it. Right. So there's this interesting problem that we run into when we're talking about attack paths, and a lot of times we'll talk about this idea of, like, can you weight different edges, right, so that you could say this attack path costs more.

00:19:50:01 - 00:20:20:11
Jared Atkinson
And I think there's like a tradecraft aspect to that. So like resetting the user's password is not ideal in a lot of cases because you're more likely to tip somebody off that something is going on. But as far as, like, once you get rid of the tradecraft considerations, if you think about the technical difficulty to implement, or to traverse some edge, what I find is that it essentially collapses down to zero, because once we know about that edge, we could write tooling as attackers, we can write tooling to traverse it, and it eventually becomes a click of a button.

00:20:20:15 - 00:20:26:02
Javier Azofra
It's two, 2 million times mind. I guess it's a question of time, not a question of if, yeah.

00:20:26:06 - 00:20:47:13
Justin Kohler
Yep. And brace yourself, because I think this is the first time, I mean, to say this on a podcast, but we're all seeing what's happening with, like, Claude Code, ChatGPT, generative LLMs and their use cases in both offensive and defensive security. The barrier of entry of executing these paths is going to lower.

00:20:47:19 - 00:21:08:01
Justin Kohler
And so what is difficult today is not necessarily going to be difficult in the future. And understanding where these infractions exist is going to be extremely important. And again, a lot of it is just knowing where you thought that you had separation, but you actually didn't, and the varying levels of degrees.

00:21:08:01 - 00:21:28:17
Justin Kohler
And so I guess, Javier, when you see these, like, unprivileged users to high privilege identity chains, what are you looking for? Like, I mean, I'm going to lead the witness a little bit, like privileged access workstations are talked about. Like, is that what you're thinking through when you see these kind of attack paths?

00:21:28:17 - 00:21:31:22
Justin Kohler
Like, how do you work through fixing those?

00:21:32:00 - 00:22:00:18
Javier Azofra
So basically, first we need to understand, and this is like a spoiler, this is not really modeled in the collector, but we need to understand if they have, like, double approval processes in place. So if, for example, access into CyberArk is through a phishing-resistant method or just purely, like, regular MFA. So we need to understand if the path is work.

00:22:00:20 - 00:22:22:06
Javier Azofra
I'm not saying impossible to, you know, like, traverse, but like more complex to traverse. And if the path is supposed to be there, like it's not a misconfiguration, it's not some guy leaving that path behind five years ago or whatever. Like, is that path something that we need to keep, to maintain the operational status of whatever?

00:22:22:06 - 00:22:46:03
Javier Azofra
Right. And after that, then for us it becomes tier zero. So if we think that that path between, like, user, CyberArk user, safe, account, and then tier zero user, if that path is valid, then we try to protect it as much as we can. And if we have to leave it there, then for us it's a tricky one, though.

00:22:46:05 - 00:23:10:22
Javier Azofra
So we will try to understand, with the Enterprise prioritization, like, okay, so now who, from non tier zero, can get to that tier zero? And that will give us, like, that will increase our exposure by, like, 1% or whatever. And then we will try to see, okay, so these users might be controlled by, or HasSession here, or wherever.

00:23:11:03 - 00:23:15:07
Javier Azofra
And then we try to remediate those if they exist.

00:23:15:09 - 00:23:41:15
Justin Kohler
Yeah. It could be, like you mentioned, it could be minor stuff, right. It doesn't have to be completely breaking the operations. It could be phishing-resistant MFA. You could look at virtual privileged access workstations or physical. I mean, it all depends on the level of criticality. When you're talking about, like, stereotypical tier zero or the root level control of a platform, you might have different controls than, like, a system that's running CI/CD pipelines.

00:23:41:15 - 00:24:03:15
Justin Kohler
Right. Like, that could be a different, what we call in Enterprise a different zone of assets or identities. Like, you know, the big thing here is, like, there's different levels of prioritization of different assets or different identities in your organization. You want to have clarity on what controls are applied where. And I think that's what you were trying to do with CyberArk.

00:24:03:17 - 00:24:06:10
Justin Kohler
Jared, I don't know if you have another question, but I think we should just show it. I mean.

00:24:06:16 - 00:24:34:12
Jared Atkinson
Yeah, I was just going to comment that I think one of the strategies that you could take for that, Javier, you mentioned, do we have a bunch of compensating controls that are built into the CyberArk authentication scheme? And so if you're confident that it's not just "if I compromised this user, I now have access to CyberArk", because you have phishing-resistant MFA or some approval process or something like that, then you don't necessarily have to label the AD user that is connected to the CyberArk

00:24:34:12 - 00:25:05:23
Jared Atkinson
user. This is hard to explain because the words are the same, but you don't have to label that user as tier zero just because they have access downstream to a tier zero account. But, to Justin's kind of point, you might want to take the computer that they use to log in to CyberArk and make that tier zero, if they have access to a tier zero account, because, and then I don't know if CyberArk has the ability to limit, like, what computer a user can log in from, but you might put in place some policy that says this user can only log in

00:25:05:23 - 00:25:14:14
Jared Atkinson
from this computer. And then that computer is considered tier zero. And so now you've kind of created that privileged access workstation, even though, you know, it's kind of like a pseudo one.

00:25:14:16 - 00:25:34:20
Javier Azofra
That's one of the ideas. The other idea that I was just discussing before the recording with Julian, like my co-host in Silicon, and we were thinking about this. It's what Justin was mentioning before, like, maybe I have access to that account, but I need double approval.

00:25:34:22 - 00:26:05:02
Javier Azofra
So is that, like, another type of edge, or is it just a weighted edge? Because I need to compromise, like, I don't know, like ADCS ESC1. Like, it's a mixture of different conditions, and then it's like a complex edge. I don't know how you call it in SpecterOps, the complex edge. So I need to compromise this user plus one of these eight users, because they are going to give me the double approval for this user.

00:26:05:04 - 00:26:11:02
Javier Azofra
So that will be like, okay, this is connected, but I need, like, all complex to...

00:26:11:02 - 00:26:49:06
Jared Atkinson
To be completely honest, we don't have a solution to conditional access policies at this point. That gets mathematically really, really, really, really complicated. Yeah. Probably the practical way that gets solved, or that gets abused, is I just wait for you to get that approval, and then I sit there and I wait as the attacker to get that approval, and then I take your session. But conceptually you could have that idea where, if I have access to user A and I have access to user B, even though neither user A nor user B has

00:26:49:06 - 00:27:05:11
Jared Atkinson
the ability to traverse this edge by themselves, my combined aggregated access gives me the ability to do that. There's a whole litany of additional paths that would probably be revealed by that, I would imagine. But it's very expensive to calculate.

00:27:05:11 - 00:27:41:23
Javier Azofra
And it's cool, but it will just insert, like, I was reading the "Stop the cop" article from you guys. I don't remember the author, so really sorry for that, but, like, trying to, okay, where's the gap in the conditional access, in this set of conditional access policies? And so if you mix the, like, research and maybe LLMs, then that difficulty, that complexity, how can I put this together into the collector, into OpenGraph, that now might be, like, less complex, or like, for sure, instead of years, like, this is getting faster and faster, I think.

00:27:41:23 - 00:27:48:15
Javier Azofra
And that's where I prefer to know the gaps because someone will maybe eventually. Yeah I think.

00:27:48:15 - 00:27:49:10
Justin Kohler
Yeah.

00:27:49:12 - 00:27:51:20
Jared Atkinson
Yeah. Agreed. All right. Now we can.

00:27:51:20 - 00:27:53:08
Justin Kohler
Show. Yeah. Let's show this.

00:27:53:13 - 00:27:54:18
Javier Azofra
Okay.

00:27:54:20 - 00:28:08:16
Justin Kohler
So we're going to do our best to narrate, for those of you, that are not watching this, like, on YouTube or anything, we're going to try to narrate you through what you're going to, what you would be seeing if you'd be, joining us on YouTube. So. Okay. Go for it.

00:28:08:18 - 00:28:35:17
Javier Azofra
So I have some saved queries that I already prepared for this session. So we're going to start with one of the things that I, we discussed in the previous part of the podcast. So this is one of the examples of connections between non-tier-zero assets and tier-zero assets.

00:28:35:17 - 00:29:06:18
Javier Azofra
This is not exactly mapped to the to AD users, but for the people that are not watching the video, we're connecting a CyberArk group. So that's a local entity or maybe not local, because it's synced to AD, that can grant access to a safe. And in that safe we have different CyberArk accounts that are synced to an AD user that for us is tier zero, whether automatically flagged by, on or because we've decided it's tier two for us because of X or Y.

00:29:06:20 - 00:29:25:15
Javier Azofra
So that means that, let's say that the group synced to AD, for that group or the users that are part of that group, they could traverse this whole graph and get access to that user. So that's what obviously go to.

00:29:25:18 - 00:29:41:03
Justin Kohler
You have tier zero. So you have a group that has access to a safe. It looks like that safe contains an account and that syncs to an AD user. So, that group on the left here would have access to a domain that would account for.

00:29:41:05 - 00:30:09:09
Javier Azofra
Exactly, exactly. And then this is one of the, like, let's say, less visible examples. This is exactly AD to AD through CyberArk. These two clouds, like Ave and AD graph cloud. And then somewhere in the middle, this is exactly that. But we don't see safes here because the user has access directly through these memberships.

00:30:09:09 - 00:30:31:06
Javier Azofra
So we model that in the graph without the safe in the middle because you don't have to really compromise the safe. You can just retrieve the account because of your safe membership. And that's how we simplified the edges. So here we can see a user which is non-tier-zero. But it's synced to our CyberArk user that is part of a group in CyberArk that has access to an account.

00:30:31:06 - 00:30:48:18
Javier Azofra
So this access is just a simplification of I can retrieve the password, I can connect as this account, I can do like some permissions are mapped in the collector. And then this account is in reality on a user which is tier zero. So this.

00:30:48:23 - 00:30:59:07
Jared Atkinson
Would it be safe to say that in some of these cases, you would only be able to access the tier zero account through the like the session manager in CyberArk.

00:30:59:11 - 00:31:00:12
Justin Kohler
Or. Yeah, that was my question.

00:31:00:12 - 00:31:08:03
Jared Atkinson
In some cases, you might be able to check out the password altogether and just use it wherever you wherever you please. Are there. Like this is a platform thing that you were talking.

00:31:08:03 - 00:31:33:01
Javier Azofra
Yeah. So that depends. That depends on the platform because you can like enforce PSM or not or where, but also it depends on your permission on on. So you can sometimes list accounts but not retrieve the password. Sometimes you can connect, sometimes you can get the password. So that is also mapped in the series of permissions that you have as a user in CyberArk.

00:31:33:01 - 00:31:43:18
Javier Azofra
Or your group membership gives you those permissions. Right. So those are mapped and the edge is only created if you satisfy some of the permissions.

00:31:43:19 - 00:32:08:07
Jared Atkinson
Yeah. And again the really cool thing here is what we're showing. There's a messy middle which is CyberArk. But the real outcome here is that you have a non-tier-zero AD user that has the ability to take control of a tier zero AD user, and without the CyberArk component, it's likely that some or all of these would appear to be completely unrelated to each other.

00:32:08:09 - 00:32:27:17
Jared Atkinson
Yeah, but once you add CyberArk in there, you can see it. It's funny, we had we had a question about this when, Javier was doing like an internal presentation about this, this extension. And one of the questions was, well, like, are you creating or by adding CyberArk, you're creating new attack paths? This may be.

00:32:27:19 - 00:32:45:04
Jared Atkinson
Non-generous. For the sake of explanation, this may maybe be a little bit of a non-generous interpretation, but I think it's worth kind of emphasizing. But it's like, you create an attack path and the, the, the real answer is those attack paths exist whether you know about them or not. And so we're not creating attack paths. We're unveiling attack

00:32:45:04 - 00:32:54:02
Jared Atkinson
paths that happened. Yeah. Right. So that's the key as we add these new extensions, what you're doing is you're unveiling attack paths that were always there. Yeah.

00:32:54:02 - 00:33:21:00
Javier Azofra
It's like and it happened the same with Azure. Like that managed identity could access the key vault that was in your computer. It was there already. But now you see the connection to the cloud. But now, for me, it's the same, like you're connecting. It's like identity graph traversal, like you're connecting clouds of graphs that are interconnected.

00:33:21:02 - 00:33:40:01
Justin Kohler
Yeah. Jared has talked about we've talked about this previously. So just getting visibility like just the visibility with BloodHound, you know, years ago with an Active Directory was kind of eye opening right. Because it's hard to discern as you even if you own the security of the environment, like think you're a domain admin of a thousand person company and you made some decisions along the way.

00:33:40:01 - 00:34:02:20
Justin Kohler
BloodHound can uncover a lot of that risk just by cascading privileges. But that's just the Active Directory environment. What happens when you're connecting to Entra ID or to AWS or to GCP or to CyberArk? And that's like the source of all of these breaches recently. Like, you know, Salesloft Drift. The Storm-0501 breach.

00:34:02:20 - 00:34:26:08
Justin Kohler
Like they're hopping from platform to platform. And each configuration by itself looks pretty benign, right? So, a GitHub, a GitHub repository has the ability to assume a role because that's a, that's how it's designed. But then eventually you crossed to the point where you're accessing like end customer, basically like sales. Was that the previous example from way back of the.

00:34:26:09 - 00:34:27:20
Jared Atkinson
Sales data, the drift you're talking.

00:34:27:20 - 00:35:03:04
Justin Kohler
About? Yeah, but SolarWinds is what I was trying to reach. Right. And eventually you get into a SolarWinds type scenario, and it's a bunch of individual configurations. And what we're showing is like, you know, if you're the domain, and specifically responsible for just Active Directory, now you're crossing different administrative teams, right? Like your CyberArk admins are probably different than your Active Directory admins that are different from your Entra ID that are different from GitHub and yada yada yada, and all these connections we're making all over the place have real outcomes.

00:35:03:06 - 00:35:07:00
Justin Kohler
But you can only see that if you're able to map that. I just think it's super cool.

00:35:07:02 - 00:35:16:06
Jared Atkinson
Yeah. That's like I think the key insight is, risk accumulates between responsibility. Right?

00:35:16:06 - 00:35:17:06
Justin Kohler
So yeah.

00:35:17:06 - 00:35:39:16
Jared Atkinson
Yeah, the idea is, I mean, Javier's I think you even said this, but this is not abnormal at all, which is the people that are responsible the team that's responsible for CyberArk is probably different than the team that's responsible for AD. In our experience, I've been working on a GitHub extension. In our experience, we found that the people responsible for GitHub are always they've always been different than the people that are responsible for AD.

00:35:39:18 - 00:35:54:11
Jared Atkinson
And so the risk accumulates between those responsibilities because like I'm responsible for AD, you're responsible for GitHub. Those things are connected. But like nobody's really who is responsible for that? Is it the AD team? Is it the GitHub team.

00:35:54:11 - 00:35:55:17
Javier Azofra
Responsible for the breach.

00:35:55:20 - 00:35:58:14
Justin Kohler
Or. Yeah. Who's exactly.

00:35:58:16 - 00:36:16:22
Javier Azofra
And that's where I'm really happy because in our company we have like, like huge collaboration between the infra teams and CISO. I'm really happy. But it can be like they are not your neighbors and like, see, like cybersecurity is there and the infra teams are like over like, oh, now in another building, you know, like metaphorically. Right.

00:36:16:23 - 00:36:27:16
Javier Azofra
So it's really important to understand like how can we secure those breach? First we need visibility of course. And then how can we secure the breaches between graphs.

00:36:27:18 - 00:36:36:00
Jared Atkinson
Yeah. Can you talk about the permissions that are necessary to capture the CyberArk data to do the collection?

00:36:36:02 - 00:37:02:22
Javier Azofra
I would love to, honestly, but I'm not really sure, because fair enough. Yeah. So we asked the CyberArk team to give us the minimum permissions to do the collection. So it's like, there's an auditor role that cannot retrieve passwords, and they can list stuff through the REST API. And you can, like, minimize the risk through certificates and, like, only allowing some things.

00:37:03:00 - 00:37:10:22
Javier Azofra
But I just know that there's an auditor role that can retrieve everything, but I don't have all the details. Unfortunately, I'm not a cyber square, so no problem.

00:37:10:22 - 00:37:23:00
Jared Atkinson
One of the things that I was going to talk about, but we could talk about it from other perspectives is, in these more modern systems, it's not like AD, to where every user can see the entire structure.

00:37:23:00 - 00:37:24:15
Justin Kohler
Usually you're limited.

00:37:24:15 - 00:37:48:06
Jared Atkinson
To seeing the structure that you have access to, which means that there's actually like an advantage to the defender who is using BloodHound to visualize all of these attack paths because the attacker is not going to be able very frequently, will be unable to collect the entire full complement of the CyberArk data set. And so you have an advantage because you see everything all at once, and you can make decisions based off that.

00:37:48:07 - 00:38:11:09
Jared Atkinson
Well, the actual flow of how attackers do this, at least currently, tends to be I get I'm moving through the AD environment, I get access to a computer, I check to see like what the cookies are or what sessions are established. I see that I have access to CyberArk, and now I'm going to like just opportunistically see what I can gain access to.

00:38:11:11 - 00:38:30:03
Jared Atkinson
It's not this. It's not as deliberate as the AD attack graph is to where it's like, I collected everything. Now I'm going to see I have this objective, I'm going to find the most efficient route there. It's more opportunistic, but as the defender that's trying to reduce risk and manage these attack paths, you're able to see everything.

00:38:30:07 - 00:38:48:04
Jared Atkinson
And so you have this kind of like disproportionate advantage in these more modern systems. This is true, at least in my research, for Snowflake. It's true for GitHub. It's probably true for CyberArk. And so you can take advantage of that basically because the attacker is like they're seeing the, the common phrase is that they're seeing through the straw and you're seeing the whole thing.

00:38:48:04 - 00:38:52:02
Jared Atkinson
And so, this is our opportunity to kind of get ahead of the curve from that perspective.

00:38:52:03 - 00:39:13:09
Javier Azofra
Exciting. And that's also perspective. Are we seeing it's true in AD as well if you can add stuff to the graph like if you are collecting AD means like group memberships or session details that you cannot get from like a regular account, then you are one or one and a half steps ahead of the attacker, right?

00:39:13:09 - 00:39:32:02
Javier Azofra
So if you can recreate and you can incorporate the details in the graph, you're already cleaning stuff that on a normal regular attacker might not see. So if you can implement many graphs and you have like the full picture, then you will be remediated and you will be cleaning stuff that might not be, seen by the attacker.

00:39:32:04 - 00:39:33:06
Jared Atkinson
However, is there anything else you.

00:39:33:06 - 00:39:35:20
Justin Kohler
Wanted to show on the demo?

00:39:35:22 - 00:39:57:12
Javier Azofra
I have different court. I got more queries, but I think, it's they they all, go through the same thing, like access through, group membership and, and, yeah, some graphs that we have developed to, to remediate stuff. But yeah, I mean, I think we the full picture is, already already told.

00:39:57:14 - 00:39:59:18
Jared Atkinson
So Javier is joining us at, SO-CON.

00:39:59:18 - 00:40:23:12
Justin Kohler
Which is happening in Alexandria, Virginia in April. If you, want to come that it's it's an awesome event. We have a complete track just on opengraph libraries. And Javier is going to be presenting with, with Julian to right. He's going to join you. Yeah. Awesome. So he'll be, talking all about this. They're also going to be talking about something else they discovered, which we don't want to spoil.

00:40:23:12 - 00:40:41:05
Justin Kohler
Spoil here necessarily. But it will be pretty, exciting. We will try to have you back on the podcast to do kind of a follow up there, just for that, because there are some, things that you discovered through this work that you want to make sure people are aware of. Where can people find you Javier.

00:40:41:05 - 00:40:45:07
Justin Kohler
Yeah. I mean, you could we could find the the extension on the BloodHound Library today.

00:40:45:11 - 00:41:04:17
Javier Azofra
It's in the open graph library. I have, it's in my GitHub profile also, part of the, as you said, in the SO-CON agenda, they can find my, my name, my my contact, probably. I'm not sure. You can always invite me on LinkedIn or whatever. I'm happy to, to support you.

00:41:04:19 - 00:41:08:01
Justin Kohler
Awesome. Jared, any other final questions?

00:41:08:04 - 00:41:27:04
Jared Atkinson
No. This is this is fantastic. This is a I think, you know, kudos to Javier, who's one of the first. Javier and Julian, who are some of the first people to take BloodHound Open Graph and run with it and say, I have a problem that I'm trying to solve. Let me build an extension, to be able to visualize and then ask questions about that data.

00:41:27:06 - 00:41:36:21
Jared Atkinson
And it's, it's in this case, it's a very practical, very well integrated example that I just, is super useful and really cool to see.

00:41:36:23 - 00:41:39:12
Javier Azofra
So thank you so much.

00:41:39:14 - 00:41:56:11
Justin Kohler
Well, yeah. Thank you for joining us. And, again, if you want to join us at SO-CON or any of our other events, check out SpecterOps.io, and you can find out all about where we're going to be and come hang out and geek out about BloodHound, OpenGraph, or anything cybersecurity. Thank you guys for joining us.

00:41:56:11 - 00:41:58:15
Justin Kohler
And, until next time.

00:41:58:17 - 00:42:00:16
Justin Kohler
Awesome. Thanks again. Javier.

00:42:00:18 - 00:42:06:02
Jared Atkinson
But cheers.

00:42:06:04 - 00:42:06:11
Justin Kohler
Friend.