Episode 2: The State of APM – Executive Summary & Detection In Context
September 22, 2025 | 27:48
Host
Jared Atkinson
Chief Technology Officer,
SpecterOps
Host
Justin Kohler
Chief Product Officer,
SpecterOps
Guest
Robby Winchester
Chief Global Professional Services Officer,
SpecterOps
In this episode of Know Your Adversary, hosts Justin Kohler and Jared Atkinson sit down with Robby Winchester, Chief Services Officer at SpecterOps, to explore the practical side of attack path management.
Robby reflects on nearly a decade of SpecterOps’ consulting and training work, sharing how the newly released State of Attack Path Management Report formalizes long-standing challenges that organizations face when dealing with identity sprawl, misconfigurations, and privilege creep. Together, they discuss how identity issues scale across environments—whether Active Directory, Kubernetes, or cloud providers—and why visibility, context, and iteration are critical to managing real-world risk.
Transcript
00:00:13:14 - 00:00:26:23
Justin Kohler
Hi. Thanks for joining us again for Know Your Adversary podcast. My name is Justin Kohler and Jared Atkinson. We're joined today by Robby Winchester, our Chief Services Officer here at SpecterOps. Robby, can you start off with just, like, overview of what you do here?
00:00:26:23 - 00:00:54:12
Robby Winchester
It's off. Sure. Yeah. Thank you, Justin, Jared, for having me on. In general, I pretty much oversee all of the professional services side. Justin has the, the joy of dealing with and overseeing a lot of the product. And BloodHound, as everyone has probably heard of, I work on the consulting, training. And just in general, what are kind of the more active roles that we play in doing new and interesting things?
00:00:54:14 - 00:00:55:14
Robby Winchester
Yeah.
00:00:55:16 - 00:01:15:05
Justin Kohler
So, like, you you've part of the founder team. I mean, you both are right. At SpecterOps services kind of, obviously evolved quite a lot over the last, what, eight years now? Yeah. I'm curious, like, this the State of Attack Path Management report that we just put out, kind of. Do you see that?
00:01:15:05 - 00:01:24:22
Justin Kohler
Kind of like, formalizing what you've always kind of done. You know what you mean? Like, is this capturing something that, like, has always been there, but you didn't have a good way of describing it, does it? Does that make sense?
00:01:24:22 - 00:01:45:11
Robby Winchester
Yeah, I think the state of attack path management. It's really exciting. Excuse me. Really exciting report for me. I think it captures a lot of the challenges that we've seen on assessments and things that we've talked about in a way that really packages what was a lot of separate thoughts. So we would go and be able to do these attack path type things.
00:01:45:11 - 00:02:09:07
Robby Winchester
With the advent of open source initial BloodHound back in the early days giving us these, I phished. I find DA type stuff as the product matured, as the edges advanced, we get new things like the ADCS that were a great other click and go. But how are we representing? Because at the end of the day it's it's the same problem, the ADCS problem.
00:02:09:07 - 00:02:31:13
Robby Winchester
The DA logged into the wrong place. It's the same. It's this identity problem. And I really like with the the State of APM report and this, this approach we're trying to expose not just here is all these things you can do. But this is the problem. This is the identity challenge especially. And you've heard it in other places, different conferences.
00:02:31:13 - 00:02:56:02
Robby Winchester
You hear about all the the advent and adoption of new AI technologies. Sure. Yeah. And it's awesome AI is going to be able to enable and do all kinds of things, but it's going to require more accounts, it's gonna require permissions, it's going to have all these problems. And so we already see an increase in complexity of systems as you add more stuff and do more things that have more automations, identity has to be a core part of that.
00:02:56:02 - 00:03:25:11
Robby Winchester
Just just by the nature of, yeah, whatever you're doing. So I think this opportunity to provide our perspective of of what is what is the problem, what are the challenges, how are we starting to try and help be prepared to address it, because it's really not a solvable problem. And I think that's the other thing is, is at the end of the day, what we all are trying to typically do in information security is quantify risk and manage risk to what is acceptable for the organization.
00:03:25:18 - 00:03:42:01
Robby Winchester
You know, the the biggest bank in the world and the smallest bank in the world aren't going to have the same budget and the same set of concerns. But there are things that they should all be worried about. And so how can we make sure you're not saying, I think this is a good idea, and you don't see the fire behind you just because you lack the visibility?
00:03:42:04 - 00:04:00:27
Justin Kohler
A do you, do you think the the way that we've tried to capture, attack path management or like, the practice, do you think it move it? We're trying to get at the core. I've talked about this with clients in the past. It's not an Active Directory problem. It's not a Windows problem. It's just a scale and a complexity problem.
00:04:01:00 - 00:04:16:15
Justin Kohler
Like, do you see the way that we're framing it now to help like people understand that versus like seeing it is a problem with Active Directory and it's my Active Directory admins or it's my especially with you guys on the services that it could be my Kubernetes admins and they just screwed it up. It's like, no, no, no.
00:04:16:21 - 00:04:30:02
Justin Kohler
These problems in Kubernetes and Active Directory are the same. And you need to understand that and like, you know, have more of a systematic approach for dealing with it. Like we've talked about, like stuff like least privilege, like how do you do that at scale? You know.
00:04:30:05 - 00:04:54:00
Robby Winchester
Yeah, I think it's tough because there are there are definitely portions of it where it is the same the, the identity, misprivilege, too much privilege, effective, effective level of privilege versus intended level of privilege. That is all the same. Yet Kubernetes or be it Windows or AWS or GCP or any cloud, it doesn't matter. Any IDP, any cloud provider.
00:04:54:05 - 00:05:24:14
Robby Winchester
It's exactly the same problem philosophically from from an intellectual. What are you concerned with the challenges? Technically there can be very different things. And so at a technical level. So with this blend of I think we want to make sure we're not conflating if you solve which is what you talk about. Yeah. If we figure out a really good way to represent and understand the Active Directory implementation of the problem, we can be better about addressing that slice of the pie, but we're not solving the entire problem.
00:05:24:14 - 00:05:41:23
Robby Winchester
Yeah. And and that I think is it. But on the flip side like you have to be able to address them iteratively. But know. Again, if I solve all my Active Directory problems, I don't have no problems. If I solve all of my, you know, Entra ID or I, I go through and I get my single sign on stuff, I think I'm in a really good place with single sign on.
00:05:41:23 - 00:05:50:20
Robby Winchester
That doesn't mean you have no other problems. That just means you you maybe have a better grasp of this larger type issue in one area.
00:05:50:24 - 00:06:06:00
Jared Atkinson
You just made me think about this idea of, if you don't understand your risk at a highly technical level, what happens is you underestimate the risk. And maybe you put in place, a regime of solutions that that are not actually addressing reality. Yeah. This is where people.
00:06:06:05 - 00:06:07:02
Jared Atkinson
Will say that they.
00:06:07:02 - 00:06:25:02
Jared Atkinson
Built out like a tiered infrastructure in their AD domain, but it's not actually like, upon further scrutiny, it's not actually tiered. And the interesting thing, when we start talking about representing attack paths, it's like in order to represent them, we have to go down to this extremely deep level of granularity so that we understand technically what's going on.
00:06:25:08 - 00:06:52:16
Jared Atkinson
But then the I think the magic of a BloodHound type tool is that you're taking that technical understanding, and then you have to generalize it back out. Yeah. Right. So you you can't start a general and then present it. Generally you have to go down to the technical and then you have to think, okay, how can I summarize like you're trying to take sufficient detail to represent this situation, but you're trying to get rid of all the additional detail that's unnecessary and trying to bring it back out so somebody can, understand or comprehend what they're seeing, like the path.
00:06:52:16 - 00:06:57:22
Justin Kohler
Right? Like, like this is a visual representation of the attack. But like, the technical details are way in. Yeah, I.
00:06:57:23 - 00:07:15:10
Robby Winchester
Want it again. I think that specifically talking about kind of the differentiators of the the perspective we have is, is purely in that these are real risks. This isn't a patching list of there may or some indicator said that there may or may not be patching which is is valid to go and do. But you know, this isn't stuff you can patch away.
00:07:15:10 - 00:07:40:20
Robby Winchester
And these are real configurations that currently exist that you can go and have be abused. And so having that visibility of this actually is a problem. And you didn't know about this, but this represents reality through this kind of risk lens. And if you're okay with it I mean at the end of the day we any software vendors in the same case for us, yes, we could go in and we could deploy and everyone could be local admin, domain admin, everything.
00:07:40:26 - 00:08:14:18
Robby Winchester
And the company could say, you know what? It's so much easier for them to install printers this way. We don't care like you can't. We think that's a bad idea. And that's a risk that I would not want to accept. But there's no right answer. There's just what do you think is the trade off there? And so I think that's how can we best provide that visibility take really potentially nuanced, multi-step, complex problems and then abstract them to just say, you know, something bad exists.
00:08:14:26 - 00:08:32:16
Robby Winchester
Oh, you want to know more? Here's how severe it is. And then you want to know more. Here's why it exists. And be able to like, peel back those layers of the onion to the level of care. But I guess technical understanding, but also just like if you want to fix it, like here's the thing to fix, here's here's where you'll achieve the most effect and be able to fix it.
00:08:32:23 - 00:08:34:00
Robby Winchester
And you can take that approach too.
00:08:34:01 - 00:08:39:26
Jared Atkinson
So yeah, I'm going to hard pivot a little bit. But before we do, the people are wondering when are you going to get a haircut?
00:08:39:28 - 00:08:42:20
Robby Winchester
You know, in, in 2020, COVID changed us all.
00:08:42:20 - 00:08:43:07
Justin Kohler
Yeah.
00:08:43:10 - 00:08:43:29
Robby Winchester
The locks. Yeah.
00:08:44:00 - 00:08:51:27
Justin Kohler
You guys are both officers locks. When I was in the. Yeah, Justin still looks like he's in the military. Robby and I have. I grew my hair down. Robby grew.
00:08:51:27 - 00:08:58:05
Robby Winchester
His hair. I mean, I feel like the perfect opportunity is, I'll shave my head when you shave your face. So, you know.
00:08:58:08 - 00:09:02:04
Jared Atkinson
I'm looking at the producers. Maybe we can. We can arrange that.
00:09:02:07 - 00:09:06:27
Jared Atkinson
My children have never seen me without a beard. So I'm going to have that reveal. That's, like, super awkward.
00:09:07:00 - 00:09:08:05
Robby Winchester
They can cry at your weak chin.
00:09:08:05 - 00:09:11:05
Robby Winchester
That's fine. Okay.
00:09:11:08 - 00:09:28:22
Jared Atkinson
All right. Trying to recompose myself. So, one of the one of the articles in the State of Attack Path Management was trying to introduce this idea of, taking an attack path, focused view of detection and response. Right. And, like, I know that you since the early days of BloodHound. Right.
00:09:28:22 - 00:09:52:12
Jared Atkinson
So imagine that BloodHound was first viewed as how do we facilitate red teams to actually be able to, see and then show the attack paths to clients? Then we went to kind of the enterprise version, which is how do we flip that on its head and, allow organizations and identity and access management professionals to see what are all of the attack paths, and how can you make the most effective changes, right, to, to remediate, those those attack paths.
00:09:52:14 - 00:10:14:25
Jared Atkinson
But there's also attack path, attack paths in general, or the attack graph provides value to lots of different parts of the organization. Right. And so, you early on was we're saying because Robby and I, for those that don't know, have kind of like this detection engineering background. And so you were saying, how can we leverage the insights of the attack graph, to supplement, or enrich our detections?
00:10:14:25 - 00:10:34:08
Jared Atkinson
Right. So our, our alerts and give, give defenders or SOC analysts more information that allows them to make better, better decisions. And just for clarity, we're not talking about how can I detect something like BloodHound enumerating my environment 100% about the visibility that the path gives you? And how can we use that to to detect, act like.
00:10:34:10 - 00:10:56:17
Robby Winchester
You know, I think the big perspective and this is this is where this is before like we talk about this mainly before. BloodHound Enterprise was a thing because BloodHound at its core initially was an offensive attack finding offensive attack pathfinding tool. Again the typical use case of I phished I'm at a or I got initial access. I'm somewhere someone the organization I want to become DA/EA.
00:10:56:22 - 00:11:18:22
Robby Winchester
What is the path to do that? And that was I mean that not to trivialize it because it was an amazing accomplishment, but that was the core use case for the first period of time. But as you're going and starting graphing, and especially with the capability of what an enterprise to look at, what are all the paths and what is all the severity, there's some interesting things that you can use from just, a tool for context.
00:11:18:25 - 00:11:19:06
Justin Kohler
Yeah.
00:11:19:12 - 00:11:39:29
Robby Winchester
Because at the end of the day, all you're doing is providing BloodHound is just providing a graph of data that we are representing and highlighting in certain ways for remediation. But like Jared said, and what my thought was is there's supplemental information there that can be really advantageous. So do you use that as a tool for I can't remediate this edge.
00:11:39:29 - 00:12:04:00
Robby Winchester
There's a business capability that I can't fix. I can't remove this account. But now I can use this as an influence of I know that this account logs into this system in this way, on this day, in this manner. And so I'm going to build detections around not abnormal for some user behavior analysis that's randomized. But I really don't want this account to ever be logged in somewhere else, because I know that that is going to cause a problem.
00:12:04:00 - 00:12:28:16
Robby Winchester
And if that does happen, it's probably an attack. So you're not you're not. You can use that. How could I prevent it. But flip it for a detect it. And then the flip side is also, you know, if you leverage because things are API and we have attack scoring, hypothetically, like it would be interesting to say, okay, we see these alerts can I use as part of my severity scoring for alerts in the SOC.
00:12:28:19 - 00:12:47:09
Robby Winchester
This this node has a definite path to escalate and this node doesn't. And so from a severity scoring I can use this as just an API enrichment. So not only is it definitely bad definitely not bad. It's this type of malware. It's this type of thing. But oh hey by the way this one is able to become DA.
00:12:47:09 - 00:12:48:18
Robby Winchester
Yeah. So you might want to look at it.
00:12:48:18 - 00:13:09:00
Jared Atkinson
For an easy example of this. So imagine that you have two different detections. Maybe you have a process injection detection. And you have a Mimikatz that's credential dumping detection. A lot of organizations are very good at being able to prioritize those. Right. So I call those like intra technique prioritization, which is maybe you think Mimikatz is worse than process injection, those may not be the best two examples of.
00:13:09:00 - 00:13:27:14
Jared Atkinson
Sure. So the dichotomy but but then the problem is, is that a lot of organizations treat all Mimikatz alerts as being the same. Yep, yep. And so but but we know logically it's like, what is the first thing that you would ask when you see a Mimikatz that's like credential dumping detection. What like what types of questions would you ask?
00:13:27:16 - 00:13:43:11
Robby Winchester
Well, you're going to see who's logged in. What are the permissions? What is the use case is this I'm going to care more if it's the CEO's computer than if it's a random person who works in reception. Yep. And what is their responsibility? What is their access? What groups? All the all the different types of stuff. So what you're going to care about.
00:13:43:12 - 00:14:08:00
Jared Atkinson
Easy enrichments from BloodHound will be upon a Mimikatz credential dumping, alert being fired. You. Then you then ask the question of what accounts have sessions on the computer where that alert fired, right. If it's a bunch of nobody's, you know, then, yeah, sure. Whatever. Like, still maybe not good, but, like, it's not critical if it's a domain administrator is logged into that computer or or maybe more abstractly, somebody that has an attack path
00:14:08:00 - 00:14:13:07
Jared Atkinson
To domain admin. Yeah. Maybe we need to go do like, even if that's a false positive, we need to go figure.
00:14:13:07 - 00:14:35:02
Robby Winchester
Out what's going on when I think you're also you're talking about kind of, what is I think the more it's not as a, as much of a problem where it's an either or alert, I think where it becomes really interesting is in a circumstance, say you get a phishing campaign against your entire company and a large number of it and multiple people are going, and, they failed their annual training.
00:14:35:05 - 00:14:45:08
Robby Winchester
They bunch of people click on it. Yeah. And so now I have this larger effort that has a larger footprint. And so I have a lot of the same thing.
00:14:45:13 - 00:14:46:11
Jared Atkinson
Yep.
00:14:46:13 - 00:15:09:24
Robby Winchester
Which is I think it's even harder problem to figure out where to start. And this, this can make what is effectively the same thing. Let's rack and stack in some meaningful way and deal with the most severe, potentially the first, and reduces that perspective of sameness, or help supplement to where everything doesn't look the same and you can have a, attack path, slightly different point of view, should you want to go down that road.
00:15:09:24 - 00:15:27:11
Justin Kohler
This isn't and this is an abstract thing. I remember one of our first customers when we deployed BloodHound Enterprise they and they took it upon themselves, and they just showed us after the fact. It was really cool. They used Demisto at the time. Now at Palo Alto it's XSOAR to every alert that they got in. So like let's say you got five EDR alerts.
00:15:27:14 - 00:15:47:00
Justin Kohler
They would they would hit BloodHound and understand the relative path. So again, it was just like additional enrichment to understand like it's not obvious that, you know, it might not even be obvious from an access perspective. Yep. It's it's you know, again, like you mentioned, this person has this access to this person, to this person that eventually domain admin and you'd want to respond to that one first.
00:15:47:00 - 00:16:06:12
Justin Kohler
Right. That's not an abstract concept. That's actually a pretty common use case on the SOC side for when people integrate BloodHound Enterprise or just attack paths in general, but there's no way to get that level of detail without the graph like this. No, no, the graph allows you to extrapolate that information. Right? Yeah. Otherwise there's there's no like single data source that tells you that.
00:16:06:17 - 00:16:08:07
Justin Kohler
Yeah, it's kind of like,
00:16:08:09 - 00:16:24:11
Robby Winchester
When you also it's not just requires the graph and the capability of graph, but it requires also that you have that up to date information. Because again, what we're representing is an ephemeral certain elements of where people log in. And yeah, it's an ephemeral thing. And so that's this isn't something that you can go and do once a year and then say, okay, cool.
00:16:24:11 - 00:16:42:24
Robby Winchester
We have that perspective. And so it's that balance of like what is which is again, back to the challenge of what we do. The riskiest thing to happen today is not necessarily the riskiest thing that could happen tomorrow. Yeah. And so something that is really bad today could have little impact tomorrow because a confluence of events happened, a computer restarted, some account got changed.
00:16:42:24 - 00:16:54:04
Robby Winchester
Something happened an update or a whatever happened. And now you have a completely different risk profile. It's the same types of challenges. But again the terrain has all changed.
00:16:54:04 - 00:17:14:03
Justin Kohler
Yeah I the so we're talking about like from the detection side I wonder if there's, there's anything more that you want to expand on this. We're talking about like you have a detection and then you can use the graph to understand the true like the, the problem. But I'm curious about, like, if chaining together multiple if that makes any sense.
00:17:14:03 - 00:17:34:12
Justin Kohler
Not just prioritizing a single alert, but like if there's multiple events, like it might look like a submarine. Only exist for a couple minutes on the top of the water if it's really going under the whole time. Right. It's going. You just might see it surface every once in a while. So, like taking disparate events in a graph context, actually shows you like true attacker movement, if that makes any sense.
00:17:34:14 - 00:17:54:28
Justin Kohler
So yes, I guess like, is that one of the things you're trying to get across in your article when you're talking about this detection like a graph? Yeah, I mean there's definitely there's definitely something there. Yeah I would say that generally speaking people currently. So one thing to think about is that every edge is an observable event.
00:17:54:28 - 00:18:12:08
Jared Atkinson
Right. So when I traverse an edge theoretically that's observable. Right. So there's there should be a log that's associated with that. Not all of those logs are turned on by default. So like a force, like a reset password, edge that there's a log that says that. Hey, a password was reset, but you have to enable that.
00:18:12:08 - 00:18:38:24
Jared Atkinson
And sometimes it's, like, very granular to enable that. Very onerous. But in theory, if you had, if you instrumented your environment to the point to where you can see those, then you can start to see the actual traversal of those edges as somebody is getting closer and closer. Yeah, yeah. Like you guys have done a lot of work on the detection side for clients for some time, and it's like taking the, it's like filtering the noise out, if that makes sense.
00:18:38:26 - 00:19:04:19
Robby Winchester
Yeah. And I think, I think the, the concept of, of seeing that there's, there's levels into which you would want to go and go and build and do this and difficulty and complexity and so certain behaviors a, a user logging on is the start of any attacks. Tons of attacks. Right? Yeah. But that doesn't mean I don't I don't need to be starting to build a path and see is the submarine happening for every single every log on.
00:19:04:19 - 00:19:04:26
Justin Kohler
Yeah.
00:19:04:26 - 00:19:23:06
Robby Winchester
That a log on happens. And so I think that there's like Jared said I agree I think there's something there. But I think that's a little bit more nuanced and complex of a thing of how do you go and chain it. I think the, the perspective that I like is there's the, how can I supplement the, the, the current detections that I have?
00:19:23:12 - 00:19:58:27
Robby Winchester
How can I use the graph and the capability of the graph and the visualizations and representations of privilege and risk there? To supplement my existing detections, I get a Mimikatz alert. How bad is the system? How bad? How much risk is there? I think the other side of that is I have the graph. I have certain things that I am not going to ever be able to change because the business has to function, or how can I build detections around known sensitive systems, points of targeted privilege, like things that now I know in the graph like, hey, this group, anyone getting added to this group is going to cause me really big problems.
00:19:58:27 - 00:20:20:27
Robby Winchester
Yeah, and so I should not just have the identity team managing groups, but the SOC probably wants to be aware of if someone ever gets added to this group, that should rise to a security question of hold on. Yeah. What happened in that group? Obviously domain admins easy, but it might not be domain admins, it might be some finance group or some.
00:20:20:27 - 00:20:23:11
Robby Winchester
Specified whatever that,
00:20:23:13 - 00:20:45:05
Robby Winchester
Yeah, that is like not immediately clear. But when you looking at the the graph or log on to a certain device or certain software changes or gives you awareness of, hey, every time we do updates, we expose ourselves to a huge amount of risk because of the way that this software update thing is there. You can build detections around like, is this software system something happening or some change there?
00:20:45:05 - 00:20:47:09
Robby Winchester
Because this is where we have so much risk.
00:20:47:11 - 00:21:03:20
Jared Atkinson
A very difficult problem for detection engineering is you have a finite amount of resources to build detections. And so the question is this what's the what's the marginal detection. What's the next detection that I should build. And looking at the attack graph to give you the lay of the land allows you to make a smart prioritization decision.
00:21:03:20 - 00:21:31:19
Jared Atkinson
Right. It also imagine that, as we move towards like we're moving away from signature. So there's, there's signature based detections and those are good because you're catching all the like known bad stuff. But there's there's a huge additional, subset of behaviors that you need to be concerned with. And so as you're building in behavioral detection, the problem is, is that for any behavior that's enabled on a, on a computer or, and within an environment, there's some legitimate use of that behavior.
00:21:31:25 - 00:21:50:00
Jared Atkinson
And so when you create a behavioral detection, the problem is, is that you're always going to be capturing legitimate use of it. But one thing you could do by kind of bringing the attack graph perspective in is you can start to say, what is the specific implementation of that behavior that I'm most concerned about, right? So it's like DC sync.
00:21:50:00 - 00:22:05:11
Jared Atkinson
Right. So DC sync exists because domain domain controllers need to replicate the information between them, because you might make an update on domain Controller A, and then domain Controller B needs to be updated with that. Right. Yeah. But then you might have a user that for whatever reason has acquired the privileges to be able to DC sync.
00:22:05:17 - 00:22:24:03
Jared Atkinson
And but they're a normal user. They're not a domain admin or they're not a domain controller. More importantly. And so what you can do is you can start to say, and this is like as simple example, but you can say, I don't care about DC sync in general, I care about DC sync from this user because I know that that user, they have the ability to do it right.
00:22:24:03 - 00:22:53:08
Justin Kohler
So you're like, you're you're it might all seem bad, but I'm particularly worried about this scenario. Yeah. I mean, like we saw that with, Azure sync accounts too, right? Like, Azure sync. Back to your point. Like, the right needs to exist for the business to function, right? So, like, I don't I might not have built in monitoring for if somebody gets added to this group that has the right to sync the directory, but like this other group does, and I need to build for that.
00:22:53:13 - 00:23:04:11
Justin Kohler
So yeah, adding somebody to a group or executing like a sync from a specific scenario, which you understand with the graph is like a super like, enabling thing on the detection side.
00:23:04:13 - 00:23:19:02
Robby Winchester
And the problem is most of these things, some of the stuff typically there's not a lot of legitimate use case situations where DC sync happens. So you can go and say DC sync is is probably why is a user, why is the user saying I am a domain controller?
00:23:19:03 - 00:23:21:03
Robby Winchester
Yeah that's wrong. Give this to me. Right.
00:23:21:06 - 00:23:40:28
Robby Winchester
But but why is the user getting out to do a group? I don't know, it happens a million times a day. Why is a user logging in? Why are they logging into a different system? These are things that happen all the time and are not explicitly bad. They're accessing a file share. They're going and doing. There's there's so many behaviors that are impossible to say, this is bad.
00:23:41:00 - 00:24:04:19
Robby Winchester
And even if I think this is the challenge of also, or one of the different perspectives of, you know, are you capturing the risk and just because it's not necessarily an adversary or you're being hacked or something bad doesn't mean you shouldn't be aware something risky is happening. So is this this could be not deliberate or even deliberate insider threat type stuff of someone is going and accessing something.
00:24:04:19 - 00:24:18:20
Robby Winchester
They're taking steps to go and get. Do you want to know? Sure, it's a false positive because it wasn't a compromise from outside. But why is this person, this account, this capability going and getting and doing this?
00:24:18:23 - 00:24:19:03
Justin Kohler
Yeah.
00:24:19:03 - 00:24:21:06
Robby Winchester
Still worth being aware of because.
00:24:21:06 - 00:24:38:00
Jared Atkinson
This goes into like the the there's a spectrum of privilege groups for instance. Right. So it's like there's the obviously privileged groups, domain admins for instance, there's the obviously unprivileged groups which often those correspond with default groups. Right. So like I kind of just by the name of it, I kind of know what Authenticated Users.
00:24:38:00 - 00:24:38:29
Robby Winchester
Yeah. Hopefully unprivileged.
00:24:38:29 - 00:24:59:02
Jared Atkinson
Yes. Yes. Yeah. Yeah. But then there's there's this wide group in that subset in the middle which are ambiguous. Right. And so and then you have this question of what does it mean to be privileged. Yeah. Right. Well privilege is like the amount of control or impact, right. To use our terminology that the group has. And so you can start to see what are the most privileged groups.
00:24:59:02 - 00:25:12:17
Jared Atkinson
And it's not just what is the default Microsoft defined set of privileged groups. It's what are the actually based on the permissions and control over the environment, privileged groups. And you can start to treat those differently. Right. So it's specific to the environment. It's not.
00:25:12:17 - 00:25:42:21
Robby Winchester
100%. We talked we've also talked about to the the it’s obvious domain admin, enterprise admin, control over everything really really matters because you can go from there down to kind of anything. But for the payment card industry compliance, PCI, everything you care about, where you're processing cardholder data and that. So that's you care about that data. And I don't have to be a domain admin if I have cardholder admin or I'm workstation admin or I'm the manager, I have permissions to go and do software updates on all of the workstations.
00:25:42:26 - 00:25:59:24
Robby Winchester
And I'm a help desk level one, but I'm able to go and help them turn it off and turn it back on again in order to get their card payment thing back online. I now have access not through the domain admin. I'm not coming in from the top. That's easy. I'm getting just to where I need to go.
00:25:59:24 - 00:26:26:14
Robby Winchester
Yeah, health care, HIPAA. You need to make sure that you're keeping information separate and having there's there's legal requirements understanding that. It's like it's not just yes you care about that domain admin enterprise I've been top down. I can take everything approach. But also that's not just the only problem. Yeah. And there are other there are other interesting things to be aware of and seeing those types of of impacts and graphing like what what other things could happen.
00:26:26:17 - 00:26:45:15
Robby Winchester
And being able also to kind of like go back and visualize this of if something does you have something, some other test, some other thing like the visualization capability. Yeah. Super great to see like, okay, cool. I understand the biggest thing when we would do red teams, it's kind of frustrating as a red team or as you go, you follow a path, you know, compromise user go to a group works.
00:26:45:15 - 00:27:16:22
Robby Winchester
They should go over, they fix the problem and you're back next year, and you just substitute the user for a different user in the same group. And it's just the initial starting point changed, but it changed by one step to the right, and then you go all the way through. Well, that leads to a kind of disappointing attack as an attacker, but also potentially a super frustrating experience as an organization because like I thought, I fixed this and it's like, well, you did fix that, but you didn't realize how specific.
00:27:16:28 - 00:27:17:28
Robby Winchester
Yeah, that was.
00:27:17:28 - 00:27:20:29
Jared Atkinson
There's there's, myriad ways to fix the same problem.
00:27:21:04 - 00:27:21:19
Robby Winchester
Right.
00:27:21:22 - 00:27:26:21
Jared Atkinson
All right. We're running up on time. Robby. You got anything you want to get in there before we close up?
00:27:26:24 - 00:27:30:28
Robby Winchester
No, I think it's great. Thank you for having me on. Yeah, nice chatting through all this stuff.
00:27:30:28 - 00:27:34:29
Jared Atkinson
Thanks for joining us. Thank you. And we'll see you next time.