Episode 4: The State of APM – Operationalizing Attack Path Management

October 15, 2025

Host

Jared Atkinson

Chief Technology Officer,
SpecterOps

Host

Justin Kohler

Chief Product Officer,
SpecterOps

Guest

Kate Dawson

Director of Customer Success,
SpecterOps


In this episode of Know Your Adversary, hosts Justin Kohler and Jared Atkinson sit down with Kate Dawson, Director of Customer Success at SpecterOps, to explore what it takes to build and sustain a successful Attack Path Management (APM) program. They discuss how organizations can strengthen their security posture by aligning teams, prioritizing Tier Zero assets, and turning visibility into action. Kate shares insights on fostering cross-team collaboration, adopting identity-focused strategies, and developing APM as a long-term discipline rather than a one-time initiative. Drawing parallels to vulnerability management, the team highlights the importance of continuous improvement, policy integration, and measuring outcomes such as exposure reduction and remediation speed to mature identity defense programs.

00:00:11:12 - 00:00:37:14
Jared Atkinson
Welcome back to the Know Your Adversary podcast. I'm Jared Atkinson and this is Justin Kohler. And today we are joined by Kate Dawson, our Director of Customer Success here at SpecterOps. And we're going to talk about actually implementing an APM program. Some of the different issues that customers are experiencing when they're trying to implement remediations, the different problems, and some of the strategies that they're using to be more successful as they go on this journey.

00:00:37:16 - 00:01:02:15
Justin Kohler
Yeah. Before we get started, will you kind of explain your team, like what they do, just to make sure we understand? Yeah, absolutely. So, my team consists of technical account managers that are deeply embedded within their customers' security and identity management teams, as well as a team of support engineers to fix things that are broken.

00:01:02:19 - 00:01:42:21
Justin Kohler
Awesome. So, like, when we have a new BloodHound Enterprise customer, what's kind of, like, the first part of that journey for them? Well, the first part of that journey is talking them off of the ledge and helping them realize that everybody is in the same situation with a decade-plus of Active Directory misconfigurations, and prioritizing what comes first for them, which is obviously securing those Tier Zero assets: finding those, scoping them out and then identifying what we want to focus on first.

00:01:42:24 - 00:02:11:09
Justin Kohler
What do you think? There's probably a bunch of ways we can take this, like in terms of struggles that clients usually have. What do you think is the first roadblock that people have when they start to do something like this, whether it's with BloodHound Enterprise or anything? You know, the first roadblock, and one of the ones that is most challenging for organizations to overcome, in my experience, has been internal politics.

00:02:11:12 - 00:02:38:10
Kate Dawson
One of the hard truths is that security and business are sometimes at odds with each other. Security slows down business activity, so getting the teams that are responsible for those applications and identity access on board and bought into the idea of, well, you can't just give everybody domain admin across the board, which we've seen before.

00:02:38:11 - 00:03:11:07
Kate Dawson
Yeah, it's real depressing. Organizations are only now starting to realize, or to move towards, identity as the primary way to secure their organization. So you think, like, there's resistance to implementing change is what I'm hearing, like. Oh, always. Yeah. Oh, I think sometimes there's an issue of when you first install the application, you get visibility and there's this problem where, immediately, something you thought might have been a small problem becomes this overwhelming problem.

00:03:11:07 - 00:03:27:14
Jared Atkinson
You kind of alluded to that. And so you might have a thousand things that you need to fix. And the question is, where do I start? But I'm also familiar with some of our customers. It's like, even if I choose to fix this thing, I don't even know who's responsible for doing that. Yeah, and that's pretty common too.

00:03:27:14 - 00:04:10:06
Kate Dawson
I mean, ownership across enterprise applications is something that we've been trying to deal with for years. And, you know, ultimately, I think the hardest, well, one of the largest projects that these teams have to reckon with and understand how to do is: you can play Whac-A-Mole all day on these different individual attack paths, but until Active Directory or Entra is sort of re-architected to indeed isolate those tiers and those segments from each other, it's not going to be successful.

00:04:10:09 - 00:04:43:10
Justin Kohler
I kind of asked you what was, like, the biggest roadblock, and you said change, like implementing change, because we don't know, we might break something. Right. You know, or slow down the company. What do you think is the most, when you see this in a customer, do you think, like, okay, we know that this is going to be really good? Like, do they have cross-team stuff where they track stuff diligently? What's one thing that you think sets teams up for success? Cross-organization buy-in and collaboration is really a big cornerstone.

00:04:43:10 - 00:05:06:12
Kate Dawson
It's a big metric that we use for our customer success as well. If the teams that we're working with have buy-in from the org and, you know, security is truly everyone's job, then that is a recipe for success. We've been trying to promote this idea of identity attack path management as a practice.

00:05:06:12 - 00:05:30:16
Jared Atkinson
And so one of the general ideas I imagine is probably useful is when organizations have that buy-in from lots of people, but you also have, like, a systemic approach to it, as opposed to one person who is off in the corner running their app and trying to fix things. It's like, we have a team and we have a system and there are integrations with the rest of our system to make sure that everybody knows their role, has a responsibility, and things flow through properly.

00:05:30:16 - 00:05:52:22
Kate Dawson
Can you maybe give us an example of what a successful team would look like in doing that? Yeah, yeah. So, there's so many tools out there. Everybody's got, you know, something for everything. And, there are a lot of applications trying to be that single pane of glass and like, how many do you need to make a window pane?

00:05:52:22 - 00:06:19:13
Kate Dawson
And at one point stained glass instead of. Yeah. So, having an established process with a SIEM where, you know, maybe BloodHound Enterprise feeds attack paths, new attack paths, and shows up existing ones into that SIEM, which creates tickets based on those and then assigns them out to the appropriate team for remediation.

00:06:19:15 - 00:06:51:06
Kate Dawson
That creates a really great. And then once they close a ticket out, that remediated attack path shows up in BHE, and that sort of feedback loop is super successful. People don't need more applications. They need a better way to streamline their data. Yeah. When I've talked to customers previously, I've been trying to explain that this is kind of the same process that you go through with vulnerability management.

00:06:51:06 - 00:07:12:08
Justin Kohler
It's super similar. Right. Like, instead of talking about issues on hosts and networks, we're talking about identity misconfigurations or user behaviors. Have you ever seen that click in customers' heads? Like, this is a very similar process, because a lot of times they don't understand if this should be in the identity team or the vulnerability management team. And, you know, teams are different sizes and maturity.

00:07:12:08 - 00:07:45:20
Justin Kohler
So, I guess, do you ever see that on the customer end, where they have to understand how they would take an attack path and what we want to do to close those down and shove it into their process? Yeah. Yeah. You know, when I first started with the team and we started building out the technical account manager program, we were having those discussions a lot, clarifying attack paths versus vulnerabilities.

00:07:45:20 - 00:08:09:21
Kate Dawson
There's not a CVSS or anything as yet for attack paths. But as we kind of went through it, we realized that aligning with that sort of process and mindset of, okay, here's the score, and this is how we assign severity and criticality, is very similar and very familiar to people. So it goes down a lot easier.

00:08:09:27 - 00:08:26:28
Justin Kohler
It's funny, sometimes we'll talk to customers or, you know, people that are in prospect or trial or are exposed to attack paths for the first time. And they say this thing like, well, what happens when we clean them all up? And it's kind of funny to think about that from a vulnerability management perspective.

00:08:26:28 - 00:08:45:17
Justin Kohler
Like, you're probably always going to have something that pops up, and especially with identities, with you creating new applications, users, you know, whatever it is, there's always going to be something there. Getting people out of this: it's not a sprint. It's a process that will always be ongoing. It's like a click.

00:08:45:17 - 00:09:10:15
Justin Kohler
Like, instead of figuring out how much work this is going to add to me in a month, how can I do this sustainably over time with the teams that are here at my company? I guess there wasn't a question there. Interesting. Like, maybe I have a question. So, Justin, I know you have a presentation where you share how much impact the team that first installs BloodHound Enterprise can make on reducing attack paths in a short period of time.

00:09:10:15 - 00:09:28:05
Jared Atkinson
I don't know the details of that, but maybe you and/or Kate can give an idea. It's like, yeah, the problem might go on forever. And in fact, we're adding more edges and platforms constantly. And so, yeah, there's new research. So, like, we just released NTLM, what, in March or. Yeah. Or something.

00:09:28:06 - 00:09:41:24
Jared Atkinson
Azure PIM roles. Yeah. Azure PIM roles. So it's like, yeah, you got everything cleaned up and then we're like, oh, by the way, there's actually stuff that you didn't know about that might present a problem. But can you guys talk about this idea of, it's like there's a lot of stuff that's probably really easy to fix.

00:09:41:24 - 00:10:00:03
Jared Atkinson
Yeah. At the beginning, that has gigantic impact. Then it gets a little bit harder as time goes on. You have to be more deliberate about how you make those changes. I mean, I think that's why it's so important to approach it from a program standpoint rather than a project. You know, it's not anything that ends ever.

00:10:00:05 - 00:10:27:05
Kate Dawson
I think with ADCS, we added a dozen attack paths last year alone. So, you know, Microsoft always keeps things interesting, and so there's always going to be work to be done there. And people are creative and they figure out ways around things all the time. On the impact side, a lot of times this will happen honestly before they get to Kate's team.

00:10:27:08 - 00:10:47:19
Justin Kohler
But when they first deploy, like when they're trialing BloodHound Enterprise, or let's just say they first deploy BloodHound Community Edition and you're just kind of seeing that there, the impact can be quite large because you could find a specific configuration. Like, I remember one time we found a fax machine that had full control over the domain head, and it was put in place, you know, 20 years ago.

00:10:47:21 - 00:11:12:08
Justin Kohler
And removing that was really, really fast. And it immediately drops down risk. I think on average we would expect to see a 30% drop in risk over the first 30 days. And that's usually because there's some systematic problem that's both easy to fix and really impactful, domain users in the local admins group or something like that.

00:11:12:08 - 00:11:28:24
Jared Atkinson
Yeah. I mean, there's a spectrum, right? So when you first start out, there are going to be things like the fax machine that are obvious. It's like, okay, I don't need to ask anybody, because something just sitting there shouldn't be there almost no matter what, even if it breaks something and somebody had a really strange process.

00:11:28:24 - 00:11:43:17
Justin Kohler
So yeah, if you were to give an analogy, if you're kind of new to this, it'd be like, we're going to scan all of our outside ports and understand that we have, like, S3 buckets open to the internet. Like, you can have a big impact: just shut that off.

00:11:43:17 - 00:12:04:25
Justin Kohler
Right. So it's the same thing. Why does everyone in Azure have control over the service principal? Like, that's a pretty obvious misconfiguration that represents a beachhead where any attacker that gets initial access could launch an attack. So if you take that away, you have a pretty big impact.

00:12:04:27 - 00:12:24:12
Justin Kohler
And it also feels good, you know, like, crush one and have this really big impact and then just kind of build on that over time. Yeah. Again, there's the low-hanging fruit, right, that you guys will identify when you first deploy, and then there's this structural change you talked about.

00:12:24:15 - 00:12:47:27
Justin Kohler
I'm curious about the structural changes, like when you're separating different classes of users or privileges or identities. Do you get people who have said, I've tried to do that in the past, but, you know, we didn't do it correctly? Or is this a completely new concept when you're kind of introducing that? Oh, absolutely. The number of,

00:12:48:00 - 00:13:13:09
Kate Dawson
You can see those, you know, once BloodHound gets deployed, you can see those efforts show up in groups and use and everything like that. But just like any other problem, I guess anywhere in technology, it's always going to be a two-pronged approach. You've got the tech aspect of it, you know, taking the fax machine out of domain admins or whatever.

00:13:13:12 - 00:13:34:01
Kate Dawson
And then you get the policy side, because neither one can really do the whole job. You have to also have these business policies established to prevent that from happening again, because it's so easy. Kind of like the lofty, if you must, least privilege, right, where we separate our users from our admins.

00:13:34:01 - 00:13:54:10
Kate Dawson
Is that what you mean by policy? That kind of stuff? Yeah, yeah, exactly. Like, just because somebody in accounting needs an application deployed doesn't mean that that app should automatically go into, like, the app admins or anything like that. Yeah, I think that's the, I often look at it from the technical side and that's my entire view.

00:13:54:12 - 00:14:09:25
Jared Atkinson
And then I don't consider the policy aspect. So that's super, super useful. If you're going to have the program and you're going to try to actually manage this thing, you have to make sure that you consider both, because just because you have a technical solution doesn't mean that you're going to get buy-in or have the ability to actually implement it.

00:14:09:27 - 00:14:44:10
Justin Kohler
One thing I want to make sure we hit on is how people measure the effectiveness of their programs, right? Like, in terms of metrics, what have you seen people grasp on to or use to surface how effective their program is, or how good or bad they are? Yeah. You know, that kind of speaks to the effectiveness of our research team, because those organizations that do start to work on remediating those attack paths and cutting them down, we'll see a decrease over time in exposure.

00:14:44:12 - 00:15:10:22
Kate Dawson
You're talking about the exposure of, like, Tier Zero or critical identities. Yes, right? Yeah. You can see that decrease in exposure over time. But then, inevitably, there's a new privilege that is issued by Microsoft that turns out to be a little less secure than we originally imagined. And so that exposure rate, the attack paths, kind of jump back up again.

00:15:10:22 - 00:15:38:08
Kate Dawson
And so it's kind of that constant ebb and flow. It is very satisfying to see somebody's risk level exposure go down over time. And the reassuring thing is that when those sorts of things happen, when new attack paths are introduced, everybody gets hit by them. So it's not something that's unique to any or.

00:15:38:11 - 00:16:03:09
Justin Kohler
Yeah. So the exposure is the total percentage of users or identities in the environment that have access, or have an attack path, to a critical resource like global admin or domain admin. You mentioned total number of attack paths removed as a different metric. Does anybody measure remediation speed?

00:16:03:09 - 00:16:31:07
Kate Dawson
Does anybody try to do that? That's one of those things that really varies by the org. It depends on their security program's maturity, and also just how big they are. You know, we've got some really large customers that know it takes 90 days from when a finding is issued to the SIEM and a ticket is created.

00:16:31:08 - 00:16:56:28
Kate Dawson
They know it takes a quarter to remediate that. Is that like a change management process? Yeah. Yeah. Because it goes through all of their, you know, to Jared's point earlier, the owner of that privilege has to be identified. And then the extra effort to make sure that business operations aren't interrupted by the remediation has to be validated.

00:16:56:28 - 00:17:25:27
Kate Dawson
And so it can take a long time for some really large, really regulated companies to do. But we've also got really small companies where it's fantastic when we can get on a call and they see a new attack path and, oh, let me go fix that right now. But a lot of it, I imagine, big or small, mature or less mature, some of it has to do with what's the level of effort to fix it?

00:17:25:27 - 00:17:47:01
Justin Kohler
What's the impact to the organization if we don't fix it? So, it's been a control thing. I have a cousin who downloaded BHCE, and he's the sole admin for his organization, and he was like, okay, well, I just went in and changed this and we'll see what people say, you know? But if you're a Fortune 100, you probably don't have the ability.

00:17:47:06 - 00:18:05:03
Jared Atkinson
You might not even literally have the ability to do it, let alone the political will to do it. But, you know, that is certainly true: the bigger you go, the longer the change management or whatever processes. And that's because you don't want to take systems offline. Right? It's the same thing for vulnerability management and patching.

00:18:05:05 - 00:18:26:29
Justin Kohler
However, you always have that critical problem that can get ripped out real fast, so that kind of speaks to working together across teams. So, thank you, Kate. We appreciate you spending time with us to talk about our experience working with customers on reducing attack paths. And we'll see everybody next time.