Episode 3: The State of APM – Access Graphs & Identity Movement

September 22, 2025

Host

Jared Atkinson

Chief Technology Officer,
SpecterOps

Host

Justin Kohler

Chief Product Officer,
SpecterOps


In this episode of Know Your Adversary, hosts Justin Kohler and Jared Atkinson break down two key theoretical concepts shaping attack path management: the distinction between access graphs vs. attack graphs and the paradigm of identities at rest vs. identities in transit.

They explain why access graphs—maps of who can reach what—don’t tell the full story, and how attack graphs reveal the snowballing effect of compromised identities that accumulate control across environments. With real-world analogies and data points, the conversation highlights why environments with millions of relationships often harbor billions of potential attack paths, leaving defenders with an overwhelming challenge.

00:00:13:14 - 00:00:35:11
Jared Atkinson
Welcome back to the Know Your Adversary podcast. This is episode three, and in this episode we're going to explore some theoretical ideas behind attack path management. Specifically, two topics. One is this idea of an access graph versus an attack graph. We'll talk about what the differences between those are and why it's important to have both perspectives, and then the second is this idea of identities at rest versus identities in transit.

00:00:35:18 - 00:00:54:09
Jared Atkinson
This is an idea that we came up with to describe a phenomenon that we've encountered in red teams, and during assessing attack paths in environments. And we think it's really important for people to understand this paradigm as they begin to transition their thought process to seeing the world through the lens of the adversary.

00:00:54:12 - 00:01:13:21
Jared Atkinson
So Justin, we can start to talk about access graphs versus attack graphs. One of the things that we've noticed is that there's kind of a dichotomy between how people view the attacker's perspective. So in episode one, we talked about this problem where attackers would have control over a certain identity.

00:01:13:21 - 00:01:29:03
Jared Atkinson
Maybe they phish a user and they have control of this user, and then they start to ask this question, which is: what resources do I have access to? What file shares can I read? What computers do I have admin control over? So on and so forth. You want to talk about that idea?

00:01:29:03 - 00:01:47:20
Justin Kohler
Yeah. So I think, in the most basic sense, let's go to maybe, hopefully, the most common explanation of this. So a user has access to computers, and let's say you're in an Active Directory environment. But this applies anywhere. So a user has direct access to a computer. That means, let's say, admin rights.

00:01:47:23 - 00:02:14:27
Justin Kohler
So they have admin rights over machines A, B and C. That would be defined as, like, you're entered as the local admin on that computer. Or maybe you have force change password over three specific people. That would be like direct access. And then there's other, group-delegated access. Right. So like, I'm a member of this group, and that gives me access to these machines, or I'm a member of the help-desk administrators so I can reset people's passwords.

00:02:14:29 - 00:02:39:15
Justin Kohler
That would be what we consider access graph-like. These are my permissions, whether they're direct or group-delegated in the case of Active Directory. But they can be in other ways, or other role-based access controls like in Azure or AWS. So it kind of keeps going. But that's what we mean by access: I have access, I have direct access to this thing, this is as far as I can go as an individual or as an identity in the environment.

00:02:39:21 - 00:02:57:13
Jared Atkinson
And when we start talking about access, it's: an identity has control over a resource. Yes. So they have some sort of ability. Typically we talk about it at a high level, what I would call a coarse-grained kind of perspective, which a lot of you are familiar with, like this idea of read, write, execute.

00:02:57:19 - 00:03:16:15
Jared Atkinson
And so I have the ability to read a file. I have the ability to write to a file. I have the ability to execute a file. Right. That would be access. So it's kind of my control over a resource. And that's very important for us to understand the access relationships between identities and resources. But it doesn't tell the full story.

00:03:16:18 - 00:03:40:19
Jared Atkinson
Right. So there's this kind of secondary perspective, which we call the attack graph, which says, okay, we have the access graph as a foundation. So what can identity A access? But what we also want to layer on top of that is how can I, as an attacker, leverage the access or the control of a resource in order to take over an additional identity?

00:03:40:19 - 00:04:03:18
Jared Atkinson
Right. So there's this fundamental idea called the identity snowball attack, right? Which is, it's not that I'm switching from identity A to identity B; I'm accumulating access as I take control. I have control of identity A. I leverage some relationship to take over identity B. I now have control of both. Right. So I've accumulated access as a result of my attack.

00:04:03:21 - 00:04:33:29
Justin Kohler
So it's like, if I was phished, then an attacker has control over everything that I have access to. But let's say I had force reset password on you. Then he would have both my access and your access. And so that's how the attack graph begins to snowball. And this is, I mean, looking at it from the access perspective is useful from, like, an audit: like, Justin should not have access to these things because he does not need that for his role.

00:04:34:01 - 00:04:55:26
Justin Kohler
But that is a super impartial way of looking at how Justin's account can be used to attack us. So it would be, if I have control over Jared's account, again, it's not just what I have access to, it's what Jared also has access to that could threaten the environment. This is a big breakthrough that a lot of people go through.

00:04:55:28 - 00:05:15:28
Justin Kohler
Whether you're on the penetration testing side or the defensive side, once you understand that it's not about what somebody has access to today, it's really the accumulation of it in totality that really matters. And that's again where attack paths are so kind of sneaky. It can look pretty simple at first, but it actually spirals out of control real fast.

00:05:16:04 - 00:05:38:16
Jared Atkinson
And Justin, not to put you on the spot, because we didn't actually talk about this beforehand, but one of the things that we did in the preparation for this State of Attack Path Management report is we started to analyze some statistics from, like, customers that we have visibility into. And can you talk about the impact of attack paths as far as when you start talking about it spiraling out of control?

00:05:38:17 - 00:05:42:07
Jared Atkinson
Oh, yeah. What the kind of what the impact of that is on an environment.

00:05:42:14 - 00:05:46:17
Justin Kohler
Yeah. Like, you're probably referring to, like, the total number of attack paths. Yes.

00:05:46:17 - 00:05:51:19
Jared Atkinson
So number of attack paths the, total number of identities that, like exposure of tier zero.

00:05:51:19 - 00:06:20:24
Justin Kohler
Yeah, yeah, yeah. So, let's put some numbers to it. In an account with 10,000 employees, let's say, the direct relationships. So, you know, Jared might have access to these things, and Justin's account might have access to these things. Those are what we call relationships. So you have 10,000 employees, and then you have these relationships, which are like the different access levels that an identity might have over resources.

00:06:20:24 - 00:06:35:14
Justin Kohler
So we call those, again, relationships, and we count those. So let's say a 10,000-employee environment might have a million, or 2 or 3 million, different relationships that make up that. That's probably on the low side. But going off the cuff,

00:06:35:14 - 00:06:56:06
Justin Kohler
a way to think about the employee count and the relationship count is to think about, like, cities and roads in a country. So the number of cities in the United States. And we've used this analogy a lot. The number of relationships is the number of roads connecting all those cities. Now, the dangerous thing is how many routes, or attack paths, does that create?

00:06:56:13 - 00:07:19:00
Justin Kohler
So think of how many unique ways are there to use the combination of cities and roads to traverse the United States? I'm explaining this because that's why the numbers get so bad. So you might have, let's say 10,000 employees or 10,000, you know, objects that are connected by a couple million relationships, which create hundreds of millions or billions of different unique routes.

00:07:19:02 - 00:07:34:05
Justin Kohler
For me as an attacker, to land in your environment and get to something that really matters. And that's why I think a lot of people felt really helpless is it just felt like when somebody got in, they were reaching their objective. It was just a matter of time.

00:07:34:07 - 00:08:01:16
Jared Atkinson
And this maybe is a relationship with red team exercises. Right. So red team exercises are extraordinarily valuable from the perspective of: we're going to exercise your incident response capability. We're going to provide you some sort of catalyst that's going to test your different defensive capabilities. What it's not particularly great at is how do we start to make our environment more secure.

00:08:01:17 - 00:08:19:15
Jared Atkinson
Right. So how do we eliminate these attack paths? That's the problem. The problem with a red team exercise, for instance, is that you're going to be executing 1 or 2, or single-digit numbers of, attack paths. Yeah. And so the problem is that, as Justin said, if there's billions of attack paths, or hundreds of millions of attack paths,

00:08:19:16 - 00:08:32:07
Jared Atkinson
Yeah. You're going to show ten of those. Somebody is going to clean those up. And then next year we're going to come back and do another red team, and you're going to have the same problem, right? It's an inconsequential number of attack paths relative to the total number.

00:08:32:07 - 00:08:48:18
Justin Kohler
I mean, it is kind of a tangent, but going back to the early beginnings of BloodHound, one of the problems was, you know, if we used BloodHound to find an attack path in an environment and debrief a client, it was almost a disservice. It was like, if you fix that attack path, yes, you should fix an attack path.

00:08:48:18 - 00:09:12:10
Justin Kohler
But like, that's one out of millions that we understand are in the background. So are you actually doing anything? You're actually probably giving yourself a false sense of security by cleaning that up and thinking, okay, my work is done, because the scale is huge. So again, back to the point: access graphs are important to make sure that Jared has the rights that he should have access to, to do his role.

00:09:12:11 - 00:09:34:21
Justin Kohler
That's kind of what we call least privilege. But I think the intent of least privilege is really not met with access graphs. When we think about least privilege, I think we're thinking, how can we prevent the sprawl of an adversary to take over some critical resource? And that doesn't matter whether it's my direct access or Jared's access that I can abuse my way to.

00:09:34:26 - 00:09:38:21
Jared Atkinson
Yeah. And then can you talk about the exposure? Or the initial exposure number.

00:09:38:23 - 00:09:52:16
Justin Kohler
Yeah. So exposure. When we talk about exposure, I'll explain both exposure and impact. So think of a single identity or asset. They have exposure. Meaning, these things can get to this place. So,

00:09:52:16 - 00:10:12:20
Justin Kohler
if I'm looking at Jared's account, who has control rights over Jared? So who can reset his password? Who can access a token on a host that he's accessed, or a Windows session? So that's what we mean by exposure. So he might have exposure to some percentage or some count of employees in the environment.

00:10:12:22 - 00:10:32:18
Justin Kohler
So let's say that's 50%. On the impact side, that's what Jared can control. And that's the total accumulation of control. So if we spread out as far as we can, understanding all of those different routes and relationships, how much of the environment could Jared take over? So we talk about him in two different ways: exposure and impact.

00:10:32:21 - 00:10:59:13
Justin Kohler
When we talk about critical assets like tier zero resources, or super administrators, right, so like global admin in Azure or AWS admin, what we're looking at is exposure primarily. So who can get access to that account to use it, to take it over? Most of the time when we deploy in environments, we're looking at somewhere between 70 and 100% exposure for any tier zero resource.

00:10:59:15 - 00:11:27:10
Justin Kohler
So that would be, you know, in a stereotypical Active Directory environment, that means, like, 70% of your users, and in some cases hundreds of thousands of employees, can be used to take over your domain controllers or domain elements or global admins or yada, yada, yada. It's extremely common. And when we first started deploying BloodHound Enterprise, I came out with a blog post and I was like, I feel like a therapist, because everybody would ask me, you know, is everybody this bad?

00:11:27:11 - 00:11:46:19
Justin Kohler
And I'd say, yes, absolutely. I mean, this is what happens when 20 years of technical debt get piled on and nobody has shone a light on the problem. We all felt it. We were all, you know, experiencing breaches. And we all got really frustrated with working with these systems, but we didn't know where the problem was coming from.

00:11:46:21 - 00:11:49:25
Justin Kohler
So extremely common. Hopefully that's a very long winded way.

00:11:49:25 - 00:12:09:12
Jared Atkinson
Yeah. I think the important thing is that we talked about how initial access is often this arbitrary starting point in the environment. And the big problem is that when 70, 80, 90% of your users have the ability to control your domain admins group, let's say. Yeah, that's a bad situation, right?

00:12:09:12 - 00:12:27:15
Jared Atkinson
Because what you're trying to do is, it's almost like game theory, where what you're trying to do is get to a situation where it's more likely that the phished user does not have the ability to take over your domain than it is likely. And right now, if you're not doing anything from the attack path management perspective, the odds are on the opposite side.

00:12:27:15 - 00:12:31:06
Speaker
Which is it doesn't matter who they phish, because they probably will find a path.

00:12:31:07 - 00:12:50:17
Justin Kohler
I think we've probably been deployed, I mean, BloodHound has been deployed in tens of thousands of environments. But, you know, we've seen thousands of environments ourselves. And I'd say I could probably count on one hand where we weren't in the above 50%. Yeah. Okay. With the right data collection. So it's a big problem.

00:12:50:20 - 00:13:04:27
Justin Kohler
Again, nobody's doing anything wrong. It's just how this snowballs. Hence identity snowball. How seemingly good access control, like access control on the least privilege side, can sprawl out like crazy on the attack path side.

00:13:04:27 - 00:13:27:25
Jared Atkinson
Yeah. In the military, we have this idea of second order effects, right? Which is, I grant access. I grant a helpdesk user the ability to change Justin's password. Well, that means that that helpdesk user has the ability to control Justin's user account, which then means that they have access to whatever Justin has access to. And so a lot of times when we're thinking about the access graph, we have to think about what is the second and third order effect.

00:13:27:25 - 00:13:37:09
Jared Atkinson
By granting this permission to that user over this resource, how is that going to allow them to then expand their access?

00:13:37:09 - 00:14:06:13
Justin Kohler
Yeah. And if you've never seen it before, it can be really alarming. We've been in a couple of conversations where, you know, people have said, I don't know that we would really benefit much from this, or I don't think we have this problem because we separate our users from our administrators. And, you know, again, we don't want to be accusatory, but usually it's, I'll believe you, but you'd be the first one.

00:14:06:15 - 00:14:17:24
Justin Kohler
Usually people think that they've separated them, but there are always underlying privileges that are connecting lower-privilege resources to higher privilege.

00:14:17:28 - 00:14:22:08
Jared Atkinson
So going back to your map analogy, sometimes it's an interstate that's connected. Sometimes it's a dirt road, right?

00:14:22:12 - 00:14:27:10
Justin Kohler
Yeah, exactly. And one decision snowballs in like, crazy ways. Yep.

00:14:27:11 - 00:14:43:19
Jared Atkinson
So the second idea that I wanted to explore a little bit in this episode is this idea of identities at rest, identities in transit. A lot of you that are watching this are probably familiar with this idea of data at rest versus data in transit from a data protection perspective. Right. So imagine that I have data.

00:14:43:22 - 00:15:02:15
Jared Atkinson
It's sensitive. And I want to make sure that I'm encrypting it to keep it secure. Right. One of the things that we realized early on in cybersecurity is that the state of the data, the state in which the data is, is going to define how we actually apply our encryption to it, right?

00:15:02:17 - 00:15:35:04
Justin Kohler
Yeah. So the methods and the tools that we would use to encrypt data at rest versus in transit are different. And in this, I mean, I don't want to explain your idea, but you came up with this really good way of explaining the identity problem, which a lot of people were underrepresenting, and not maliciously, but they didn't really understand. What I mean by that is, they were taking protections that were designed to protect identities at rest and thinking that they covered the risk for identities in transit.

00:15:35:09 - 00:15:58:06
Jared Atkinson
Yeah. Let me dig into the definition of that. So imagine that we take that dichotomy, at rest versus in transit, and we apply it at the identity layer. So, you have an identity at rest. That's a user account. Right. So you have a username, you have a password. And then that has almost potential energy, which is: once I authenticate as this user, I will have access to these resources.

00:15:58:06 - 00:16:04:24
Jared Atkinson
Right. That's the identity at rest. But it's pre-authentication. Like, I don't have control of that user yet. It just exists. And I know it's there.

00:16:04:24 - 00:16:09:03
Justin Kohler
It's like I haven't logged in and the password is just sitting there. That's why I haven't logged in yet.

00:16:09:06 - 00:16:32:04
Jared Atkinson
That's right. And we have a number of security controls that are helping to essentially keep identities at rest, at rest. Right. So we have things like multi-factor authentication. Right. So maybe I compromise your password. And so I have your username and password, I'm able to log in, but then I get hit with that MFA prompt and I'm like, oh, man, now I'm not going to be able to actually control this user account.

00:16:32:10 - 00:16:44:17
Jared Atkinson
Maybe you've vaulted passwords for a privileged identity, right? So I don't even know what the password is. Or maybe the password is being rotated frequently. And so even if I knew it yesterday, I might not know it today. Yeah. Okay.

00:16:44:21 - 00:17:00:17
Justin Kohler
Yeah. You use it to access and do some administrator activity, and as soon as you're done the vault rotates that password. And so there's no way to guess it, really. Or maybe biometrics, right? You're not even using a password; you're logging in with a fingerprint or a Face ID or.

00:17:00:19 - 00:17:02:23
Jared Atkinson
A cat, for instance. Yeah, yeah.

00:17:02:25 - 00:17:05:09
Justin Kohler
So those are all on the at rest side, right?

00:17:05:09 - 00:17:27:28
Jared Atkinson
Yeah, yeah. And that's great. It's really important for us to make sure that when an identity is not being used legitimately, it remains at rest. The problem is that identities exist to be in transit, which is in a post-authenticated state. Right. So the reason why we create identities and we grant them access is because somebody is going to use them at some point in the future.

00:17:28:03 - 00:17:48:19
Jared Atkinson
There may be exceptions to that. Like you have a break glass account, for instance, that maybe nobody uses until you need it. Right. But in general, the vast majority of identities, including service accounts or non-human identities, are going to be somewhere in your environment in transit, post-authentication, right? Yeah.

00:17:48:21 - 00:18:12:13
Justin Kohler
Yeah. And so the classic way I think people know to abuse this, or how the key ways were, like, oh, identities in transit are a big problem, is mimikatz. That's right. Yeah. So when you log into a Windows host, you create the active user session. And you can carve those out. Like, unless there are recent protections, you were able to just carve those out of LSASS using a tool called mimikatz.

00:18:12:20 - 00:18:23:17
Justin Kohler
So that was how we would abuse an identity in transit. So Jared logs into his computer or a different computer, and I can assume his identity by taking those credentials out of memory and then just using them.

00:18:23:17 - 00:18:42:27
Jared Atkinson
Yeah. And the way we represent that in BloodHound is, if Justin has admin over a computer and I am logged in to that computer, I have a session established on that computer, I've authenticated, now we assume that Justin, via his admin control, is able to steal my token, dump my password, all kinds of different things.

00:18:42:29 - 00:19:07:07
Jared Atkinson
This actually leads to an adversarial approach that was originally described in the Shadow Brokers dump. But Will Schroeder took that and talked about it at ShmooCon, back in the day. It's something that we call user hunting, which is, as an attacker, one of the things that I'm really interested in is not just the access graph, who can access what resources.

00:19:07:13 - 00:19:21:28
Jared Atkinson
It's where users are in transit throughout the enterprise. Right. So if I know that Justin is logged on to computer X, I'm going to figure out how do I find a path to get me to computer X, because I want to just take control of Justin's

00:19:21:28 - 00:19:40:25
Justin Kohler
account, because I have rights over something that you want. That's right. So yeah. So you know that my access is this. And you're trying to find a route that, again, back to the attack graph explanation. But the identity is in transit. There's a really dangerous, like, again, it's not just the password. The password is almost irrelevant at that point.

00:19:41:02 - 00:20:04:00
Justin Kohler
So let's say that Jared logs in through biometrics and then satisfies MFA. And even if there's protections against, like, the LSASS abuses, there are so many different ways that you can abuse an active logon session, whether that be through token manipulation or process injection, or there's bearer tokens that are dropped now with a lot of cloud providers.

00:20:04:00 - 00:20:30:09
Justin Kohler
So after you've done that, after you've used that identity and you've accessed that, like, no amount of resetting passwords, MFA prompts, nothing matters at that point. Right. So that's a huge distinction that a lot of our customers have to really understand, or a lot of people just in general need to understand, is things like vaulting, MFA, passwordless.

00:20:30:09 - 00:20:49:02
Justin Kohler
All of that is amazing technology and should be used. Right. And that's why we don't have Summer23 problems anymore. Right? Like, the simple passwords that are easy to guess, those are all handled for us by vaulting solutions. But there is huge residual risk in terms of the active sessions and the abusing of identities in transit.

00:20:49:05 - 00:21:09:27
Jared Atkinson
I think maybe you touched on an idea that I think is fundamental to this discovery of this dichotomy of at rest versus in transit, which is, and this is where the whole idea of Know Your Adversary becomes really important, right? It's important for us to understand how attackers approach the problem of gaining access to systems and resources.

00:21:09:27 - 00:21:38:14
Jared Atkinson
Right. One of the things that we observed is that red teamers, when they're in environments that have, for instance, password vaults, are able to still compromise accounts that are vaulted. And so whenever you have this situation, I'm not necessarily accusing the password vault vendors of making this claim, but I think the layman explanation of the outcome of a password vault is, if I vault this account, it's safe.

00:21:38:15 - 00:21:55:06
Jared Atkinson
Yeah. Right. That's the layman kind of description of it. But then as an attacker, we find this account, it happens to be authenticated or logged in. And then the common kind of response is, oh, well, that account was compromised. We should rotate the password. They rotate the password and the attacker's like,

00:21:55:06 - 00:22:15:22
Jared Atkinson
okay, cool. I still have access to this account. Yeah. And so then that gets us thinking, which is, okay, my understanding of this system is that it's supposed to stop this thing from happening. I just experienced the thing; it still happened, even though that system was in place. Why? My fundamental understanding of how this whole thing works is wrong.

00:22:15:23 - 00:22:25:15
Jared Atkinson
Yeah. And so I need to update my map. Well, I'm very into this saying: the map is not the territory. Right. So just because you have a conception of how something works doesn't mean that's actually how it works. Yeah.

00:22:25:15 - 00:22:48:19
Justin Kohler
And some things, if you don't understand this, some best practice can seem counterintuitive or kind of a pain to implement. I'll give you an example: Microsoft. This might seem abstract, but it's really not. Microsoft will tell you not to sync an Active Directory user to a privileged role in Azure. What they mean by that is, if you have an on-prem user account that you don't

00:22:48:26 - 00:23:11:03
Justin Kohler
SSO to an Azure user that has a privileged role like Intune Admin or Global Admin or Privileged Auth Admin, the reason they say that is because a bearer token will be dropped on the target host. So let's say Jared is logging into his computer and wants to do some privileged work in Azure.

00:23:11:05 - 00:23:36:29
Justin Kohler
He'll SSO and then elevate to Intune Admin or Privileged Auth Admin. That drops credential material. And it doesn't matter what conditional access, MFA, continuous access evaluation you have deployed. That token is on the host. So if I can get to Jared's computer, I now can do anything I want in Azure with that role. That's why they say split those accounts or use cloud-only accounts, because they're aware of that risk.

00:23:37:01 - 00:23:50:09
Justin Kohler
Spoiler: everybody does that. Everybody syncs those accounts, because they are, first of all, unaware of where they're doing it, but also unaware of the risk. Right. So a lot of people are like, well, yeah, they say it, but like, why? What? That is why.

00:23:50:13 - 00:24:11:05
Jared Atkinson
And maybe we'll wrap up with this point, because we'll dig into it in a future episode in more detail with actual substantive examples. But this idea of in-transit identities is not limited to your Active Directory identities. Right? So, Justin just inferred that this same problem exists with Azure identities.

00:24:11:07 - 00:24:34:23
Jared Atkinson
One of the big points is that you are primarily operating from somewhere, right. And in a lot of enterprise environments, that somewhere is going to be your Active Directory domain. And even though you're accessing cloud accounts and cloud systems, what's happening is your identities in transit are being dropped on your Active Directory computer. And so that's always going to be this nexus of where those identities exist.

00:24:34:23 - 00:24:57:16
Jared Atkinson
Right. And so attackers have, I mean, we're talking your Active Directory identities in transit. We're talking your cloud identities in transit. Maybe you have a GitHub account, maybe you have a Snowflake account, something that we'll dig into more in the future. Your personal accounts. Maybe you bank with Bank of America or Wells Fargo. And when you log in from your Active Directory computer, you're creating browser cookies that attackers can steal.

00:24:57:16 - 00:25:24:09
Jared Atkinson
And then they could compromise your personal accounts. So this is just something that is very important for us to be aware of. And then where we get into big trouble is when there's kind of a dichotomous relationship between your Active Directory permissions and your permissions in some other system. So if, like Justin mentioned, you're an admin in Azure and you're accessing it from a computer where you're a normal user in Active Directory, you now have a mismatch, and that's going to cause a problem.

00:25:24:11 - 00:25:47:07
Justin Kohler
I really want to harp on this. It is not just an Active Directory problem. Like, what if I don't use Active Directory? Maybe I'm in an OS X environment and I just use Jamf, right, to manage my endpoints. But we don't have Active Directory; we use Google apps or whatever. The same problem applies. The same problem applies. So you'll always have those, like, the bearer tokens, cookies, you name it, on the host.

00:25:47:07 - 00:26:04:11
Justin Kohler
And that's what we're saying. Like, that's how we abuse identities in transit versus at rest. So this has been awesome to talk about identities in transit versus at rest. We talked about access graphs versus attack graphs. Thank you for joining us on episode three of Know Your Adversary. Thanks a lot.

00:26:04:16 - 00:26:05:22
Jared Atkinson
Yeah, we'll see you next time.