Security has always been a universal preoccupation, and there are countless examples of societies reforming their own institutions to stave off chaos and oblivion. In the Roman Kingdom, which preceded the Roman Empire by some five centuries, the local royal quaestor (“investigator”) was tasked with investigating murders. At roughly the same time, subprefects in the Chinese state of Jin patrolled the land and conducted criminal inquiries. Far more recently, The Metropolitan Police Act of 1829 afforded London its first allotment of inspectors and constables — first in buildings at Whitehall Place, later in nearby Great Scotland Yard.
Today, organizational security is almost entirely synonymous with technological security. CIOs act not only as technological champions — but, in their own ways, as quaestor, subprefect, and constable.
The authoritative place to find an American definition for CI is the United States National Counterintelligence and Security Center. I am more familiar with the old name of this organization, the Office of the National Counterintelligence Executive (ONCIX).
The 2016 National Counterintelligence Strategy cites Executive Order 12333 (as amended) for its definition of CI:
Counterintelligence – Information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities. (emphasis added)
The strict interpretation of this definition is countering foreign nation state intelligence activities, such as those conducted by China's Ministry of State Security (MSS), the Foreign Intelligence Service of the Russian Federation (SVR RF), Iran's Ministry of Intelligence, or the military intelligence services of those countries and others.
In other words, counterintelligence is countering foreign intelligence. The focus is on the party doing the bad things, and less on what the bad thing is.
The definition, however, is loose enough to encompass others; "organizations," "persons," and "international terrorist organizations" are in scope, according to the definition. This is just about everyone, although criminals are explicitly not mentioned.
The definition is also slightly unbounded in that it moves beyond "espionage, or other intelligence activities" to include "sabotage, or assassinations." In those cases, the assumption is that foreign intelligence agencies and their proxies are the parties likely to be conducting sabotage or assassinations. In the course of their CI work, while paying attention to foreign intelligence agents, the CI team may encounter plans for activities beyond collection.
The bottom line for this post is a cautionary message. It's not appropriate to call all intelligence activities "counterintelligence." It's more appropriate to call countering adversary intelligence activities counterintelligence.
You may use the same or similar approaches as counterintelligence agents when performing your cyber threat intelligence function. For example, you may recruit a source inside a carding forum, or you may plant your own source in a carding forum. This is similar to turning a foreign intelligence agent, or inserting your own agent into a foreign intelligence service. However, activities directed against a carding forum are not counterintelligence. Activities directed against a foreign intelligence service are counterintelligence.
The nature and target of your intelligence activities, not the methods you use, are what determine whether it is counterintelligence. Again, this is in keeping with the stricter definition and avoids scope creep.
Although Samba tells users about data collection for analytics purposes and lets them decide whether to enable it, it does not inform customers of the real depth of the data collected, which includes much more information than users believe they are agreeing to.
#Infosec #Cybersecurity It should be known that everyone is responsible to protect his/her own #privacy. How do you do that? – @cyberawaregov #Cybercrimes Details at: https://t.co/BgEZnwObpC #GDPRready - Kileo. pic.twitter.com/0SAr2PMO9x — YUSUPH KILEO (@YUSUPHKILEO) May 2, 2018
During our Board meeting we agreed upon having the annual @AfICTA summit 2018 in Mombasa #Kenya (East Africa). We look forward to a very productive Summit this year! More details will follow. #ICT #Africa #Innfosec @jumuiya @AfICTA @Kayodeisaiah4 @jolufuye https://t.co/blSupj9O2R — YUSUPH KILEO (@YUSUPHKILEO) June 18, 2018
#Infosec #Cybersecurity The increase in data breach and cybercrime as modern technology takes over the world - De Rebus https://t.co/pBmmP9bRYA #Cybercrimes — YUSUPH KILEO (@YUSUPHKILEO) July 14, 2018
Today, to give a hint at the answer to this one question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of thousands of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -
I sincerely hope that someone (anyone) at Microsoft, or that some CISO (any ONE) out there, will answer this ONE question.
Here's wishing you all a very Happy Fourth of July! Hope you have a great one!
I was supposed to answer a certain question today, but I decided to take the day off, so I'll answer it in days to come.
A few days ago I asked a (seemingly) very simple question; no, I'm not referring to this one, I'm referring to this one here -
Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?
Here's why I did so - while there's a lot of information out there on the WWW about how to use Mimikatz DCSync, and/or how to detect its use, there isn't one other* single correct piece of guidance out there on how to mitigate the risk posed by Mimikatz DCSync.
So, as promised, today I am going to show you exactly how thousands of organizations worldwide can now easily and demonstrably mitigate the very serious cyber security risk posed to their foundational security by Mimikatz DCSync.
First, A Quick Overview
For those who may not know, and there are millions who don't, there are three quick things to know about Mimikatz DCSync.
DCSync is a feature of Mimikatz, the Windows credential security tool created by the brilliant Mr. Benjamin Delpy, whose work over the years has very likely (caused Microsoft a lot of pain ;-) but/and) helped substantially enhance Windows Security.
Mimikatz DCSync targets an organization's foundational Active Directory domains. It impersonates a domain controller and uses the directory replication protocol (MS-DRSR) to ask a real domain controller for account secrets, so any attacker who holds sufficient privileges to replicate sensitive content from Active Directory instantly gets the password hashes of literally every account in the domain, including the krbtgt account, without ever touching a domain controller's disk.
Thus far, the only guidance out there is on how to DETECT its use, but this is one of those situations wherein if you're having to rely on detection as a security measure, then it's unfortunately already TOO late, because the damage has already been done.
Detection Is Hardly Sufficient
They say a picture's worth a thousand words, so perhaps I'll paint a picture for you. Relying on detection as a security measure against Mimikatz DCSync is akin to this -
Let's say a nuclear weapon just detonated in a city, and the moment it did, detection sensors alerted the city officials about the detonation. Well, within the few seconds in which they received the alert, the whole city would've already been obliterated, i.e. by the time you get the alert, literally everyone's credentials (including those of all privileged users) would've already been compromised!
Make no mistake about it - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory domain is tantamount to a complete forest-wide compromise, and should be considered a massive organizational cyber security breach. Recovery means, at the very least, resetting every credential in the forest (including the krbtgt account password, twice), and the only way to be certain you have evicted the attacker is to completely rebuild the entire Active Directory forest from the ground up!
This is why detection is grossly insufficient as a security measure. What organizations need is the ability to prevent the use of Mimikatz DCSync against their foundational Active Directory domains, and thus the ability to mitigate this risk is paramount.
How to Mitigate Mimikatz DCSync
The key to mitigating this risk lies in identifying what it technically takes to be able to successfully use Mimikatz DCSync.
Specifically, if you know exactly what privileges an attacker needs to be able to successfully use Mimikatz DCSync against your Active Directory domain, then by ensuring that only highly-trustworthy, authorized individuals (and not a single other individual) actually currently possess those required privileges in your IT infrastructure, you can easily mitigate this risk.
Technically speaking, all that an attacker needs to successfully use Mimikatz DCSync is sufficient effective permissions on the domain root object (the domain naming context head) of an Active Directory domain, namely the two replication extended rights "Replicating Directory Changes" (DS-Replication-Get-Changes) and "Replicating Directory Changes All" (DS-Replication-Get-Changes-All); any permission that implies them, such as all extended rights or Full Control on that object, is just as good. So all that organizations need to do is accurately identify exactly who has these effective permissions on the domain root object of each of their Active Directory domains.
By default only the default administrative security groups (Administrators, Domain Admins, Enterprise Admins) and the domain controller groups (Domain Controllers, Enterprise Domain Controllers) hold these rights. However, most Active Directory deployments have been around for years and have gone through a substantial amount of access provisioning, so in most Active Directory domains many more individuals than merely the members of the default AD admin groups may hold this highly sensitive effective permission, either directly or via group membership, some of it direct and some via nested group memberships. Service accounts are a common source: for instance, the synchronization account used by Azure AD Connect for password hash sync is legitimately granted both replication rights. The result is a potentially large and unknown attack surface today.
Now, it is paramount to understand ONE subtle but profound difference here - it is NOT who has what permissions on the domain root that matters, but who has what effective permissions on the domain root that matters, and this difference could be the difference between a $100 B organization being completely compromised or being completely protected from compromise.
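The following PowerShell is an added example and is not code from the original post, nor Paramount Defenses' tooling. It reads the domain root's DACL, keeps only the Allow ACEs that confer a DCSync-relevant right (either replication right, all extended rights, or Full Control), and flattens group trustees, nested groups included, into the accounts that ultimately hold the right. It assumes the RSAT ActiveDirectory module and a domain-joined session allowed to read the domain root's security descriptor; the well-known extended-right GUIDs come from the AD schema. Note what it does not do: it does not model Deny ACEs, object ownership, or memberships that cross trusts, so it approximates rather than computes effective permissions, which is precisely the gap the post describes.

```powershell
# Added example (not from the original post and not Paramount Defenses' tooling):
# enumerate the ACEs on the domain root that confer a DCSync-relevant right and
# expand group trustees, including nested groups, into the accounts that end up
# holding it. Assumes the RSAT ActiveDirectory module and a domain-joined session
# allowed to read the domain root's security descriptor.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights, as defined in the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ReplicationAce {
    # Allow ACEs on the domain root that grant a replication right, whether by
    # naming it, by granting every extended right (empty ObjectType), or via GenericAll.
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = $ace.ActiveDirectoryRights
        $granted = $null
        if (($rights -band $GenericAll) -eq $GenericAll) {
            $granted = 'GenericAll (includes all replication rights)'
        } elseif (($rights -band $ExtendedRight) -eq $ExtendedRight) {
            $guid = $ace.ObjectType.ToString()
            if ($ReplRights.ContainsKey($guid))        { $granted = $ReplRights[$guid] }
            elseif ($ace.ObjectType -eq [guid]::Empty) { $granted = 'All extended rights' }
        }
        if ($granted) {
            [pscustomobject]@{ Trustee = $ace.IdentityReference.Value; Right = $granted }
        }
    }
}

function Expand-Trustee {
    # Resolves a trustee to the accounts behind it. Groups are flattened with
    # -Recursive; well-known principals that are not AD objects (for example
    # NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS) are returned unchanged.
    param([string]$Trustee)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Trustee).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $Trustee }
    $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
    if (-not $group) { return $Trustee }
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    if (-not $members) { return "$Trustee (empty group)" }
    foreach ($m in $members) { "$($m.objectClass) $($m.SamAccountName) (via $Trustee)" }
}

# Trustees that hold these rights out of the box; anything else is flagged for review.
# (Triage hint only: the exact default list depends on forest version and RODC use.)
$ExpectedTrustees = @('Administrators', 'Domain Admins', 'Enterprise Admins',
                      'Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS')

$report = foreach ($ace in Get-ReplicationAce) {
    $flag = if ($ExpectedTrustees -contains $ace.Trustee.Split('\')[-1]) { '' } else { 'REVIEW' }
    foreach ($holder in Expand-Trustee -Trustee $ace.Trustee) {
        [pscustomobject]@{ Holder = $holder; Right = $ace.Right; GrantedTo = $ace.Trustee; Flag = $flag }
    }
}
$report | Sort-Object Flag, Holder | Format-Table -AutoSize
```

Run it once per domain in the forest. Rows flagged REVIEW are the attack surface the post is talking about: every account listed there can run DCSync today. Before removing an unexpected ACE (with the ACL object's RemoveAccessRule method followed by Set-Acl), confirm nothing legitimate depends on it; the Azure AD Connect sync account is the usual example of a non-admin account that genuinely needs both replication rights, and it should be treated and protected as a Tier 0 asset rather than stripped of them.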
The Key - Active Directory Effective Permissions
If you've followed what I've shared above, then you'll agree and understand that the key to being able to successfully mitigate the serious risk posed by Mimikatz DCSync lies in being able to accurately determine effective permissions in Active Directory.
In fact, Effective Permissions are so important, essential and fundamental to Windows and Active Directory Security that of the four tabs in the Advanced Security Settings dialog of Microsoft's Active Directory management tooling, one entire tab (Effective Permissions, renamed Effective Access in newer releases) is dedicated to them.
Unfortunately, it turns out that Microsoft's native Effective Permissions tab is not only not always accurate, it is substantially inadequate. I could elaborate on that, but I'd rather let you come to the same conclusion yourself: its ONE glaring inadequacy will be self-evident the moment you attempt to use it to find out exactly who, amongst the thousands of domain user account holders in your Active Directory domain(s), actually has the required effective permissions, because the tab only answers the question for one principal at a time. In fact, the same is true of all tools and scripts that rely on Microsoft's APIs to do so, such as this dangerously inaccurate free tool.
Fortunately, in a world whose population is 7,000,000,000+ today, thanks to one (1) inconsequential individual, there's hope...
Finally, How to Easily and Reliably Mitigate the Risk Posed by Mimikatz DCSync
Here's a very short (and perhaps boring but insightful) video on how organizations worldwide can reliably mitigate this risk -
Note: This is NOT intended to demonstrate our unique tooling. It is solely intended to show what it takes to mitigate this serious risk. We have no particular interest in licensing our unique tooling to anyone. As such, over the years we have NEVER, not once, pitched our tooling to anyone; almost 10,000 organizations worldwide have knocked at our door completely unsolicited, so I hope that makes the point unequivocally.
Thus, as seen in the short video above, with the right guidance (knowledge) and capability (tooling), organizations worldwide can now easily and reliably mitigate the serious cyber security risk posed by Mimikatz DCSync to their foundational security.
Complete, illustrated, step-by-step details on how to easily and correctly mitigate Mimikatz DCSync can now be found here.
I'll say this one last time - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory is tantamount to a forest-wide compromise and constitutes a massive cyber security breach, which is why mitigation is paramount.
PS: *Here are 4 posts I've previously penned on Mimikatz DCSync - a summary, technical details, a scenario and the question.
PS2: In days to come, I'll answer this question too.