Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."
With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?
The C-Suite Meeting
Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.
This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -
Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.
After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.
The C-Suite then took a break for lunch.
The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...
... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.
Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?" He said "Yes."
Houston, We Have a Problem
The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!
He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.
He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."
He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"
The CEO asked the CIO - "What's wrong? What happened?"
The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"
The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"
The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"
The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"
The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"
The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"
The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."
The CEO asked - "What is Active Directory?"
The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"
The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"
The CISO replied - "Sir, not everyone can. Only those individuals whose have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective-permissions on the domain root object, can do so."
The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"
The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has this effective permissions on our domain root!"
The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"
The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."
The CEO was furious! - "You're kidding right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around ?!
The CISO replied - "Seventeen years."
The CEO then said in disbelief - "Did you just 17 years, as in S-E-V-E-N-T-E-E-N years?! Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"
This is for Real
Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!
We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organizations that wishes to see it.
This Could've Been (and Can Be) Easily Prevented
This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.
Sadly, since Microsoft apparently never educated its customers about the importance of Active Directory effective permissions, most of them have no clue, and in fact have no idea as to exactly who can do what across their Active Directory deployments!
Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.
Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.
Wait, weren't these C*O discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!
Fast-Forward Six Months
Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.
All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.
The moral of the story is that while its fine to fall for the latest fad, i.e. consider moving to the "Cloud" and all, but as AND while you consider and plan to do so, you just cannot let you on-prem cyber defenses down even for a moment, because if you do so, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.
I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.
CEO, Paramount Defenses
PS: If this sounds too simple and high-level i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here etc. etc.
PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."
Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lockdown any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.
PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)
PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory