The world is dangerous. Adversaries can compromise accounts, masquerade with legitimate credentials, backdoor systems with simple modification with user-attributes, and to a defender, almost look like an insider threat – versus an external one.
Many times I've talked this and watched people's eyes gloss over. "Sure, this is real" most of my customers 10 years ago would say.
This is when I knew, at the time as a Microsoft employee, we had to do something. We had to not do the traditional "death by powerpoint." We needed to not do the traditional "death by fake console". We needed customers to truly see live attacks, with real malware. This would be the only way to get the true "oh ****" moment.
Nor did we want that response from the customer for sales purposes. I never was in sales, although one would always "argue everyone is in sales". Sure, but I've never been incentivized on a a sale. The real focus for me has always been focused on grounded, fact based risk.
At the time, the issues with Active Directory Federation Service were not known. Read-Only Domain Controllers (RODCs) were still though to be a security layer, added to DMZs when in reality they were just hurting operations and increasing lag time for authentication flows – or worse – leaving the customer environment in a non-supported state (RODCs always need access to a normal [read/write] Domain Controller).
So ultimately, as I rebuild my blog I wanted to point folks to a few key resources:
- The original Advanted Threat Analytics (ATA) playbook. This includes lab setup instructions.
- Updated version of a very similar playbook, when we brushed the above off for Microsoft's cloud version of ATA, what is now called Microsoft Defender for Identity (MDI)
Currently, CrowdStrike is working on a very similar one, but with more prevention use-cases and Zero Trust use-cases, fusing together hygiene of a user with the device hygiene they are authenticating to and from.
Not to make this a conversation around vendors, the purpose of this pose is to share great resources that will aid your knowledge on truly understanding these identity-based attacks. The fact that you can modify Active Directory with a skeleton key attack, the fact that you can become anyone at anytime with Forged PAC and Golden Ticket attacks, if you've not yet read up on these things, the above resources will truly be eye opening.
In future posts, unfortunately replicating one I've deleted in the past, I will show you how to build such a lab which is greatly important to test and train yourself on the state of the possible.
It's only when we know what is possible and the reasonableness of an adversary doing these actions can we ever truly know how to defend against it or even prioritize against those class of attacks.