SpecterOps Extends Reach of BloodHound Tool for Mapping Microsoft AD Attacks
SpecterOps has added the ability to track attack paths across instances of Microsoft Active Directory (AD) running both on-premises and on the Microsoft Azure cloud service.
Justin Kohler, vice president of products for SpecterOps, said an update to the company’s open source BloodHound attack path mapping tool can now more easily visualize how cybercriminals are, for example, exploiting misconfigurations across a hybrid AD environment.
Microsoft Entra Cloud Sync and Microsoft Entra Connect Sync allow administrators to synchronize users from on-premises AD domains up to Entra ID tenants, the identity and access management (IAM) service that Microsoft provides. That in turn lets administrators enable a feature called “Password Hash Synchronization”, which replicates the password hash of each on-premises user up to its Entra ID counterpart. Unfortunately, that synchronization also creates attack paths between AD and Entra ID that can be exploited, said Kohler.
Whenever data is collected from both an Entra ID tenant and an AD domain, BloodHound will now automatically generate hybrid attack paths in the graph it surfaces, he added.
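To make the hybrid-path idea concrete, here is an added illustration, not BloodHound's own code: a toy graph of constructed principals, a breadth-first path search, and a defender check listing which on-premises accounts are synced to privileged Entra ID identities. The edge label SyncedToEntraUser, the other edge kinds and all node names are assumptions made for the example.

```python
from collections import deque

# Constructed sample graph: node -> list of (edge_kind, target). Edge kinds loosely
# follow BloodHound-style naming (assumed); "SyncedToEntraUser" marks the Connect Sync /
# password-hash-sync link between an on-prem AD user and its Entra ID counterpart.
GRAPH = {
    "AD:helpdesk@corp.local":   [("GenericAll", "AD:jdoe@corp.local")],
    "AD:jdoe@corp.local":       [("SyncedToEntraUser", "ENTRA:jdoe@corp.onmicrosoft.com")],
    "AD:svc-backup@corp.local": [],
    "ENTRA:jdoe@corp.onmicrosoft.com": [("HasRole", "ENTRA:Global Administrator")],
    "ENTRA:Global Administrator": [],
}

def find_paths(graph, start, is_target):
    """Breadth-first enumeration of simple paths from start to any node satisfying is_target."""
    paths = []
    queue = deque([[("start", start)]])
    while queue:
        path = queue.popleft()
        node = path[-1][1]
        if is_target(node) and len(path) > 1:
            paths.append(path)
            continue
        visited = {step[1] for step in path}
        for kind, nxt in graph.get(node, []):
            if nxt not in visited:
                queue.append(path + [(kind, nxt)])
    return paths

def hybrid_paths(graph, start, target):
    """Paths from an on-prem AD principal to target that cross into Entra ID via a sync edge."""
    return [p for p in find_paths(graph, start, lambda n: n == target)
            if any(kind == "SyncedToEntraUser" for kind, _ in p)]

def synced_privileged(graph, privileged_roles):
    """Defender check: on-prem AD users whose synced Entra counterpart holds a privileged role."""
    result = []
    for node, edges in graph.items():
        for kind, entra in edges:
            if kind == "SyncedToEntraUser":
                roles = {t for k, t in graph.get(entra, []) if k == "HasRole"}
                if roles & privileged_roles:
                    result.append((node, entra, sorted(roles & privileged_roles)))
    return result

def fmt(path):
    """Render a path as 'node -> [edge] node -> ...' for reading."""
    return " -> ".join(n if k == "start" else f"[{k}] {n}" for k, n in path)
```

Accounts returned by synced_privileged are the ones to review first: keep privileged Entra ID roles on cloud-only identities rather than on synced users, so control over the on-premises account does not carry into the tenant.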
Microsoft AD remains the most widely used directory in the enterprise, but it’s also easily misconfigured, said Kohler. Few administrators follow the best practices for securing AD that Microsoft shares, mainly due to a lack of training, he noted.
Of course, that creates a major issue for cybersecurity teams because cybercriminals view AD as a platform that, once compromised, makes it simple for them to escalate privileges, added Kohler.
SpecterOps created BloodHound to provide cybersecurity teams with a tool that makes it simpler to visualize the attack paths that can be exploited because of the way AD has been configured.
It’s not clear to what degree misconfigurations of AD are the root cause of successful cyberattacks, but in comparison to other attack vectors it’s relatively simple to exploit a misconfiguration, noted Kohler. Most cybercriminals are not going to develop complex malware when it’s easier to compromise instances of AD to steal credentials, he added.
In general, Microsoft AD is too ubiquitously deployed for organizations to easily replace it, despite a wide range of known security issues. As such, the only practical alternative, from a security perspective, is to use a range of tools to better secure it. Attack path tools typically make use of a graph database to make it simpler for cybersecurity teams to visualize how cybercriminals view an IT environment. Understanding how various platforms might be compromised makes it easier for cybersecurity teams to see which issues need to be addressed to thwart those potential attack vectors, hopefully before they are exploited, in an era where cyberattacks continue to increase in both volume and sophistication.
The more cybersecurity professionals learn to think like cyber attackers the more successful they will become. The challenge, as always, is that the IT platforms that cybersecurity teams are trying to defend are usually configured by someone who doesn’t always have the greatest appreciation for how even the most trivial mistake might enable cybercriminals to wreak untold havoc.