So I definitely have a different mental history of active directory than most people, and recently I was doing a Glasshouse podcast with Pablo Breuer and here he says basically the same thing everyone says, which is that it's impossible to move off of technology even when that technology has a history of severe flaws, or a design flaw that means it cannot be secured.
This is the current mental stance among CIOs familiar with large companies, or even medium size companies! And I get it! But if leopards keep eating your face, and every hacker in the world keeps recommending you stop giving them a cuddle, and you say "I can't, I have legacy systems in my head that love to hug large dangerous cats" then that stops being the government's problem, in a way. Like when people ask why Cyber Insurance Markets are obvious catastrophic failures, and we point at how they can't really change any meaningful behavior, and they have to insure the total market value of whatever company they are insuring because the cost of risk is basically a sliding scale of whatever the Russian ransomware team thought up that morning over kasha, then everyone gets that surprised face and it's all very annoying.
So anyways, that brings us back to AD. AD is a system where any time you hack any computer on the network, you can become the domain controller, and own the whole company. That's just how it works. Every hacker/penetration tester has known that for two decades and the specific incantation on how you do that changes slowly over time, but it's always true. And then at INFILTRATE one year two Microsoft Research team members demonstrated an automation of the lateral movement piece which is now what
Bloodhound is. So in theory everyone knows this right now, even though they like to blame EternalBlue for all their problems in life.
But when you point that out on
Twitter, people ask you what the alternative is, and I have to admit I disagree with DDZ that it's "Zero Trust". That sounds like adding more complexity to a system that is already SO COMPLEX even lifetime specialists not named James Forshaw don't understand the BASICS of the authentication system.
Like
here's a paper that came out today that's in my queue all about Service credentials, and look - no matter how many new auditing tools or visualization thingies or AI anomaly detection alerts you deliver to your customers, if the underlying system is NOT UNDERSTANDABLE BY HUMANS then you can't secure it. I guarantee you that about 80% of the Russian ransomware affialiates understand Service Credentials and delegation better than your current AD management lead. Most of the time your AD ACLs are just you fooling yourself that you have a security boundary where you, in fact, don't.
Also, the problem is not NTLM. Everyone stop talking about NTLM. It wouldn't matter if AD was re-implemented to use purely quantum key exchange because only Gandolf can mentally visualize the transitive trust structures implicit in how you configured your AD Forests.
Ok so that brings us back to: What do you do instead? And honestly, I don't know. I've enjoyed reading the snippets that
Grapl Security has been posting about their setup. As far as I can gather, the TL;DR is just use Google as your directory server and use Chromebooks as much as possible.
This is what I do right now - but I'm not sure how scalable this is. Maybe y'all can pitch in on this thread and suggest a solution?
Thanks,
Dave Aitel