The Active Directory Attacks Training Series with Randy Franklin Smith – Insider Threat Podcast #7

In our seventh edition of the Insider Threat Podcast, once again we spoke with our resident white hat hacker, Jeff Warren. We’ve just partnered with Randy Franklin Smith at Ultimate Windows Security to deliver some of Randy’s “real training for free” on detecting and mitigating Active Directory (AD) attacks from our ongoing blog series. I’ve worked with Randy for years and we have a good relationship, but Jeff and he have been having a lot of fun geeking out with these AD Attacks.

If you’re not familiar with Randy, I bet you know his website. If you have ever searched for an event from your Windows Event log, then you have at least seen a link to his site, if not clicked on it. He always comes up first in Google, and most other search engines. (Go ahead and try it. We’ll wait.) The amount of value Randy gives away for free through his site and his webinars is staggering. Since we’re into making sure all our security pros are well-informed, too, the partnership was a no brainer. You can check out Randy’s and Jeff’s webinar, 3 Modern Active Directory Attack Scenarios and How to Detect Them on September 28 at noon by clicking here.

In the podcast, we dug into some of the ways these attacks expose nagging security issues throughout the IT stack. Things like Kerberoasting and Silver Tickets are scary, but when people do not apply least privilege access to databases and applications, these attacks become even more dangerous. Of course, we all know that security is a matter of getting things right on multiple layers and in multiple dimensions. And it’s not as if there aren’t ways to protect yourself. We cover how Privileged Information Management (PIM) solutions, using Group Managed Service Accounts, and other mitigations can help prevent some of the attack paths and damage that can be done.

We also covered one of my favorite ongoing topics – building things securely from the start. In the Microsoft world, that means looking at the approaches outlined in the Enhanced Security Administrative Environment (ESAE). If you’ve heard of things like the “tiered domain model” or the “red forest,” then you know pieces of this. These ideas originated in Microsoft Consulting’s cybersecurity practice. In the podcast, I mentioned the video from TechEd 2014 where I first encountered these ideas (which – embarrassingly – I said I saw on the scifi site io9 instead of channel9). The video is still as relevant now as it was then. There is a ton of material about this stuff out there, and a particularly good PDF from Tech Days in Hong Kong in 2015. It is difficult to sum up ESAE in a short blog post, but it focuses on building up your AD and authentication infrastructure in ways that make it very difficult for attackers to exploit you. Done well, the methods in ESAE would block many, if not most, of the attacks we talk about in our podcasts and blogs.

Click here to listen to the podcast.

To be notified of Insider Threat Podcast episodes, sign up here