In this story on the ITSPmagazine podcast network, Marco and Sean are joined by Daniel Lattimer and Guido Grillenmeier from Semperis to discuss the challenges of managing Active Directory and Azure AD in the modern cloud era.
In this story on the ITSPmagazine podcast network, Marco and Sean are joined by Daniel Lattimer and Guido Grillenmeier from Semperis to discuss the challenges of managing Active Directory and Azure AD in the modern cloud era.
The foursome speak to the difficulty of determining responsibility and ownership for directory services and touch on the value that secure businesses bring. The conversation covers the potential risks of syncing on-premises and cloud-based directories, the evolving threat landscape, and the importance of securing directory services. They also discuss Semperis' Purple Knight tool, which helps organizations assess their Active Directory security posture and identify potential indicators of compromise.
The episode includes several case studies of clients who have improved their security posture with Semperis' offerings. The conversation also explores the ongoing challenge of detecting legitimate logins that are actually malicious and the importance of ongoing monitoring and detection.
Overall, the conversation provides informative insights on the complex world of directory services and the challenges of securing them in the modern business environment.
Note: This story contains promotional content. Learn more.
Guests
Daniel Lattimer, Area Vice President - UK & Ireland at Semperis [@SemperisTech]
On Linkedin | https://www.linkedin.com/in/daniel-lattimer-37533016/
Guido Grillenmeier, Principal Technologist EMEA at Semperis [@SemperisTech]
On Linkedin | https://www.linkedin.com/in/guidogrillenmeier/
Resources
Learn more about Semperis and their offering: https://itspm.ag/semperis-1roo
Get a free Active Directory security vulnerability assessment: https://itspm.ag/semperjs0y
Visit Semperis at Infosecurity Europe 2023: https://www.infosecurityeurope.com/en-gb/exhibitor-details.org-18976101-97be-4f3d-a009-872b8e0b9079.html#/
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
_________________________________________
Show Intro00:15
Welcome to the intersection of technology, cybersecurity, and society. Welcome to ITSPmagazine. Every company has a story to tell from the small startup to the large enterprise. And everything in between. This is one of them. Knowledge is power. Now, more than ever
Marco Ciappelli00:40
Shawn,
Sean Martin 00:42
today, I feel a lovely shade of purple,
Marco Ciappelli00:47
purple color,
Sean Martin 00:48
purple is a good color. I feel majestic as well.
Marco Ciappelli00:54
It is a royal color. As a matter of fact, it's been used, I think by by kings and in royal over history. And in I heard there is a night that colors resonate.
Sean Martin 01:08
There's a night we've actually spoken to the team who have crafted is the right word, but have launched the purple knights upon us to help us guard against all things bad in Active Directory, funnily enough, the key which holds the keys to our kingdom, in many cases. So So enough of the silly analogies, we had a great conversation with the team at some Paris, talking about purple Knight a while back and around the launch of that, that offering and a lot has changed not just with the with the solution, but in the landscape and the use of the technologies that run who we are, what we are and what we do within business in the form of Active Directory, Active Directory and and ultimately Azure AD as well. So I want to welcome Dan and Guido to the show two new folks from Solaris joining us. Good to meet you. Good to see you. Thanks for Thanks for being on guys.
Daniel Lattimer02:10
Thanks for having us.
Marco Ciappelli02:13
All right. How about we start with presenting or let you present yourself here and then we will present also the night after after you though, after? Let's start with you that
Daniel Lattimer02:30
would appreciate you having us. My name is Dan Latimer. I am the area vice president for the UK here at Sampras. I've been in and around cybersecurity for a very, very long time in in and around identity for a long time. And yeah, leading leading the business here for us in the UK.
Guido Grillenmeier 02:49
Hello, everyone. And thanks for inviting me to the call. Guido grillin. Meyer, I'm the principal technologist for some parasitaemia supporting most of our largest customers and in general, our technical community, and especially is around security valuations, utilizing our tools such as purple Knight, and others
Sean Martin 03:12
will have it. So let's take a look. Back, if you will even even a few years, I'd say well is no question. Cloud has become mainstream, right? Everybody's transforming to a cloud, many clouds hybrid clouds. And with that goes there. They didn't start in the cloud, they have the transition from on premises to the cloud. And one of those critical components is Azure Active Directory more specifically. So kind of talk to me about some of the things you're seeing there from some of your customers, how are those transformations going? How are those transitions going? What's kind of changed in the past few years from that perspective?
Daniel Lattimer04:02
Yeah, there's a lot of change. There's always changing it, but the same mistakes get made. I think, a lot of the time we look at the future and look at these new technologies and new ways of doing things. I think that's going to fix everything. And don't get me wrong, there's a lot of value to it. But the older the old problems still persist. Most organizations will look at understanding who their users are and what they should have access to and building policies around that. Normally, that information is held within Active Directory. It's a solution. It's been around for a very, very long time. And it was built for allowing things to connect to other things quite easily. That problem doesn't go away by just moving to the cloud, or doing any of these kinds of zero trust programs or anything along those sorts of lines. The problem you find is moving to the cloud, you're just bringing bad technical debt with you. You know, we're moving through to AWS as a scenario that we see quite often. But what does that system connect back? To understand who the users are, and what the application should connect to. So you find this, there's a long tail of technical debt being dragged along into all these modern areas. So we're working with a lot of organizations to help reduce that technical debt and make that more easier to manage.
Guido Grillenmeier 05:16
But also add that other aspect, that's just a reality that companies face, especially those that have been around for a while, they started in the on prem world, and are then in the middle of a transformation towards cloud technologies. And those that are bound into the Microsoft ecosystem, often through Office 365, and teams and whatnot, they are often then also considering Azure and with that Azure AD as the next step forward. Now, the big thing that they are faced with that is an application migration, to modernize applications to actually utilize those new directories, since the name Active Directory and Azure Active Directory are similar, but the underlying technology for authentication of applications and users, absolutely not. So that's why it's the old applications that many businesses run on and rely on for years to come, that keep them from actually, you know, making the move away from the on prem Active Directory for quite some time into the future, until the last application has been modernized. And they've been migrated away from that.
Marco Ciappelli06:33
It's like running away from your problem, but you put them in the, in the carrier with you. Yeah, and I use carrier just because I'm already in the middle age here. As soon as you say at night, they go in a different world, but the world is the present world. So you know, there is that metaphor of the maid that defends the castle. But there is a different Castle, obviously, even if I am on the website now. And I do see there is castle with flags. And I'm excited to get to London soon and says something of that nature there. And then we'll introduce your presence of insert info security, London, but tell me about the fact that how it has been evolved in since the first conversation that we had in 2021, which I believe is when it was launched. And what new tricks had this night learned.
Guido Grillenmeier 07:32
I'll be happy to take that because I was there when it was originally launched. And I was just as excited as our product group before finally getting it out into the market. And I'm telling you that was a big moment because it was of course a first freely available tool that was really there to help the community to understand the security posture of their Active Directory, the on prem Active Directory. At that time, we only quotes had something like 35 checks that were validating basically, vulnerabilities so called indicators of exposure that we were testing against in the on prem Active Directory. Today, for the on prem Active Directory, we've got 105 tests that are being performed. So almost three times as many. We've released it on not quite monthly basis with new updates that either we researched from our research team, or we found from you know, other publications and then made tests to match those publications vulnerabilities to help our customers understand even more of what other risks out there lots of focus on certificates, because certificates have increased in usage by the cyber attackers to get to domain admin credentials. So that is has been a focus in the past lots of changes there. And if I hadn't mentioned that before, the addition of Azure Active Directory checks as well in the same product also for free, for which, of course a particular account is required in that Azure AD tenant. But the usability is the same, easy to use, very powerful in its feedback to the operator to understand what are the weak spots, and what do I need to take care of, and especially between the two, because you might have a bridge between the two that you want to avoid?
Sean Martin 09:34
And then I suppose there's a lot we could say that many people listening will say, I already know that I'm dealing with that as we speak. And just one example of I think somebody mentioned the use of Team debt aggregator, you mentioned teams. Is it possible for an organization to have on premises ad for all their legacy stuff and then implement a new feature that requires something like let's say teams that requires Azure AD. And now they have this hybrid environment. So assuming something like this possible, you can you can clarify in your response, what that might look like. People recognize whatever their scenario is, but what are some of the things that they might miss? In terms of why now I need to adjust my on premises to account for this. And as I move or implement the the Azure AD stuff, I need to consider these things. Because they don't look like the on premises stuff. And I might not understand how this environment works. There's probably a lot in there, but Ravel that, that'd be great.
Daniel Lattimer10:43
So there's a couple of things here. So when someone is moving through to as you're like, they still have to take some form of feed from their on premise Active Directory, it's going to be very, very rare that you create something completely independent all on its own. Because how is it supposed to connect back to the rest of your environment. So generally, if someone is moving to hybrid, they're still dragging some of that historical Active Directory configurations, etc. With them. The big challenge you find is that ad has been around for a long time organizations go through acquisitions and divestitures all the time, the user base is forever changing, applications are coming and going, your settings and your policies are updated constantly. It's very difficult to keep track of all of that manage all of that in an effective way. And moreover, the skill gap around Active Directory is increasing year in year out. So trying to find people that have the knowledge and the context of your environment, and then be able to do that type of work in a relatively consistent manner is challenging. Also being able to take all that information and do something useful with it is the next battle. So we've tried to make that as simple as possible to do that analysis for our, for our customers, give them that information and give them some real world actionable insight of how to actually tackle some of these problems and reduce that risk without having to be an expert within Active Directory to better achieve all that.
Guido Grillenmeier 12:11
Maybe I can add on that a little bit. Because I think it's good to have an example. What Dan just mentioned, is totally relative, you can't you're not starting from scratch, because you want to use the same user base, it's your, your user that that exists just one system warm by ID and that one body. Ideally, most companies work that way. Doesn't want to reauthenticate in 20 different places. That's where Single Sign On comes in. So you want to actually sort of connect the accounts in the Azure world and the on prem world. And that connection is happily done through Microsoft technologies such as Azure AD Connect, there's also the Cloud Connect, that's basically just one other way to synchronize your on prem Active Directory into the cloud. And multiple mistakes can be made just the starting with synchronizing your admin accounts from on prem to the cloud, and making them admins in the cloud. And that's the bridge that I mentioned, based. Typically, you reached in one, and then suddenly, both environments are easily compromised. But another example that we find all over the place. And that's that's a warning that our purple night tool would always pop up with, is the fact that there's a powerful account that you through this syncing have granted high privileges in your on prem Active Directory, that's the service account that is used to sync those two worlds. And that account has the power to read everything in the directory, including password hashes. It's it's heaven on earth for an attacker to go after that account, because then you can also grab the so called Caribee TGT hash might be too technical, but it's basically the key hash that an ad requires to generate Kerberos tokens. And if you have that, you can generate your own. That's the golden ticket that hackers love to create. They're independent of your domain controllers then. But companies often deploy that system on a weak server on a not well protected server. It's just another server. Although that server where that account is on must be protected, like a domain controller, and those are the warnings that we give with our tooling to make people aware, hey, this is critical. You have to consider how you manage this system, how you manage this account that has high privileges, be aware of it. And once you're aware of a risk, you can actually do something about it or you can choose to accept it, but ideally, you know how to handle it better.
Marco Ciappelli15:00
wanna let Shawn going in some more technical question, but I'm thinking from a business perspective to get the big picture. So I'm gonna go with dead. We're in the elevator in the tower of the castle, and you have just elevator pitch available for me, like a few steps. What? Why should I, as a business owner, or a CSO even come in and say, okay, you know, not only because it's free, but because that's you're accomplishing a, b, c, and d, I want to give it a go. So, go.
Daniel Lattimer15:34
So I think that the reality is, is regardless of what your objective is, as a business, there is going to be some form of technology that supports that, and processes that support that. And applications that support that, that have dependencies. Active Directory is going to be one of those dependencies. You know, we've had scenarios where organizations build huge multimillion pound programs that work to protect this key customer facing application, I forget the Active Directory can just log straight in. So it's, it's there in some way, shape, or form is going to be supporting whatever it is you're trying to achieve. And ignoring it introduces risk removes the likelihood of you being successful, because people make mistakes, and people are actively targeting you.
Marco Ciappelli16:20
Good enough. Thank you.
Sean Martin 16:22
Not for me, not.
Marco Ciappelli16:25
John is walking out of the elevator and he's gonna keep asking your questions.
Sean Martin 16:29
I'm following you all the way back to the office? No, because I think there's let's face it it and security's not not an easy job, right, very complex environments. You mentioned the skills gap, Dan, tough to stay up on top of things. Not many people entering this world want to go back and look at on prem, they'd rather they'd rather rather look at the funny or the fun, shiny new stuff in the cloud. So you have that further exposure, if you will. So I want to kind of paint the picture of where all the exposures might might sit, because that's the first part right? It's identifying those spots, then, and then potentially, an act of attack on those spots is is the next piece to look at. Let's look at the the exposure piece. I don't know. Do you want to want to touch on that? Where are those parts that need to be?
Guido Grillenmeier 17:28
Absolutely, I think, I mean, you've just mentioned the people aspect of it. Active Directory, the on prem Active Directory is no longer sexy for young folks to learn. You want to work in the cloud and do the new stuff. But it is because of its lack of attention. And its age. We're 2023. Now this technology is easily 25 years old, it was released in 2000. But of course develop years before that has come of age. Yeah, of course. Yeah. And it wasn't designed for the attacks of today's world, in that makes it weak Partially, because it's open. It's very open. From a read perspective. I always say it's open like a bond. Why? Because it's true. Microsoft chose the path of openness in the design of Active Directory security, that everybody that includes every user in your company, and every machine in your company has plenty of read permissions in the directory. And that, of course, also includes any intruder, that makes it into your corporate network. As soon as they have a step inside through phishing mail through some other malicious website, whatever people click. And believe me, there's always some way in through some mechanism, we hear it every day, there is an intruder in your network and that intruder, he or she has plenty of permissions to just do reconnaissance against your Active Directory. That's exactly what they're going after. Because when they find weaknesses in that, and I've just mentioned the DC sync rights of that highly privileged account, if they find it, and it's on a non web protected machine, and you go after that machine, there are accounts that are highly permission, you can find all of that, by default, that are easily so called Kerberos, double and then have a service principle name and basically very attractive method for intruders to grab hashes and basically elevate the privileges why? Why are they even after Active Directory? It's because it's not just used for you to manage your users and servers, but to actually grant permissions to data to grant permissions to business applications. So if I hack Active Directory, if I compromise it and become the domain admin of it, that's always the goal from any attacker that's in side your network. If they get that far, then all other systems are easily breached, because it's actually not a breakin anymore. It's a login. Because they just grant themselves permissions through group memberships, they add themselves might not actually be the domain admin that has permissions to the financial data, but a different group. Yeah, not so difficult to find out once you're in. And that's why Active Directory is the perfect pathway to bring you harm, of course, also really good to manage your environment. But but the point is, from the intruders perspective, that centralization of identity has given them power. And of course, that same power would exist for your cloud applications, if they are then able to attack your cloud tenant, your Azure AD tenant, no different from the on prem AD tenant. And that's why you want to protect both of them, so that the intruder can hopefully not reach their goal. And ideally, your more through proper hardening through proper tooling that are protected in your ad, so that the intruder can't get further and then chooses a different victim. That is your goal.
Sean Martin 21:16
Yeah, with great power comes great responsibility. And I want to I'll get to the get to the monitoring detection response piece in a moment, but I want to stick with the the assessment, because I think we have an opportunity here, of course, to do something good before becomes a problem. What I want to want to understand from you is kind of where this fits into the operations of vi t and security. I guess in the old days, you might have an i an ad admin that's responsible for this stuff. And perhaps they intersect at some levels with the rest of it, and systems and networking and apps. But fairly self contained, right, they own that. With the shift to DevOps, and everything, everything in the cloud pretty much or a lot, most of the stuff in the cloud, the responsibility for what gets built and how it gets deployed, and, and ownership has become very blurred along alongside the technology as well. So how, how does an organization leveraging purple mines in Paris, get a view of what's going on in the context for where the right person or team owns? Taking action on it before it becomes a problem?
Daniel Lattimer22:37
Yeah, that is a million dollar question. It's not always easy to answer, right? You kind of hit the nail on the head, it's sometimes will fall in between infrastructure sometimes will fall into identity sometimes or fall into security. And sometimes it can be it's a very weird and wonderful places that no one could ever expect and predict. And this also furthers the challenge you have in an operation where you have people making changes, and you have suppliers, making changes, sometimes suppliers manager as well. We've had to use a scenario a couple of days ago where someone said, Yeah, change what mate, we asked all the suppliers who was it and it was It wasn't me, wasn't me, this has now moved from an operational problem to a security problem. It was it was it was a legitimate, you know, someone just didn't want to make a mistake. The reality is, is helping clients working through this and actually exposing some of that risk and issue allows us to you know, work work further down that that vine to find out who actually is the person responsible, it is always a challenge to try and figure out exactly who is responsible? Do they have a an operational mindset associated with this? Or is it a security mindset? And it's always trying to tie the two different camps together, you know, the operational security teams together? Because ultimately, that's the only way that these problems get fixed. Because it is both problems
Marco Ciappelli23:52
I'm gonna I'm gonna take it here because I'm thinking and I'm kind of teased on that you know, we will meet again soon info security Europe in London, and plenty Newcastle, they're excited about it, but the conversation there. I think they choose a great theme for the event which is rethink the power of information security. And when I think about that, I think about is not just to protect, but it's also exactly in power, right? The power allowed to do business and I think the Active Directory is perfect because you can't block everything. Otherwise you block the business. That is a really important observation to to make, but also it add values to to the business nowadays, the conversation is about if you're a securities business, you are more valuable business. And I would love to hear from you maybe some maybe Greedo some some case study of clients that really You have empowered themselves to do better business because of St. Paris? And because of the the tools that you have?
Guido Grillenmeier 25:09
Absolutely, I mean, there's no names that I can mention particular, of course, but I find plenty of, first of all, we as a company have received tremendous amount of feedback from the community, from our tool that has been downloaded and used many 10s and 1000s of times already. And of course, that is growing, because you know, we're releasing new capabilities, new features. But specifically, I've worked with quite a few clients that were simply not aware of their, let's say, security posture of their Active Directory and the risks that they would face. If an intruder made it into the network, gets to the corporate network layer, and basically, is then able to easily compromise the Active Directory, that visibility wasn't there. Now, that alone has helped them to realize that they needed to reprioritize Yeah, that alone was they were able to realize, okay, with, let's say, additional, I wouldn't say push but additional hints at well think about do a dry table run as to like, what are the actual dependencies on this technology? Do you still have critical business apps that you utilize in your environment that depend on Active Directory? Yes or no? And too many hats to answer Absolutely, yes, if this wasn't working, if this was taken down and breached, we couldn't do our business. So after going through that exercise, and we had things like I mentioned, their Kerberos double account that you can do something about by making passwords of those service accounts much larger, much harder, and much longer, much harder to attack, like not in the lifetime of normal machines. Let's disregard quantum computing here for a second, because that's a totally new risk in trying to crack passwords. But in the normal systems, it would take years to crack those longer passwords or old configurations that were left over from some old web applications with unconstrained delegation turned on again, don't want to go into the technical details too much. But that helped them to realize, hey, we that's a risk of that machine, we're actually not no longer using that app, we were able to unconfigured a lot of their risky issues, and basically go through this point to point to point by point to actually make them more secure, not just feeling more secure, but also being able to prove to management, their security improvements over time, through, you know, multiple runs of the PK report. Now often, these customers then realize they need more for their Active Directory protection. Of course, we have professional tools, commercial tools to help them beyond that. But they're thankful for all the wealth of information and expertise, they're really getting with a free tool.
Sean Martin 28:17
And I mean, great examples. And it just leads me to believe and I'm going to encourage everybody to either connect with you in person in London or follow up with you after because there's so much more than we we can cover here in this conversation. But one of the things that I think purple Knight does that is critical for an organization that hasn't really looked at this in depth is indicator of compromise. And I don't know if this is the right way to look at it. But we talked about like an intrusion detection and prevention and endpoint protection, we'd look at false positives, right? Where things look like. They're their real attacks, and in fact, are not. So teams spend a lot of time tracking it down. It's not really an issue. Here, there's a potential for false negative, right? Where it looks like a real legitimate login looks like an agenda mid access, yet, in fact, it's something bad taking place. So how, how do you help organizations one, determine if there's something there that's bad already? And then ongoing? Look for activities that look legitimate, but really aren't.
Guido Grillenmeier 29:41
You want me to take that. I'll be happy to give you a few thoughts on that Dan can expand. You're touching on a very difficult point. Because of course, first of all, purple Knight is a tool that you spin up in the moment and then you check the environment And what we can find is traces of things that intruders have left behind, such as Mimi cats Dizzy shadow, it's clear signal of wounds. This has nothing to do every day in your operations. If, if there is a traces of that found in your ad, that's typical an intruder trying to persist in your environment. Now, often, the attack is of course happening not inside Active Directory, it's happening on the endpoint where companies haven't done the greatest in doing a proper tearing model that hinders a domain admin to log on to a normal end client. That's how most environments are breached. And then from that endpoint, the intruder simply steals the credentials be passed the hash password ticket doesn't matter, he becomes the domain admin, and doesn't actually change anything in your ad in you need to figure out by what they're doing, if it is it legitimate task or not. And that's where our commercial tools come into play. That's not where purple knight can help much purple knights can find specific changes that are suspicious that shouldn't have happened. Also, injection of Cid history is also a good example, that an intruder might have tried by, you know, using the CID, of a domain admin group of the domain admin group, injecting it to a lesser suspicious normal account, that normal account becomes a domain admin and you don't see it anywhere, not in domain admin group hasn't changed, et cetera. So there are ways that we can find what intruders have done with your environment, and purple night even helps there. But the act of the change, we can only capture with active components in the environment. And that's, again, where commercial directory services protector tool comes in.
Marco Ciappelli31:58
And that's the beauty of being able to make an audit on the spot, like real time, not what was six months ago. doesn't help me much. I mean, it does help better than nothing. But you know. So we're getting to the end of this conversation, but we'll meet again, soon. In London, I mentioned your time. At the Excel London, there is info security, Europe is the 20th 21st 22nd of June. And I know what you guys are there. So then you want to make a call to action to invite people to come and visit you guys to your booth where you are and what they can learn there.
Daniel Lattimer32:44
Yeah, absolutely. Absolutely. Well, the standard is e 62. will be there all three days, we're more than happy to help give you any, any and all guidance we can are on Active Directory, securing it and making your life a bit easier when managing it as well.
Sean Martin 33:00
That's the key. I think
Daniel Lattimer33:02
everyone wants an easy life. Easy.
Guido Grillenmeier 33:07
Fix it for me.
Marco Ciappelli33:11
More tech?
Sean Martin 33:12
That's right. Well, I mean, as things things become more complex, it'd be nice to know that we have some help from from folks like you and, and technologies to help people like you help us help help our teams be more successful. Well, great conversation, great to hear things are progressing and the growth of purple knights continues. And I mean, yeah, super cool stuff. And I'm excited to see you both in London along with the rest of the team, and hope to meet some folks there as well. Of course, we'll be we'll be chatting with you live on site to kind of get your feel for what's going on. And what are some of the conversations you're having there. So we encourage everybody to stay. Yep. And we'll include links to purple light and some Paris and your profiles. So and then the link to your stand. So people know where you are. So those listening and watching, you can grab all that information in the show notes. And Marco I'm still still feeling feeling Royal and purple. Good.
Marco Ciappelli34:25
Good. Good. I'm excited. At this point. I'm excited to get on the Big Bird Metal Bird and get to London and meet a lot of interesting people there. Everybody interested in and with the same objective, which is to make our business more secure. So looking forward to that and for everybody stay tune the there is a page all dedicated to info security, Europe coverage on ITSPmagazine And there'll be many more stories straight On the floor as well, we'll get creative there. So stay with us, then we'd have thank you so much again. Take care
Show Intro35:11
we hope you enjoyed this conversation. If you learned something new in the story made you think, then share itspmagazine.com with your friends, family and colleagues. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.