
Direct Route: How To Stop The Path Of Least Resistance Becoming The Highway To Hell
Sometimes, you just need someone who’s willing to cut to the chase. And that was exactly what Lee Quinn, group head of cyber security for the Coventry Building Society, did in his opening remarks at a RANT roundtable in Manchester, hosted by SpecterOps.
“Controls are built in boxes, but attackers don’t think in boxes – they think in routes,” Quinn said. “Everybody here works for companies which have invested in all the usual defensive tech. It all looks solid. But attackers aren’t looking to smash through those. They’re looking for the small weaknesses – the service account that’s no longer used but is still active, things like that – and they’ll use those to move around our defences.”
Quinn cited the example of the 2024 ransomware attack on the American health technology firm Change Healthcare, where the lack of multi-factor authentication on a remote access server led to an identity compromise which the attackers were then able to exploit, escalating the account’s privileges and moving laterally through the corporation’s network. The impact, as he noted, was huge.
“Paralysis across the whole of U.S. healthcare; loads of patient data locked down; billions in knock-on costs,” he said.
From that first foothold, they were able to move to the heart of the company’s digital infrastructure. The end results could have cost lives; they certainly cost huge amounts of money.
Clearly, a company of that size and scale, handling data as sensitive as medical records, and working in a highly regulated, literally life-and-death sector, would not have skimped on its digital defences. But the point Quinn made was that all the expensive solutions to specific cybersecurity challenges can only solve their own discrete problem set. You still need them, and if an adversary launches themselves directly at them, they’ll probably prove strong enough to repel the attack. But because they’re there, most attacks will be designed to go around them. And that requires businesses to be thinking differently about security.
“An attack path isn’t a tool – it’s a mindset shift,” he said. Instead of asking where to build the walls and where to put the moat, a business needs to think like an attacker and work out how its defences can be bypassed, he argued. The conversation, Quinn said, needs to move from “how do I shore up my defences?” to: “How would I go from here [the perimeter] to domain admin if I was attacking?”
Give The Dog A Bone
SpecterOps provide businesses with a tool called BloodHound that can help with this mindset change by, essentially, mapping all the routes an attacker could potentially take around their defences. Once the problem is made visible – in the form of a diagram that even non-technical people can easily understand – changing that mindset starts to become possible.
There are two main iterations of BloodHound – a free version, Community; and the paid, all-bells-and-whistles Enterprise. The purpose of having a free version is not just to tempt businesses to become paying customers: SpecterOps believes in the principle of a rising tide floating all boats, and its founders feel strongly that if they can help any user to understand how attackers could breach their systems and reveal ways in which they could prevent that happening, then everyone will benefit.
One challenge, though, is that the tool – in both versions – can reveal rather more routes than most business leaders would be willing to believe could exist from the tiniest cracks in the perimeter to the vital data that the business relies on to function. For the most part, this is because most businesses rely on their Active Directory (AD) to manage their identities, and all their access controls are based on those identities.
AD is an ageing technology, well past the stage where “creaky” or “clunky” do it justice – but its centrality to so much of what the business does means no big organisation is willing to risk finding out what would happen if it tried to replace it. Also, its existence predates many organisations’ cybersecurity departments, so its corporate ownership resides elsewhere. Consequently, its security is rarely something security teams have ownership of, despite its centrality to the entire enterprise’s digital estate. In effect, AD security isn’t just something that attackers can leverage as they waltz around and between expensive security technologies – it’s something that network defenders have to work around too, since they’re not empowered by the business to fix it.
“When you look at your AD, it’ll be a shitshow,” Colin Makin, SpecterOps’ sales director for Europe, said, deploying a piece of highly specialised technical terminology. “We did a proof-of-concept for a core national infrastructure provider: how many routes did it show? Two billion.”
This provides a fundamental challenge for the company: how do you persuade people to acquire a technology that appears to be showing them how badly they’re doing? Worse, one that appears to imply that all the spending they’ve made on security tools, while it may not have been wasted exactly, still hasn’t managed to provide much in the way of solid protection. “People don’t want to buy a tool that shows them how dirty their laundry is,” is the way he put it.
Again, the challenge here is one of encouraging the decision-makers in the business to accept that it’s time they started to re-examine their mindsets. Quinn argued that expecting a security tool to fix a problem isn’t really the right way to think about it.
“Tools like BloodHound make the attack paths easy to see, but they don’t fix things for you,” he said. “It forces clarity – but it’s up to you to respond.”
Problem Child
Businesses which have deployed BloodHound – whether in the Enterprise or the Community version – have started down the road towards those necessary mindset shifts. But it is not always smooth going.
“We’ve done it in our corporate environment, but in our customer environment it’s difficult,” one CISO, whose company supplies software to the public sector, explained. “We connect lots of information for public bodies. They all share data and software. Those attack paths are the most dangerous for me. It could start in one region and quickly take out the whole country. We model all the attack paths for our software – but our customers? No. And it’s them that worry me.”
“I understand our environment really well,” another senior security manager said, “but trying to get that mind shift of getting rid of the accounts that you don’t need any more…? People who work in the organisation should only have credentials that are necessary. But many organisations are very naive to what’s left lying around in their own environment.”
Just as worrying are those users who have been given greater privileges than their role actually requires. There are many reasons why this happens, but none of them appear to justify the risks created.
“A lot of people, when they ask for privileges, don’t know what they’re asking for,” Quinn said. “They say they need a domain admin identity, but all they need to do is go from A to B.”
“It’s like using a Ferrari to go to the shops,” Makin agreed.
“Or sometimes,” offered another CISO, who had clearly seen the same thing happen more than a few times, “it’s more, ‘He’s got a Ferrari, why can’t I have one too?’”
And organisations are exacerbating this problem by placing, as one leader put it, “compatibility layer on top of compatibility layer because nobody wants to switch off their AD. When are we going to architect these rules?” The comment was pitched partway between an exasperated plea and a frustrated cri de coeur.
Leavers, joiners and movers in the organisation are another fertile breeding ground for overprivileged accounts, duplicate identities, or worse.
“I started off in my company being a UNIX system administrator,” one veteran security leader recalled. “My job has changed, and has ranged from being really low level on some production bits, to now, where, in the nicest possible way, I shouldn’t be trusted to be on those servers. I believe all my old accounts have been disabled. They certainly should have been. But are some of them still lingering? I don’t know.”
Other attendees contributed other troubling real-life scenarios, from the firm with four people who have the same name, to the person at the table who shared a name with a colleague in their company, the only way to distinguish them on a list being that one of them has a doctorate.
“The number of times privileges get mixed up between people is ridiculous,” one of these leaders said. “People add privileges to one account, but they don’t apply them to the right one. Or they don’t know which to apply them to, so they apply them to all of them.”
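The hygiene problems described above (stale but still-enabled service accounts, leavers who keep privileged membership, disabled accounts that still sit in admin groups, and same-name twins who get each other's rights) are all checkable from a plain directory export. The following is an added example, not code from SpecterOps or from any attendee's organisation; it runs over a small constructed account list (hypothetical names, nothing from a real estate) whose fields mirror what a typical AD export carries, and the 90-day idle threshold is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

# Reference time for the audit (constructed; a real run would use datetime.now(timezone.utc)).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed sample export. "groups" is the account's direct group membership and
# "hr_status" is what the HR/joiners-movers-leavers feed says about the owner.
ACCOUNTS = [
    {"sam": "jsmith", "display": "John Smith", "enabled": True,
     "last_logon": NOW - timedelta(days=2), "groups": ["Domain Users"], "hr_status": "active"},
    {"sam": "jsmith2", "display": "John Smith", "enabled": True,
     "last_logon": NOW - timedelta(days=400), "groups": ["Domain Users", "Domain Admins"], "hr_status": "left"},
    {"sam": "svc_backup", "display": "Backup Service", "enabled": True,
     "last_logon": NOW - timedelta(days=210), "groups": ["Backup Operators"], "hr_status": "service"},
    {"sam": "svc_legacy", "display": "Legacy App Service", "enabled": True,
     "last_logon": None, "groups": ["Domain Admins"], "hr_status": "service"},
    {"sam": "old_unix_admin", "display": "Pat Lee", "enabled": False,
     "last_logon": NOW - timedelta(days=900), "groups": ["Domain Admins"], "hr_status": "active"},
    {"sam": "plee", "display": "Pat Lee", "enabled": True,
     "last_logon": NOW - timedelta(days=1), "groups": ["Domain Users"], "hr_status": "active"},
]

# Groups treated as privileged for this audit (assumed list; extend to match your tiering model).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators", "Account Operators"}


def is_privileged(account):
    """True if the account is a direct member of any privileged group."""
    return bool(PRIVILEGED_GROUPS & set(account["groups"]))


def stale_enabled_accounts(accounts, now=NOW, max_idle_days=90):
    """Enabled accounts (service accounts included) that have not logged on within
    max_idle_days, or have never logged on at all: the 'no longer used but still
    active' case."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff))


def privileged_leavers(accounts):
    """Accounts that are still enabled and still privileged although HR records the
    owner as having left."""
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and a["hr_status"] == "left" and is_privileged(a))


def disabled_but_privileged(accounts):
    """Disabled accounts that keep privileged membership: one re-enable (or a sync
    mistake) restores the privilege without any new approval."""
    return sorted(a["sam"] for a in accounts if not a["enabled"] and is_privileged(a))


def ambiguous_privileged_names(accounts):
    """Display names shared by several accounts where at least one is privileged,
    i.e. the situation where rights get granted to the wrong namesake."""
    by_name = {}
    for a in accounts:
        by_name.setdefault(a["display"], []).append(a)
    return {name: sorted(x["sam"] for x in group)
            for name, group in by_name.items()
            if len(group) > 1 and any(is_privileged(x) for x in group)}


if __name__ == "__main__":
    print("stale but enabled:      ", stale_enabled_accounts(ACCOUNTS))
    print("privileged leavers:     ", privileged_leavers(ACCOUNTS))
    print("disabled but privileged:", disabled_but_privileged(ACCOUNTS))
    print("ambiguous names:        ", ambiguous_privileged_names(ACCOUNTS))
```

Each finding maps to a specific remediation (disable, remove from group, or rename so the two namesakes are distinguishable), which is the point Quinn makes: the tool only makes the list visible; someone still has to act on it.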
Dirty Deeds Done Dirt Cheap
The differences between the two BloodHound products provoked questions, with some attendees wondering how those might manifest themselves. One CISO who had moved from a rival service and taken up BloodHound’s Community edition had noticed a huge increase in the number of attack paths revealed. Was the step from Community to Enterprise likely to cause as big a further increase, they asked?
“Yes and no,” said Mark Wilson, a SpecterOps senior sales engineer, before offering an explanation. “When you use Community you’re trying to work out a route, but you can’t see the whole map. With Enterprise, we analyse the whole map. If a company has two million paths, you’re never going to remediate them all. We map out the terrain, and work out what are the points of convergence that an attacker must traverse in order to get control.”
This methodology will help businesses to turn awareness into effective action. As Wilson noted, no SOC will have the time or the resources to individually disrupt millions of attack paths – but if three-quarters of those routes have to pass through a handful of nodes on the network, then work can be focused on those, and ways of disrupting adversaries as they move through them can be deployed.
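The "points of convergence" idea is a graph problem: enumerate the paths from every foothold to the control target, count which intermediate nodes the paths share, and pick the few nodes that cover most of them. The block below is an added example written for this article, not BloodHound code or any SpecterOps algorithm; it works on a small constructed graph in which an edge means "control of this node gives control of the next", and the 75 per cent coverage target is taken from the figure quoted in the paragraph above.

```python
from collections import Counter

# Constructed attack graph (hypothetical node names). Edges are abstract
# "can take control of" relations, not real BloodHound edge types.
ATTACK_GRAPH = {
    "user_alice": ["ws01"],
    "user_bob": ["ws02"],
    "user_carol": ["ws03"],
    "ws01": ["helpdesk_grp"],          # a helpdesk member has a session on ws01
    "ws02": ["helpdesk_grp"],
    "ws03": ["sql01"],
    "helpdesk_grp": ["jump_srv", "sql01"],
    "sql01": ["jump_srv", "svc_legacy"],   # stale service credential stored on sql01
    "jump_srv": ["da_session_user"],
    "da_session_user": ["DOMAIN_ADMINS"],
    "svc_legacy": ["DOMAIN_ADMINS"],       # unused service account still in the DA group
}
FOOTHOLDS = ["user_alice", "user_bob", "user_carol"]   # assumed initial-access principals
TARGET = "DOMAIN_ADMINS"


def enumerate_paths(graph, starts, target):
    """All simple (cycle-free) paths from each foothold to the target."""
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for s in starts:
        dfs(s, [s])
    return paths


def node_path_counts(paths):
    """How many paths each intermediate node (not foothold, not target) lies on."""
    return Counter(node for p in paths for node in p[1:-1])


def greedy_choke_points(paths, coverage_target=0.75):
    """Pick nodes one at a time, each covering the most still-uncovered paths,
    until the chosen set lies on at least coverage_target of all paths.
    Ties are broken by name so the result is deterministic."""
    uncovered = list(range(len(paths)))
    chosen = []
    while uncovered and len(uncovered) / len(paths) > 1 - coverage_target:
        gain = Counter(node for i in uncovered for node in paths[i][1:-1])
        best = min(gain, key=lambda n: (-gain[n], n))
        chosen.append(best)
        uncovered = [i for i in uncovered if best not in paths[i]]
    return chosen


def paths_after_removing(graph, starts, target, removed):
    """Number of paths left once the given nodes are fixed (modelled as deleting them)."""
    pruned = {n: [m for m in nbrs if m not in removed]
              for n, nbrs in graph.items() if n not in removed}
    return len(enumerate_paths(pruned, starts, target))


if __name__ == "__main__":
    paths = enumerate_paths(ATTACK_GRAPH, FOOTHOLDS, TARGET)
    print(f"{len(paths)} paths to {TARGET}")
    for node, n in node_path_counts(paths).most_common():
        print(f"  {node:16s} on {n} paths")
    chosen = greedy_choke_points(paths, 0.75)
    print("choke points for 75% coverage:", chosen)
    print("paths remaining after fixing them:", paths_after_removing(ATTACK_GRAPH, FOOTHOLDS, TARGET, set(chosen)))
```

On this constructed graph a single node (the helpdesk group's reach onto workstations) sits on six of the eight paths, so fixing it meets the 75 per cent target on its own, and adding the SQL server with the stale service credential removes every path. Enumerating all simple paths is exponential in the worst case, which is exactly why a real estate with two billion paths needs an engine rather than a script, but the prioritisation logic is the same.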
Moreover, BloodHound Enterprise doesn’t just look at the company and customer networks. As well as the IT, it can map paths across the OT environment.
“We can add in backup servers, and take it further,” Wilson said. “We look at all the assets that are critical.”
“Hopefully OT is separate from IT,” Makin added. “But if a user can pivot between them, an adversary can too.”
Once a map exists, those embedded mindsets can, perhaps, start to shift. If a security staffer tries to tell someone in HR, or in sales, or on the board, about a security challenge, eyes tend to glaze over. Show them a map of the environment, which describes the problem in a way that they can see at a glance, and there is at least the chance for understanding to dawn, and that deeply engrained habits and ways of thinking might begin to change.
“This is a good contextual narrative to move into,” Kay Daskalakis, a SpecterOps sales engineer, said. “You can say to a colleague in HR: ‘Look – you can go from here to the server, from the server to the principal, and take over the company.’ That’s interesting to all these people. It’s not a niche problem.”
And those lessons tend to stick.
“Once you see it, you can’t unsee it,” Makin said.
Down Payment Blues
Ultimately, it all comes down to money. Around the room were CISOs, BISOs and senior security practitioners whose experience spanned numerous different companies and several different sectors. Getting together to talk through these challenges and share experiences and ideas of best practice is vital. But boards usually view security as a sunk cost, and talking them into putting extra resources into a new service is always difficult. It will be even more difficult if the service you are asking them to acquire will appear to show that much of what they have already paid for has had a more limited effect than expected.
“As a community, we’re here tonight to try to work out the best approach,” one attendee said. “We get the sales spin; there’s lots of tools. We’ve all invested so much money, and I wonder if it’s been spent wisely. Is this the best bang for our buck? The issue is: are we really, truly understanding where the risk is? This [an attack-path mapping capability] sounds like it could do some real good – but I don’t just want people to spend money on it. Do we really understand our risk?”
“Personally, I don’t think we do – often, we just install the tool,” Quinn replied.
“We invest so much money, but do we truly fix the problem?” the first leader asked. “I genuinely want everyone in this room to do that. I think everything comes back to risk: assessing it, getting that right, so you can focus your resources and your money.”
“This is a fantastic perspective,” Daskalakis said. “Why? Because it ties in 100 per cent with where we are and where we should be. You’ve put it right: there’s a load of money spent on detection, but when you look at the attack timeline, that’s during the attack – it’s not before. We need to sink some of that money into prevention. That means clarifying what is a risk, limiting the unknowns, knowing what asset risk looks like.”
But it’s that mindset shift that needs to happen before anything is going to start to change. As Makin noted, cybersecurity budgets usually only get raised after something bad has happened. Companies need to be looking at spending in ways that will prevent incidents, rather than spending after those incidents have caused damage.
“You can’t just rely on what you’ve historically got on your system to understand what your attack paths are,” Quinn said. “When people can move from initial foothold to dominance, relying on EDR and MFA is not going to work.”
“We see billions of attack paths – an attacker only needs one,” Wilson said. “My only advice is to get visibility over it.”
“There are qualitative factors you need to take into account, but there are quantitative factors you need to assess risk, too,” Daskalakis added. “BloodHound Enterprise helps you do that. It’s not about telling you what the risk is, but it does tell you how many identities have risks associated with them – and you can create a map to see the risk before it happens.”
