
Fear And Loathing In The Active Directory: Can Mapping Attack Paths Point You In The Right Direction?
We were somewhere around 10 minutes into a RANT roundtable in an exclusive dining establishment high above the City of London when the unavoidable cybersecurity conversation topic du jour began to take hold. Even though the event had been convened by the vendor SpecterOps, whose BloodHound platform is designed to let security teams visualise and understand the pathways adversaries might use to compromise Active Directory (AD) and move around and across networks, it was inevitable that talk would turn, at some point, to so-called “AI”. The only surprise was, perhaps, that it didn’t come up sooner.
“Can we not use heuristic tools like AI to predict future attack paths?” one CISO wondered, a wry grin perhaps visible as they asked a question which, if not straying into territory we could quite categorise as trolling, was certainly designed to cajole and provoke some forthright responses. For all that large language models and generative AI applications are causing conniptions across the security-leadership landscape, business leaders seem to remain gung-ho on deploying them inside businesses – so folks like this senior network defender are understandably keen to come up with ways to use them to help, rather than hinder, the security mission.
Unfortunately, the replies were not particularly encouraging.
“You’d need to go and proactively identify [the attack paths], which was what a threat actor would do: they’d find out how to escalate their privilege,” said Stephen Tate, global head of incident response at the London Stock Exchange Group, who guest-hosted the event on RANT’s behalf. “There is a case, I guess, to use AI, but personally I don’t think you can use AI to map out what the attack path is if the attack hasn’t already happened. You can use it to go through the logs and understand what’s gone on already – but I don’t think you can use it for the proactive part.”
“You can possibly use it to predict the next points in an attack path,” another CISO suggested, arguing that the technology as it stands at present might prove capable of projecting possible pathways a single step forward. “But the problem is, you’ll end up with too many permutations. It can be useful for a lot of things, but it’s not a silver bullet.”
“Nowhere near,” another leader agreed. “It can speed up trend analysis, but if you don’t know how it’s come up with that analysis it can send you off into a whole different forest.”
“You can ask it the same question twice and it gives you a different answer each time,” someone else moaned.
“And if you challenge it,” another leader agreed, “it goes, ‘Oh, yeah! You’re right!’.”
“We’re keen for our analysts to use it,” Tate said. “Logs are very complex when you’re doing analysis, so it’s useful to say, ‘Describe what this event means.’ The bit it’s not good at yet, in my opinion, is being able to tell me why I should care, and why a threat actor might want to do something.”
Kingdom Of Fear
While discussion of generative AI in this context might appear gratuitous or tangential, there is clearly some need for assistance when security teams are using a tool that does as much as SpecterOps’ BloodHound to reveal hitherto unknown routes attackers could use to compromise businesses’ most sensitive and closely held data. The company’s director for Europe, the Middle East and Africa, Tony Sheldrake, said that, when the tool is first deployed in a company’s systems, the effect on those inside the business is “shock and awe. We sometimes find millions of attack pathways.”
Another reason bringing AI into the conversation makes sense is that it is the direction some of the big players in the network-defence space have taken. In its E5 licences, for instance, Microsoft applies its LLM-based Copilot to AD security. This is the sort of work BloodHound was specifically developed to help with, and help in automating the security of Entra ID – formerly known as Azure AD – is among the benefits touted for upgrading to the more expensive licences.
“AD has grown and grown,” said one CISO, who described themselves as “a big fan” of BloodHound, having used it in several previous roles. “Part of the problem is, even if you have huge PowerShell capabilities, with the existing tools it’s impossible to see what you’re exposed to. Even with the E5 license it’s not there. Secure Copilot doesn’t do this.”
“I agree,” another CISO said. “We’re a big Microsoft house, and every time I’m looking at [Entra ID security] it’s all within this bubble. It can only see what Microsoft can see. It’s really valuable to get something external looking at it. I’m always having this challenge with my board! They say Microsoft can do this, but they can’t.”
“Interestingly,” said Sheldrake’s technical colleague, Colin Makin, “Microsoft is a customer.” So, he noted, are OpenAI and the data-analytics platform vendor Palantir. Even companies as deeply involved as those in managing data, understanding connections, and securing businesses and governments are turning to SpecterOps for help with the parts of their mission they can’t carry out themselves.
The Proud Highway
SpecterOps are open about the organisational challenges that deploying their technology may pose. And, at least for security leaders, the advantage of being made aware of the myriad ways an attacker could reach sensitive data far outweighs the discomfort of a business suddenly confronted with the knowledge that there are many more such routes than it previously thought possible. But the journey from denial to acceptance is one that the business will have to map for itself.
“A lot of what I do is running proof-of-values, and every time I run one it comes as an absolute shock for anyone who’s had AD for any length of time,” said Makin. “I just ran one recently, in an organisation of around 8,000 people, and we surfaced 25 million attack paths.”
“The problem I have with that,” one CISO said, “is that I end up with 25 million things to fix.”
“We totally recognise that, and we flip it on its head,” Makin said. “You’re never going to fix 25 million paths. That’s why the concept of cyber hygiene is really flawed. I’m not saying you shouldn’t do it, but if you do, you don’t have a measurable reduction of risk. Our whole enterprise solution works on an attack graph. We work out which is the final path that takes an attacker to your critical assets.”
“I often say, it’s like going from Manhattan to Brooklyn,” suggested Mark Wilson, SpecterOps’ sales engineer. “There’s millions of routes to go from one to the other. But if you take away the bridges, most of them are pretty irrelevant.
“We focus on chokepoints,” he added. “After you surface loads of things and realise you’ve got the biggest to-do list in the world, we have a playbook – a remediation plan – which helps you to close those routes down.”
Sometimes, though, the attack paths revealed by BloodHound aren’t obscure routes an attacker could use to compromise the business and which should therefore be blocked. Sometimes they’re part of why the business works well.
“It [BloodHound] can surface so many things it can be overwhelming,” Sheldrake acknowledged, “but it also surfaces things that are necessary. If certain paths didn’t exist, then the business wouldn’t function.”
The fact that there may be many pathways that have to be kept clear could, therefore, simply be a function of the nature, scale and requirements of a successful enterprise. While some of the leaders around the table wondered whether this implied that the solution might lie less in tooling or technology than in recruiting, training and retaining sufficient specialist staff, Sheldrake argued that both are necessary.
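To make the chokepoint idea concrete, here is a small example written for this piece (not BloodHound’s own code or output): it builds a constructed control graph of made-up AD-style principals, counts how many of the paths from ordinary users to a critical group cross each edge, and re-counts after one edge is removed, so a fix comes with the measurable risk reduction Makin describes; the keep_edges parameter models the business-necessary paths Sheldrake mentions, which are excluded from the ranking rather than cut. All node names and edges are assumptions.

```python
from collections import Counter

# Constructed sample graph (not real data): source -> targets it can take control of,
# e.g. via group membership, local admin rights or an ACL right.
GRAPH = {
    "user.alice": ["HOST-WS01"],
    "user.bob": ["HOST-WS02"],
    "user.carol": ["HOST-WS02", "HOST-WS03"],
    "HOST-WS01": ["grp.helpdesk"],
    "HOST-WS02": ["grp.helpdesk"],
    "HOST-WS03": ["grp.helpdesk", "svc.backup"],
    "grp.helpdesk": ["grp.server-admins"],
    "svc.backup": ["HOST-DC01"],
    "grp.server-admins": ["HOST-DC01", "grp.domain-admins"],
    "HOST-DC01": ["grp.domain-admins"],
    "grp.domain-admins": [],
}
TARGET = "grp.domain-admins"  # the critical asset to protect

def all_paths(graph, start, target):
    """Enumerate simple (cycle-free) paths from start to target by DFS."""
    paths = []
    def walk(node, trail):
        if node == target:
            paths.append(list(trail))
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:  # skip cycles
                walk(nxt, trail + [nxt])
    walk(start, [start])
    return paths

def rank_chokepoints(graph, target, keep_edges=frozenset()):
    """Return (total_paths, ranked): edges sorted by how many user-to-target paths
    cross them, skipping edges the business has declared necessary."""
    counter, total = Counter(), 0
    for start in (n for n in graph if n.startswith("user.")):
        for path in all_paths(graph, start, target):
            total += 1
            for edge in zip(path, path[1:]):
                counter[edge] += 1
    return total, [(e, c) for e, c in counter.most_common() if e not in keep_edges]

def paths_after_removing(graph, edge, target):
    """Re-count paths with one edge removed: the measurable reduction one fix buys."""
    pruned = {n: [t for t in ts if (n, t) != edge] for n, ts in graph.items()}
    return rank_chokepoints(pruned, target)[0]
```

On the sample data, rank_chokepoints(GRAPH, TARGET) finds 9 paths, 8 of which cross the single grp.helpdesk → grp.server-admins edge; removing that one edge leaves a single path, which is the “take away the bridges” effect in miniature.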
“It’s twofold,” he said. “Having people who can interpret [BloodHound’s output] and who can understand what they can improve, [is important]. But also, for the SOC and for incident responders, it’s about having an awareness of those attack paths – so that, in an incident scenario, a defender can say: ‘OK, there’s an alert on this asset – what’s possible for an attacker to do from there, and what should we be concerned about?’ There are things [the business] should be able to concentrate on, in terms of strategy.”
The Great Shark Hunt
But to use an attack-path analysis effectively, there’s one other important piece that has to be in place. The business needs to be clear on its priorities, and – while this might seem like a separate issue, they tend to be linked – it needs to have clear, cogent and useful policies in place to support not just the security teams, and the rank-and-file users, but the decision-makers, too.
“You can keep your existing policies and process, and use BloodHound to check” whether everything is working well, one leader suggested. “Part of the problem,” they added, “is that policies often don’t let people see what’s going on. If you’re a domain admin you can’t find [the necessary information] so you can’t ask the question. And the people approving the process have no idea what it means.”
“There are so many players, and they can break policies without you knowing,” another said.
“In my organisation,” a third offered, “we’ve just done the vulnerability-management stuff, using discovery tools. We have two tools doing that, and they’re telling us different things. And then there’s the separate thing about attack paths, from an identity perspective.”
“You need someone to make a clear decision about what’s a priority,” one CISO said. “Too often I don’t see that. They’ll say, ‘They’re all a priority’. That’s not a decision. Well, it is, but it’s a crap decision.”
After another digression into genAI territory, a conclusion of sorts was reached. Not that it was anybody’s idea of a perfect solution.
“Everybody has to go back to basics,” was the way one CISO summed it up.
“I don’t think anyone’s saying BloodHound is going to fix all your problems,” Tate said. “But, by using it in tandem with all your other controls, you can reduce your attack surface and make it harder for the adversaries. And that gives your SOC team and defenders more time. There’s a really important point around needing the right people and the right skills, so you can apply context, interpret and contextualise effectively. Without being able to do that, you can see all your problems, but you can’t solve them. I have a bit of a love-hate relationship with people who say this, but it’s ultimately about making your defences harder to get through than your neighbours’.”