In this episode of the m365.fm podcast, Mirko Peters sits down with cybersecurity expert Viktor Hedberg to explore one of the most critical — and misunderstood — areas of enterprise IT security: Active Directory tiering, privileged access, identity protection, and defending modern hybrid environments. With years of experience in incident response, offensive security, Active Directory hardening, and enterprise defense at Truesec, Viktor brings practical, real-world insights into how organizations can dramatically improve their security posture before attackers exploit their weaknesses.

The conversation begins with Viktor sharing his personal journey into cybersecurity. Unlike many traditional security professionals, Viktor did not come from a university background. Instead, he worked his way from helpdesk and system administration into consultancy and incident response, gaining deep technical knowledge of Windows, Active Directory, infrastructure, and enterprise security along the way. That hands-on experience became the foundation for understanding both how to secure systems and how attackers compromise them.
WHY ACTIVE DIRECTORY IS STILL A MASSIVE TARGET
One of the strongest themes throughout the episode is the fact that Active Directory is far from dead. Despite the rise of Microsoft Entra ID, cloud-first environments, and SaaS adoption, Active Directory still remains the backbone of identity and access management in countless organizations worldwide. Viktor explains why attackers continue targeting Active Directory environments:
- Cached credentials
- Password hashes stored locally
- Kerberos tickets
- Overprivileged accounts
- Weak administrative separation
- Poor tiering implementation
- Excessive lateral movement opportunities
UNDERSTANDING AD TIERING
A major focus of the episode is understanding the concept of Active Directory administrative tiering. Viktor breaks down how organizations can separate systems and administrative responsibilities into different security tiers to limit credential exposure and reduce the blast radius during an attack. The discussion explores:
- Tier 0 systems
- Tier 1 servers
- Endpoint administration
- Domain controllers
- Entra Connect servers
- PKI infrastructure
- Administrative boundaries
- Credential isolation
THE DANGER OF BUILT-IN ACTIVE DIRECTORY GROUPS
Another critical topic is the misuse of built-in Active Directory groups. Viktor shares real-world examples where organizations accidentally introduced major privilege escalation paths by using groups like:
- Print Operators
- Backup Operators
- Server Operators
- Account Operators
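One way to check for the misuse described above is to audit the membership of these four groups directly, as in this added example (not code from the episode or from Truesec). It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to AD; in a tiered environment all four groups should be empty.

```powershell
# Added example: audit the built-in operator groups that grant a path to the
# domain controllers. Assumes the RSAT ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

$operatorGroups = 'Print Operators', 'Backup Operators', 'Server Operators', 'Account Operators'

# Broad groups that must never be nested here: nesting them hands every
# user (or every computer) in the domain a logon path to a domain controller.
$broadGroups = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'

function Get-OperatorGroupFindings {
    foreach ($groupName in $operatorGroups) {
        # Read direct member DNs rather than using -Recursive, so a nested
        # "Domain Users" shows up as one finding instead of thousands of users.
        $group = Get-ADGroup -Identity $groupName -Properties Members
        foreach ($dn in $group.Members) {
            $member = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
            # Well-known principals such as Authenticated Users are stored as
            # foreignSecurityPrincipal objects and have no sAMAccountName.
            $name = if ($member.sAMAccountName) { $member.sAMAccountName } else { $member.Name }
            if ($broadGroups -contains $name -or $member.objectClass -eq 'foreignSecurityPrincipal') {
                $severity = 'Critical'
            } elseif ($member.objectClass -eq 'group') {
                $severity = 'High'      # nested group: review its members too
            } else {
                $severity = 'Medium'    # a single user or computer account
            }
            [pscustomobject]@{
                Group    = $groupName
                Member   = $name
                Type     = $member.objectClass
                Severity = $severity
                DN       = $dn
            }
        }
    }
}

$findings = Get-OperatorGroupFindings
if (-not $findings) {
    Write-Host 'All four operator groups are empty, which is the recommended state.'
} else {
    $findings | Sort-Object Severity, Group | Format-Table Group, Member, Type, Severity -AutoSize
}
```

Every row in the output is a candidate for removal; move the members to a delegated group scoped to the task they actually need (for example, a group with rights on the print servers only) before emptying the operator group.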
MODERN ATTACKERS ARE CHANGING THEIR STRATEGY
One of the most fascinating discussions in the episode focuses on how modern attackers operate today. According to Viktor, traditional offensive tools like Mimikatz, Metasploit, and obvious malware payloads are becoming less common because modern EDR solutions detect them more effectively. Instead, attackers increasingly:
- Use native Windows tooling
- Abuse PowerShell
- Leverage SSH on Windows
- Blend into normal system activity
- Exploit legitimate administration features
- Hide inside normal enterprise traffic
WHY DEFENDER FOR IDENTITY MATTERS
Throughout the conversation, Viktor repeatedly emphasizes the importance of Microsoft Defender for Identity and proper security monitoring. The discussion covers:
- Identity-based attack detection
- Correlation between endpoint and identity events
- Privileged account monitoring
- Threat visibility
- Hybrid identity protection
- Security telemetry
- Custom indicators
- Advanced detection strategies
WHAT TO DO DURING A CYBER ATTACK
One of the most practical parts of the episode is Viktor’s advice on incident response. When organizations suspect an attack, Viktor strongly recommends:
- Do not shut systems down
- Disconnect network access if necessary
- Preserve forensic evidence
- Avoid destroying logs
- Contact incident response professionals quickly
- Keep systems intact for investigation
00:00:00,000 --> 00:00:04,420
Hello everybody to another edition of the m365 podcast.
2
00:00:04,420 --> 00:00:07,440
Today we are diving deep into enterprise security with
3
00:00:07,440 --> 00:00:08,520
Viktor Hedberg.
4
00:00:08,520 --> 00:00:10,680
Hedberg, I always pronounce it right,
5
00:00:10,680 --> 00:00:12,840
focusing on Active Directory
6
00:00:12,840 --> 00:00:15,160
tiering and security, privileged
7
00:00:15,160 --> 00:00:19,400
access and modern hybrid environments with over a decade in
8
00:00:19,400 --> 00:00:22,760
cyber security from the Swedish public sector to the front line,
9
00:00:22,760 --> 00:00:27,240
the FIR and proactive security work at TrueSec.
10
00:00:27,240 --> 00:00:33,200
AB, Viktor brings real world insights into how organizations can better
11
00:00:33,200 --> 00:00:34,960
defend their identities,
12
00:00:34,960 --> 00:00:37,760
admins and critical infrastructure.
13
00:00:37,760 --> 00:00:43,480
Viktor, can you introduce yourself and tell us a little bit about your journey into
14
00:00:43,480 --> 00:00:44,960
cybersecurity?
15
00:00:44,960 --> 00:00:49,520
Yes, thank you very much for having me and thank you for that introduction.
16
00:00:49,520 --> 00:00:56,640
So, Hedberg, he had a body in Swedish, but close enough.
17
00:00:56,640 --> 00:01:01,120
Yeah, so who am I?
18
00:01:01,120 --> 00:01:08,440
Well, I've been working at this company called TrueSec for the past five years now,
19
00:01:08,440 --> 00:01:12,120
where we're doing everything revolving around cyber security,
20
00:01:12,120 --> 00:01:17,360
you know, penetration testing, incident response, proactive security,
21
00:01:17,360 --> 00:01:22,360
security vetting, pretty much anything that revolves around security,
22
00:01:22,360 --> 00:01:27,360
be it either cyber, personal or protective or whatever.
23
00:01:27,360 --> 00:01:30,440
So, there's a lot going on.
24
00:01:30,440 --> 00:01:35,320
My journey into this actually started with my first job in IT.
25
00:01:35,320 --> 00:01:37,000
So, I took the long route.
26
00:01:37,000 --> 00:01:43,120
I don't have a fancy degree or any fancy titles from any college or anything like that.
27
00:01:43,120 --> 00:01:46,200
It's more like started in the help desk,
28
00:01:46,200 --> 00:01:51,400
working with Active Directory all the way from help desk to second line,
29
00:01:51,400 --> 00:01:56,520
to sysadmin until I turned to the consultancy world.
30
00:01:56,520 --> 00:01:59,040
And that's where I am today.
31
00:01:59,040 --> 00:02:07,040
So, it's always been a part of me and how to get into cybersecurity from my perspective is
32
00:02:07,040 --> 00:02:13,320
well, doing that, you know, starting how to learn how to fix things first,
33
00:02:13,320 --> 00:02:15,520
and then you really know how to protect them,
34
00:02:15,520 --> 00:02:19,960
and you can also learn how to attack them and circumvent those protections
35
00:02:19,960 --> 00:02:22,960
that are in place.
36
00:02:22,960 --> 00:02:23,800
Interesting.
37
00:02:23,800 --> 00:02:28,800
And why are you joining the blue team?
38
00:02:28,800 --> 00:02:32,360
Yeah, well, I'm actually a bit of both.
39
00:02:32,360 --> 00:02:39,600
I do a couple of things from the offensive side now and again as well.
40
00:02:39,600 --> 00:02:43,960
But I don't know.
41
00:02:43,960 --> 00:02:49,320
The thing for me with working with incident response is you really need to leverage
42
00:02:49,320 --> 00:02:55,960
all the tools in your toolbox to understand, you know, how to recover from an incident,
43
00:02:55,960 --> 00:03:02,360
how to rebuild, how to make it not as an attractive target again,
44
00:03:02,360 --> 00:03:06,960
to eliminate all of those weaknesses, those vulnerabilities in an environment.
45
00:03:06,960 --> 00:03:11,000
So that's where a lot of that experience comes into play,
46
00:03:11,000 --> 00:03:13,920
you know, how to secure your Active Directory,
47
00:03:13,920 --> 00:03:21,840
how to eliminate those privilege escalation paths that are commonly seen in many organizations.
48
00:03:21,840 --> 00:03:27,480
So yeah, that's what lured me into the blue side of things.
49
00:03:27,480 --> 00:03:32,840
But again, with working a lot with the blue side, you also learn a lot about,
50
00:03:32,840 --> 00:03:36,680
okay, how can you circumvent the things that you just put in place?
51
00:03:36,680 --> 00:03:42,360
So it's a bit of both, I would say, not that I'm acting as a penetration tester,
52
00:03:42,360 --> 00:03:48,680
but I do know how to circumvent some of the stuff that I keep telling my customers to implement.
53
00:03:48,680 --> 00:03:54,320
From your perspective, where are the biggest identity-related threats
54
00:03:54,320 --> 00:03:57,320
organizations will face today?
55
00:03:57,320 --> 00:04:03,160
So when dealing with Active Directory, the most common one is,
56
00:04:03,160 --> 00:04:08,120
because the way Windows works, right, is that whenever you log into a device,
57
00:04:08,120 --> 00:04:14,440
be it either via remote desktop protocol or locally,
58
00:04:14,440 --> 00:04:18,360
you always expose your credentials to that device.
59
00:04:18,360 --> 00:04:22,280
So there's three main issues with it.
60
00:04:22,280 --> 00:04:28,120
So one being the cached credentials, which is stored locally on the device,
61
00:04:28,120 --> 00:04:30,720
doesn't matter how often you reboot it.
62
00:04:30,720 --> 00:04:36,880
That is by default stored for up to 10 different sets of credentials on every device,
63
00:04:36,880 --> 00:04:43,960
meaning that if I have logged into a device with local admin privileges or domain admin privileges,
64
00:04:43,960 --> 00:04:49,920
those password hashes are stored locally in the registry on that device for eternity,
65
00:04:49,920 --> 00:04:54,080
or until at least I reset my password.
66
00:04:54,080 --> 00:04:57,040
So that's one of the things.
67
00:04:57,040 --> 00:05:01,360
The other two ones are stored in memory of those active Windows sessions.
68
00:05:01,360 --> 00:05:08,720
So whenever you connect to the device, there's always a breadcrumb of your account stored in memory of that device.
69
00:05:08,720 --> 00:05:12,240
And if someone were to become a local administrator of that device,
70
00:05:12,240 --> 00:05:15,360
they can dump the memory and extract the password hashes,
71
00:05:15,360 --> 00:05:20,480
and/or Kerberos tickets to move laterally inside of the organization.
72
00:05:20,480 --> 00:05:25,160
And that's the most common topic or the common misconfiguration,
73
00:05:25,160 --> 00:05:29,880
if you will, in many organizations is that is still allowed to happen,
74
00:05:29,880 --> 00:05:36,560
meaning that a domain admin can log into any workstation, any desktop, any laptop, any server.
75
00:05:36,560 --> 00:05:38,640
So it only takes the threat actor.
76
00:05:38,640 --> 00:05:46,640
It needs to compromise one device in most cases to achieve that privilege escalation in total.
77
00:05:46,640 --> 00:05:51,640
That makes it really attractive for attackers to...
78
00:05:51,640 --> 00:05:52,640
Yeah, absolutely.
79
00:05:52,640 --> 00:05:58,560
And I mean, I have so many war stories, and we can't really, they'll really deepen to them,
80
00:05:58,560 --> 00:06:02,040
but this is the core problem, right?
81
00:06:02,040 --> 00:06:06,080
That this is still allowed to happen, because in Active Directory,
82
00:06:06,080 --> 00:06:11,440
there are several groups that allow for a privilege escalation into becoming a domain admin.
83
00:06:11,440 --> 00:06:18,160
Like you have all these operator groups, you know, account operators, server operators, print operators, backup operators,
84
00:06:18,160 --> 00:06:24,280
and all of these groups are, to some extent, used by many organizations,
85
00:06:24,280 --> 00:06:29,240
because they don't really know what the intended use for those groups are.
86
00:06:29,240 --> 00:06:35,200
So it's not uncommon that we see that, hey, they've added the domain users into the print operators group,
87
00:06:35,200 --> 00:06:39,520
because I don't know, someone needed to install some printer drivers somewhere,
88
00:06:39,520 --> 00:06:43,920
but what they don't know is that that group allows you local access to a domain controller,
89
00:06:43,920 --> 00:06:49,160
and you can fiddle with the print drivers on the domain controller as well.
90
00:06:49,160 --> 00:06:54,960
So there's a lot of, like, Active Directory is more treated like a...
91
00:06:54,960 --> 00:07:00,880
This is an essential service that gives us the...
92
00:07:00,880 --> 00:07:02,120
What do you want to call it?
93
00:07:02,120 --> 00:07:08,560
The possibility to log into our devices, it gives us the possibility to leverage groups for managing access,
94
00:07:08,560 --> 00:07:14,760
but if you don't really know what those permissions actually entail,
95
00:07:14,760 --> 00:07:17,800
things can spiral out of control rather quickly.
96
00:07:17,800 --> 00:07:28,040
When we move to the cloud, is it a high risk for companies or it's less than on-prem?
97
00:07:28,040 --> 00:07:34,840
Well, it depends on how you want to look at it, because from a default standpoint, if you will,
98
00:07:34,840 --> 00:07:39,360
then you could argue that the cloud is more secure,
99
00:07:39,360 --> 00:07:42,520
because of the things that Microsoft are enforcing nowadays,
100
00:07:42,520 --> 00:07:48,840
which is mandatory, multi-factor authentication for accessing the portal, for accessing programmatic access
101
00:07:48,840 --> 00:07:51,880
with Microsoft Graph PowerShell, etc.
102
00:07:51,880 --> 00:07:57,480
However, these things in terms of if you don't really know what you're doing,
103
00:07:57,480 --> 00:08:03,880
those kind of ring true in the cloud as well, because we've seen so many cases where users are being synchronized
104
00:08:03,880 --> 00:08:06,680
from an on-premises solution into the cloud,
105
00:08:06,680 --> 00:08:12,920
allowing for a lateral movement from on-premises into the cloud instead or vice versa,
106
00:08:12,920 --> 00:08:18,760
like you're syncing a user which holds privileges on-prem into a privileged role in Entra.
107
00:08:18,760 --> 00:08:21,720
Since it's in Entra, I can then compromise that user.
108
00:08:21,720 --> 00:08:23,800
I now know the username and password.
109
00:08:23,800 --> 00:08:28,920
If I were to, by happenstance, know your VPN endpoint name,
110
00:08:28,920 --> 00:08:35,800
I can then try to work my way into your on-prem network as well with that user and compromise on-prem.
111
00:08:35,800 --> 00:08:40,120
So there's a misconception that, you know, just because it's in the cloud,
112
00:08:40,120 --> 00:08:44,680
it's by default secure because Microsoft are only providing you with a platform.
113
00:08:44,680 --> 00:08:48,840
It's up to you as a consumer to actually make sense of it and actually secure it.
114
00:08:48,840 --> 00:08:53,720
Yeah, let's dive into AD tiering for listeners
115
00:08:53,720 --> 00:08:57,960
unfamiliar with this concept. What exactly is it?
116
00:08:57,960 --> 00:09:04,200
Yeah, so the concept of administrative tiering is in a nutshell.
117
00:09:05,160 --> 00:09:12,360
We box things into different administrative zones to prevent those nasty escalations
118
00:09:12,360 --> 00:09:16,120
or lateral movements from within Active Directory itself.
119
00:09:16,120 --> 00:09:21,000
So what I'm trying to say here is that we create an administrative zone,
120
00:09:21,000 --> 00:09:28,920
we call it tier zero, which consists of anything that is required for managing the domain.
121
00:09:28,920 --> 00:09:31,720
So your domain controllers, your Entra
122
00:09:31,720 --> 00:09:35,800
the Connect servers, your PKI servers, etc.
123
00:09:35,800 --> 00:09:41,800
Those are all treated as domain controllers pretty much because of the dependencies that they have inside of Active Directory.
124
00:09:41,800 --> 00:09:50,200
Your Entra Connect server, for instance, that service account, it can be manipulated to reset passwords
125
00:09:50,200 --> 00:09:57,320
or you can grab all the passwords for the entire domain, regardless of if the accounts are synchronized or not.
126
00:09:57,320 --> 00:10:05,160
So there's a lot of these things to take into consideration, but provided that we put all of this into one administrative zone
127
00:10:05,160 --> 00:10:10,840
and we only allow access if you are on an equivalent level of permissions,
128
00:10:10,840 --> 00:10:12,600
meaning that you need to be a domain admin.
129
00:10:12,600 --> 00:10:21,000
We can then box that into one particular zone and say that, okay, you need to be a domain admin
130
00:10:21,000 --> 00:10:28,440
to administer these servers, right? So moving the step below that is to call it like the tier one,
131
00:10:28,440 --> 00:10:36,680
which is mainly your workload servers like your exchange server or your SharePoint or File servers,
132
00:10:36,680 --> 00:10:41,800
Print servers, what have you. But in the same time that we're creating that zone,
133
00:10:41,800 --> 00:10:48,600
we're also disallowing the possibility for a higher privileged user to log into those systems
134
00:10:48,600 --> 00:10:54,200
to try to negate that possibility of exposing those secrets on those systems.
135
00:10:54,200 --> 00:11:00,760
So the concept of administrative tiering really is it boils down to two things.
136
00:11:00,760 --> 00:11:05,640
One being the main purpose is to limit the spread of sensitive credentials in an environment.
137
00:11:05,640 --> 00:11:11,240
The other one being that, okay, we have a strict delegation practice in place
138
00:11:12,120 --> 00:11:18,600
to ensure that illegitimate or what do you want to call it, administrative activities are not
139
00:11:18,600 --> 00:11:28,600
allowed to happen. So by having those chains of thought in place and the control measures in place,
140
00:11:28,600 --> 00:11:33,880
like in group policy objects, to make sure that if you're a domain admin, you're not allowed to
141
00:11:33,880 --> 00:11:41,160
log into the SharePoint server via remote desktop protocol. We can then elevate the security posture
142
00:11:41,160 --> 00:11:46,680
of active directory, making it harder for an attacker to compromise the entire directory.
143
00:11:46,680 --> 00:11:51,000
So that's a key point as well. This is not a silver bulldozer kind of thing. This is more of a
144
00:11:51,000 --> 00:11:58,440
concept or a way of working that makes it harder. We like to call them speed bumps. And this is,
145
00:11:58,440 --> 00:12:02,840
you know, when you're driving down the driver and down the street and you're seeing a speed bump,
146
00:12:02,840 --> 00:12:06,680
you kind of need to slow down because otherwise you're going to wreck your car. So that's the
147
00:12:07,400 --> 00:12:12,520
the same kind of idea that we're trying to implement inside of any active directory.
148
00:12:12,520 --> 00:12:23,640
And AD tiering is a must or is there other? Well, if you're using Active Directory,
149
00:12:23,640 --> 00:12:29,400
even Microsoft says that you should use a tiered administrative model. However, Microsoft has
150
00:12:29,400 --> 00:12:36,760
removed all of those documents describing how to do it. And I fully agree with that. If you have
151
00:12:36,760 --> 00:12:40,840
an active directory domain or an active directory forest, you, you, this is an absolute must.
152
00:12:40,840 --> 00:12:49,720
There's no, no, no shortcomings about it. You need to have this in place because, as I said,
153
00:12:49,720 --> 00:12:55,320
if it takes the one device compromised to compromise the entire domain, that's a bad,
154
00:12:55,320 --> 00:12:58,840
that's a bad day at the office. So you actually need to have this in place.
155
00:13:00,040 --> 00:13:06,600
And then it's interesting. Microsoft has the, the, the cuts this, uh, documentation. Um,
156
00:13:06,600 --> 00:13:13,000
so how has Microsoft's approach to tiering changed over the last years?
157
00:13:13,000 --> 00:13:19,240
So the, the newer documentation is more along the lines of what, what they call it, like,
158
00:13:19,240 --> 00:13:25,800
securing privileged access. Uh, and it's heavily, uh, heavily built around, you know,
159
00:13:25,800 --> 00:13:33,800
leveraging the cloud to protect on-prem. Um, uh, I, I don't think that's the, uh, necessarily the,
160
00:13:33,800 --> 00:13:39,320
the most proper route for most organizations. I'm kind of boring in that sense that I,
161
00:13:39,320 --> 00:13:45,080
I like to use, you know, legacy systems to protect legacy systems, which is on-prem, can protect on-prem,
162
00:13:45,080 --> 00:13:52,360
and we use the cloud for, for the cloud. Um, because the, uh, if we start using all of these
163
00:13:52,360 --> 00:13:57,960
cool cloud security measures to protect on-prem resources, we are in, in effect,
164
00:13:57,960 --> 00:14:03,960
increasing the risk or increasing the dependency on, uh, a secondary service, which might lead to,
165
00:14:03,960 --> 00:14:10,280
you know, a service outage in the cloud, uh, resulting in we cannot, we cannot no longer access on-prem
166
00:14:10,280 --> 00:14:15,880
to perform administrative tasks. So that's one of the main main issues I have with it, uh,
167
00:14:15,880 --> 00:14:21,480
with the current way that they are promoting the privileged access. Otherwise, looking at it from,
168
00:14:21,480 --> 00:14:30,280
um, you know, uh, a logical standpoint, it all makes sense. Like, you need to have, uh, uh, just in time,
169
00:14:30,280 --> 00:14:36,200
just enough administration permissions, yeah, sure, that, uh, that makes sense, uh, doesn't really work
170
00:14:36,200 --> 00:14:41,400
in on-premise environment because of certain things that you need to be aware of, in acting, how
171
00:14:41,400 --> 00:14:48,120
Active Directory works. Um, it's hard to get that JIT/JEA kind of thing to work in, in on-prem.
172
00:14:49,560 --> 00:14:54,840
So there's, I mean, you can, you can take things from, from the current documentation that Microsoft
173
00:14:54,840 --> 00:15:00,840
provides, but again, they're saying it outright that you should use an administrative tiering
174
00:15:00,840 --> 00:15:06,040
concept in your active directory, uh, when, when dealing with these, you know, securing privileged
175
00:15:06,040 --> 00:15:09,880
access, uh, it says so in the byline, but, uh, you should have a tiered approach.
176
00:15:09,880 --> 00:15:18,600
And there's this classic tier 0, tier 1, tier 2 model, is it still relevant and what
177
00:15:18,600 --> 00:15:27,480
kind of systems should be in, um, tier 2, a tier 1, tier 0, tier 2? Yeah. So as I mentioned,
178
00:15:27,480 --> 00:15:33,640
there are a couple that are, you know, after, after that, uh, straight up tier 0s. I mentioned them,
179
00:15:33,640 --> 00:15:38,760
like, your domain controllers, yeah, well, they manage your entire domain. Uh, we talked a little bit
180
00:15:38,760 --> 00:15:45,400
about Entra ID Connect or the Entra ID cloud provisioning sync agent, uh, because of the dependencies
181
00:15:45,400 --> 00:15:50,360
that those services, service accounts have, uh, the Entra ID Connect account that gets created by the
182
00:15:50,360 --> 00:15:58,600
Entra ID Connect wizard, uh, it gets the directory replication, uh, what is it? Synchronize directory
183
00:15:58,600 --> 00:16:06,360
replication, all, uh, ACLs on the root of the domain. Uh, that means that it can get all of your
184
00:16:06,360 --> 00:16:13,560
password hashes, uh, in an instant. Uh, you have your PKI servers. If I can get a, uh, certificate
185
00:16:13,560 --> 00:16:20,040
template that allows me to grab a certificate for the name of administrator at, uh, which domain,
186
00:16:20,040 --> 00:16:26,840
uh, whatever, uh, that also allows me to become a domain admin without having to be, you know,
187
00:16:26,840 --> 00:16:31,640
a member of the domain admin group. So there's a lot of these different systems that are,
188
00:16:31,640 --> 00:16:38,600
they aren't domain controllers, but they, they are equally protection worthy as if they were a domain
189
00:16:38,600 --> 00:16:44,680
controller. So PKI servers is one, Entra ID Connect, cloud provisioning sync agents. I know a lot of
190
00:16:44,680 --> 00:16:52,600
customers are using the Intune connector for, uh, managing their certificates for 802.1x Wi-Fi
191
00:16:52,600 --> 00:16:59,720
capabilities. That certificate template is, uh, vulnerable to that kind of ESC type of attack that
192
00:16:59,720 --> 00:17:05,880
it can supply the name of the request. You can become whoever in that organization. So that system,
193
00:17:05,880 --> 00:17:11,000
where that connector is installed is also as to be treated as a tier zero. So you really need to be
194
00:17:11,000 --> 00:17:16,680
aware of all of these different privilege escalation paths in order to be able to determine what,
195
00:17:16,680 --> 00:17:21,720
what constitutes tier zero in your environment. I've given you a couple of examples, but it can,
196
00:17:21,720 --> 00:17:28,280
it can vary. Uh, another example could be, you know, if you're using system center configuration manager,
197
00:17:28,280 --> 00:17:35,640
that agent has the powers to execute code locally on, uh, the system that it is installed on in a system
198
00:17:35,640 --> 00:17:41,720
context, meaning that if I'm an admin of the, of the CM, I can then tell my domain controller to,
199
00:17:41,720 --> 00:17:48,040
hey, execute this power shell script. So there's a lot of these different, uh, what, what, what is
200
00:17:48,040 --> 00:17:55,800
tier zero and what isn't. Uh, but again, uh, as a default, I would say like the domain controllers,
201
00:17:55,800 --> 00:18:03,480
your PKI servers, your hybrid servers for syncing users to the cloud, uh, those are the traditional ones,
202
00:18:04,520 --> 00:18:09,400
and moving that into tier one, what constitutes tier one in an organization,
203
00:18:09,400 --> 00:18:15,240
well, basically anything that isn't tier zero in terms of servers. That, that's, that's the easiest
204
00:18:15,240 --> 00:18:22,200
way to, to get that definition, right? But that also means that you really need to be aware of,
205
00:18:22,200 --> 00:18:28,360
okay, which services are running on the system, permissions to those service accounts have, etc, etc.
206
00:18:29,480 --> 00:18:34,520
But in, in general, generally speaking, that's the, that's the way to look at it. Like if it is
207
00:18:34,520 --> 00:18:41,480
not in tier zero, then it's a tier one system. Um, and in, in the model that we usually work with,
208
00:18:41,480 --> 00:18:46,920
we have scrapped the name tier two for managing endpoints, and we just call it tier endpoints,
209
00:18:46,920 --> 00:18:53,320
because our model, uh, has the possibility to extend, you can create a secondary server tier.
210
00:18:53,320 --> 00:18:59,160
So you can have a tier zero, a tier one, and a tier two, which is basically the same as tier one,
211
00:18:59,160 --> 00:19:04,440
it's just that you want to enforce different log-on restrictions for managing that particular
212
00:19:04,440 --> 00:19:08,520
system that is located in tier two. So you need to have multiple different accounts.
213
00:19:08,520 --> 00:19:19,480
And you have seen, I think in your career, a lot of organizations and especially, um, yeah,
214
00:19:19,480 --> 00:19:29,000
in Active Directory. What are some dangerous misconceptions organizations, uh, have around
215
00:19:29,240 --> 00:19:36,280
privilege access separation? Well, the, the ones that we've already covered is one big one, like the,
216
00:19:36,280 --> 00:19:44,360
uh, if you're not entirely sure what the, what the built-in groups are capable of doing, uh,
217
00:19:44,360 --> 00:19:50,360
please don't use them. Like don't use these server operators, backup operators, account operators,
218
00:19:50,360 --> 00:19:59,640
group, um, again, then not, uh, disallowing the use of domain admin log-ons on a regular workstation,
219
00:19:59,640 --> 00:20:05,640
that is a really, really common one. There are other ones as well, like we've seen a couple of
220
00:20:05,640 --> 00:20:12,680
customers trying to get creative inside of active directory to try to work with a more delegated,
221
00:20:12,680 --> 00:20:20,920
permissive, permission approach. But again, if you're, you need to really be on top of what you're doing
222
00:20:20,920 --> 00:20:25,880
because if you create, if you use the delegation, we certainly use a, hey, this group has full control
223
00:20:25,880 --> 00:20:34,120
of this, uh, OU and all of its, uh, child objects, you know, which accounts are located in that OU,
224
00:20:34,120 --> 00:20:40,280
like if the service account for the Entra ID Connect is located in one of those OUs, you may have just
225
00:20:40,280 --> 00:20:47,560
given the service desk domain admin by proxy, uh, just by delegating those permissions. So it really is,
226
00:20:47,560 --> 00:20:54,120
now I got this feedback from a customer last week that, oh, I didn't know you could make a career
227
00:20:54,120 --> 00:20:58,920
out of working with active directory. I thought this was a dead product. And I'm like, yeah, well,
228
00:20:58,920 --> 00:21:05,240
that, you know, it's not a dead product and you really need to be on par with, you know, how these
229
00:21:05,240 --> 00:21:11,160
permissions interact with each other, uh, because there's a lot of, there's a lot of holes in the ground
230
00:21:11,160 --> 00:21:16,680
that you can mistakenly put your foot in if you don't really know what you're doing. So that's another,
231
00:21:16,680 --> 00:21:23,720
like, tip for the, the people listening that, uh, really make sure that you, you're, you're full control
232
00:21:23,720 --> 00:21:28,600
or you, at least you know the, the, the, to the extent of your competency when it comes to active
233
00:21:28,600 --> 00:21:34,200
directory, like, really be sure of it. You know what you know and you, you don't know what you don't know,
234
00:21:34,200 --> 00:21:39,080
to, to make that distinction because you don't want to be guessing inside of active directory because,
235
00:21:39,080 --> 00:21:45,560
as I said, one simple checkbox can make it, oh, everyone's a domain admin, that kind of scenario can occur.
236
00:21:45,560 --> 00:21:58,200
And let us change over to the red team. Uh, how can we attack, or how do you attack,
237
00:21:58,200 --> 00:22:05,720
to exploit poor tiering implementations? Uh, well, we've seen a major shift, uh, the last,
238
00:22:05,720 --> 00:22:11,560
the past couple of years, uh, when, when I started working with the FIR, there was a lot of,
239
00:22:11,560 --> 00:22:17,400
you know, hype around using hacking tools, you know, like Cobalt Strike for, for establishing a,
240
00:22:17,400 --> 00:22:22,200
a command and control chain, uh, we saw a lot of like Metasploit and all of these, like,
241
00:22:22,200 --> 00:22:28,360
Mimikatz, all of these tools that were used to try to brute force their way into an organization.
242
00:22:28,360 --> 00:22:36,280
Since security monitoring tools have been made better at detecting these, we're not seeing them,
243
00:22:36,280 --> 00:22:43,160
like, at all anymore. So what is happening now is more of a transition towards,
244
00:22:43,160 --> 00:22:47,880
okay, the threat actors are leveraging Windows capabilities to attack Windows,
245
00:22:48,600 --> 00:22:54,760
to try to hide inside of the noise that the computer already makes. I did a demo of this
246
00:22:54,760 --> 00:23:03,320
at a conference in Paris in late April, where I used SSH, which is installed
247
00:23:03,320 --> 00:23:11,000
natively on Windows 11, to establish a C2 channel to an open source
248
00:23:11,000 --> 00:23:17,640
platform, which is called Serveo, exposing RDP to the internet. The EDR did not detect this,
249
00:23:17,640 --> 00:23:21,720
it did not respond to this. There wasn't an alert fired on it.
250
00:23:21,720 --> 00:23:29,880
The threat actor, me in this case, then connected over RDP into that workstation and leveraged Windows
251
00:23:29,880 --> 00:23:35,080
to attack that domain. So there's a lot of things inside of an Active Directory domain:
252
00:23:35,080 --> 00:23:40,840
any domain user can read anything in the domain. So you just need to have, like, AD Explorer
253
00:23:40,840 --> 00:23:45,320
from Sysinternals installed on that workstation and you're good to go. You can read anything.
254
00:23:45,960 --> 00:23:52,360
And so to answer that question, how the red team can work with this is, you know,
255
00:23:52,360 --> 00:23:57,480
as I said, if you know how Windows works and you know how Active Directory works,
256
00:23:57,480 --> 00:24:06,200
you know how to attack it, because you know how to stay quiet. In the demo, I did not have time
257
00:24:06,200 --> 00:24:12,360
to show that, but I had it in the pipeline to actually enable a WDAC policy on that
258
00:24:12,360 --> 00:24:18,760
device that I compromised to fully disable Defender and the Defender EDR,
259
00:24:18,760 --> 00:24:24,440
while the portal still said, hey, this is fully healthy and fully operational, because I did
260
00:24:24,440 --> 00:24:30,200
not touch the network agent on that device. So I just killed the EDR agent, killed
261
00:24:30,200 --> 00:24:34,920
the, the, the Windows defender agent and I was able to execute whatever I wanted on it. And
262
00:24:34,920 --> 00:24:41,160
that's because I know how Windows works. I know how to protect it. I know
263
00:24:41,160 --> 00:24:47,400
what works. I know what doesn't work. And therefore I also know what I can leverage to actually attack it.
264
00:24:47,400 --> 00:25:00,200
How can I figure out if I got hacked, and what shall I do as an
265
00:25:00,200 --> 00:25:08,360
organization when I do? Oh yeah. So, hopefully you'll see it before you
266
00:25:08,360 --> 00:25:15,480
see the ransom notes. Just kidding. But it is essential in this day and age to
267
00:25:15,480 --> 00:25:23,160
actually have EDR on every system everywhere, coupled with, you know, in the Microsoft stack,
268
00:25:23,160 --> 00:25:27,080
if you're running that, you need to have Defender for Identity, because you want to be able to
269
00:25:27,080 --> 00:25:33,480
correlate those identity-related events with device-related events. And you need to work with
270
00:25:33,480 --> 00:25:39,640
these custom indicators that are aligned towards your organization or the current threat profile
271
00:25:39,640 --> 00:25:45,400
for your organization, because, as I just described, I could use Windows to attack Windows,
272
00:25:45,400 --> 00:25:52,280
but that was with a native, default Defender for Endpoint tenant. However, if I were to create custom
273
00:25:52,280 --> 00:25:58,360
indicators for the things that I know can circumvent these protection mechanisms, I can then start firing
274
00:25:58,360 --> 00:26:04,520
alerts whenever this happens in an illegitimate fashion. So, we really need to feed that information
275
00:26:04,520 --> 00:26:09,480
into your EDR platform, regardless of whether you're using Microsoft, CrowdStrike or,
276
00:26:09,480 --> 00:26:14,440
you know, SentinelOne or whatever you're using. You need to feed your indicators into it in order to
277
00:26:14,440 --> 00:26:21,960
make it able to detect these types of things. And if you were to come to the
278
00:26:21,960 --> 00:26:26,920
conclusion that, hey, this is probably an attack, something is happening in our network,
279
00:26:26,920 --> 00:26:36,200
whatever we're doing is not enough: the main thing here is, don't turn off anything. It's better to unplug
280
00:26:36,200 --> 00:26:43,640
things like the network cable, isolate them network-wise, but don't turn the systems off. Because,
281
00:26:43,640 --> 00:26:49,560
when it comes to a forensic investigation, we really need to figure out, okay, what happened,
282
00:26:49,560 --> 00:26:55,560
and how did the threat actor gain access? What did they do? All of these logs that are stored
283
00:26:55,560 --> 00:27:01,480
on the systems are essential for that type of investigation. I can't tell you how many times we've
284
00:27:01,480 --> 00:27:06,360
been in incident response engagements, and the customer has said, well, we turned off the firewall.
285
00:27:06,360 --> 00:27:11,800
Okay, now we don't have any firewall logs anymore, because you're not pushing them anywhere else,
286
00:27:11,800 --> 00:27:19,080
and if everything is stored in the memory of that firewall, it's gone. So don't touch anything,
287
00:27:19,080 --> 00:27:24,680
just unplug the network, as I said, cut the outbound internet connection,
288
00:27:24,680 --> 00:27:29,480
because threat actors are reliant upon an outbound internet connection for their C2 channel,
289
00:27:29,480 --> 00:27:38,200
and call someone who knows what they're doing. Like, call an incident response company.
290
00:27:38,200 --> 00:27:43,720
I'm not saying, hey, call us, but you get the point, right? If you're suspecting that
291
00:27:43,720 --> 00:27:48,920
something has happened, and we don't know what is happening, and we don't know how to fix it: as I
292
00:27:48,920 --> 00:27:55,640
said, mitigate the possibility of it escalating. Unplug the network and call someone.
293
00:27:55,640 --> 00:28:01,800
Picture it as, you know, coming home and you see that there are these marks on your door.
294
00:28:01,800 --> 00:28:06,360
What do you do? Well, you call the police, right? You suspect there's someone in your house,
295
00:28:06,360 --> 00:28:10,680
or there has been someone in your house. You don't go in and say, hey, I'm going to make sure that no one
296
00:28:10,680 --> 00:28:16,360
is in here, right? The first gut feeling for me would be, I'm picking up my phone and I'm
297
00:28:16,360 --> 00:28:22,120
calling, you know, the local emergency number. So that's the same kind of mindset that you need to have
298
00:28:22,120 --> 00:28:26,680
when it comes to protecting your IT real estate as well. Accept the fact that
299
00:28:26,680 --> 00:28:31,880
you're just a company. If you don't have a specialized
300
00:28:31,880 --> 00:28:39,160
team of people working with this day in, day out, don't get creative, don't try to fix things
301
00:28:39,160 --> 00:28:43,160
yourselves. Just, you know, unplug the network cable and wait for help to arrive.
302
00:28:45,240 --> 00:28:49,320
And what's the role of technologies like
303
00:28:49,320 --> 00:28:52,840
privileged access workstations, jump servers,
304
00:28:52,840 --> 00:28:57,800
Credential Guard, LAPS? What are the roles?
305
00:28:57,800 --> 00:29:03,240
So, we talked a little bit about Active Directory tiering and conceptually how it works.
306
00:29:03,240 --> 00:29:08,200
Now, privileged access workstations are an addition on top of that. So,
307
00:29:08,200 --> 00:29:14,200
again, to limit the exposure of your sensitive credentials, if you add on to it
308
00:29:14,200 --> 00:29:19,880
working from a privileged access workstation, leveraging Active Directory security features
309
00:29:19,880 --> 00:29:25,880
such as authentication policies and authentication policy silos, you can actually say that
310
00:29:25,880 --> 00:29:31,720
if you're a domain admin, you can only log in interactively on this particular device.
311
00:29:31,720 --> 00:29:37,240
So in the greater sense, then, to look at how we can limit credential exposure: well,
312
00:29:37,240 --> 00:29:42,760
if you have those features in place, your credential exposure is one device, because the way
313
00:29:42,760 --> 00:29:50,520
authentication policy silos work is that if your account is in a silo coupled with your
314
00:29:50,520 --> 00:29:55,880
privileged access workstation, that is the only device in the entire domain where your credentials
315
00:29:55,880 --> 00:30:01,800
will work when you're typing them in from the keyboard. And adding on to that, then, with things
316
00:30:01,800 --> 00:30:07,880
like Remote Credential Guard or Restricted Admin mode, those are great additions to it as well,
317
00:30:07,880 --> 00:30:15,800
to actually make RDPing or day-to-day administration of your environment even easier,
318
00:30:15,800 --> 00:30:21,480
because it allows you as an admin to leverage single sign-on using Kerberos.
319
00:30:21,480 --> 00:30:28,040
And a side effect of that feature is that nothing gets stored on the target system in terms of
320
00:30:28,040 --> 00:30:32,360
password hashes. So there's nothing on those systems that you're connecting to that you're actually
321
00:30:32,360 --> 00:30:39,400
able to steal and reuse for lateral movement. So these are things that are incorporated in the
322
00:30:39,400 --> 00:30:45,560
tiering model that we work in. So we create all of these things to help people change the way
323
00:30:45,560 --> 00:30:51,400
they're working. And I know this is a big pain point. I mean, I've done hundreds of tiering
324
00:30:51,400 --> 00:30:57,160
implementations during my time here at Truesec. And the most common pain point for
325
00:30:57,160 --> 00:31:04,040
any organization is that here comes an external consultant telling me that the way I've been
326
00:31:04,040 --> 00:31:10,440
managing my IT environment for the past 25-odd years is not secure, and I need to change. And
327
00:31:10,440 --> 00:31:17,400
we're all humans and we all hate change. So that's the biggest learning curve to
328
00:31:17,400 --> 00:31:21,880
get over. You need to start managing your environment in a different way.
329
00:31:21,880 --> 00:31:29,160
Working remotely is even better. You already have Server Manager, which in its current
330
00:31:29,160 --> 00:31:34,120
state was introduced in Windows Server 2012 R2. I mean, it all works with remote
331
00:31:34,120 --> 00:31:39,560
PowerShell in the back end. So you can add all of your servers into Server Manager. You can edit shares,
332
00:31:39,560 --> 00:31:45,720
you can restart services, what have you. You never need to use Remote Desktop Protocol.
333
00:31:45,720 --> 00:31:50,200
And that's the thing that we're trying to challenge with this: that, hey,
334
00:31:50,200 --> 00:31:55,720
you need to change the way you're working. Move it to a remote administration mindset instead.
335
00:31:55,720 --> 00:32:00,920
Working with Server Manager, working with Remote Server Administration Tools or with Windows
336
00:32:00,920 --> 00:32:06,120
Admin Center, which has been upgraded recently. And it's really, really good at this.
337
00:32:06,120 --> 00:32:12,600
So you can actually perform all of these administrative tasks without having to RDP into different
338
00:32:12,600 --> 00:32:19,400
systems, day in and day out. When we look a little bit into LinkedIn, there is one
339
00:32:20,120 --> 00:32:25,720
thing in cybersecurity groups: there are a lot of posts, and it's about
340
00:32:25,720 --> 00:32:35,080
privileged access management. Why is this right now such a big topic? And why has it become
341
00:32:35,080 --> 00:32:42,040
a central focus in cybersecurity? Well, as I said, I'm one of the naysayers
342
00:32:42,760 --> 00:32:49,640
in this industry. I don't necessarily feel like a privileged access management solution
343
00:32:49,640 --> 00:32:54,760
is the correct way to go, especially when dealing with tier zero levels of permissions.
344
00:32:54,760 --> 00:33:00,600
Because I'm always thinking one, two steps ahead. If we have that privileged access
345
00:33:00,600 --> 00:33:06,280
management solution in place, you have a dependency on a service account, which is a domain
346
00:33:06,280 --> 00:33:10,920
admin, regardless of how you want to look at it. Either it's a direct member of
347
00:33:10,920 --> 00:33:15,000
Domain Admins, or it has permissions on the AdminSDHolder object in your Active Directory.
348
00:33:15,000 --> 00:33:23,560
So I feel like it's a way of challenging what I've already been talking about
349
00:33:23,560 --> 00:33:28,520
for the past half hour with, you know, administrative tiering, and trying to make it easy. Like, this is
350
00:33:28,520 --> 00:33:34,440
the silver bullet: if you just buy this privileged access management solution, everything is fine
351
00:33:34,440 --> 00:33:42,040
and dandy and you don't need to worry about it. That is not necessarily true. And so usually when
352
00:33:42,040 --> 00:33:47,160
I talk to my customers about this topic, you know, how can we incorporate this with a privileged
353
00:33:47,160 --> 00:33:52,200
access management solution? Well, it's an Active Directory solution. So, of course, it's fully
354
00:33:52,200 --> 00:33:59,960
integrable with a PAM solution. But again, then you have a dependency on one
355
00:33:59,960 --> 00:34:04,520
particular service. What happens if that service dies, if it goes down? How do you then access and
356
00:34:04,520 --> 00:34:08,920
administer your environment? So I usually recommend to my customers, okay, you can use the PAM
357
00:34:08,920 --> 00:34:13,800
solution, but target it towards, you know, tier one administration, because that's where you're
358
00:34:13,800 --> 00:34:19,720
going to have the bulk of your administrative users anyway. Don't let it touch your tier zero resources.
359
00:34:19,720 --> 00:34:25,400
The same goes for your IAM solution. Don't let your IAM solution automatically create new domain
360
00:34:25,400 --> 00:34:30,520
admin accounts. That needs to be done by a human, because we need to stay in control in terms of,
361
00:34:30,520 --> 00:34:35,000
you know, you're familiar with the CIA triad: confidentiality, integrity, availability.
362
00:34:35,000 --> 00:34:41,560
Having those kinds of systems in place actually messes with that CIA triad, because
363
00:34:41,560 --> 00:34:47,800
then we already have, you know, the dependency on different solutions, different systems
364
00:34:47,800 --> 00:34:52,680
that can interact with the confidentiality and the integrity of the Active Directory environment.
365
00:34:54,680 --> 00:34:58,920
And how important is just-enough and just-in-time access today?
366
00:34:58,920 --> 00:35:06,520
So as I said earlier, it's difficult to get that mindset into an Active Directory on-premises
367
00:35:06,520 --> 00:35:13,240
environment without having external integrations. I've seen a couple of professionals in the cybersecurity
368
00:35:13,240 --> 00:35:17,560
community talking about, hey, we can leverage Privileged Identity Management with group
369
00:35:17,560 --> 00:35:24,040
writeback to make you a domain admin on-prem. Again, what happens if the cloud is unreachable or
370
00:35:24,040 --> 00:35:31,400
something goes down? I mean, keep it simple. Use on-prem for managing on-prem stuff.
371
00:35:31,400 --> 00:35:38,280
So on that topic, it's kind of hard to get that just-in-time administration when it comes to
372
00:35:38,280 --> 00:35:44,440
the higher privileges in an on-premises solution. However, when it comes to just-enough administration,
373
00:35:44,440 --> 00:35:51,320
are you familiar at all with the PowerShell way of thinking around just-in-time, just-enough
374
00:35:51,320 --> 00:35:57,320
administration? We can actually create, like, an XML file that says which service you're allowed to
375
00:35:57,320 --> 00:36:06,600
restart, etc. Yeah, a little bit. I know what you're saying. I use scripting, so a little bit,
376
00:36:06,600 --> 00:36:15,800
but I'm not really deep into it. Yeah, so we're currently recommending customers to think along these
377
00:36:15,800 --> 00:36:21,720
lines, because instead of delegating full admin permissions on a Windows server, you can actually
378
00:36:21,720 --> 00:36:28,920
delegate almost full admin privileges on that system. You can do pretty much anything inside
379
00:36:28,920 --> 00:36:35,240
of PowerShell except for these four different tasks, just as an example. So, if you reach
380
00:36:35,240 --> 00:36:41,880
that level, you're on a really mature level when it comes to elevating your cybersecurity posture.
381
00:36:41,880 --> 00:36:47,800
But again, don't overcomplicate things. I'm not saying that you should start by looking into,
382
00:36:47,800 --> 00:36:52,280
okay, how can we enforce just-in-time and just-enough administration in terms of PowerShell
383
00:36:52,280 --> 00:36:57,320
when we're still allowing domain admins to log in from anywhere? So we need to start somewhere.
384
00:36:57,320 --> 00:37:01,720
Start with the basics. Get the basics right and then you can always progress into a more mature state
385
00:37:01,720 --> 00:37:11,800
moving on. Yeah, I have taken a look at the new Azure service map with over 100 services,
386
00:37:11,800 --> 00:37:21,320
obviously, yeah, it's amazing. And I feel 10% of the tools there are related to the cybersecurity
387
00:37:21,320 --> 00:37:31,320
topic. There are so many tools, like Microsoft Defender XDR, Microsoft Entra ID P2 and Microsoft
388
00:37:31,320 --> 00:37:40,360
Purview. How can an organization have an overview of all that they need in
389
00:37:40,360 --> 00:37:47,640
all these tools? Oh, well, that's a really difficult question to answer because it's, you know,
390
00:37:47,640 --> 00:37:55,960
how long is a string? But again, as I said, you need to have an EDR in place in this day and age.
391
00:37:55,960 --> 00:38:01,560
So yes, you need to use Defender XDR if you're a Microsoft customer on all of your systems,
392
00:38:01,560 --> 00:38:08,040
including your domain controllers and your Entra Connect servers. I mean, we cannot let them be unmonitored
393
00:38:08,040 --> 00:38:11,560
just because they are privileged or they are sensitive in that sense.
394
00:38:11,560 --> 00:38:20,360
But it also plays into, you know, okay, which toolset do we use to protect which administrative
395
00:38:20,360 --> 00:38:25,880
interface? So as you mentioned, PIM and all of these things, they're great for protecting,
396
00:38:25,880 --> 00:38:31,400
you know, standing access permissions inside of the cloud. In my book, they're not so great at
397
00:38:31,400 --> 00:38:35,960
doing the same on-prem, and they shouldn't be used on-prem, if you're asking me. I think,
398
00:38:35,960 --> 00:38:41,480
let's take a step back, keep it simple. We have one way of administering on-prem and we have
399
00:38:41,480 --> 00:38:49,080
another way to administer the cloud. We can keep the same concepts or the same ideas
400
00:38:49,080 --> 00:38:55,640
flowing through each workload, but when it comes to the technical specifics or the technical
401
00:38:55,640 --> 00:39:02,600
features that we're leveraging, try to keep it like on-prem for on-prem, cloud for cloud in that sense.
402
00:39:04,680 --> 00:39:13,160
How does a company work with a cybersecurity company? Is it, here, I give you the keys to my car
403
00:39:13,160 --> 00:39:20,760
and you drive me securely to success, or how does it work? So when we work in these,
404
00:39:20,760 --> 00:39:26,200
what do you want to call it, proactive security engagements, it's more along the lines of what
405
00:39:26,200 --> 00:39:32,840
you and I are doing right now. There's some sort of video conferencing solution and I'm the backseat
406
00:39:32,840 --> 00:39:39,320
driver. So I give you the keys and I say, no, you keep the keys, but I'll tell you where to go.
407
00:39:39,320 --> 00:39:46,200
So it's more of a combined effort where the customer is doing all of the heavy lifting, because I
408
00:39:46,200 --> 00:39:52,360
want to try, or we want to try, to employ some sort of competency handover,
409
00:39:52,360 --> 00:39:57,160
like, from the sort of education standpoint that we want to make sure that you understand what you're
410
00:39:57,160 --> 00:40:03,000
doing and why you're doing it, whilst we are helping you to enhance the security in your environment.
411
00:40:03,000 --> 00:40:09,320
But when it comes to incident response engagements, well, then it's the opposite. Then we basically
412
00:40:09,320 --> 00:40:15,400
just say, okay, hand over the keys and don't touch anything. This is a crime scene. We'll do the
413
00:40:15,400 --> 00:40:22,360
investigation. We'll let you come back in once everything is fine and dandy. So it really depends
414
00:40:22,360 --> 00:40:30,440
on the situation in that sense. Yeah, but it's, I think, a 24-hour job.
415
00:40:30,440 --> 00:40:39,320
Or I think most companies don't shut down after working hours; they have services and so on.
416
00:40:39,320 --> 00:40:45,880
So yeah, you must have someone, I think, monitoring 24 hours.
417
00:40:45,880 --> 00:40:51,000
Yeah, absolutely. So we talked about this. You need to have an EDR.
418
00:40:51,000 --> 00:40:55,560
Well, it doesn't really matter if you have an EDR, if the only coverage is from, you know,
419
00:40:55,560 --> 00:41:03,000
working like 8 AM to 5 PM, which is regular Swedish working hours, because what happens if the
420
00:41:03,000 --> 00:41:09,640
threat actor attacks you at 6 PM or 5:15 PM? So it really is, you know, if you have these eyes
421
00:41:09,640 --> 00:41:14,840
and ears, you need to have someone look at those logs 24/7, 365 days of the year.
422
00:41:14,840 --> 00:41:20,360
And that's exactly to your point: cybersecurity is a 24-hour industry.
423
00:41:20,360 --> 00:41:27,960
Well, just this last winter, I worked on a case. I stayed up working until, like, 4 AM.
424
00:41:27,960 --> 00:41:34,600
And then I got up at 6 AM to drive my kids to school. So it's a 24-hour schedule for people
425
00:41:34,600 --> 00:41:44,600
in my industry as well. Awesome. What advice would you give to security teams trying to
426
00:41:44,600 --> 00:41:51,560
shore up their identity and security posture, or what tips can you give them?
427
00:41:51,560 --> 00:42:01,880
Well, as I said numerous times now, keep it simple. Get the basics done right first,
428
00:42:01,880 --> 00:42:07,160
prior to looking into, hey, how can we leverage this PAM or PIM or whatever you want to call it
429
00:42:07,160 --> 00:42:12,680
solution to enhance our security posture? Just take a look at, or if you don't know how to,
430
00:42:12,680 --> 00:42:19,400
then enlist someone to take a look at your environment in detail. Hey, do these things, like, right now.
431
00:42:19,400 --> 00:42:25,080
Get the basics done right. We need to shift back to, you know, what do you want to call it,
432
00:42:25,080 --> 00:42:30,600
regular IT security hygiene. Shift back to make sure that the basics are in place,
433
00:42:30,600 --> 00:42:37,240
build on that, implement these things in terms of, well, if you don't want to go full-out
434
00:42:37,240 --> 00:42:42,680
tiering, well, at least ensure that domain admins can't log in everywhere, or Administrators in the
435
00:42:42,680 --> 00:42:50,280
domain, or the Enterprise Admins or Schema Admins, etc. Think big and start small. Do these
436
00:42:50,280 --> 00:42:55,480
small things to start the journey, because then you can always take bigger and bigger steps
437
00:42:55,480 --> 00:43:02,200
as soon as you feel more mature or feel more comfortable with the current setup that you're working with.
438
00:43:03,640 --> 00:43:10,840
I read in some cybersecurity groups that the password model is finally dying. Is that true?
439
00:43:10,840 --> 00:43:19,560
Well, it depends, is the boring answer. When it comes to the cloud
440
00:43:19,560 --> 00:43:26,120
side of the business, I haven't used a password for accessing my work laptop in the past five
441
00:43:26,120 --> 00:43:33,400
years. So I'm working with Windows Hello 100%. So in that sense, for companies that are
442
00:43:33,400 --> 00:43:40,040
in that scenario, yeah, passwords are pretty much a thing of the past. However, as I said, working
443
00:43:40,040 --> 00:43:46,040
with on-premises Active Directory environments, no, passwords aren't dead. If you want to transition
444
00:43:46,040 --> 00:43:52,360
towards a passwordless authentication mechanism that works on-prem, well, certificates are your
445
00:43:52,360 --> 00:43:59,160
next best thing. So passwords, yeah, sure, we want to tell them that passwords are dead,
446
00:43:59,160 --> 00:44:03,160
but they're not dead in that definition that they're not being used anymore. I mean,
447
00:44:03,160 --> 00:44:09,240
we're telling you that they are dead in terms of don't use this as a primary method of authentication.
448
00:44:09,240 --> 00:44:15,480
Try to transition towards passwordless authentication, like Windows Hello or FIDO2
449
00:44:15,480 --> 00:44:23,640
authentication mechanisms, like a hardware key, the passkey inside of the Microsoft Authenticator app,
450
00:44:23,640 --> 00:44:28,680
those things, to try to eliminate that weak point in your security posture.
451
00:44:29,720 --> 00:44:38,280
So in every session I do a fast rapid-fire round. So I give a question, I say
452
00:44:38,280 --> 00:44:44,600
question, short answer. So, the most underrated Microsoft security feature?
453
00:44:44,600 --> 00:44:45,560
Defender for Identity.
454
00:44:45,560 --> 00:44:50,520
Biggest AD security myth? Sorry.
455
00:44:51,560 --> 00:44:57,640
Well, the biggest AD security myth out there.
456
00:44:57,640 --> 00:44:59,880
It's secure by default.
457
00:44:59,880 --> 00:45:04,040
One thing every enterprise should fix tomorrow.
458
00:45:04,040 --> 00:45:07,560
Block domain admins from logging into everything.
459
00:45:07,560 --> 00:45:10,520
Who are the cool guys? Red team or blue team?
460
00:45:10,520 --> 00:45:12,920
Both.
461
00:45:15,720 --> 00:45:22,520
Is there a favorite cybersecurity book or resource you can say that everyone has to read?
462
00:45:22,520 --> 00:45:27,560
Oh, it's not a book, but a podcast: Darknet Diaries by Jack Rhysider.
463
00:45:27,560 --> 00:45:33,720
And coffee, Red Bull, or tea during incidents?
464
00:45:33,720 --> 00:45:35,960
Oh, energy drinks 100%.
465
00:45:35,960 --> 00:45:41,880
So yeah, thank you for your time.
466
00:45:41,880 --> 00:45:51,720
So it was really nice, this deep dive, and now we have also learned AD is not dead.
467
00:45:51,720 --> 00:45:54,920
It won't be. Sorry, but it won't be.
468
00:45:54,920 --> 00:45:58,120
It will not die.
469
00:45:58,120 --> 00:46:05,400
Damn. Yeah, so what is the one thing you say everyone should take from this session?
470
00:46:05,400 --> 00:46:10,280
Well, as I said, like, start with getting the basics right.
471
00:46:10,280 --> 00:46:16,600
Like, we need to toggle back a couple of years to say, hey, maybe we shouldn't look at which tool
472
00:46:16,600 --> 00:46:23,160
to buy to help us prevent this. We should actually work with the basics first to get those in line,
473
00:46:23,160 --> 00:46:29,240
because we can add tools later that can help us maintain those basics later on down the line.
474
00:46:29,240 --> 00:46:37,640
Yeah, then I say thank you all. You find all the information about Viktor in the show notes
475
00:46:38,280 --> 00:46:43,960
and LinkedIn and so on. And yeah, thank you for your time.
476
00:46:43,960 --> 00:46:47,160
Yeah, thanks for having me. Bye.
477
00:46:47,160 --> 00:46:49,320
Bye.

![Inside Enterprise Security: AD Tiering & Privileged Access with Viktor Hedberg [MVP - MCT] Inside Enterprise Security: AD Tiering & Privileged Access with Viktor Hedberg [MVP - MCT]](https://img.youtube.com/vi/gPvjBFBc4h4/maxresdefault.jpg)