Semperis, the pioneer of identity-driven cyber resilience for enterprises, today announced the availability of Purple Knight, a free security assessment tool that allows organizations to safely probe their Microsoft Active Directory (AD) environment to uncover dangerous misconfigurations and other weaknesses that attackers can exploit to steal data and launch malware campaigns. Built and managed by an elite group of Microsoft identity experts, the tool empowers organizations to combat the deluge of escalating attacks targeting AD by spotting indicators of exposure and compromise in their environments and providing corrective guidance to close gaps.
As the gatekeeper to critical applications and data in 90% of organizations worldwide, AD is a prime target for attackers and extremely complex to secure. Increasingly, stealth attacks take advantage of built-in protocols in the Windows operating system—and AD itself—to avoid detection. The threat actors associated with the SolarWinds attack, for example, allegedly used native Windows tools such as Windows Management Instrumentation (WMI) to enumerate the certificate-signing capability of AD Federation Services. Since AD is rarely safeguarded effectively, attackers have come to depend on weak configurations to identify attack paths, access privileged credentials, and get a foothold into target networks.
“Considering that 80% or more of cyberattacks involve the abuse of privileged credentials, inherent Active Directory vulnerabilities have the potential to compromise an organization’s entire security infrastructure, which puts pressure on AD managers and security teams to stay ahead of the threats,” said Mickey Bresman, CEO of Semperis. “However, securing AD can be difficult given its constant flux and the relatively limited number of AD security specialists in the world. To lock down AD, you must think like an attacker. With the release of Purple Knight, Semperis is giving organizations a window into the security posture of their AD environments, with the ultimate goal of empowering organizations to safely challenge their defenses, find weak spots, and take immediate action before those weaknesses are exploited.”
To flag security vulnerabilities such as suboptimal configurations and policies, Purple Knight queries an organization’s AD environment and performs a comprehensive set of tests against the most common and effective attack vectors that correlate to known security frameworks such as the MITRE ATT&CK framework. With no special installation required, the tool maps to pre- and post-attack security indicators across five core aspects of AD’s security posture, including AD delegation, account security, AD infrastructure security, Group Policy security, and Kerberos security. Once the assessment is complete, Purple Knight generates a summary report that provides an overall risk score, details the indicators of exposure detected and likelihood of compromise, and recommends actionable remediation steps before any weaknesses can be exploited by attackers.
Purple Knight is currently used by some of the largest organizations with the most complex identity environments in the world. In early findings from the tool, users report an average failing score of 61%, with Kerberos security being the top risk area with an average score of 43%. Other category scores from initial results were 58% for Group Policy security, 59% for account security, 68% for AD delegation, and 77% for AD infrastructure security. Results from these early reports also revealed that the largest organizations, often with the most resources, are particularly susceptible to falling behind in securing their critical identity systems because of the sheer size and complexity of their environments.
Some of the common scenarios uncovered in the Purple Knight security assessments that lead to AD vulnerabilities are:
Password policies that are inadequate for modern account protection
Accounts with elevated privileges in place that have not been adequately reviewed
Accounts with delegated permissions over Active Directory that have proliferated over time and have unwanted consequences for AD security
Weaknesses in Kerberos usage that are increasingly being exploited to gain privileged access
Weak Group Policy configuration, which creates a variety of holes that attackers can exploit
“Purple Knight addresses a need that has become more pronounced in the wake of the Exchange Server Hafnium attack, which prompted Microsoft to advise customers to scan their systems for IOEs and IOCs,” said Darren Mar-Elia, Semperis VP of Products. “Any large organization that has had Active Directory deployed for a long time is going to have weaknesses in their security posture, which means that if attackers got in, they would find it easy to exploit these vulnerabilities. Large, complex organizations tend to have a spider web of permissions that have accumulated over time—and no idea whether that situation can be exploited. You have to plug the holes and hope for the best.”
Purple Knight will initially be distributed through an approved network of partners, who have all rigorously tested the tool and are able to help organizations understand the implications of their unique results.
“With Purple Knight, we have the power of elite Active Directory domain expertise packaged into an easy-to-use, extremely powerful tool,” said Chris Vermilya, Director of Identity and Access Management (IAM) at Fishtech Group. “The tool safely uncovers weak configurations in client environments and helps us quickly close the gaps before attackers can exploit them. Since Active Directory is such a critical system that is constantly targeted, Purple Knight goes a long way in hardening organizational security, starting at the most common initial access point.”